ICANN Email List Archives

[gnso-ff-pdp-may08]



RE: [gnso-ff-pdp-may08] Fwd: NCUC FF Statement

  • To: <joe@xxxxxxxxxxxxxxxxxx>, <dave.piscitello@xxxxxxxxx>
  • Subject: RE: [gnso-ff-pdp-may08] Fwd: NCUC FF Statement
  • From: "Greg Aaron" <gaaron@xxxxxxxxxxxx>
  • Date: Tue, 19 Aug 2008 10:41:30 -0400

The Mannheim formula is interesting for identifying "domains of interest"
for additional investigation.  The intent or use of the domains, i.e.
whether they are a problem or not, is another matter, of course.

I don't think we want to throw out Dave's work, though -- he made good
points about compromised hosts, etc.  I think it would be useful to go back
to that enumeration.

All best,
--Greg

-----Original Message-----
From: owner-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Joe St Sauver
Sent: Tuesday, August 19, 2008 2:33 AM
To: dave.piscitello@xxxxxxxxx
Cc: gnso-ff-pdp-May08@xxxxxxxxx
Subject: Re: [gnso-ff-pdp-may08] Fwd: NCUC FF Statement


Dave mentioned:

#At one point we were on a very constructive path towards enumerating the 
#characteristics of fast flux networks and thus defining the varieties of 
#such networks. I really wish we would go back to that enumeration and 
#complete it very analytically and dispassionately.

I continue to be quite pleased with the Mannheim definition for 
fastflux (see "Measuring and Detecting Fast-Flux Service Networks,"
http://www.isoc.org/isoc/conferences/ndss/08/papers/
16_measuring_and_detecting.pdf , URL wrapped due to length), and I've yet 
to see an example where it provides an incorrect "false positive" 
classification of a non-fastflux domain as fastflux.

For those who'd like to try a quick test, hotnoun.com (yet another
Canadian Pharmacy pillz domain) currently scores 341.58 at
http://www.uoregon.edu/~joe/fastflux/simple.cgi , well above
the 142.38 cutoff threshold even on just a single pass...

Found 20 IPs:


17 unique ASNs

Mannheim score = 341.58

Could we agree to use the Mannheim definition unless/until someone
else proposes something else that is empirically based and which
seems to do a better job of identifying these domains? The Mannheim
test is simple, fast, objective and seems to provide good
discriminatory power.

Regards,

Joe

Disclaimer: all opinions strictly my own.
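The Mannheim flux score the message above applies, reproduced as an added example (not code from this thread, from the uoregon.edu CGI, or from the paper's authors). It assumes the weights and cutoff published in the cited NDSS 2008 paper (1.32 per unique A record, 18.54 per unique ASN, cutoff 142.38), which reproduce the 341.58 figure quoted above from 20 IPs across 17 ASNs; the IPs, ASNs and domain names are constructed placeholders, and the IP-to-ASN mapping is a supplied dict rather than a live lookup.

```python
# Weights and cutoff from Holz et al., "Measuring and Detecting Fast-Flux
# Service Networks" (NDSS 2008): f(x) = 1.32 * n_A + 18.54 * n_ASN, b = 142.38.
W_A = 1.32       # weight per unique A record (IP address) returned
W_ASN = 18.54    # weight per unique autonomous system those IPs sit in
CUTOFF = 142.38  # scores above this are classified as fast-flux


def mannheim_score(a_records, ip_to_asn):
    """Score one resolved A-record set.

    Returns (score rounded to 2 decimals, n_A, n_ASN).  ip_to_asn must map
    every IP in a_records to its origin ASN (assumption: a complete table).
    """
    ips = set(a_records)
    asns = {ip_to_asn[ip] for ip in ips}
    score = W_A * len(ips) + W_ASN * len(asns)
    return round(score, 2), len(ips), len(asns)


def score_over_passes(passes, ip_to_asn):
    """Union the A records of several successive lookups (the paper's
    multi-pass mode) before scoring, so a flux domain that rotates a few
    IPs per answer still accumulates its full footprint."""
    seen = set()
    for records in passes:
        seen.update(records)
    return mannheim_score(seen, ip_to_asn)


def is_fast_flux(score):
    """Apply the published cutoff to a score from mannheim_score()."""
    return score > CUTOFF


# Constructed sample data (documentation ranges, not real hosts):
# a flux-like domain answering 20 IPs spread over 17 ASNs, and a CDN-like
# benign domain answering 8 IPs that all belong to one ASN.
FLUX_IPS = [f"203.0.113.{i}" for i in range(20)]
CDN_IPS = [f"198.51.100.{i}" for i in range(8)]
IP_TO_ASN = {ip: 64496 + i % 17 for i, ip in enumerate(FLUX_IPS)}
IP_TO_ASN.update({ip: 65536 for ip in CDN_IPS})

if __name__ == "__main__":
    for name, ips in (("flux-example", FLUX_IPS), ("cdn-example", CDN_IPS)):
        score, n_a, n_asn = mannheim_score(ips, IP_TO_ASN)
        verdict = "fast-flux" if is_fast_flux(score) else "not fast-flux"
        print(f"{name}: {n_a} IPs, {n_asn} ASNs, score {score} -> {verdict}")
```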



