
Re: [gnso-ff-pdp-may08] Fluxor Working Group Summary Data on Fast Flux Domains

  • To: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>, "rod.rasmussen@xxxxxxxxxxxxxxxxxxxx" <rod.rasmussen@xxxxxxxxxxxxxxxxxxxx>
  • Subject: Re: [gnso-ff-pdp-may08] Fluxor Working Group Summary Data on Fast Flux Domains
  • From: Dave Piscitello <dave.piscitello@xxxxxxxxx>
  • Date: Wed, 3 Sep 2008 09:39:03 -0700

Two points:


 1.  Rod's data point, with Joe's qualifier, makes sense to me.
 2.  Since we are all over the map with respect to what data we ought to
collect and study, I think it might be helpful to provide some data points that
we do have to illustrate that there are many ways to collect and study data
associated with flux-based attacks. For example, we have some data that helps
drive home aspects of the working definition (e.g., IP addresses span multiple
ASNs). Including such data points seems useful to me.


On 9/3/08 12:00 PM, "Joe St Sauver" <joe@xxxxxxxxxxxxxxxxxx> wrote:

Rod mentioned:

#Here's the link:
#
# http://fluxor.laser.dico.unimi.it/~fluxor/summary.html
#
#My understanding is that their detection/qualification is mostly based
#on spam traps and reporting from individuals.  This averages to a
#little over 160 FFLUX domains per day through the 25th of August
#detected in their system.

I think that 160 would be a very low estimate, and at the same time,
that number might give a mis-given impression as to the number of
distinct actors using this technique.

Recall that the normal approach that spammers employ (when using fastflux
*or* regular domains) is to register "batches" of domains. How do we know
they're "batches"? Well, because they resolve to the same set of IPs,
they share common whois data characteristics including things like common
point of contact data, common name servers, etc. They clump or cluster,
they really do.

So I would assert that the fluxor data simultaneously:

-- understates the number of domains fluxing in any given day, and

-- conveys what might be a misleading impression w.r.t. the number of
   actors actually using this method

But as I type this while listening to Dave's comments on the phone,
I have to agree that before we say, "The next step is to gather more
data," what data do we really want/need?

For example, does anyone really doubt that fastflux exists? I hope
that at least the existence of the technique, and its use, is not in
doubt. True?

Does it really matter if the TTL is 300 or 1200 or 600? If so, that
can be studied -- but to what end?

Do we care about the number of IPs seen per FF domain? The number of ASNs?

The registrars used to register the domains?

What the domains are being used for?

I do agree that there was substantial interest in identifying examples
of so-called "legitimate" fast flux uses, so that's one bit of research
that is unquestionably still pending, but beyond that, I'm just not seeing
a clear data collection/research-oriented agenda, you know what I mean?

I'm just trying to understand WHAT people want to see researched/what
people need more data to address...

Thanks,

Joe
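Joe's point above (that a per-day domain count both understates flux activity and overstates the number of distinct actors, because registrants work in "batches" that share IPs and name servers) can be made concrete with a small analysis script. The following is an added illustration, not code from either message or from the Fluxor project: it takes passive-DNS style observations, computes the per-domain indicators the thread mentions (distinct IPs, distinct ASNs, TTL), and then groups flagged domains into batches by shared infrastructure with a union-find. The observation records, the prefix-to-ASN table and the thresholds are all constructed for the example; a real run would take resolver logs and a proper prefix-to-ASN lookup.

```python
"""Group fast-flux candidate domains into batches by shared infrastructure.

All sample data below is constructed for illustration. The ASN table is a
stand-in for a real prefix-to-ASN lookup (BGP table, Cymru-style service).
"""
from collections import defaultdict

# Constructed passive-DNS style records: (domain, resolved IP, TTL, name server)
OBSERVATIONS = [
    ("shop-a.example",  "198.51.100.10", 300,   "ns1.flux-ns.example"),
    ("shop-a.example",  "203.0.113.7",   300,   "ns1.flux-ns.example"),
    ("shop-a.example",  "192.0.2.200",   300,   "ns1.flux-ns.example"),
    ("shop-b.example",  "198.51.100.10", 300,   "ns1.flux-ns.example"),
    ("shop-b.example",  "203.0.113.7",   300,   "ns1.flux-ns.example"),
    ("pills-c.example", "192.0.2.201",   600,   "ns2.other-ns.example"),
    ("pills-c.example", "198.51.100.44", 600,   "ns2.other-ns.example"),
    ("pills-d.example", "203.0.113.99",  600,   "ns2.other-ns.example"),
    ("pills-d.example", "192.0.2.77",    600,   "ns2.other-ns.example"),
    ("static.example",  "192.0.2.50",    86400, "ns.static.example"),
]

# Constructed prefix -> ASN mapping (illustrative only, documentation ranges)
PREFIX_TO_ASN = {
    "198.51.100.": 64496,
    "203.0.113.":  64497,
    "192.0.2.":    64498,
}


def asn_for(ip):
    """Map an IP to an ASN using the constructed prefix table."""
    for prefix, asn in PREFIX_TO_ASN.items():
        if ip.startswith(prefix):
            return asn
    return None


def per_domain_stats(observations):
    """Per-domain indicators: set of IPs, set of ASNs, set of NS, minimum TTL."""
    stats = defaultdict(lambda: {"ips": set(), "asns": set(), "ns": set(), "ttl": None})
    for domain, ip, ttl, ns in observations:
        s = stats[domain]
        s["ips"].add(ip)
        asn = asn_for(ip)
        if asn is not None:
            s["asns"].add(asn)
        s["ns"].add(ns)
        s["ttl"] = ttl if s["ttl"] is None else min(s["ttl"], ttl)
    return dict(stats)


def flux_candidates(stats, min_ips=2, min_asns=2, max_ttl=1800):
    """Flag domains that spread over several IPs/ASNs with a short TTL.

    The thresholds are assumptions for the example, not a published definition.
    """
    return sorted(
        d for d, s in stats.items()
        if len(s["ips"]) >= min_ips and len(s["asns"]) >= min_asns and s["ttl"] <= max_ttl
    )


def cluster_by_shared_infrastructure(stats, domains):
    """Union-find: domains sharing any IP or name server land in one batch."""
    parent = {d: d for d in domains}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    owner = {}  # infrastructure key -> first domain observed using it
    for d in domains:
        keys = [("ip", ip) for ip in stats[d]["ips"]] + [("ns", ns) for ns in stats[d]["ns"]]
        for k in keys:
            if k in owner:
                union(owner[k], d)
            else:
                owner[k] = d
    clusters = defaultdict(set)
    for d in domains:
        clusters[find(d)].add(d)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])


def summarize(observations):
    """Return (flagged domain count, batch count): the two numbers Joe contrasts."""
    stats = per_domain_stats(observations)
    cands = flux_candidates(stats)
    batches = cluster_by_shared_infrastructure(stats, cands)
    return len(cands), len(batches)


if __name__ == "__main__":
    st = per_domain_stats(OBSERVATIONS)
    cands = flux_candidates(st)
    for batch in cluster_by_shared_infrastructure(st, cands):
        print("batch:", ", ".join(batch))
    print("flagged domains: %d, distinct batches: %d" % summarize(OBSERVATIONS))
```

On the constructed input four domains are flagged but they collapse into two batches (one linked by shared IPs, one by a shared name server), which is exactly the gap between "domains fluxing per day" and "actors using the technique" that the message describes; the short-TTL, single-IP `static.example` record is left out as a control.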