ICANN ICANN Email List Archives

[gnso-ff-pdp-may08]



RE: [Bulk] [gnso-ff-pdp-may08] Mike R's "24/7 abuse queue" proposal

  • To: pdiaz@xxxxxxxxxxxxxxxxxxxx
  • Subject: RE: [Bulk] [gnso-ff-pdp-may08] Mike R's "24/7 abuse queue" proposal
  • From: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
  • Date: Sun, 3 Aug 2008 18:56:12 -0700

Hi Paul!

You commented:

#To argue that "the incremental cost of running a 24/7 threat-response
#capability is zero" is misguided. 

It may be a matter of what folks have in mind. Consider two different
models:

Model A: Web form (or abuse reporting email address) accepts abuse
complaints 24x7, where the submission is just a domain name. At the
time of submission, the domain name is automatically tested for
fast flux characteristics. If the domain name appears to exhibit
fast flux characteristics, it is further tested for characteristics
relevant to "high risk" domains that shouldn't be touched. All
that investigative goodness is then passed to a handler for review
and action. Handlers might deal with reported domains once a day,
eight hours a day, or round the clock. Assuming a registrar is
already dealing with other issue reports (e.g., WDPRS, UDRP, 
etc.), and the registrar is not awash with badness, I truly
don't believe this model would require much (if anything) in the
way of incremental resources once the web reporting and analysis
form is built (and that could be shared across all registrars).

Model B would potentially be much more labor intensive. Complaints
could be accepted by phone, or fax, or as free form emails.
Proactive screening and manual site review might occur. Multiple 
parties (handler plus manager, for example) might review all 
submitted domains. Legal might be involved. Formal customer notification
might be attempted in all cases. This process might happen 24x7
in near real time, including having enough capacity to handle
surges in reports.

Obviously model B would be much more expensive than model A, but
I'm not convinced that model A wouldn't be sufficient.

#This brings me back to some of the questions I posed in an earlier
#thread: what standards will be used to identify fastflux domains, 

One mathematical model for this was mentioned in the Mannheim paper:
https://pi1.informatik.uni-mannheim.de/filepool/research/publicati
ons/fast-flux-ndss08.pdf (URL wrapped due to length)

#how will we vet the "police" making the claim, 

The nice thing about fastflux is that *who* points the finger
doesn't really matter, because the fastflux phenomenon is empirically
and objectively assessable.

It's like figuring out if a patient is running a fever: within the
limits of measurement accuracy, the thermometer provides a trustworthy
objective assessment, and the formula from the Mannheim paper provides 
a similar trustworthy assessment for fast flux.

#who will pay for all of this process, etc.? 

For model A, you could probably just raid the office coffee pool. :-)

Regards,

Joe
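An added illustration of the Model A intake described above, not code from this thread or from the Mannheim paper: a submitted domain is scored on constructed DNS observations for fast-flux characteristics, checked against a do-not-touch list, and routed to a handler queue. The thresholds, the do-not-touch entry and the lookup data are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Lookup:
    """One DNS answer (constructed sample; a real intake resolves the name
    repeatedly over time and maps each returned IP to its ASN)."""
    ttl: int
    a_records: dict  # ip -> ASN

# Constructed list of "high risk" names that must never be actioned
# automatically; a real deployment would maintain this separately.
DO_NOT_TOUCH = {"bigcdn.example"}

def flux_metrics(lookups):
    """Distinct IPs, distinct ASNs and the lowest TTL seen across lookups."""
    ips, asns = set(), set()
    for lk in lookups:
        ips.update(lk.a_records)
        asns.update(lk.a_records.values())
    return len(ips), len(asns), min(lk.ttl for lk in lookups)

def assess(domain, lookups, max_ttl=300, min_ips=5, min_asns=3):
    """Returns (flux_candidate, route, reasons). Thresholds are assumed
    heuristics, not the Mannheim paper's weights: a candidate shows many
    IPs spread across several ASNs and short TTLs on every lookup."""
    n_ips, n_asns, low_ttl = flux_metrics(lookups)
    reasons = []
    if n_ips >= min_ips:
        reasons.append(f"{n_ips} distinct A records")
    if n_asns >= min_asns:
        reasons.append(f"{n_asns} distinct ASNs")
    if low_ttl <= max_ttl:
        reasons.append(f"TTL as low as {low_ttl}s")
    candidate = len(reasons) == 3
    if not candidate:
        route = "close"      # no flux evidence: no handler time spent
    elif domain in DO_NOT_TOUCH:
        route = "escalate"   # flux-like but protected: human review only
    else:
        route = "handler"    # queued for the handler's next shift
    return candidate, route, reasons

# Constructed observations: a flux-like name answering with fresh IPs in
# different ASNs on every lookup, and a stable name for comparison.
FLUX_LOOKUPS = [
    Lookup(180, {"203.0.113.10": 64501, "198.51.100.20": 64502, "192.0.2.30": 64503}),
    Lookup(180, {"203.0.113.11": 64504, "198.51.100.21": 64505, "192.0.2.31": 64506}),
]
STABLE_LOOKUPS = [Lookup(3600, {"192.0.2.1": 64500})] * 2
```

The "escalate" route is what keeps the protected names out of the automated path while still recording that the report was received.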


