ICANN Email List Archives

[gnso-ff-pdp-may08]



[gnso-ff-pdp-may08] Chunked 18b

  • To: gnso-ff-pdp-may08@xxxxxxxxx
  • Subject: [gnso-ff-pdp-may08] Chunked 18b
  • From: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
  • Date: Mon, 15 Sep 2008 21:37:22 -0700

Following is based on forum.icann.org/lists/gnso-ff-pdp-may08/msg00055.html
as currently shown in the changes document at 18.b

The following shows how 18.b can be broken out into individual chunks.

18.b.1 -----------------------------------------------------------------------

After 

#"Who is harmed by fast flux activities?"
#
#1. Individuals whose computers are infected by attackers and subsequently
#used to host name servers or web sites for a fast flux phishing attack. The
#individual may have his Internet connection blocked. In the extreme, should
#the computer be suspected of hosting illegal material, the computer may be
#seized by law enforcement agents (LEAs) and the individual may be subjected
#to a criminal investigation.

add:

-- even if their connection doesn't end up completely blocked, users may 
   experience degraded performance (as computer or network resources get
   consumed by the parasitic miscreant user(s) of their system)

-- also, even if the ISP doesn't block the infected user, remote ISPs
   may end up blocking all or some traffic from the user, e.g., as a result
   of the user's IP being listed on a DNS block list

-- the user may be (repeatedly) diverted from a normal connection to a walled
   garden where the only resources they can access are remediation sites
   or tools

-- a user's systems may become unstable as a result of malware which was
   installed to enable fast fluxing (even some *vendors* have trouble 
   building patches that are safe for *all* version/patch permutations,
   so it shouldn't be surprising if some malware also causes stability issues)

Some specific examples of how users can be harmed by this, beyond what's 
already been mentioned, can be seen in things like:

-- increased operational complexity and loss of Internet transparency as
   operators implement increasingly draconian measures in an effort to 
   control abuse from potentially compromised users

-- costs associated with the prophylactic purchase of antivirus products,
   home firewall "routers" and other security products meant to keep bots
   and other security threats at bay

-- clean up costs when prophylactic measures fail (e.g., when a non-technical 
   user needs to hire a technician to help them try to get uninfected)

-- in the case of users who get dropped by their ISP, or who become so 
   disgusted with their ISP that they leave, the costs associated with 
   moving from one ISP to another, including both direct contractual costs 
   (such as potentially overlapping subscription costs, or disconnection
   and connection fees), as well as indirect costs such as changes in 
   email addresses (with attendant lost or delayed email), time spent
   learning the ins-and-outs of a new ISP, time spent reconfiguring 
   systems to use the new ISP, etc.

18.b.2 -----------------------------------------------------------------------

Following 

#2. Businesses and organizations whose computers are infected may have
#Internet connections blocked, which may result in loss of connectivity for
#all users as well as the possible loss of connectivity for any Internet
#services also hosted via the blocked connection (e.g., mail, web, e-merchant
#or ecommerce sites). Again, in the extreme, should the computer be suspected
#to host illegal material, the computer may be seized by LEAs and the
#individual may be subjected to a criminal investigation. If this computer
#were hosting web and other services for the business/organization, the
#seizure could also result in an interruption of service, loss of income or
#"web presence".

add

A compromised system in a business environment also immediately raises the
dreaded spectre of a breach of personally identifiable information (PII).

If PII was present on the compromised machine, notification may be mandated
by statute, which may result in substantial direct costs to the affected
organization (my understanding is that a dollar a notification is a very
conservative floor for notification costs, and obviously some PII incidents
involve millions of affected individuals). PII-related worries also drive
the substantial costs associated with deployment of whole disk encryption. 

Some businesses may also be affected by additional legislation specific to
their discipline, e.g., here in the States, things like GLBA or HIPAA apply
to financial institutions or health care institutions, respectively.

Employees may also be subject to non-criminal consequences, including
sanctions up to and including dismissal if they are found to be, or are
simply *believed to be*, at least partially responsible for their 
company-supplied system being compromised. 

18.b.3 -----------------------------------------------------------------------

Following 

#3. Individuals who receive phishing emails and are lured to a phishing site
#hosted on a bot used by the miscreants/criminals who run the phishing attack
#may have their identities stolen or suffer financial loss from credit card,
#securities or bank fraud. 

add

Those losses may include both direct losses which a financial institution
declines to make whole, as well as indirect costs (potentially higher 
interest rates, reduced credit lines, declined credit applications, etc.)

Identity theft can also touch on national security issues, if stolen 
identity information is used to illegally cross borders, to illegally 
remain in country or to work without permission, or to purchase items or 
services (such as weapons or airline travel) that might not otherwise be 
available if a person used their real identity. 

18.b.4 -----------------------------------------------------------------------

Following 

#They may unwittingly disclose medical or personal
#information that could be used for blackmail or coercion. 

add

or for discriminatory treatment by employers concerned with potential
costs associated with identified (but latent) genetic conditions, for 
example. 

Fear that medical record systems are porous may also deter some individuals
from even seeking help ("I'd like to find out what's causing my condition,
but I'm afraid that if I go in, the whole town will know I have <whatever>")

18.b.5 ---------------------------------------------------------------------

Delete 

#They may infect
#their computers with malicious software that would "enlist" their computers
#into a bot herd. 

Rationale:

It seems odd to have this item pop up here -- this feels more like something
that belongs in an introductory paragraph explaining how fastflux works

18.b.6 ---------------------------------------------------------------------

Below 

#Individuals who purchase bogus products, especially
#pharmaceuticals, may be physically harmed from using such products.

strike the trailing period and add

... and in a variety of ways. For example:

-- teenagers might have uncontrolled access to narcotics, steroids or other 
   dangerous controlled substances, with potentially tragic consequences,

-- women attempting to purchase birth control patches online might be sold
   adhesive bandages with no active ingredient whatsoever instead

-- cancer patients, rather than receiving efficacious treatment from a
   licensed physician, might rely on bogus online herbal "cures" that 
   actually do nothing to treat their disease, again, potentially resulting
   in deaths or serious complications

Illegal generic drugs also undercut the incentive for pharmaceutical firms 
to invest in new drug research by cutting into their earning stream while 
their discovery is, or should be, protected by patents.

Sale of counterfeit products is another example of how fast flux networks 
can result in users and businesses being harmed. Counterfeit products may 
undermine the value of carefully nurtured brand names, leave consumers with 
shoddy or dysfunctional products, deny nations legitimate customs revenues 
associated with the importation of premium brand-name products, or result in 
unsafe products (for example as a result of counterfeit UL-listed electrical 
appliance cords).

18.b.7 ----------------------------------------------------------------------

#4. Internet access operators 

Replace

"Internet access operators"

with

"Internet service providers"

Rationale: "Internet service providers" is the commonly used term for the
service being referred to; "Internet access operators" would be an uncommon
and potentially confusing usage

18.b.8 ----------------------------------------------------------------------

Below 

#are harmed when their IP address blocks 

add 

and their domain names

Rationale: reputation damage accrues not just to IP addresses but also to
domain names.

18.b.9 ----------------------------------------------------------------------

Below:

#are associated with bot nets and phishing attacks that are linked to fast flux
#activities. These operators also bear the burden of switching the
#unauthorized traffic that phishing attacks generate and they may also incur
#the cost of diverting staff and resources to respond to abuse reports or
#legal inquiries.

strike the final period and add:

or helping users to get cleaned up, or purchasing antivirus products
to hand out to users, or deploying network-based remediation solutions.

ISPs are harmed when spammers send spam spamvertising fastflux-hosted
sites, and the ISP gets deluged with that fastflux-enabled spam.

ISPs may also experience excess DNS-related traffic as a result of 
fastflux, resulting in the need for them to deploy additional
recursive resolver capacity.

ISPs may also be forced to deploy deep packet inspection equipment or
other networking equipment to detect and respond to fastflux hosted 
sites on customer systems. (Because fast flux web sites can be easily 
hosted on arbitrary ports, port-based blocking solutions won't work 
to control fastflux hosting, unlike port 25 blocks deployed to 
control direct-to-MX spam). 

18.b.10 ---------------------------------------------------------------------

Below 

#5. Registrars are harmed when their registration and DNS hosting services
#are used to abet "double flux" attacks. Like Internet access providers, they
#may also incur the cost of diverting staff and resources to monitor abuse,
#or to respond to abuse reports or legal inquiries.

add

Registrars currently see wdprs.internic.net complaints in conjunction with 
fast flux domains simply because that's the sole complaint mechanism
currently available which potentially reaches fastflux domain name abuse.

Antispam activists have thus become very good at carefully scrutinizing 
spamvertised fastflux domain names for whois problems. 

Dealing with those WDPRS reports represents an additional registrar-specific 
cost.

Providing a reporting channel that focusses on the actual issue (a domain 
has been detected which is engaged in criminal activity) rather than the 
substitute issue (there's a problem with the domain's whois data), will
clarify the problem at hand.

18.b.11 --------------------------------------------------------------------

After 

#7. Individuals or businesses whose lives or livelihoods are affected by the
#illegal activities abetted through fast flux networks, as are persons who
#are defrauded of funds or identities, whose products are imitated or brands
#infringed upon, and persons who are exploited emotionally or physically by
#the distribution of images or enslavement.

add

Examples of these ills can be seen in things such as child pornography, 
unauthorized distribution of proprietary software ("warez"), unauthorized 
distribution of copyrighted music and movies, unauthorized distribution of 
counterfeit "knock-off" trademarked merchandise, etc.

18.b.12 --------------------------------------------------------------------

After

#8. Registries may incur the cost of diverting staff and resources to monitor
#abuse or to respond to abuse reports or legal inquiries.

add

Uptake/legitimate use of some TLDs may also be impacted by fast flux abuse.
If the public perceives that sheer use of a domain from a particular TLD
may result in negative scoring by anti-spam software such as SpamAssassin, 
that can be a powerful disincentive hindering the adoption and use of that 
registry's TLD. 

18.b.13 --------------------------------------------------------------------

After 

#Who benefits from the use of short TTLs?

add

"Short TTLs" per se are NOT synonymous with "fastflux." Short TTLs are 
only one characteristic associated with fastflux domains.

18.b.14 --------------------------------------------------------------------

After 

#2. Content distribution networks such as Akamai, where "add, drop, change"
#of servers are common activities to complement existing servers with
#additional capacity, to load balance or location-adjust servers to meet
#performance metrics (latency, for example, can be reduced by making servers
#available that are fewer hops from the current most active locus of users
#and by avoiding lower capacity or higher cost international/intercontinental
#transmission links).

add

Some providers may also selectively return different IP addresses in response
to DNS queries from different audiences -- e.g., you might get German content 
if you're connecting from what appears to be a German IP address, or French
content if you're connecting from what appears to be a French IP address. 

18.b.15 --------------------------------------------------------------------

After 

#3. Organizations that provide channels for free speech, minority advocacies,
#and activities, revolutionary thinking may use short TTLs and operate
#fast-flux like networks to avoid detection.

add

Some members of the working group note that they haven't observed this.

Free speech organizations and activist entities may offer or use
encrypted, non-attributable, or covert communication channels, such as 
PGP/GNU Privacy Guard, remailers, steganographic methods, Tor/"onion 
routing," anonymous VPN services, etc., but an example of genuine fast
flux hosting (including operation on involuntarily botted hosts) has
not been identified to date.

Fast flux methods, when they've been observed in use, have been used to 
enable hosting of spamvertised or illegal web sites.

Those spamvertised and/or illegal web sites may be phishing web sites, 
or malware web dropping sites, or child porn sites, or warez sites, or 
carding sites, or whatever, but to date working group participants have 
not identified even a single case where political, religious or other 
dissident web sites have been found to be hosted on fast flux.

Dissident web sites don't need fast flux. They can simply purchase 
legitimate extraterritorial web hosting, so that even if one country
won't allow their web site to be hosted, someone abroad typically 
will do so.

The sites which do end up on fastflux web hosting are those which are so 
far beyond the pale that NO ONE will host them *anywhere* in the world.
That category is generally limited to spammers and egregious types of
content such as child pornography, phishing, malware, carding, etc.
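The point made at 18.b.13 (a short TTL is only one characteristic of a fast flux domain, not a synonym for it) and 18.b.14 (CDNs and geo-aware providers legitimately churn addresses under short TTLs) can be made concrete with a small resolver-side heuristic. The following is an added illustration, not part of Joe St Sauver's message or the working group's text: it records successive A-record answers for a name and only flags fast flux when a short TTL coincides with address churn across many unrelated networks, the signature of involuntarily botted consumer hosts. The IP-to-ASN table, the three lookup histories (RFC 5737 documentation addresses), and the thresholds are all constructed or assumed for the example.

```python
# Added example (not from the list message): a short TTL alone does not
# identify fast flux. Compares DNS indicators across three constructed
# lookup histories: a CDN-style name, a dynamic-DNS home server, and a
# fast-flux style name. Addresses, ASNs and thresholds are assumptions.
from dataclasses import dataclass
from typing import Dict, Sequence, Tuple

# Constructed IP -> ASN map standing in for a real routing/whois lookup.
# RFC 5737 documentation ranges are used, so nothing here is a real host.
IP_TO_ASN: Dict[str, int] = {
    # CDN-style: several addresses, one operator network (assumed AS 64500)
    "203.0.113.10": 64500, "203.0.113.11": 64500,
    "203.0.113.12": 64500, "203.0.113.13": 64500,
    # Dynamic-DNS home server: one address, one consumer ISP
    "198.51.100.7": 64510,
    # Fast-flux style: addresses scattered across many consumer networks
    "192.0.2.21": 64520, "192.0.2.45": 64521, "192.0.2.77": 64522,
    "192.0.2.90": 64523, "192.0.2.101": 64524, "192.0.2.130": 64525,
    "192.0.2.150": 64526, "192.0.2.160": 64527, "192.0.2.200": 64528,
}


@dataclass(frozen=True)
class Lookup:
    """One A-record answer set observed for a name: its TTL and addresses."""
    ttl: int
    addrs: Tuple[str, ...]


def indicators(history: Sequence[Lookup]) -> Dict[str, float]:
    """Summarise successive lookups of one name into a few indicators."""
    seen_ips = set()
    seen_asns = set()
    churn_total = 0.0
    prev = None
    for look in history:
        cur = set(look.addrs)
        if prev is not None:
            # share of the current answer set absent from the previous answer
            churn_total += len(cur - prev) / len(cur)
        prev = cur
        seen_ips |= cur
        seen_asns |= {IP_TO_ASN[ip] for ip in cur}
    return {
        "min_ttl": min(look.ttl for look in history),
        "unique_ips": len(seen_ips),
        "unique_asns": len(seen_asns),
        "mean_churn": churn_total / max(len(history) - 1, 1),
    }


# Assumed thresholds for the illustration; a deployment would tune these.
SHORT_TTL = 600      # seconds
MIN_ASNS = 4         # spread across unrelated networks
MIN_CHURN = 0.5      # most of the answer set changes between lookups


def looks_like_fast_flux(history: Sequence[Lookup]) -> Tuple[bool, Dict[str, float]]:
    """Short TTL is necessary but not sufficient: also require address churn
    and spread across many networks before calling a name fast flux."""
    ind = indicators(history)
    verdict = (ind["min_ttl"] <= SHORT_TTL
               and ind["unique_asns"] >= MIN_ASNS
               and ind["mean_churn"] >= MIN_CHURN)
    return verdict, ind


# Constructed lookup histories (three successive resolutions each).
CDN_HISTORY = [
    Lookup(20, ("203.0.113.10", "203.0.113.11")),
    Lookup(20, ("203.0.113.12", "203.0.113.13")),  # full rotation, same AS
    Lookup(20, ("203.0.113.10", "203.0.113.12")),
]
DYNDNS_HISTORY = [Lookup(60, ("198.51.100.7",))] * 3
FLUX_HISTORY = [
    Lookup(300, ("192.0.2.21", "192.0.2.45", "192.0.2.77")),
    Lookup(300, ("192.0.2.90", "192.0.2.101", "192.0.2.130")),
    Lookup(300, ("192.0.2.150", "192.0.2.160", "192.0.2.200")),
]

if __name__ == "__main__":
    for name, hist in (("cdn", CDN_HISTORY),
                       ("dyndns", DYNDNS_HISTORY),
                       ("flux", FLUX_HISTORY)):
        verdict, ind = looks_like_fast_flux(hist)
        print(f"{name:7s} fast_flux={verdict} {ind}")
```

Run as-is, the CDN history shows the shortest TTL and a high churn rate yet is not flagged, because every address sits in one operator's network; the dynamic-DNS name has a short TTL and nothing else; only the third history combines short TTL, churn and spread across nine networks. The ASN lookup is the part a real resolver would have to source from routing data, and it is what distinguishes legitimate "add, drop, change" from botted hosting.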
