ICANN Email List Archives

[gnso-ff-pdp-may08]



Re: [gnso-ff-pdp-may08] The Definition of Fast Flux

  • To: "Mike O'Connor" <mike@xxxxxxxxxx>, Fast Flux Workgroup <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: Re: [gnso-ff-pdp-may08] The Definition of Fast Flux
  • From: Dave Piscitello <dave.piscitello@xxxxxxxxx>
  • Date: Mon, 21 Jul 2008 07:48:14 -0700




On 7/21/08 10:35 AM, "Mike O'Connor" <mike@xxxxxxxxxx> wrote:

>
>> I still believe that it's important to distinguish a fast flux network as
>> something operated on systems using software installed without the user's
>> knowledge and consent. This to me is a key differentiation: simply put, I do
>> not believe that you can claim good/legal/legitimate/noble intent if
>> you are running your network on someone else's property in an unauthorized
>> and covert fashion.
>
> We had a pretty long discussion around the notion of some kind of
> "fingerprint" that we could use to distinguish between good and bad
> uses of fastflux.  I tried out the very point you're making, but
> learned that there are *consensual* botnets, which again makes this
> difficult to determine from afar.

This is hurting my brain.

First principles: it is criminal activity or it is not. We are trying so
hard to do no harm to non-criminal cases but at the same time we persist in
treating the two applications as one.

If it is consensual, it is not fast flux.
If it is consensual, it is not a bot net.

Barring the definitions from such unreliable resources as Wikipedia, let's
try to stay consistent with the definition I painstakingly solicited from
the anticrime/antiphishing community that appears in SAC 025, Fast Flux...:

A botnet is a network of compromised third-party computers running software
(ro)bots. These bots can be remotely controlled - initially by the actual
attacker, and subsequently by a party who pays the attacker for use of the
botnet - for any number of unauthorized or illegal activities. The attacker
is typically associated with an organized criminal element. The attacker
will install "bot software" without notice or authorization on a PC via a
spyware download or virus attached to an email message, and more commonly,
through browser or other client-side exploits (e.g., compromised banner
advertising). Once the bot is able to execute, it establishes a back-channel
to a control infrastructure set up by the attacker. The traditional botnet
design employed a centralized model, and all back-channels connected to an
attacker's command-and-control center (C&C). Recently, botnet operators have
employed peer-to-peer models for back-channel operation to thwart detection
of the C&C via traffic analysis.

I *beg* you all to choose TWO different labels.




