Re: [gnso-ff-pdp-may08] The Definition of Fast Flux
- To: RLVaughn <RL_Vaughn@xxxxxxxxxx>, Dave Piscitello <dave.piscitello@xxxxxxxxx>
- Subject: Re: [gnso-ff-pdp-may08] The Definition of Fast Flux
- From: "Mike O'Connor" <mike@xxxxxxxxxx>
- Date: Mon, 21 Jul 2008 12:24:15 -0500
At 11:44 AM 7/21/2008, RLVaughn wrote:
Dave Piscitello wrote:
On 7/21/08 10:35 AM, "Mike O'Connor" <mike@xxxxxxxxxx> wrote:
I still believe that it's important to distinguish a fast flux network as
something operated on systems using software installed without the user's
knowledge and consent. This to me is a key differentiation: simply put, I do
not believe that you can claim good/legal/legitimate/noble intent if
you are running your network on someone else's property in an unauthorized
and covert fashion.
We had a pretty long discussion around the notion of some kind of
"fingerprint" that we could use to distinguish between good and bad
uses of fastflux. I tried out the very point you're making, but
learned that there are *consensual* botnets, which again makes this
difficult to determine from afar.
This is hurting my brain.
First principles: it is criminal activity or it is not. We are trying so
hard to do no harm to non-criminal cases but at the same time we persist in
treating the two applications as one.
If it is consensual, it is not fast flux.
If it is consensual, it is not a bot net.
Barring the definitions from such unreliable resources as wikipedia, let's
try to stay consistent with the definition I painstakingly solicited from
the anticrime/antiphishing community that appears in SAC 025, Fast Flux...:
A botnet is a network of compromised third-party computers running software
(ro)bots. These bots can be remotely controlled initially by the actual
attacker, and subsequently by a party who pays the attacker for use of the
botnet for any number of unauthorized or illegal activities. The attacker
is typically associated with an organized criminal element. The attacker
will install "bot software" without notice or authorization on a PC via a
spyware download or virus attached to an email message, and more commonly,
through browser or other client-side exploits (e.g., compromised banner
advertising). Once the bot is able to execute, it establishes a back-channel
to a control infrastructure set up by the attacker. The traditional botnet
design employed a centralized model, and all back-channels connected to an
attacker's command-and-control center (C&C). Recently, botnet operators have
employed peer-to-peer models for back-channel operation to thwart detection
of the C&C via traffic analysis.
I *beg* you all to choose TWO different labels.
It hurts what little is left of my brain as well. But the need for
precise definition is apparent from both comments as the perceived
squishiness of the fastflux term and to the conclusions gathered in
the various steps of the process.
To everyone's great misfortune I am therefore tossing on my dusty
mathematician's hat in order to produce some definitions and
acronyms. Feel free to ignore them all.
Definition:
A Compromised Host is a computer which has had software functionality
installed without the express consent of the host's owner.
Definition:
A Compromised Host Service Network (CHSN) is a network whose
infrastructure depends on the use of compromised hosts.
The above category would include my definition of FF and Rod's
phishing networks.
Definition:
A volatile network is one which is purposed to distribute logically
identical services over multiple (perhaps virtual) hosts at request
time.
Both the traditional RRDNS and CDN fall into the definition of
volatile networks. Anycast DNS and CDNs also meet the definition of
volatile networks.
Definition:
A volatile CHSN (VCHSN) is a volatile network which is also a CHSN.
The fastflux vernacular refers to a VCHSN.
Now consider two networks of intent:
a) Illegally Purposed Service Networks; and,
b) Politically Purposed Service Networks.
Definition:
An Illegally Purposed Service Network (IPSN) is a network whose
infrastructure is built with the intent of conducting activities
which are considered to be of an illegal nature.
Definition:
A Politically Purposed Service Network (PPSN) is a network whose
infrastructure is built with the intent of conducting activities which
are considered to be of a political nature.
The inclusion of a PPSN in the IPSN category would often be a matter
of debate.
Observations:
An IPSN may not be a CHSN. As a hypothetical example, pedophile
networks might be entirely built with voluntarily contributed assets.
A PPSN may not be a CHSN. For example, a network purposed for
political dissent may be built entirely with voluntary assets.
None of the various service networks described above (IPSN, PPSN,
CHSN) are necessarily built using volatile (flux) networks.
This is neat!