ICANN ICANN Email List Archives

[gnso-ff-pdp-may08]


<<< Chronological Index >>>    <<< Thread Index >>>

Re: [gnso-ff-pdp-may08] The Definition of Fast Flux

  • To: Fast Flux Workgroup <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: Re: [gnso-ff-pdp-may08] The Definition of Fast Flux
  • From: "Mike O'Connor" <mike@xxxxxxxxxx>
  • Date: Mon, 21 Jul 2008 09:35:51 -0500


At 08:54 AM 7/21/2008, Dave Piscitello wrote:



On 7/20/08 12:37 PM, "Mike O'Connor" <mike@xxxxxxxxxx> wrote:
>
> -- Proposal:  remove references to intent from our definition of
> Fastflux.  On re-listening to the conversation, I didn't detect a
> strong demand to include intent in the definition and a lot of good
> arguments for removing it.  Let's have a discussion about that.  I'm
> leaning in favor at the moment.

I missed the call so I need a clarification regarding intent. Do you mean
making a value/moral distinction as in "this application of fast flux is
good and this one is bad"?

Yeah, that's it in a nutshell. I took a little more than my usual care when I hammered this sentence together from several pieces of the conversation;

"Intent can be viewed as criminal or benign, depending on vantage point -- and, given how difficult this is to determine, we should be careful when thinking about building that distinction-making into the solutions that we propose. "


I still believe that it's important to distinguish a fast flux network as
something operated on systems using software installed without the user's
knowledge and consent. This to me is a key differentiation: simply put, I do
not believe that there you can claim good/legal/legitimate/noble intent if
you are running your network on someone else's property in an unauthorized
and covert fashion.

We had a pretty long discussion around the notion of some kind of "fingerprint" that we could use to distinguish between good and bad uses of fastflux. I tried out the very point you're making, but learned that there are *consentual* botnets, which again makes this difficult to determine from afar.


> -- Proposal: let the solution drive the definition.  One approach is
> to let the solution-defining continue for a bit and let that inform
> the definition.  My instincts tell me that this isn't terrible, but
> runs the risk of "hammer looking for a nail" or "if we build it they
> will come."  So I'm neutral on this one.

This is indeed "hammer looking for a nail".

> -- Proposal: let the definition allow for "slow fast flux".  Rod
> pointed out that some people use all the same techniques, but don't
> do the constant-IP-changing part and that we shouldn't limit our
> discussion/proposals just to "fast."  My initial reaction (in Paris)
> was a scope concern, but now that I've had the benefit of the last
> couple weeks of email, I think we could handle the scope issue and
> agree with Rod that we don't want to be so narrow that we exclude
> solutions that would address this broader case.  So I'm leaning in favor.

Agree entirely. Instead of a "jumbo shrimp" label, I would suggest that we
say "flux"  or "slow and fast flux".

This will dramatically change the hammer.




<<< Chronological Index >>>    <<< Thread Index >>>

Privacy Policy | Terms of Service | Cookies Policy