[gnso-ff-pdp-may08] Proposed additional text, section 5, following line 274
- To: gnso-ff-pdp-May08@xxxxxxxxx
- Subject: [gnso-ff-pdp-may08] Proposed additional text, section 5, following line 274
- From: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 2 Sep 2008 10:05:31 -0700
[existing text at lines 258-273 recounts one definition of fastflux, and
clearly, the definition of fastflux is a pivotal issue for the draft
report. I am, therefore, puzzled that the report omits two important
alternative working definitions of fast flux which were discussed on
the mailing list.]
I would like to propose the inclusion of the following additional text
immediately below line 274 on PDF page 14:
"Some alternative definitions of fastflux.
-----------------------------------------
While the above definition is one that received some discussion in the
working group, alternative definitions of fastflux also exist. For
example:
1) Spamhaus, a major DNS block list operator, defines fastflux (see
http://www.spamhaus.org/faq/answers.lasso?section=ISP%20Spam%20Issues#164 )
to be:
"Fast flux domain hosting involves the use of botnet zombie drones on
broadband IPs infected to act as reverse proxies for the spammer's
website or nameservers. The spamvertised domain, or its nameserver, is
pointed at a rapidly changing series of zombie IPs (hence the name) with
very short "TTL" values -- usually less than five minutes (300s). There
are typically four or five "A" records to distribute the load and
increase the odds of the website staying up. Their proxy service hides
the IP location of the spammer's dedicated servers. As the very action
of hijacking computers is illegal in most jurisdictions, such fast flux
hosting is only used for further criminal activities such as phishing
and child pornography. Because the criminals know they could be
identified if they used valid "whois" data, they always use bogus data,
so registrars can confidently HOLD (suspend) the domain based on ICANN
3.7.7.2."
2) The first empirical study of fast-flux service networks, by Holz,
Gorecki, Rieck and Freiling, "Measuring and Detecting Fast-Flux Service
Networks," https://pi1.informatik.uni-mannheim.de/filepool/research/
publications/fast-flux-ndss08.pdf (URL broken due to its length) at
PDF page 6 provides a flux score which can be used to differentiate
fastflux and non-fastflux domain names.
Namely, they compute a flux score f(x) = 1.32*n(A) + 18.54*n(ASN)
where n(A)=the number of "A" records to which a domain name resolves,
and n(ASN)=the number of autonomous system numbers associated with
those A records. If f(x) exceeds 142.38, they score that domain as
fastflux. Note that f(x) may increase over time with multiple
resolutions of the domain name yielding additional A records and
potentially additional ASNs."
Inclusion of those two definitions will help to illustrate some of the
alternative working definitions in use, while also showing that we've
done due diligence with respect to the existing state of the academic
literature in the area.
Thank you for considering this potential additional text for the report.
Regards,
Joe
Disclaimer: all opinions strictly my own
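The flux score quoted in the message above, carried through on constructed data as an added example (this is not code from the message, from the working group, or from the Holz et al. paper). The weights 1.32 and 18.54 and the 142.38 threshold are the ones the message quotes; everything else is assumed for illustration: the IP-to-ASN table is invented (RFC 5737 documentation addresses, private-use ASNs), the domain names and DNS answers are constructed, and the `FluxScorer` class, `flux_score`, `score_sequence` and `run_example` are hypothetical names. The example accumulates A records across repeated resolutions so the point at the end of the quoted text, that f(x) can grow with further lookups, is visible: the flux domain scores below the threshold after one lookup and above it after two, while a CDN-style name with many A records but few ASNs stays well below it.

```python
"""Flux-score classifier after Holz, Gorecki, Rieck and Freiling (NDSS 2008).

Added example, not code from the mailing-list message or the paper. Weights
and threshold are as quoted in the message; all addresses, ASNs, domain
names and DNS answers below are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

W_A = 1.32          # weight on n(A): distinct A records observed for the name
W_ASN = 18.54       # weight on n(ASN): distinct ASNs those addresses sit in
THRESHOLD = 142.38  # f(x) above this value => classified as fast-flux


def flux_score(n_a: int, n_asn: int) -> float:
    """f(x) = 1.32*n(A) + 18.54*n(ASN), exactly as quoted in the message."""
    return W_A * n_a + W_ASN * n_asn


class FluxScorer:
    """Accumulates A records per domain across repeated resolutions.

    The score is computed over the union of every A record seen so far, so
    it can only rise as more lookups are made: a name that looks benign after
    one lookup may cross the threshold after the next rotation.
    """

    def __init__(self, ip_to_asn: Dict[str, int]) -> None:
        self.ip_to_asn = ip_to_asn
        self.a_records: Dict[str, Set[str]] = defaultdict(set)

    def observe(self, domain: str, answers: Iterable[str]) -> float:
        """Record one resolution's A records; return the updated score."""
        self.a_records[domain].update(answers)
        return self.score(domain)

    def n_a(self, domain: str) -> int:
        return len(self.a_records[domain])

    def n_asn(self, domain: str) -> int:
        # An address missing from the table is a lookup failure, not a new
        # ASN; fail loudly (KeyError) rather than silently skew the score.
        return len({self.ip_to_asn[ip] for ip in self.a_records[domain]})

    def score(self, domain: str) -> float:
        return flux_score(self.n_a(domain), self.n_asn(domain))

    def is_fast_flux(self, domain: str) -> bool:
        return self.score(domain) > THRESHOLD


# --- constructed data (hypothetical, not real measurements) ----------------
# A real deployment would take IP-to-ASN mappings from a BGP feed or an
# IP-to-ASN lookup service; this table is invented for the example.
IP_TO_ASN: Dict[str, int] = {}


def _add(prefix: str, hosts: Iterable[int], asn: int) -> List[str]:
    """Register prefix.host addresses under one ASN; return the addresses."""
    ips = [f"{prefix}.{h}" for h in hosts]
    for ip in ips:
        IP_TO_ASN[ip] = asn
    return ips


# Static site: two addresses in a single network.
STATIC = _add("192.0.2", [10, 11], 64500)
# CDN-style site: eight addresses, but only two networks behind them.
CDN = _add("198.51.100", range(1, 5), 64510) + _add("198.51.100", range(5, 9), 64511)
# Flux domain: each lookup returns five hosts on different residential
# networks; the second lookup rotates to fresh hosts, some in new ASNs.
FLUX_1 = [_add("203.0.113", [h], 64520 + i)[0] for i, h in enumerate([1, 2, 3, 4, 5])]
FLUX_2 = [_add("203.0.113", [h], asn)[0]
          for h, asn in zip([6, 7, 8, 9, 10], [64525, 64526, 64520, 64521, 64522])]


def score_sequence(lookups: Iterable[Iterable[str]]) -> List[float]:
    """Score one domain after each successive resolution in `lookups`."""
    scorer = FluxScorer(IP_TO_ASN)
    return [scorer.observe("probe.example", answers) for answers in lookups]


def run_example() -> Dict[str, Tuple[float, bool]]:
    """Feed the constructed answers through one scorer; return (score, verdict)."""
    scorer = FluxScorer(IP_TO_ASN)
    scorer.observe("static.example", STATIC)   # n(A)=2,  n(ASN)=1 -> 21.18
    scorer.observe("cdn.example", CDN)         # n(A)=8,  n(ASN)=2 -> 47.64
    scorer.observe("flux.example", FLUX_1)     # n(A)=5,  n(ASN)=5 -> 99.30
    scorer.observe("flux.example", FLUX_2)     # n(A)=10, n(ASN)=7 -> 142.98
    return {d: (scorer.score(d), scorer.is_fast_flux(d))
            for d in ("static.example", "cdn.example", "flux.example")}


if __name__ == "__main__":
    for domain, (score, verdict) in run_example().items():
        print(f"{domain:16} f(x)={score:7.2f}  fast-flux={verdict}")
```

Two things worth noticing when reading the numbers: the ASN term dominates (one extra ASN is worth about fourteen extra A records), which is what keeps the CDN-style name below the threshold despite its eight addresses, and the flux name crosses 142.38 only on the second lookup, so a single resolution is not enough to classify a domain under this score.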