Re: [gnso-ff-pdp-may08] TTL Limiting Idea - Alive or Dead?

  • To: Marc Perkel <marc@xxxxxxxxxx>, "gnso-ff-pdp-May08@xxxxxxxxx" <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: Re: [gnso-ff-pdp-may08] TTL Limiting Idea - Alive or Dead?
  • From: Dave Piscitello <dave.piscitello@xxxxxxxxx>
  • Date: Fri, 8 Aug 2008 06:56:07 -0700

By TTL limiting (and assuming you mean TTLs for name server records) do you mean:

 1. restricting the minimum TTL value that can be set for the name servers associated with <name>.<tld>?
 2. restricting the total number of times per {hour,day,week,month} a registrant can change the TTL of a name server
 3. rate limiting (throttling) the TTL changes in some other manner, e.g., a backoff algorithm

I think the original idea came from the SSAC Fast Flux advisory. To be clear, I 
included that option because it was among the possible solutions expressed at 
the time (nearly 11 months ago), when we knew far less about flux attacks than 
we do today. SSAC did not recommend that controlling TTL values alone was a 
definitive remedy, nor one that should be considered effective when used as the 
only remedy.

Given all that the antiphishing and anticrime communities have learned about 
flux attacks since that report, I think that regulating TTL values will not 
prove useful, since it is only one means of creating a resilient network.

You have pretty much stated repeatedly and accurately, in several threads, that 
the choke point that offers the most bang for the buck is taking down the 
domain. A big benefit from focusing on accelerating suspension is that it will 
be effective for a very large set of techniques attackers might use to flux 
their networks to keep them resilient and available.



On 8/8/08 9:18 AM, "Marc Perkel" <marc@xxxxxxxxxx> wrote:



Originally there was an idea on the table about limiting TTLs as a
solution to Fast Flux. Now I think there's some consensus that there is
some good fast flux - so - does that mean that the TTL limiting idea is dead,
or is there a difference between how phishers flux and the way that free
speech fluxes?
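To make the three TTL-control options Dave enumerates concrete, here is an added illustration (not code from the list, ICANN, or SSAC) of how a registrar-side policy could evaluate a registrant's requested name server TTL changes: a minimum TTL floor (option 1), a per-window change quota (option 2), and an exponential backoff between accepted changes (option 3). The thresholds, the window length, and the sequence of change requests are all constructed for the example; they are not values proposed anywhere in the thread.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Tuple

# Constructed policy parameters (assumptions for the example, not from the thread).
MIN_TTL_SECONDS = 300        # option 1: floor on the TTL a registrant may set
MAX_CHANGES_PER_WINDOW = 3   # option 2: accepted changes allowed per window
WINDOW_SECONDS = 86_400      # option 2: sliding window of one day
BACKOFF_BASE_SECONDS = 60    # option 3: first wait after an accepted change; doubles each time


@dataclass
class TTLChangePolicy:
    """Evaluates requested TTL changes for one delegation's name server records."""
    min_ttl: int = MIN_TTL_SECONDS
    max_changes: int = MAX_CHANGES_PER_WINDOW
    window: int = WINDOW_SECONDS
    backoff_base: int = BACKOFF_BASE_SECONDS
    accepted: Deque[int] = field(default_factory=deque)  # timestamps of accepted changes
    next_allowed: int = 0                                 # earliest timestamp the next change may be accepted

    def evaluate(self, ts: int, requested_ttl: int) -> str:
        # Option 1: reject TTLs below the floor outright.
        if requested_ttl < self.min_ttl:
            return "reject: ttl below floor"

        # Option 2: drop accepted changes that have aged out of the sliding window,
        # then refuse if the quota for the current window is already used up.
        while self.accepted and ts - self.accepted[0] >= self.window:
            self.accepted.popleft()
        if len(self.accepted) >= self.max_changes:
            return "reject: change quota exhausted"

        # Option 3: refuse changes that arrive before the backoff interval has elapsed.
        if ts < self.next_allowed:
            return "reject: in backoff"

        # Accept, and schedule the next permitted change. The wait doubles with each
        # change still inside the window, so a burst of edits slows itself down.
        self.accepted.append(ts)
        self.next_allowed = ts + self.backoff_base * 2 ** (len(self.accepted) - 1)
        return "accept"


def run(requests: List[Tuple[int, int]], policy: TTLChangePolicy = None) -> List[str]:
    """Apply the policy to a sequence of (timestamp, requested_ttl) requests in order."""
    policy = policy or TTLChangePolicy()
    return [policy.evaluate(ts, ttl) for ts, ttl in requests]


# Constructed request sequence: (seconds since epoch start, requested TTL in seconds).
SAMPLE_REQUESTS = [
    (0, 60),        # below the floor
    (0, 600),       # first accepted change; backoff of 60 s starts
    (30, 600),      # inside the backoff interval
    (100, 900),     # accepted; backoff now 120 s
    (300, 900),     # accepted; backoff now 240 s, quota for the window used up
    (1_000, 900),   # quota exhausted
    (2_000, 900),   # still exhausted
    (90_000, 900),  # a day later the window has rolled over; accepted again
]

if __name__ == "__main__":
    for (ts, ttl), decision in zip(SAMPLE_REQUESTS, run(SAMPLE_REQUESTS)):
        print(f"t={ts:>6} ttl={ttl:>4} -> {decision}")
```

The checks are ordered so that the cheapest, stateless test (the floor) runs first and the quota is consulted before the backoff timer, which means a registrant who has spent the window's quota sees that reason rather than a transient backoff message. As Dave notes, none of these controls addresses the many other ways a flux network stays resilient; the example only shows what each option would mechanically do.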




