Re: [gnso-ff-pdp-may08] case study: fluxing domains used for unusual purpose

[RLVaughn <RL_Vaughn@xxxxxxxxxx>]

Greg Aaron wrote:
> Dear Randy:
>
> Your detective work is ever-thorough!
>
> A conclusion I draw is that it sometimes takes a lot of human expertise and
> hard work (both far beyond the norm) to figure out what is going on with
> some of these names.  
>
> Using the Mannheim formula, this domain would be flagged as a fast-flux
> domain -- in other words, as a false-positive.  And at this point, you feel
> the hosts are not compromised.
>
> The Internet is certainly an ocean of new and unexpected things.
>
> All best,
> --Greg
<snip>

My ability to act with scope measured in microns is only exceeded by
my ability to act at sub-glacial speed.

Even though "The Mannheim Formula" (TMF) title has the visceral appeal worthy
of a Robert Ludnum novel, it is merely an empirical measure with
a concomitant non-zero probability of Type I error.

As to the lack of host compromise on the domain of discussion.  My dowsing
into the responses indicates the first host IP returned for a domain request
predictably seems to be a valid, non-compromised host in commercial space.  The
second and third IPs, on the other hand, appear, with one notable exception, 
appear to be non-responsive to http connection attempts.  I am tempted to 
hypothesize the second and third A record IPs are tossed out as entropy. 
Although this hypothesis is based on my rather-fuzzy recollection of how
'stock' resolvers operate.
Two examples of the above behavior
209.151.227.84, and
58.22.102.8,
present in the data.

I have no idea if what I suspect are entropy-IPs are being used with the
knowledge of the rightful IP holder.  Were the IPs being used without
permission, what would the proper term the IPs be? Exploited?  Inducted?

Based on my mathematical interpretation of the meaning of the word 'all', the 
cumulative application of the TMF would identify the domain as a fastflux
candidate.  Our definition has more detail ( or is in the want thereof)
which we can use to make a further determination of the actual admission of
the domain into the fastflux category, namely node population within eyeball
networks.  The domain fails this secondary test which prevents 
mis-classification.

So, yes, fasflux using TMF.  Not fastflux using the distribution test.

The point of my rambling is, we need to approach classification with
as much scientific method as possible.

I also agree with Mike on keeping things on course and hereby volunteer
to take on the occasional thorn in the side roll for both groups.


Randy