Re: [gnso-ff-pdp-may08] The Definition of Fast Flux

[RLVaughn <RL_Vaughn@xxxxxxxxxx>]

Dave Piscitello wrote:
> On 7/21/08 10:35 AM, "Mike O'Connor" <mike@xxxxxxxxxx> wrote:
>
> > > I still believe that it's important to distinguish a fast flux network as
> > > something operated on systems using software installed without the user's
> > > knowledge and consent. This to me is a key differentiation: simply put, I do
> > > not believe that there you can claim good/legal/legitimate/noble intent if
> > > you are running your network on someone else's property in an unauthorized
> > > and covert fashion.
> > We had a pretty long discussion around the notion of some kind of
> > "fingerprint" that we could use to distinguish between good and bad
> > uses of fastflux.  I tried out the very point you're making, but
> > learned that there are *consentual* botnets,  which again makes this
> > difficult to determine from afar.
> This is hurting my brain.
>
> First principles: it is criminal activity or it is not. We are trying so
> hard to do no harm to non-criminal cases but at the same time we persist in
> treating the two applications as one.
>
> If it is consentual, it is not fast flux.
> If it is consentual, it is not a bot net.
>
> Barring the definitions from such unreliable resources as wikipedia, let's
> try to stay consistent with the definition I painstakingly solicited from
> the anticrime/antiphishing community that appears in SAC 025, Fast Flux...:
>
> A botnet is a network of compromised third-party computers running software
> (ro)bots. These bots can be remotely controlled ­ initially by the actual
> attacker, and subsequently by a party who pays the attacker for use of the
> botnet ­ for any number of unauthorized or illegal activities. The attacker
> is typically associated with an organized criminal element. The attacker
> will install "bot software" without notice or authorization on a PC via a
> spyware download or virus attached to an email message, and more commonly,
> through browser or other client-side exploits (e.g., compromised banner
> advertising). Once the bot is able to execute, it establishes a back-channel
> to a control infrastructure setup by the attacker. The traditional botnet
> design employed a centralized model, and all back-channels connected to an
> attacker's command-and-control center (C&C). Recently, botnet operators have
> employed peer-to-peer models for back-channel operation to thwart detection
> of the C&C via traffic analysis.
>
> I *beg* you all to choose TWO different labels.
It hurts what little is left of my brain as well.  But the need for
precise definition is apparent from both comments as the perceived
squishiness of the fastflux term and to the conclusions gathered in
the various steps of the process.

To everyone's great misfortune I am therefore tossing on my dusty
mathematician's hat in order to produce some definitions and
acronyms.  Feel free to ignore them all.


Definition:
A Compromised Host is a computer which has had software functionality
installed without the express consent of the host's owner.

Definition:
A Compromised Host Service Network (CHSN) is a network whose
infrastructure depends on the use of compromised hosts.

The above category would include my definition of FF and Rod's
phishing networks.

Definition:
A volatile network is one is purposed to distribute logically
identical services over multiple (perhaps virtual) hosts at request
time.

Both the traditional RRDNS and CDN fall into the definition of
volatile networks.  Anycast DNS and CDN's also meet the definition of
volatile networks.

Definition:
A volatile CHSN (VCHSN) is a volatile network which is also a CHSN.

The fastflux vernacular refers to a VCHSN.

Now consider two networks of intent:
  a) Illegally Purposed Service Networks; and,
  b) Politically Purposed Service Networks.

Definition:
An Illegally Purposed Service Network (IPSN) is a network whose
infrastructure is built with the intent of conducting activities
which are considered to be of an illegal nature.

Definition:
A Politically Purposed Service Network (PPSN) is a network whose
infrastructure is built with the intent of conducting activities which
are considered to be of a political nature.

The inclusion of a PPSN in the IPSN category would often be a matter
of debate.

Observations:

An IPSN may not be a CHSN.  As an hypthetical example, pedophile
networks might be entirely built with voluntarily contributed assests.

A PPSN may not be a CHSN.  For example, a network purposed for
political dissent may be built entirely with voluntary assests.

None of the various service networks described above (IPSN, PPSN,
CHSN) are necessarily built using volatile (flux) networks.