ICANN Email List Archives

[gnso-ff-pdp-may08]



RE: [gnso-ff-pdp-may08] Fluxor Working Group Summary Data on Fast Flux Domains

  • To: rod.rasmussen@xxxxxxxxxxxxxxxxxxxx
  • Subject: RE: [gnso-ff-pdp-may08] Fluxor Working Group Summary Data on Fast Flux Domains
  • From: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
  • Date: Wed, 3 Sep 2008 09:00:26 -0700

Rod mentioned:

#Here's the link:
#
# http://fluxor.laser.dico.unimi.it/~fluxor/summary.html
#
#My understanding is that their detection/qualification is mostly based  
#on spam traps and reporting from individuals.  This averages to a  
#little over 160 FFLUX domains per day through the 25th of August  
#detected in their system.

I think that 160 would be a very low estimate, and at the same time,
that number might give a misleading impression as to the number of 
distinct actors using this technique.

Recall that the normal approach that spammers employ (when using fastflux 
*or* regular domains) is to register "batches" of domains. How do we know
they're "batches"? Well, because they resolve to the same set of IPs, 
they share common whois data characteristics including things like common 
point of contact data, common name servers, etc. They clump or cluster, 
they really do.

So I would assert that the fluxor data simultaneously:

-- understates the number of domains fluxing in any given day, and

-- conveys what might be a misleading impression w.r.t. the number of
   actors actually using this method

But as I type this while listening to Dave's comments on the phone, 
I have to agree that before we say, "The next step is to gather more
data," what data do we really want/need?

For example, does anyone really doubt that fastflux exists? I hope
that at least the existence of the technique, and its use, is not in 
doubt. True?

Does it really matter if the TTL is 300 or 1200 or 600? If so, that
can be studied -- but to what end?

Do we care about the number of IPs seen per FF domain? The number of ASNs?

The registrars used to register the domains?

What the domains are being used for?

I do agree that there was substantial interest in identifying examples
of so-called "legitimate" fast flux uses, so that's one bit of research
that is unquestionably still pending, but beyond that, I'm just not seeing
a clear data collection/research-oriented agenda, you know what I mean?

I'm just trying to understand WHAT people want to see researched/what 
people need more data to address...

Thanks,

Joe
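The batch-clustering heuristic Joe describes above (domains that resolve to the same IPs and share the same name servers belong to one registration batch), as an added example that is not part of the original post; the domain names, addresses and name-server hosts are constructed sample data, and the batch count is a rough proxy for distinct actors rather than a measurement of them:

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample observations: domain -> (A-record IPs, name-server hosts).
# Names and addresses are made up for illustration.
OBSERVATIONS: Dict[str, Tuple[Set[str], Set[str]]] = {
    "shop-a.example":   ({"198.51.100.10", "198.51.100.11"}, {"ns1.flux-ns.example"}),
    "shop-b.example":   ({"198.51.100.11", "203.0.113.7"},   {"ns1.flux-ns.example"}),
    "pharma-c.example": ({"203.0.113.7", "192.0.2.44"},      {"ns2.other-ns.example"}),
    "deals-d.example":  ({"192.0.2.99"},                      {"ns9.lonely.example"}),
    "deals-e.example":  ({"192.0.2.100"},                     {"ns9.lonely.example"}),
}


def cluster_batches(observations: Dict[str, Tuple[Set[str], Set[str]]]) -> List[Set[str]]:
    """Group domains into batches: any shared IP or shared name server links two
    domains, and linking is transitive (union-find), so overlapping chains merge."""
    parent = {d: d for d in observations}

    def find(d: str) -> str:
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving keeps lookups short
            d = parent[d]
        return d

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Index domains by each piece of shared infrastructure, then union each group.
    by_infra: Dict[str, List[str]] = defaultdict(list)
    for domain, (ips, name_servers) in observations.items():
        for ip in ips:
            by_infra["ip:" + ip].append(domain)
        for ns in name_servers:
            by_infra["ns:" + ns.lower()].append(domain)
    for members in by_infra.values():
        for other in members[1:]:
            union(members[0], other)

    batches: Dict[str, Set[str]] = defaultdict(set)
    for domain in observations:
        batches[find(domain)].add(domain)
    return sorted(batches.values(), key=lambda b: min(b))


def summarize(observations: Dict[str, Tuple[Set[str], Set[str]]]) -> Tuple[int, int]:
    """Return (domains seen, distinct batches); the gap between them is the point."""
    return len(observations), len(cluster_batches(observations))
```

On the sample data five domains collapse into two batches; in practice the whois and point-of-contact fields the post mentions would be added as further linking keys.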
