ICANN Email List Archives

[gnso-ff-pdp-may08]



Re: [gnso-ff-pdp-may08] a study of fast flux and double flux at Indiana University

  • To: Minaxi Gupta <minaxi@xxxxxxxxxxxxxx>, fast Flux Workgroup <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: Re: [gnso-ff-pdp-may08] a study of fast flux and double flux at Indiana University
  • From: Dave Piscitello <dave.piscitello@xxxxxxxxx>
  • Date: Tue, 23 Sep 2008 08:10:20 -0700

Hi Minaxi,

Could you write this up as a proposed addition to the WG report, with 
appropriate citations? It would also be helpful if you could compare what 
you used to characterize a fast flux attack network with the characteristics we 
have agreed to include in the report, to see if our lists match (and if not, to 
see if we should amplify the WG list).




On 9/23/08 10:28 AM, "Minaxi Gupta" <minaxi@xxxxxxxxxxxxxx> wrote:



Hi,

My students and I just finished a study of fast flux and double flux
in phishing using three different real-time feeds of phishing URLs.
Here are the key findings:

- 11% of the Web servers hosting phishing sites exhibited fast flux

- 70% of these servers were also a part of a double flux infrastructure

- The largest clusters of Web servers and DNS servers that exhibited
flux had their domains registered in a handful of TLDs.  Their host
names also bore remarkable similarity in the name convention and
number of dots present.  They even shared machines!  Clearly, a small
set of miscreants are behind most of the flux seen in phishing.

- DNS servers that exhibit flux correspond to a rather small number of
IP addresses.  In contrast, Web servers that exhibit fast flux are
hosted on a much larger number of IP addresses.  This implies that a
take-down of DNS servers is a more fruitful avenue in anti-phishing
efforts than a take-down of Web servers that host phishing sites.

We used statistical classification and clustering techniques to arrive
at these and other conclusions.  I am happy to send the technical
report detailing the findings of our study.  (It is currently under
submission at a conference.)  We are continuing to collect data.  I am
happy to share the data with this group.

For folks who have read the Holz paper on fast flux from University of
Mannheim: They looked only at fast flux (not double flux) and that
too, only in the context of spam-hosting sites.  They found a higher
percentage of fast flux.  On their data, our models find the same
percentage of fast flux as they found.  This means that spam-hosting
sites in general exhibit more fast flux than phishing sites.

Best,
Minaxi
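The distinction the message draws between fast flux (rotating A records for the Web server) and double flux (the authoritative name servers rotate as well) can be checked from repeated DNS lookups. The following is an added example written for this archive page, not code from the Indiana University study, and its thresholds are illustrative assumptions, not the study's statistical classifier; the observations are constructed, using RFC 5737 documentation addresses and made-up hostnames.

```python
from collections import defaultdict

# Constructed sample of repeated lookups of three hostnames (not study data).
# Each row: (seconds since first lookup, hostname, A-record IPs, authoritative NS IPs).
OBSERVATIONS = [
    (0,   "secure-login.example", {"198.51.100.10", "198.51.100.11"}, {"203.0.113.5"}),
    (300, "secure-login.example", {"198.51.100.12", "198.51.100.13"}, {"203.0.113.5"}),
    (600, "secure-login.example", {"198.51.100.14", "198.51.100.15"}, {"203.0.113.6"}),
    (900, "secure-login.example", {"198.51.100.16", "198.51.100.17"}, {"203.0.113.7"}),
    (0,   "promo-offer.example",  {"198.51.100.20", "198.51.100.21"}, {"203.0.113.9"}),
    (300, "promo-offer.example",  {"198.51.100.22", "198.51.100.23"}, {"203.0.113.9"}),
    (600, "promo-offer.example",  {"198.51.100.24", "198.51.100.25"}, {"203.0.113.9"}),
    (900, "promo-offer.example",  {"198.51.100.26", "198.51.100.27"}, {"203.0.113.9"}),
    (0,   "static-site.example",  {"192.0.2.10"}, {"192.0.2.53"}),
    (300, "static-site.example",  {"192.0.2.10"}, {"192.0.2.53"}),
    (600, "static-site.example",  {"192.0.2.10"}, {"192.0.2.53"}),
    (900, "static-site.example",  {"192.0.2.10"}, {"192.0.2.53"}),
]

def summarize(observations):
    """Per hostname: distinct A and NS IPs seen, and how often each record set changed."""
    by_host = defaultdict(list)
    for ts, host, a_ips, ns_ips in observations:
        by_host[host].append((ts, frozenset(a_ips), frozenset(ns_ips)))
    stats = {}
    for host, rows in by_host.items():
        rows.sort()  # order lookups by time before counting changes
        pairs = list(zip(rows, rows[1:]))
        stats[host] = {
            "distinct_a": len(set().union(*(r[1] for r in rows))),
            "distinct_ns": len(set().union(*(r[2] for r in rows))),
            "a_changes": sum(1 for prev, cur in pairs if prev[1] != cur[1]),
            "ns_changes": sum(1 for prev, cur in pairs if prev[2] != cur[2]),
        }
    return stats

def classify(s, min_a=4, min_a_changes=2, min_ns=2):
    """Assumed thresholds: a Web host that keeps moving across many IPs is fast flux;
    if its name servers move too, the infrastructure is double flux."""
    if s["distinct_a"] < min_a or s["a_changes"] < min_a_changes:
        return "none"
    if s["distinct_ns"] >= min_ns and s["ns_changes"] >= 1:
        return "double flux"
    return "fast flux"

def classify_all(observations):
    return {host: classify(s) for host, s in summarize(observations).items()}

if __name__ == "__main__":
    for host, label in classify_all(OBSERVATIONS).items():
        print(f"{host}: {label}")
```

Real lookups would need to be spread over hours and combined with TTL and ASN diversity before drawing conclusions; the point here is only that NS rotation is the signal separating the two classes.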



