[gnso-ff-pdp-may08] Comments on the report
- To: Fast Flux Workgroup <gnso-ff-pdp-May08@xxxxxxxxx>
- Subject: [gnso-ff-pdp-may08] Comments on the report
- From: Dave Piscitello <dave.piscitello@xxxxxxxxx>
- Date: Tue, 2 Sep 2008 11:08:37 -0700
Section 5, Fast Flux Definition
Lines 260-261
· Is operated on one or more compromised hosts (i.e., using software that
was installed on hosts without notice or consent to the system
operator/owner);
Suggested change:
· Some but not necessarily all of the network nodes are operated on
compromised hosts (i.e., using software that was installed on hosts without
notice or consent to the system operator/owner);
[This considers the scenarios the WG discussed where attackers use
bulletproof web hosting or hosts they "lease" for the phishing or illegal
web sites and use obfuscation/redirection through proxies operated on
compromised sites]
Suggested addition: Insert after line 274:
Additional characteristics that in combination or collectively have been
used to distinguish or "fingerprint" a fast flux hosting attack include:
- multiple IPs per NS spanning multiple ASNs,
- frequent NS changes,
- in-addrs of IPs lying within consumer broadband allocation blocks,
- domain name age,
- poor quality WHOIS,
- determination that the nginx proxy is running on the addressed machine
(nginx is commonly used to hide/proxy illegal web servers).
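The fingerprint characteristics listed in the message above can be turned into a simple scoring routine over passive DNS observations. The following is an added example, not code from the message, the Fast Flux Workgroup or the draft report: the prefix-to-ASN table, the "consumer broadband" block list, the sample domains and the thresholds (five indicators, each a yes/no test) are all constructed assumptions, and the nginx check is omitted because it requires actively probing the addressed host.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed, illustrative prefix -> ASN table (in practice this comes from a
# BGP or routing-registry feed). The prefixes are documentation ranges used
# purely as sample input; the ASNs are private-use numbers.
ASN_TABLE = {
    ip_network("203.0.113.0/24"): 64500,
    ip_network("198.51.100.0/24"): 64501,
    ip_network("192.0.2.0/24"): 64502,
}

# Constructed: blocks this example treats as consumer broadband allocations.
BROADBAND_BLOCKS = [ip_network("198.51.100.0/24"), ip_network("192.0.2.0/24")]


@dataclass
class Snapshot:
    """One DNS observation: the domain's A records and, per NS name, the
    addresses that name server resolved to at that time."""
    observed: date
    a_records: list
    ns_addresses: dict


@dataclass
class DomainObservation:
    name: str
    created: date          # creation date from registration data
    whois_complete: bool   # False when registrant fields are missing or bogus
    snapshots: list        # chronological list of Snapshot


def asn_for(ip):
    """Longest-prefix lookup is unnecessary here: the sample prefixes are disjoint."""
    addr = ip_address(ip)
    for net, asn in ASN_TABLE.items():
        if addr in net:
            return asn
    return None


def in_broadband_block(ip):
    addr = ip_address(ip)
    return any(addr in net for net in BROADBAND_BLOCKS)


def fast_flux_indicators(obs, today):
    """Evaluate each heuristic from the list; returns indicator name -> bool."""
    a_ips = {ip for s in obs.snapshots for ip in s.a_records}

    # Multiple IPs per NS spanning multiple ASNs.
    multi_asn_ns = False
    for snap in obs.snapshots:
        for ips in snap.ns_addresses.values():
            asns = {asn_for(ip) for ip in ips} - {None}
            if len(ips) >= 2 and len(asns) >= 2:
                multi_asn_ns = True

    # Frequent NS changes: consecutive snapshots whose NS name set differs.
    ns_sets = [frozenset(s.ns_addresses) for s in obs.snapshots]
    ns_changes = sum(1 for a, b in zip(ns_sets, ns_sets[1:]) if a != b)

    # Share of A-record addresses that fall in consumer broadband blocks.
    broadband = sum(1 for ip in a_ips if in_broadband_block(ip))
    broadband_share = broadband / len(a_ips) if a_ips else 0.0

    age_days = (today - obs.created).days

    # Thresholds below are assumptions chosen for the example, not WG figures.
    return {
        "multi_ip_multi_asn_ns": multi_asn_ns,
        "frequent_ns_changes": ns_changes >= 2,
        "broadband_hosts": broadband_share >= 0.5,
        "young_domain": age_days < 30,
        "poor_whois": not obs.whois_complete,
    }


def fast_flux_score(obs, today):
    """Number of indicators that fired (0..5); a high score only flags a
    domain for analyst review, it is not proof of fast flux by itself."""
    return sum(fast_flux_indicators(obs, today).values())


TODAY = date(2008, 9, 2)

# Constructed sample: a domain with the profile the indicator list describes.
SUSPECT = DomainObservation(
    name="example-flux.test", created=date(2008, 8, 28), whois_complete=False,
    snapshots=[
        Snapshot(date(2008, 9, 1), ["198.51.100.10", "192.0.2.20", "203.0.113.30"],
                 {"ns1.example-flux.test": ["198.51.100.5", "203.0.113.5"]}),
        Snapshot(date(2008, 9, 2), ["198.51.100.11", "192.0.2.21"],
                 {"ns2.example-flux.test": ["192.0.2.5", "203.0.113.6"]}),
        Snapshot(date(2008, 9, 2), ["192.0.2.22", "198.51.100.12"],
                 {"ns3.example-flux.test": ["198.51.100.6", "192.0.2.6"]}),
    ],
)

# Constructed sample: a stable, long-registered domain on one hosting ASN.
BENIGN = DomainObservation(
    name="example-static.test", created=date(2005, 3, 1), whois_complete=True,
    snapshots=[
        Snapshot(date(2008, 9, 1), ["203.0.113.40"],
                 {"ns1.example-static.test": ["203.0.113.2"]}),
        Snapshot(date(2008, 9, 2), ["203.0.113.40"],
                 {"ns1.example-static.test": ["203.0.113.2"]}),
    ],
)

if __name__ == "__main__":
    for d in (SUSPECT, BENIGN):
        print(d.name, fast_flux_score(d, TODAY), fast_flux_indicators(d, TODAY))
```

Run stand-alone, the suspect domain trips all five indicators and the static one none. Any single indicator is weak on its own (many legitimate CDNs spread name servers across ASNs, and many new domains have sparse WHOIS), which is why the message frames these as characteristics used "in combination or collectively".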