[gnso-ff-pdp-may08] Chunked 18b
- To: gnso-ff-pdp-may08@xxxxxxxxx
- Subject: [gnso-ff-pdp-may08] Chunked 18b
- From: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
- Date: Mon, 15 Sep 2008 21:37:22 -0700
Following is based on forum.icann.org/lists/gnso-ff-pdp-may08/msg00055.html
as currently shown in the changes document at 18.b
The following shows how 18.b can be broken out into individual chunks.
18.b.1 -----------------------------------------------------------------------
After
#"Who is harmed by fast flux activities?"
#
#1. Individuals whose computers are infected by attackers and subsequently
#used to host name servers or web sites for a fast flux phishing attack. The
#individual may have his Internet connection blocked. In the extreme, should
#the computer be suspected of hosting illegal material, the computer may be
#seized by law enforcement agents (LEAs) and the individual may be subjected
#to a criminal investigation.
add:
-- even if their connection doesn't end up completely blocked, users may
experience degraded performance (as computer or network resources get
consumed by the parasitic miscreant user(s) of their system)
-- also, even if the ISP doesn't block the infected user, remote ISPs
may end up blocking all or some traffic from the user, e.g., as a result
of the user's IP being listed on a DNS block list
-- the user may be (repeatedly) diverted from a normal connection to a walled
garden where the only resources they can access are remediation sites
or tools
-- a user's systems may become unstable as a result of malware which was
installed to enable fast fluxing (even some *vendors* have trouble
building patches that are safe for *all* version/patch permutations,
so it shouldn't be surprising if some malware also causes stability issues)
Some specific examples of how users can be harmed by this, beyond what's
already been mentioned, can be seen in things like:
-- increased operational complexity and loss of Internet transparency as
operators implement increasingly draconian measures in an effort to
control abuse from potentially compromised users
-- costs associated with the prophylactic purchase of antivirus products,
home firewall "routers" and other security products meant to keep bots
and other security threats at bay
-- clean up costs when prophylactic measures fail (e.g., when a non-technical
user needs to hire a technician to help them try to get uninfected)
-- in the case of users who get dropped by their ISP, or who become so
disgusted with their ISP that they leave, the costs associated with
moving from one ISP to another, including both direct contractual costs
(such as potentially overlapping subscription costs, or disconnection
and connection fees), as well as indirect costs such as changes in
email addresses (with attendant lost or delayed email), time spent
learning the ins-and-outs of a new ISP, time spent reconfiguring
systems to use the new ISP, etc.
18.b.2 -----------------------------------------------------------------------
Following
#2. Businesses and organizations whose computers are infected may have
#Internet connections blocked, which may result in loss of connectivity for
#all users as well as the possible loss of connectivity for any Internet
#services also hosted via the blocked connection (e.g., mail, web, e-merchant
#or ecommerce sites). Again, in the extreme, should the computer be suspected
#to host illegal material, the computer may be seized by LEAs and the
#individual may be subjected to a criminal investigation. If this computer
#were hosting web and other services for the business/organization, the
#seizure could also result in an interruption of service, loss of income or
#"web presence".
add
A compromised system in a business environment also immediately raises the
dreaded spectre of a breach of personally identifiable information (PII).
If PII was present on the compromised machine, notification may be mandated
by statute, which may result in substantial direct costs to affected
organization (my understanding is that a dollar a notification is a very
conservative floor for notification costs, and obviously some PII incidents
involve millions of affected individuals). PII-related worries also drive
the substantial costs associated with deployment of whole disk encryption.
Some businesses may also be affected by additional legislation specific to
their discipline, e.g., here in the States, things like GLBA or HIPAA apply
to financial institutions or health care institutions, respectively.
Employees may also be subject to non-criminal consequences, including
sanctions up to and including dismissal if they are found to be, or are
simply *believed to be*, at least partially responsible for their
company-supplied system being compromised.
18.b.3 -----------------------------------------------------------------------
Following
#3. Individuals who receive phishing emails and are lured to a phishing site
#hosted on a bot used by the miscreants/criminals who run the phishing attack
#may have their identities stolen or suffer financial loss from credit card,
#securities or bank fraud.
add
Those losses may include both direct losses which a financial institution
declines to make whole, as well as indirect costs (potentially higher
interest rates, reduced credit lines, declined credit applications, etc.)
Identity theft can also touch on national security issues, if stolen
identity information is used to illegally cross borders, to illegally
remain in country or to work without permission, or to purchase items or
services (such as weapons or airline travel) that might not otherwise be
available if a person used their real identity.
18.b.4 -----------------------------------------------------------------------
Following
#They may unwittingly disclose medical or personal
#information that could be used for blackmail or coercion.
add
or for discriminatory treatment by employers concerned with potential
costs associated with identified (but latent) genetic conditions, for
example.
Fear that medical record systems are porous may also deter some individuals
from even seeking help ("I'd like to find out what's causing my condition,
but I'm afraid that if I go in, the whole town will know I have <whatever>")
18.b.5 ---------------------------------------------------------------------
Delete
#They may infect
#their computers with malicious software that would "enlist" their computers
#into a bot herd.
Rationale:
It seems odd to have this item pop up here -- this feels more like something
that belongs in an introductory paragraph explaining how fastflux works
18.b.6 ---------------------------------------------------------------------
Below
#Individuals who purchase bogus products, especially
#pharmaceuticals, may be physically harmed from using such products.
strike the trailing period and add
... and in a variety of ways. For example:
-- teenagers might have uncontrolled access to narcotics, steroids or other
dangerous controlled substances, with potentially tragic consequences,
-- women attempting to purchase birth control patches online might be sold
adhesive bandages with no active ingredient whatsoever instead
-- cancer patients, rather than receiving efficacious treatment from a
licensed physician, might rely on bogus online herbal "cures" that
actually do nothing to treat their disease, again, potentially resulting
in deaths or serious complications
Illegal generic drugs also undercut the incentive for pharmaceutical firms
to invest in new drug research by cutting into their earning stream while
their discovery is, or should be, protected by patents.
Sale of counterfeit products is another example of how fast flux networks
can result in users and businesses being harmed. Counterfeit products may
undermine the value of carefully nurtured brand names, leave consumers with
shoddy or dysfunctional products, deny nations legitimate customs revenues
associated with the importation of premium brand-name products, or result in
unsafe products (for example as a result of counterfeit UL-listed electrical
appliance cords).
18.b.7 ----------------------------------------------------------------------
#4. Internet access operators
Replace
"Internet access operators"
with
"Internet service providers"
Rationale: "Internet service providers" is the commonly used term for the
service being referred to; "Internet access operators" would be an uncommon
and potentially confusing usage
18.b.8 ----------------------------------------------------------------------
Below
#are harmed when their IP address blocks
add
and their domain names
Rationale: reputation damage accrues not just to IP addresses but also to
domain names.
18.b.9 ----------------------------------------------------------------------
Below:
#are associated with bot nets and phishing attacks that are linked to fast flux
#activities. These operators also bear the burden of switching the
#unauthorized traffic that phishing attacks generate and they may also incur
#the cost of diverting staff and resources to respond to abuse reports or
#legal inquiries.
strike the final period and add:
or helping users to get cleaned up, or purchasing antivirus products
to hand out to users, or deploying network-based remediation solutions.
ISPs are harmed when spammers send spam spamvertising fastflux-hosted
sites, and the ISPs get deluged with that fastflux-enabled spam.
ISPs may also experience excess DNS-related traffic as a result of
fastflux, resulting in the need for them to deploy additional
recursive resolver capacity.
ISPs may also be forced to deploy deep packet inspection equipment or
other networking equipment to detect and respond to fastflux hosted
sites on customer systems. (Because fast flux web sites can be easily
hosted on arbitrary ports, port-based blocking solutions won't work
to control fastflux hosting, unlike port 25 blocks deployed to
control direct-to-MX spam).
18.b.10 ---------------------------------------------------------------------
Below
#5. Registrars are harmed when their registration and DNS hosting services
#are used to abet "double flux" attacks. Like Internet access providers, they
#may also incur the cost of diverting staff and resources to monitor abuse,
#or to respond to abuse reports or legal inquiries.
add
Registrars currently see wdprs.internic.net complaints in conjunction with
fast flux domains simply because that's the sole complaint mechanism
currently available which potentially reaches fastflux domain name abuse.
Antispam activists have thus become very good at carefully scrutinizing
spamvertised fastflux domain names for whois problems.
Dealing with those WDPRS reports represents an additional registrar-specific
cost.
Providing a reporting channel that focusses on the actual issue (a domain
has been detected which is engaged in criminal activity) rather than the
substitute issue (there's a problem with the domain's whois data), will
clarify the problem at hand.
18.b.11 --------------------------------------------------------------------
After
#7. Individuals or businesses whose lives or livelihoods are affected by the
#illegal activities abetted through fast flux networks, as are persons who
#are defrauded of funds or identities, whose products are imitated or brands
#infringed upon, and persons who are exploited emotionally or physically by
#the distribution of images or enslavement.
add
Examples of these ills can be seen in things such as child pornography,
unauthorized distribution of proprietary software ("warez"), unauthorized
distribution of copyrighted music and movies, unauthorized distribution of
counterfeit "knock-off" trademarked merchandise, etc.
18.b.12 --------------------------------------------------------------------
After
#8. Registries may incur the cost of diverting staff and resources to monitor
#abuse or to respond to abuse reports or legal inquiries.
add
Uptake/legitimate use of some TLDs may also be impacted by fast flux abuse.
If the public perceives that sheer use of a domain from a particular TLD
may result in negative scoring by anti-spam software such as SpamAssassin,
that can be a powerful disincentive hindering the adoption and use of that
registry's TLD.
18.b.13 --------------------------------------------------------------------
After
#Who benefits from the use of short TTLs?
add
"Short TTLs" per se are NOT synonymous with "fastflux." Short TTLs are
only one characteristic associated with fastflux domains.
18.b.14 --------------------------------------------------------------------
After
#2. Content distribution networks such as Akamai, where "add, drop, change"
#of servers are common activities to complement existing servers with
#additional capacity, to load balance or location-adjust servers to meet
#performance metrics (latency, for example, can be reduced by making servers
#available that are fewer hops from the current most active locus of users
#and by avoiding lower capacity or higher cost international/intercontinental
#transmission links).
add
Some providers may also selectively return different IP addresses in response
to DNS queries from different audiences -- e.g., you might get German content
if you're connecting from what appears to be a German IP address, or French
content if you're connecting from what appears to be a French IP address.
18.b.15 --------------------------------------------------------------------
After
#3. Organizations that provide channels for free speech, minority advocacies,
#and activities, revolutionary thinking may use short TTLs and operate
#fast-flux like networks to avoid detection.
add
Some members of the working group note that they haven't observed this.
Free speech organizations and activist entities may offer or use
encrypted, non-attributable, or covert communication channels, such as
PGP/Gnu Privacy Guard, remailers, steganographic methods, Tor/"onion
routing," anonymous VPN services, etc., but an example of genuine fast
flux hosting (including operation on involuntarily botted hosts) has
not be identified to date.
Fast flux methods, when they've been observed in use, have been used to
enable hosting of spamvertised or illegal web sites.
Those spamvertised and/or illegal web sites may be phishing web sites,
or malware web dropping sites, or child porn sites, or warez sites, or
carding sites, or whatever, but to date working group participants have
not identified even a single case where political, religious or other
dissident web sites have been found to be hosted on fast flux.
Dissident web sites don't need fast flux. They can simply purchase
legitimate extraterritorial web hosting, so that even if one country
won't allow their web site to be hosted, someone abroad typically
will do so.
The sites which do end up on fastflux web hosting are those which are so
far beyond the pale that NO ONE will host them *anywhere* in the world.
That category is generally limited to spammers and egregious types of
content such as child pornography, phishing, malware, carding, etc.
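Editor's added example (not part of the message above, nor working group material). Items 18.b.13 and 18.b.14 make the point that a short TTL is only one characteristic of a fast flux domain, and that CDNs and geo-aware resolvers legitimately return short-lived, changing answers. The script below shows how a resolver-side heuristic can separate the two by looking at what else the answers show: how many distinct addresses appear across repeated queries, how many distinct networks they fall in, and how much of each answer is new relative to the previous one. All DNS observations are constructed inline (documentation and private address ranges stand in for real hosts); the thresholds are illustrative; and the /16 prefix is a stand-in for the ASN lookup a real implementation would use.

```python
"""Short TTL alone is not fast flux: a feature-based heuristic.

Added example, not from the original message. Observations are constructed
inline; a real collector would issue repeated queries for the name and would
replace the /16 prefix count with an ASN lookup (assumption noted in prose).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Sequence, Tuple


@dataclass(frozen=True)
class Observation:
    t: int                  # seconds since the first query (constructed)
    ttl: int                # TTL on the A records in this response
    addrs: Tuple[str, ...]  # A records returned in this response


def slash16(addr: str) -> str:
    """Coarse network key; stands in for an ASN lookup (assumption)."""
    return str(ipaddress.ip_network(f"{addr}/16", strict=False))


def flux_features(obs: Sequence[Observation]) -> Dict[str, float]:
    """Compute the features that, taken together, separate fast flux from CDN churn."""
    ordered = sorted(obs, key=lambda o: o.t)
    seen = set()
    churn = []          # fraction of each answer not present in the previous answer
    prev = None
    for o in ordered:
        cur = set(o.addrs)
        seen |= cur
        if prev is not None:
            churn.append(len(cur - prev) / max(len(cur), 1))
        prev = cur
    return {
        "min_ttl": min(o.ttl for o in ordered),
        "unique_ips": len(seen),
        "unique_prefixes": len({slash16(a) for a in seen}),
        "mean_churn": (sum(churn) / len(churn)) if churn else 0.0,
    }


def is_fast_flux(obs: Sequence[Observation], max_ttl: int = 600, min_ips: int = 10,
                 min_prefixes: int = 5, min_churn: float = 0.5) -> bool:
    """Flag only when a short TTL coincides with many addresses, many networks
    and high churn. Thresholds are illustrative, not calibrated values."""
    f = flux_features(obs)
    return (f["min_ttl"] <= max_ttl
            and f["unique_ips"] >= min_ips
            and f["unique_prefixes"] >= min_prefixes
            and f["mean_churn"] >= min_churn)


# Constructed CDN-like history: TTL 60, three addresses per answer rotating
# through a pool of five hosts in one /24 (TEST-NET-3 documentation range).
CDN_OBS = (
    Observation(0,   60, ("203.0.113.10", "203.0.113.11", "203.0.113.12")),
    Observation(60,  60, ("203.0.113.11", "203.0.113.12", "203.0.113.13")),
    Observation(120, 60, ("203.0.113.12", "203.0.113.13", "203.0.113.14")),
    Observation(180, 60, ("203.0.113.13", "203.0.113.14", "203.0.113.10")),
)

# Constructed fast flux history: TTL 180, five never-before-seen addresses
# per answer, each in a different /16 (private 10/8 space as a stand-in for
# scattered residential networks).
FLUX_OBS = tuple(
    Observation(k * 180, 180, tuple(f"10.{k * 5 + i}.{i}.{k + 1}" for i in range(5)))
    for k in range(4)
)


if __name__ == "__main__":
    for label, obs in (("cdn", CDN_OBS), ("flux", FLUX_OBS)):
        print(label, flux_features(obs), "fast flux" if is_fast_flux(obs) else "not flux")
```

Both histories have a TTL well under the usual fast flux threshold, so a TTL-only rule would flag the CDN as well. The CDN history never leaves one /16 and only a third of each answer is new; the flux history spreads twenty addresses over twenty networks with complete turnover between answers, which is the pattern item 18.b.9 has in mind when it notes that port-based blocking cannot catch such hosting.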