ICANN Email List Archives

[gnso-ff-pdp-may08]

[gnso-ff-pdp-may08] The reason we're doing this...

  • To: Fast Flux Workgroup <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: [gnso-ff-pdp-may08] The reason we're doing this...
  • From: Rod Rasmussen <rod.rasmussen@xxxxxxxxxxxxxxxxxxxx>
  • Date: Fri, 15 Aug 2008 09:48:37 -0700


Hi everyone.

Given the various questions and directions we've been exploring through the list here and on the calls, I thought I'd try to help focus things in a bit as things get chewed on over the next few weeks. A lot of people have been asking great questions about the scope of the issues, how things can be addressed in a variety of ways, and why the ICANN community is looking at this issue at all. When the conversation last week postulated that the APWG should be taking care of this issue, I thought that's the sign that we've come full circle on this and need to take a deep breath! We seem to be trying to solve the entire spectrum of online fraud and e-crime issues with our little group now; there's certainly no need for that, as there are plenty of other groups, companies, governments and people that are working on these broader issues. Many of us in the working group here are members of half a dozen or more other independent efforts, and we all run into the same issues from time to time, where the problem seems simply overwhelming, as we're the type of people who like to take on and solve problems and there's just so much to do!

Anyway, I think we're struggling with definitions, solutions, policies, ideas, etc. that are well beyond what is needed here. The APWG and many, many other organizations are all doing lots of great work on attacking the on-line e-crime problem through lots of the ways brought up on this list (spam control, multi-factor authentication, user education, black lists, more secure code, and on and on). We're talking about major government and industry collaborative efforts, not to mention the hundreds of millions of dollars in "security" services and products sold annually to address all these issues. So in general, the problems with on-line fraud/crime are being addressed by multiple efforts, and we are getting better at it (though it doesn't seem like it all the time!).

So what's the problem with "flux" and why are we coming to ICANN to try to help us solve it? Quite simply, it is THE most effective technique for keeping fraudulent sites active on the Internet for the longest period of time, and it requires a domain registration as its primary component for success. The anti-fraud/spam/crime/phishing (whatever) industry has gotten pretty good at getting people and providers to deal with sites on compromised servers or that use fake user accounts - both after getting a report in, and in preventing them in the first place. Note that the institutions being attacked are spending millions on site mitigation efforts, and the ISPs/hosts are doing the same when it comes to intrusion detection, spam prevention, anti-virus, and other vectors that lead to these types of malicious sites. We still have lots to do, but those kinds of issues are getting dealt with relatively quickly these days. However, what has consistently proven more difficult to mitigate are sites using fraudulently registered domain names supported by networks of compromised computers (bots) that flux from place to place, either automatically on a pre-planned schedule or in response to a bot being removed. We can mitigate bots all day long, but without killing (or preventing) the fraudulent domain, the malicious sites live on and on. We're seeing more criminal groups using these techniques, and one has even targeted a major member of the registrar community with such an attack. So this is becoming a more important e-crime issue that is also affecting members of the ICANN community directly.

So what kind of difference are we talking - flux vs. "standard" fraud content hosting? That's a key question for why this does or does not deserve special attention. Well, a very typical answer you will see in the security community is that a "flux" domain attack lasts about twice to SIX times longer than any other kind of phishing site. Here's a reference to an excellent paper on this by Tyler Moore and Richard Clayton of Cambridge from last year on the topic of phishing site uptimes that breaks this out based on hard data:

http://www.cl.cam.ac.uk/~rnc1/ecrime07.pdf

So these flux techniques keep a site up at least twice as long, much longer on many occasions. That's a problem. But what does that mean for monetary/social/other impact? Well, let's stick with just a "hard" data example to give some financial impacts, as they are actually measurable - other stuff, while perhaps much more important, is harder to measure and leads the observer to interpret it the way they want to. Here are some results of a study just done by a major US bank on "losses per hour" due to phishing site exposure. Note these are very conservative estimates, as they are bottom-line MEASURED loss impacts and don't factor in unseen losses through untracked channels or the impact of ID theft on the customer:

Cost of stolen bank access credential (on-line account access/debit card/etc.): $400
Credentials stolen per hour: 0.75 (two every three hours)
Hourly cost = $300
Impact holds throughout the first 72 hours of site uptime.

Typical phishing site median uptime - 9 hours = $2,700
FLUX type attack median uptime - 22 hours = $6,600

FLUX "profit margin" = $3,900 per site (domain).

And that's just for phishing. Other fraud types may not net as much pure profit per site, but for pharma and botnets for instance, there are a heck of a lot more sites (an order of magnitude or two the data will show).

How many flux sites? Well, we're still gathering data, but a very solid report from RSA we've gotten in shows that for PHISHING type flux attacks, we're looking at over 1200 per month over the first six months of 2008. That would extrapolate the "profit" of phishing using flux to nearly $5 million per month = $60MM/year.

Those are supportable hard dollar figures that can be seen as a FLOOR for losses. Note that the bank numbers in that study are for attacks that don't include ROCK phish attacks (a flux technique), which typically net far higher loss numbers per site (domain). For example, one institution targeted by ROCK for 6 months had a lot more losses by itself than the annual figure mentioned above - all directly traced to those ROCK attacks.

Personally, I believe the number of flux domains for phishing is likely about 2-3 times greater, and the impacts much higher to the Internet community because of ID theft and other losses incurred by individuals. So in soft dollars, we're talking much more, and again, that's just phishing alone.

OK, so we've got a $60MM problem that's supportable with measured numbers, that is in reality quite a bit larger for phishing alone, and a heck of a lot bigger when all forms of online fraud are figured in. And remember, this is attributing it solely to the property of FLUX attacks being more effective than other attacks, not the fact that attacks are occurring.

So that brings us back to the original question of why we are addressing FLUX within the ICANN community. First, it's because the technique is doing significantly more harm than others in the on-line crime space. Second, it requires the actions of the domain registration community to effectively mitigate, through quick mitigation or prevention. The uptime numbers show this second point empirically, and the experience of the first responders is fairly universal in support of the notion that it is more difficult to mitigate a flux attack because *in general* the domain registration community is less responsive/proactive than the ISP and hosting communities that are affected by other types of e-crime attacks. We've been working on this FLUX problem in the anti-e-crime community for over two years now, and things aren't getting a lot better attacking it one registrar/registry/rsp at a time, so we hope that a centralized effort can make a real difference.

So perhaps a realistic "goal" metric would be to try to get FLUX attacks to be no worse than other types of online crime events in impact and/or lifetime, and a stretch goal would be to nearly eliminate them.

Anyway, there you go, some thoughts on why we're here and trying to keep focused. There are people and institutions (including many ICANN constituency members) around the world being harmed quite significantly because of this e-crime methodology, and we are in a position to potentially do something about it.

Thanks for your contributions!

Rod Rasmussen
Co-Chair, Internet Policy Committee, APWG
