ICANN Email List Archives

[gnso-ff-pdp-may08]



RE: [gnso-ff-pdp-may08] Fast Flux Data Annex: Updated Draft

  • To: martinh@xxxxxxxxxxxxxxx
  • Subject: RE: [gnso-ff-pdp-may08] Fast Flux Data Annex: Updated Draft
  • From: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
  • Date: Mon, 15 Dec 2008 12:16:32 -0800

Hi Martin!

Nice work!

#Joe/Greg, I have responded to your input as best I can. I've made  
#tradeoffs based on time available and the likelihood of going insane  
#from Excel battles.

Yeah, it's quite the "tool", isn't it? :-;

#Throw comments at me and, if I get them in good time, I will produce a  
#revised version before Friday's call.

I'm not sure if it is intentional, but multiple fonts are in use in the
new draft; if that wasn't intentional, you may want to select all text 
and blast it all into whatever's standard (Times?) for the report.

At line 24, I think you actually have some dates where there were zero
new FF domains (rather than 1 as stated), true? Or were those days when
data wasn't available? (it can sometimes be hard to tease apart missing
data from a "real" zero value)

One of the most intriguing substantive issues (at least for me) is the
discrepancy in the number of domains KS sees vs. Arbor. For example,
at lines 24-25 you mention a peak of 6465 for Karmasphere vs. a peak
of 3695 for Arbor. That seems like a big variation, and I find myself
wondering where that discrepancy comes from. For example, could it
be that one of you is only looking at 2nd level domains, while the
other is looking at 3rd level domains (thus counting asdasdad.foo.com
and asdhafsghdd.foo.com as two domains in one case, but only one in 
the other?)

Or are there definitional or methodological differences present? (e.g.,
it would be good if each could describe how they operationally
identify what is and isn't a FF domain, for example)

Love to know anything more about the incident mentioned at 27-28 --
what's there is interesting, but something of a tease, leaving out
details that I suspect at least some folks would find interesting
(such as the subject of the FF efforts (if known), the registrars 
involved, the name servers used, or whatever you can share).

For 30-31, it would be great if we could get some measure of dispersion,
such as the standard deviation, or even the interquartile range. I also
note that we don't have the average and median number of domains for Arbor,
the same way we do for Karmasphere's data.

For graphs 1 and 2, having a log Y axis would allow far better 
representation of the graph (you should just be able to right click on
the left vertical axis, and then toggle it to use log axes in Excel).
To see why this is important, look at graph 2: one point (1), the big
spike around 10/8 or so, uses the full range of the y axis, but virtually
all the other bars are down in the weeds, not even making the 1000 mark.
Thus, that one odd spike completely dominates the presentation of that
data, and makes it very hard to see the pattern (if any) shown in the
rest of the dataset.

For graph 3, did you see any indication that the bad guys detected your
monitoring, and intentionally blocked resolution of their domains from
your monitoring point? Any possibility that some domains resolved, but
only to bogus values (e.g., sometimes you'll see things like 127.0.0.1 
show up, or 61.61.61.61, say)?

Do you want to talk at all (around line 78) about why dot cn domains
are popular? (for example, is it a matter of cost? (recall that dot cn
has previously offered dot cn domains for one yuan, about 14-15 cents US)
is it a matter of registry/registrar complaint handling procedures?
Something else?)

For the chart following line 88 (should it be numbered?) given the ongoing 
issues handling the many tiny slivers, how about just listing those as 
"other" (so you'd have .cn, .com, .net and "other")

Likewise, for the chart at line 90, I'm thinking an "other" category would
again make sense, particularly if there's room to also have a table with
the raw data.

Speaking of tables, for the table beginning at line 108 (number it as well?),
you established a threshold of 10 domains for inclusion in the table, but
note that's four orders of magnitude! (24171-->10) Not to beat a dead horse,
but 21 (or even 42) domains are just dust in the wind relative to 24,171 or
20,488. I'd suggest omitting anything that's less than 1% of the top value
for that table (and for the table at line 110). 

Regards,

Joe
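
Added example, not part of the original message: a Python sketch of the two measurement questions raised above, namely how counting full hostnames versus registered domains changes a fast-flux domain total, and how to set aside hostnames that resolve only to bogus values such as 127.0.0.1 or 61.61.61.61. The observations, the suffix list, and the repeated-octet heuristic are constructed assumptions, not either data provider's method.

```python
import ipaddress

# Constructed sample observations: (queried hostname, A record returned).
OBSERVATIONS = [
    ("asdasdad.foo.com", "198.51.100.7"),
    ("asdhafsghdd.foo.com", "203.0.113.9"),
    ("foo.com", "198.51.100.23"),
    ("x1.bar.com.cn", "127.0.0.1"),
    ("x2.bar.com.cn", "61.61.61.61"),
    ("baz.cn", "192.0.2.44"),
]

# Assumption: a tiny stand-in for the Public Suffix List, enough for the sample.
MULTI_LABEL_SUFFIXES = {"com.cn", "net.cn", "org.cn"}


def registered_domain(hostname):
    """Collapse a hostname to the name actually registered (e.g. foo.com)."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_bogus(ip):
    """Flag answers that cannot be a real flux node.

    Loopback and unspecified addresses are certain. The repeated-octet test
    (61.61.61.61) is a crude heuristic and will also flag some legitimate
    addresses, so treat its hits as candidates for manual review.
    """
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_unspecified:
        return True
    return len(set(ip.split("."))) == 1


def summarize(observations):
    """Return both counting conventions plus the hostnames with bogus answers."""
    fqdns = {host.lower().rstrip(".") for host, _ in observations}
    registered = {registered_domain(host) for host in fqdns}
    bogus = sorted({host for host, ip in observations if is_bogus(ip)})
    return {"fqdn_count": len(fqdns),
            "registered_count": len(registered),
            "bogus_hosts": bogus}


if __name__ == "__main__":
    print(summarize(OBSERVATIONS))
```

On the constructed sample the same observations count as six domains by hostname but three by registered domain, which is the kind of gap the second-level versus third-level question is asking about.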


