ICANN Email List Archives

[gnso-ff-pdp-may08]



RE: [Bulk] [gnso-ff-pdp-may08] Mike R's "24/7 abuse queue" proposal

  • To: <joe@xxxxxxxxxxxxxxxxxx>
  • Subject: RE: [Bulk] [gnso-ff-pdp-may08] Mike R's "24/7 abuse queue" proposal
  • From: "Diaz, Paul" <pdiaz@xxxxxxxxxxxxxxxxxxxx>
  • Date: Mon, 4 Aug 2008 17:47:52 -0400

Hi Joe,

Ok, so we're in agreement that the cost of running a 24/7 threat
response capability is not zero.  Either Model A or Model B (below) will
entail costs.  It's too soon to say whether there will be incremental
costs once the web reporting and analysis form is built, but this begs
the question: who will develop and/or maintain the capability?  ICANN?
It took them a long time to come up with the WDPRS, and people still
complain about that system.  

Even if we use that model, I believe it will be very important to know
who points the finger.  WDPRS has been overloaded in the past.  Without
some sort of confirmation requirement (and the ability to block any
senders who abuse the resource), it's not hard to imagine fastfluxers
bombarding a web form-based system with bogus reports to frustrate any
enforcement efforts.  If we try to avoid that with Model B, then we're
acknowledging that anti-FF efforts are going to be costly ...which
brings me back to my previous question: who will pay for all of this
process?

Regards, P

-----Original Message-----
From: Joe St Sauver [mailto:joe@xxxxxxxxxxxxxxxxxx] 
Sent: Sunday, August 03, 2008 9:56 PM
To: Diaz, Paul
Cc: gnso-ff-pdp-May08@xxxxxxxxx
Subject: RE: [Bulk] [gnso-ff-pdp-may08] Mike R's "24/7 abuse queue"
proposal

Hi Paul!

You commented:

#To argue that "the incremental cost of running a 24/7 threat-response
#capability is zero" is misguided. 

It may be a matter of what folks have in mind. Consider two different
models:

Model A: Web form (or abuse reporting email address) accepts abuse
complaints 24x7, where the submission is just a domain name. At the
time of submission, the domain name is automatically tested for
fast flux characteristics. If the domain name appears to exhibit
fast flux characteristics, it is further tested for characteristics
relevant to "high risk" domains that shouldn't be touched. All
that investigative goodness is then passed to a handler for review
and action. Handlers might deal with reported domains once a day,
eight hours a day, or round the clock. Assuming a registrar is
already dealing with other issue reports (e.g., WDPRS, UDRP, 
etc.), and the registrar is not awash with badness, I truly
don't believe this model would require much (if anything) in the
way of incremental resources once the web reporting and analysis
form is built (and that could be shared across all registrars).

Model B would potentially be much more labor intensive. Complaints
could be accepted by phone, or fax, or as free form emails.
Proactive screening and manual site review might occur. Multiple 
parties (handler plus manager, for example) might review all 
submitted domains. Legal might be involved. Formal customer notification
might be attempted in all cases. This process might happen 24x7
in near real time, including having enough capacity to handle
surges in reports.

Obviously model B would be much more expensive than model A, but
I'm not convinced that model A wouldn't be sufficient.

#This brings me back to some of the questions I posed in an earlier
#thread: what standards will be used to identify fastflux domains, 

One mathematical model for this was mentioned in the Mannheim paper:
https://pi1.informatik.uni-mannheim.de/filepool/research/publications/fast-flux-ndss08.pdf

#how will we vet the "police" making the claim, 

The nice thing about fastflux is that *who* points the finger
doesn't really matter, because the fastflux phenomenon is empirically
and objectively assessable.

It's like figuring out if a patient is running a fever: within the
limits of measurement accuracy, the thermometer provides a trustworthy
objective assessment, and the formula from the Mannheim paper provides 
a similar trustworthy assessment for fast flux.

#who will pay for all of this process, etc.? 

For model A, you could probably just raid the office coffee pool. :-)

Regards,

Joe
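The "Model A" intake Joe sketches (a form accepts a domain name, the name is automatically scored for fast-flux characteristics, high-risk names are set aside, and the rest goes to a handler queue) combined with Paul's concern about bogus reports flooding the form, worked through as an added example. This is editor-written illustration code, not anything from the thread, the working group, or the Mannheim authors. It assumes a linear flux score in the style of the Mannheim paper (distinct A records and distinct ASNs seen across repeated lookups, weighted and compared to a threshold); the weights and threshold in the code are as this editor recalls them from that paper and should be checked against it. All domain names, addresses, ASNs and lookup results are constructed so the script runs offline without touching DNS.

```python
"""Toy "Model A" abuse-intake pipeline (added example, not from the thread).

A reported domain is scored with a Mannheim-style linear flux score, checked
against a do-not-touch list, and either closed, held for manual review, or
placed on the handler queue. Repeated reports of one domain collapse into one
ticket, and reporters who keep submitting below-threshold names are blocked.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Weights and decision threshold as this editor recalls them from the Mannheim
# paper (f(x) = 1.32 * n_A + 18.54 * n_ASN; fast flux if f(x) > 142.38).
# Treat them as an assumption and confirm against the paper before relying on them.
W_A = 1.32
W_ASN = 18.54
THRESHOLD = 142.38

# Constructed list of hypothetical domains that must never be auto-actioned.
DO_NOT_TOUCH = {"example-bank.test", "example-hospital.test"}

# Constructed budget: how many below-threshold ("bogus") reports a reporter may
# file before the form stops accepting submissions from them.
BOGUS_BUDGET = 3


@dataclass
class Observation:
    """One DNS lookup of the reported name: the A records returned and the ASN
    each address maps to (the IP-to-ASN mapping is assumed to come from a
    routing-table or similar source; here it is constructed)."""
    a_records: List[str]
    asns: List[int]


@dataclass
class Ticket:
    domain: str
    n_a: int
    n_asn: int
    score: float
    disposition: str  # "close", "hold" or "queue"


def flux_score(lookups: List[Observation]):
    """Distinct A records and ASNs across all lookups, plus the linear score."""
    n_a = len({ip for o in lookups for ip in o.a_records})
    n_asn = len({asn for o in lookups for asn in o.asns})
    return n_a, n_asn, W_A * n_a + W_ASN * n_asn


def triage(domain: str, lookups: List[Observation]) -> Ticket:
    """Automated step of Model A: score the name and decide where it goes."""
    domain = domain.lower().rstrip(".")
    n_a, n_asn, score = flux_score(lookups)
    if score <= THRESHOLD:
        disposition = "close"   # no fast-flux characteristics observed
    elif domain in DO_NOT_TOUCH:
        disposition = "hold"    # fluxy but high risk: manual review only, no auto-action
    else:
        disposition = "queue"   # hand the evidence to an abuse handler for review/action
    return Ticket(domain, n_a, n_asn, score, disposition)


class IntakeQueue:
    """Web-form front end with duplicate suppression and a bogus-report budget."""

    def __init__(self) -> None:
        self.tickets: Dict[str, Ticket] = {}
        self.bogus: Dict[str, int] = {}
        self.blocked: set = set()

    def submit(self, reporter: str, domain: str,
               lookups: List[Observation]) -> Optional[Ticket]:
        if reporter in self.blocked:
            return None
        key = domain.lower().rstrip(".")
        if key in self.tickets:           # already seen: reuse the open ticket
            return self.tickets[key]
        ticket = triage(key, lookups)
        self.tickets[key] = ticket
        if ticket.disposition == "close":  # count below-threshold reports per reporter
            self.bogus[reporter] = self.bogus.get(reporter, 0) + 1
            if self.bogus[reporter] >= BOGUS_BUDGET:
                self.blocked.add(reporter)
        return ticket


def constructed_lookups(n_lookups: int, ips_per_lookup: int, n_asns: int) -> List[Observation]:
    """Constructed observations: every A record distinct (203.0.113.0/24, TEST-NET-3),
    ASNs cycling through the documentation range starting at 64496."""
    lookups, k = [], 0
    for _ in range(n_lookups):
        ips, asns = [], []
        for _ in range(ips_per_lookup):
            k += 1
            ips.append(f"203.0.113.{k}")
            asns.append(64496 + k % n_asns)
        lookups.append(Observation(ips, asns))
    return lookups


if __name__ == "__main__":
    q = IntakeQueue()
    stable = [Observation(["192.0.2.10", "192.0.2.11"], [64496, 64496])] * 10
    fluxy = constructed_lookups(10, 5, 12)  # 50 distinct addresses in 12 ASNs
    for dom, obs in [("example-shop.test", stable), ("flux-example.test", fluxy),
                     ("example-bank.test", fluxy)]:
        t = q.submit("reporter-1", dom, obs)
        print(f"{t.domain:20} n_A={t.n_a:3} n_ASN={t.n_asn:3} "
              f"score={t.score:7.2f} -> {t.disposition}")
```

The split between `triage` and `IntakeQueue` mirrors the two halves of the argument: the scoring itself is objective and needs no trust in the reporter, while the intake layer is where the "who points the finger" question actually bites, handled here by deduplicating on domain and capping below-threshold submissions per reporter rather than by identity vetting.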



