ICANN Email List Archives

[gnso-ff-pdp-may08]



Re: FW: [gnso-ff-pdp-may08] Introduction and Statement of Interest: Jose Nazario (Arbor Networks)

  • To: "Fast Flux Workgroup" <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: Re: FW: [gnso-ff-pdp-may08] Introduction and Statement of Interest: Jose Nazario (Arbor Networks)
  • From: "George Kirikos" <fastflux@xxxxxxxx>
  • Date: Thu, 9 Oct 2008 13:15:23 -0400

Hello,

On Thu, Oct 9, 2008 at 12:56 PM, Mike Rodenbaugh wrote:
>
> Attached is some dialogue between Jose and me re the report that Greg just
> cited to this list, fyi.
> -----Original Message-----
> From: jose nazario [mailto:jose@xxxxxxxxx]
> Sent: Wednesday, October 08, 2008 12:41 PM
> To: mike@xxxxxxxxxxxxxx
> Subject: [Bulk] Re: [gnso-ff-pdp-may08] Introduction and Statement of
> Interest: Jose Nazario (Arbor Networks)
>
> On 10/7/08 6:10 PM, "Mike Rodenbaugh" <mike@xxxxxxxxxxxxxx> wrote:
>> -- finding malice when in fact it is benign.  Some in the group continue
>> to argue that there is no acceptable remedy so long as there are some false
>> positives.  Of course that is ridiculous, but if we can show an extremely
>> low rate of false positives that could be extremely helpful to the cause
>> of stopping malicious fast flux exploits at the registry level.  Do you have
>> any data on that point specifically?

It's not a ridiculous concern when one's site is, without cause, shut
down because one is falsely accused of abuse. Who is going to pay the
damages when that occurs?

> The heuristic described in our paper, "As the Net Churns", is the one we use
> in ATLAS to qualify domain names as fluxy for monitoring purposes. We do
> have a whitelist function as several large providers and groups use DNS round
> robin techniques to provide load balancing.
>
> The white list includes names like Yahoo (mainly European Yahoo properties),
> ICQ, ClamAV, and a few others. The full list is here:
>
> WHITELIST = ('ebay.com', 'paypal.com', 'aol.com', 'yahoo.com',
>             'amazon.com', 'mailscanner.com',  'wellsfargo.com',
>             'cnn.com', 'geocities.com', 'myspace.com', 'yahoo.fr',
>             'yahoo.es', 'yahoo.it', 'rapidshare.com', 'icq.com',
>             'naver.com')

The fact that you have to have a whitelist demonstrates that the
heuristic is weak, as it would otherwise capture innocent sites like
Yahoo.com or eBay.com by default. Why would ICANN single out Yahoo.com
to be whitelisted, and not any of my company's websites? We each pay
ICANN 20 cents/year per domain.

> The frequency with which we see these appear, however, is rare. Out of tens
> of thousands of fast flux names we have seen, fewer than 100 distinct (based
> on our techniques mining for names through spamvertised and
> malcode-associated URLs and such) have been falsely accused. This is well

And exactly how many hours/days/weeks did it take for those falsely
accused websites to be removed from the blacklist? If they were
falsely accused, but didn't report anything to you (i.e. silent
victims), would they even appear in your dataset as false positives?
And what financial damages were paid to the victimized websites?

Sincerely,

George Kirikos
www.LEAP.com
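Added example (not part of the above message, nor Arbor's ATLAS code): the WHITELIST tuple quoted in the thread, applied the way a monitoring pipeline would have to apply it. The crude "distinct IPs seen" counter that feeds it is a constructed stand-in, not the heuristic from "As the Net Churns"; it is there only to show why a round-robin site such as a Yahoo property trips such a test and therefore needs the exemption. The sample observations and the `.test`/`example.net` names are constructed; the documentation-range addresses are placeholders.

```python
"""Whitelist exemption for fast-flux candidates (added example).

WHITELIST is copied from the quoted message.  Everything else here is
constructed for illustration and is not the ATLAS heuristic.
"""
from collections import defaultdict

WHITELIST = ('ebay.com', 'paypal.com', 'aol.com', 'yahoo.com',
             'amazon.com', 'mailscanner.com', 'wellsfargo.com',
             'cnn.com', 'geocities.com', 'myspace.com', 'yahoo.fr',
             'yahoo.es', 'yahoo.it', 'rapidshare.com', 'icq.com',
             'naver.com')


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so 'WWW.Yahoo.COM.' == 'www.yahoo.com'."""
    return name.strip().lower().rstrip('.')


def is_whitelisted(name: str, whitelist=WHITELIST) -> bool:
    """True if `name` equals a whitelisted domain or is a subdomain of one.

    A plain `name in WHITELIST` test would exempt 'yahoo.com' but not
    'fr.yahoo.com' or 'www.ebay.com', which are the names that actually
    show up in DNS traffic.  Matching on the label boundary (a leading '.')
    rather than a bare endswith() keeps 'notyahoo.com' from riding on
    'yahoo.com'.
    """
    n = normalize(name)
    for w in whitelist:
        w = normalize(w)
        if n == w or n.endswith('.' + w):
            return True
    return False


def ip_churn_candidates(observations, min_distinct_ips: int = 5):
    """Names whose A answers spanned at least `min_distinct_ips` addresses.

    Constructed stand-in for a flux heuristic (NOT the "As the Net Churns"
    method): a naive distinct-IP count cannot tell load-balanced round
    robin from fast flux, which is exactly why a whitelist is needed.
    """
    seen = defaultdict(set)
    for name, ip in observations:
        seen[normalize(name)].add(ip)
    return sorted(n for n, ips in seen.items() if len(ips) >= min_distinct_ips)


def partition(candidates, whitelist=WHITELIST):
    """Split heuristic hits into (kept_for_monitoring, exempted)."""
    kept, exempted = [], []
    for c in candidates:
        (exempted if is_whitelisted(c, whitelist) else kept).append(normalize(c))
    return kept, exempted


# Constructed observations: (queried name, A record returned).
OBSERVATIONS = (
    [('fr.yahoo.com', f'192.0.2.{i}') for i in range(1, 7)]          # round robin
    + [('example-flux.test', f'198.51.100.{i}') for i in range(1, 9)]  # churning
    + [('static.example.net', '203.0.113.10')] * 4                   # stable
)

if __name__ == '__main__':
    hits = ip_churn_candidates(OBSERVATIONS)
    kept, exempted = partition(hits)
    print('heuristic hits:     ', hits)
    print('exempted (whitelist):', exempted)
    print('kept for monitoring: ', kept)
```

Note what the exemption does not do: 'static.example.net' never reaches the whitelist stage, while a legitimate round-robin site that is not on the tuple (the point George raises) is treated exactly like the churning name. Any false-positive figure derived from such a pipeline counts only the exempted names, not the unlisted sites that were flagged and never complained.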


