ICANN Email List Archives

[gnso-ff-pdp-may08]



[gnso-ff-pdp-may08] Who is harmed, who benefits (replacement text)

  • To: Fast Flux Workgroup <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: [gnso-ff-pdp-may08] Who is harmed, who benefits (replacement text)
  • From: Dave Piscitello <dave.piscitello@xxxxxxxxx>
  • Date: Mon, 8 Sep 2008 05:13:01 -0700



The rationale for including this change is that it provides a reasonably
complete set of harms and benefits given the working definition of fast flux
we include in the report. The harms are an enumeration of harms identified
in prior work on fast flux (Honeynet FF paper, SSAC report). The benefits
capture the suggested beneficial uses of fast flux techniques that appear to
have been acceptable to several members of the FFWG. The proposed text in
this section has been revised to match the working definition of fast flux,
including changes I proposed earlier.


Who is harmed by fast flux techniques when used in support of attack
networks?

1. Individuals whose computers are infected by attackers and subsequently
used to host facilities in a fast flux attack network (e.g., nginx proxies,
nameservers or web sites). The individual may have his Internet connection
blocked. In the extreme, should the computer be suspected of hosting illegal
material (e.g., child pornography), the computer may be seized by law
enforcement agents (LEAs) and the individual may be subjected to a criminal
investigation.

2. Businesses and organizations whose computers are infected and
subsequently used to host facilities in a fast flux attack network. These
organizations may have Internet connections blocked, which may result in
loss of connectivity for all users and customers, as well as the possible
loss of connectivity for any Internet services also hosted via the blocked
connection (e.g., mail, web, e-merchant or ecommerce sites). Again, in the
extreme, should the computer be suspected to host illegal material, the
computer may be seized by LEAs and the individual may be subjected to a
criminal investigation. If this computer were hosting web and other services
for the business/organization, the seizure could also result in an
interruption of service, loss of income or "web presence". Registries may
suspend name resolution of the organization's domain if ordered by courts or
LEAs.

3. Individuals who receive phishing emails and are lured to a phishing site
hosted on a fast flux attack network may have their identities stolen or
suffer financial loss from credit card, securities or bank fraud. They may
unwittingly disclose medical or personal information that could be used for
blackmail or coercion. They may infect their computers with malicious
software that would "enlist" their computers into a bot herd. Individuals
who purchase bogus products, especially pharmaceuticals, may be physically
harmed from using such products.

4. Internet access operators are harmed when their IP address blocks are
associated with fast flux attack networks. These operators also bear the
burden of switching the unauthorized traffic that fast flux attack networks
generate and they may also incur the cost of diverting staff and resources
to respond to abuse reports or legal inquiries.

5. Registrars may be reputationally harmed when their registration and DNS
hosting services are used to facilitate fast flux attack networks that
employ "double flux" techniques. Like Internet access providers, they may
also incur the cost of diverting staff and resources to monitor abuse, or to
respond to abuse reports or legal inquiries.

6. Businesses and organizations who are "phished" from bogus web sites
hosted on fast flux attack networks may experience financial or material
loss, tarnish to brand, or loss of customer/consumer confidence. They also
incur the cost associated with brand abuse monitoring, detection and
mitigation.

7. Individuals or businesses whose lives or livelihoods are affected by the
illegal activities abetted through fast flux attack networks, as are persons
who are defrauded of funds or identities, whose products are imitated or
brands infringed upon, and persons who are exploited emotionally or
physically by the distribution of images or enslavement.

8. Registries may incur the cost of diverting staff and resources to monitor
abuse or to respond to abuse reports or legal inquiries relating to fast
flux attack network activity.

Who benefits from the use of fast flux techniques?

1. Organizations that operate highly targetable networks (e.g., government
and military/tactical networks) strive to adhere to very stringent
availability metrics and use short TTLs specifically (and other fast flux
techniques as appropriate) to rapidly relocate network resources which may
come under attack. Note: Targeting a dotted quad rather than a FQDN is
generally preferred by intelligent attackers because this method is more
difficult to detect and isolate the attack origin(s).

2. Content distribution networks such as Akamai use fast flux techniques for
situations where "add, drop, change" of servers are common activities to
complement existing servers with additional capacity, to load balance or
location-adjust servers to meet performance metrics (latency, for example,
can be reduced by making servers available that are fewer hops from the
current most active locus of users and by avoiding lower capacity or higher
cost international/intercontinental transmission links).

3. Organizations that provide channels for free speech, minority advocacies,
and activities, revolutionary thinking may use fast flux techniques to avoid
detection.

4. Criminals, terrorists, and generally, any organization that operates a
fast flux attack network at public expense, harm or detriment benefit from
the use of fast flux techniques.




