Re: [gnso-ff-pdp-may08] Abuse in general
- To: "gnso-ff-pdp-May08@xxxxxxxxx" <gnso-ff-pdp-May08@xxxxxxxxx>
- Subject: Re: [gnso-ff-pdp-may08] Abuse in general
- From: Marc Perkel <marc@xxxxxxxxxx>
- Date: Fri, 08 Aug 2008 06:52:01 -0700
Dave Piscitello wrote:
> The criminals may have adopted short TTLs but that's not the only
> marker. Anyone who looks at a DNS configuration, sees a short TTL, and
> concludes "this is a fast flux attack" is going to be wrong. And we
> have already agreed to this point.

Agreed. I sometimes use very short TTLs myself, generally if I'm moving
from one data center to another (mass IP change). I will generally
reduce the TTLs to 5 minutes the day before. Then when I make the move
it changes quickly. After the move I set the TTLs back. If someone were
looking only at TTLs then I would be mischaracterized as a criminal.

Generally to get accuracy you need to look at a lot of information and
combine it. Fast TTLs are just one of many indicators. But it's a
combination of things that leads to a conclusion.
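
The point made in this message, as an added example that is not part of the original post or written by any list participant: a TTL-only check flags a planned data-center move, while a check that combines indicators does not. The indicators other than TTL, all thresholds, and the sample lookup histories are assumptions constructed for illustration.

```python
from dataclasses import dataclass

SHORT_TTL = 300  # seconds; the 5-minute value mentioned in the message

@dataclass(frozen=True)
class Snapshot:
    """One A-record lookup for a name: TTL plus the (ip, asn) pairs returned."""
    ttl: int
    addrs: frozenset

def ttl_only(history):
    """Naive check: short TTL on every lookup means 'fast flux'."""
    return all(s.ttl <= SHORT_TTL for s in history)

def indicators(history):
    """Independent indicators; all but short_ttl are assumed, not from the page."""
    seen = set().union(*(s.addrs for s in history))
    changes = sum(1 for a, b in zip(history, history[1:]) if a.addrs != b.addrs)
    return {
        "short_ttl": ttl_only(history),
        "many_ips": len(seen) >= 10,                        # assumed threshold
        "many_networks": len({asn for _, asn in seen}) >= 4,  # assumed threshold
        "constant_churn": changes >= len(history) // 2,     # answers keep changing
    }

def classify(history):
    """Suspicious only when short TTL is joined by at least two other indicators."""
    hits = [name for name, hit in indicators(history).items() if hit]
    return ("short_ttl" in hits and len(hits) >= 3), hits

# Constructed sample: TTL lowered to 5 minutes, one address change (a migration).
old, new = frozenset({("192.0.2.10", 64510)}), frozenset({("198.51.100.10", 64511)})
MIGRATION = [Snapshot(300, old)] * 3 + [Snapshot(300, new)] * 3

# Constructed sample: every lookup returns different hosts spread over six networks.
FLUX_LIKE = [
    Snapshot(120, frozenset((f"203.0.113.{i * 3 + j}", 64496 + (i + j) % 6)
                            for j in range(3)))
    for i in range(6)
]

if __name__ == "__main__":
    for label, hist in (("migration", MIGRATION), ("flux-like", FLUX_LIKE)):
        print(label, "ttl_only:", ttl_only(hist), "combined:", classify(hist))
```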