ICANN Email List Archives

[gnso-ff-pdp-may08]



[gnso-ff-pdp-may08] a study of fast flux and double flux at Indiana University

  • To: fast Flux Workgroup <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: [gnso-ff-pdp-may08] a study of fast flux and double flux at Indiana University
  • From: Minaxi Gupta <minaxi@xxxxxxxxxxxxxx>
  • Date: Tue, 23 Sep 2008 10:28:29 -0400


Hi,

My students and I just finished a study of fast flux and double flux in phishing using three different real-time feeds of phishing URLs. Here are the key findings:

- 11% of the Web servers hosting phishing sites exhibited fast flux

- 70% of these servers were also a part of a double flux infrastructure

- The largest clusters of Web servers and DNS servers that exhibited flux had their domains registered in a handful of TLDs. Their host names also bore remarkable similarity in the name convention and number of dots present. They even shared machines! Clearly, a small set of miscreants are behind most of the flux seen in phishing.

- DNS servers that exhibit flux correspond to a rather small number of IP addresses. In contrast, Web servers that exhibit fast flux are hosted on a much larger number of IP addresses. This implies that a take-down of DNS servers is a more fruitful avenue in anti-phishing efforts than a take-down of Web servers that host phishing sites.

We used statistical classification and clustering techniques to arrive at these and other conclusions. I am happy to send the technical report detailing the findings of our study. (It is currently under submission at a conference.) We are continuing to collect data. I am happy to share the data with this group.

For folks who have read the Holz paper on fast flux from University of Mannheim: They looked only at fast flux (not double flux), and that too only in the context of spam-hosting sites. They found a higher percentage of fast flux. On their data, our models find the same percentage of fast flux as they found. This means that spam-hosting sites in general exhibit more fast flux than phishing sites.

Best,
Minaxi
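The message above reports findings without showing how a domain is judged to be fast flux or double flux. The following is an added example, not code from the Indiana University study or from the Holz paper, and it uses fixed heuristic cutoffs rather than the statistical classification the message describes. It labels a domain fast flux when its A records churn across many IPs in several /24s at a low TTL, and double flux when the domain's NS hosts' own A records also churn. It also counts the distinct IPs behind the web layer versus the nameserver layer, which is the asymmetry the message's last finding rests on. All domain names, IP addresses, timings and thresholds are constructed for illustration.

```python
"""Toy fast-flux / double-flux classifier over constructed passive-DNS style observations.

Added example, not code from the study described in the message. Thresholds and the
sample data are assumptions chosen for illustration; the study used statistical
classification and clustering, not the fixed cutoffs used here.
"""
from collections import defaultdict

# Constructed observations: (minute_observed, qname, qtype, ttl, answers).
# Two phishing domains rotate web IPs across three /24s and share two NS hosts that
# themselves hop among a pool of three IPs; one static control domain does neither.
CONSTRUCTED_OBSERVATIONS = [
    (0,  "secure-login.example", "A", 180, ("203.0.113.10", "198.51.100.20", "192.0.2.30")),
    (10, "secure-login.example", "A", 180, ("203.0.113.11", "198.51.100.21", "192.0.2.30")),
    (20, "secure-login.example", "A", 180, ("203.0.113.12", "198.51.100.22", "192.0.2.31")),
    (0,  "account-verify.example", "A", 180, ("203.0.113.40", "198.51.100.50", "192.0.2.60")),
    (10, "account-verify.example", "A", 180, ("203.0.113.41", "198.51.100.51", "192.0.2.61")),
    (20, "account-verify.example", "A", 180, ("203.0.113.42", "198.51.100.50", "192.0.2.62")),
    (0,  "secure-login.example", "NS", 180, ("ns1.flux-dns.example", "ns2.flux-dns.example")),
    (0,  "account-verify.example", "NS", 180, ("ns1.flux-dns.example", "ns2.flux-dns.example")),
    (0,  "ns1.flux-dns.example", "A", 180, ("192.0.2.5",)),
    (10, "ns1.flux-dns.example", "A", 180, ("192.0.2.6",)),
    (20, "ns1.flux-dns.example", "A", 180, ("192.0.2.5",)),
    (0,  "ns2.flux-dns.example", "A", 180, ("192.0.2.7",)),
    (10, "ns2.flux-dns.example", "A", 180, ("192.0.2.5",)),
    (20, "ns2.flux-dns.example", "A", 180, ("192.0.2.6",)),
    (0,  "brochure.example", "A", 86400, ("192.0.2.100",)),
    (10, "brochure.example", "A", 86400, ("192.0.2.100",)),
    (20, "brochure.example", "A", 86400, ("192.0.2.100",)),
    (0,  "brochure.example", "NS", 86400, ("ns.hoster.example",)),
    (0,  "ns.hoster.example", "A", 86400, ("192.0.2.200",)),
]


def histories(observations):
    """Group observations by (qname, qtype) into time-ordered (minute, ttl, answer_set)."""
    by_key = defaultdict(list)
    for minute, qname, qtype, ttl, answers in observations:
        by_key[(qname, qtype)].append((minute, ttl, frozenset(answers)))
    for history in by_key.values():
        history.sort()
    return by_key


def a_stats(history):
    """Summarise one name's A-record history: distinct IPs, distinct /24s, min TTL, churn.

    Churn counts answers not present in the immediately preceding observation; the /24
    prefix is a stand-in for the ASN diversity a real system would look up.
    """
    ips, prefixes, churn, min_ttl, prev = set(), set(), 0, None, None
    for _minute, ttl, answers in history:
        ips |= answers
        prefixes |= {ip.rsplit(".", 1)[0] for ip in answers}
        min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
        if prev is not None:
            churn += len(answers - prev)
        prev = answers
    return {"ips": ips, "prefixes": prefixes, "churn": churn, "min_ttl": min_ttl}


def is_fluxing(stats, min_ips, min_prefixes, max_ttl):
    """Assumed cutoffs: enough distinct IPs and networks, a short TTL, and actual churn."""
    return (len(stats["ips"]) >= min_ips
            and len(stats["prefixes"]) >= min_prefixes
            and stats["min_ttl"] is not None and stats["min_ttl"] <= max_ttl
            and stats["churn"] > 0)


def nameserver_hosts(hist, domain):
    """All NS hostnames ever observed for the domain."""
    names = set()
    for _minute, _ttl, answers in hist.get((domain, "NS"), []):
        names |= answers
    return names


def classify(observations, domain):
    """Return fast-flux / double-flux verdicts for one domain.

    Double flux requires the domain itself to flux AND at least one of its NS hosts to
    resolve to a churning set of IPs. The NS cutoff is deliberately lower (assumption):
    the message notes that fluxing DNS servers sit on far fewer IPs than fluxing web hosts.
    """
    hist = histories(observations)
    web = a_stats(hist.get((domain, "A"), []))
    fast = is_fluxing(web, min_ips=5, min_prefixes=3, max_ttl=600)
    ns_flux = any(
        is_fluxing(a_stats(hist.get((ns, "A"), [])), min_ips=2, min_prefixes=1, max_ttl=600)
        for ns in nameserver_hosts(hist, domain)
    )
    return {"domain": domain, "fast_flux": fast, "double_flux": fast and ns_flux}


def footprint(observations, domains):
    """Distinct IPs behind the web layer vs. the nameserver layer for a set of domains.

    Shared NS hosts collapse into one small pool, which is why a nameserver take-down
    can reach more phishing domains per IP than a web-server take-down.
    """
    hist = histories(observations)
    web_ips, ns_ips = set(), set()
    for domain in domains:
        web_ips |= a_stats(hist.get((domain, "A"), []))["ips"]
        for ns in nameserver_hosts(hist, domain):
            ns_ips |= a_stats(hist.get((ns, "A"), []))["ips"]
    return len(web_ips), len(ns_ips)


if __name__ == "__main__":
    for d in ("secure-login.example", "account-verify.example", "brochure.example"):
        print(classify(CONSTRUCTED_OBSERVATIONS, d))
    print(footprint(CONSTRUCTED_OBSERVATIONS, ["secure-login.example", "account-verify.example"]))
```

On the constructed data both phishing domains come out as fast flux and double flux, the static control domain as neither, and the two phishing domains together span 16 web IPs but only 3 nameserver IPs. The cutoffs (5 IPs in 3 networks at TTL 600 or less for the web layer, 2 IPs for the NS layer) are assumptions for the example; a production detector would replace them with a trained classifier over the same kind of features.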


