ICANN Email List Archives

[gnso-ff-pdp-may08]



[gnso-ff-pdp-may08] Accommodating Ran Atkinson's comments

  • To: Fast Flux Workgroup <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: [gnso-ff-pdp-may08] Accommodating Ran Atkinson's comments
  • From: Dave Piscitello <dave.piscitello@xxxxxxxxx>
  • Date: Tue, 28 Apr 2009 05:51:15 -0700

Hello FF WG,

As you know, Ran Atkinson had several major comments:

1) expand on the positive applications of fast flux techniques
2) make the distinction between positive and malicious uses of fast flux
clearer
3) invite comment from the IETF

I've sent a separate email to handle (3).

For (1) and (2) I think we need to begin by adjusting the executive summary
to acknowledge that the WG dissected the concept "fast flux" into two
distinct classes, then carry these changes through the main body of the
report. I walked through the newly posted draft final report and I think the
following sections and pages are affected (I may have missed some but
hopefully not many)

Again, I used the draft final report that Marika posted early today at
https://st.icann.org/data/workspaces/pdp-wg-ff/attachments/fast_flux_pdp_wg:20090428080103-0-28575/original/Draft%20Fast%20Flux%20Final%20Report%20-%2027%20April%202009.pdf
 

Executive Summary, PAGE 4, line 97

In the Executive Summary, we can do this by adding the following at the very
beginning of Section 1.3:

"After considerable deliberation, the working group was able to identify
positive applications of certain characteristics generally associated with
the term fast flux. These characteristics, including short TTLs and frequent
update of DNS records, are present in production networking environments
that are high profile, support mobility, or are likely targets of attackers,
or networks that must be adaptive and resilient. Such self-beneficial or
positive applications are described in the literature as <I>volatile
networking</I>. Generally, additional, sufficiently different and suspicious
characteristics are present in malicious networking applications to
distinguish positive, volatile networks from <I>fast flux attack
networks</I>."

The current text of Section 1.3, line 98, follows the above paragraph.

PAGE 6, line 143

It would be helpful to clarify that the WG elected to include the questions
posed by the GNSO "as is" rather than rephrase them and risk
misrepresentation or create confusion.

Under the bullet item "Charter Questions", following line 143, I suggest we
add:

"Note: The FF WG introduced the distinguishing terms volatile networks and
fast flux attack networks in section 1.3. The questions put before the WG by
the GNSO are reproduced throughout this report in their original
formulation. The WG elected to include the questions 'as posed' to avoid
confusion or misrepresentation."

Under "Who benefits from fast flux?" (line 147) add a bullet item "mobility
network providers", preferably between lines 148 and 149

Page 7, line 188

Under "Who benefits from the use of fast flux techniques?" add "mobility
network users and operators who offer services to mobile users", preferably
after line 190.

Page 16, line 426+

Under "How fast flux attacks work", edit the text to consistently refer to
fast flux attacks rather than the generic term "fast flux" - this is
probably a comment that must be applied throughout the report. An editing
team can do this more effectively than I can in a single email. In the Note,
add that the content only discusses fast flux attacks and that positive
applications are considered later.

Page 17, line 481: 

Perhaps the title here should be "Positive Applications of fast flux
techniques (Volatile Networking)"? In this section, we should add a summary
of Ran's description of mobility networking and how TTLs are used. I will
write this if the WG concurs.

Page 18, line 505:

Perhaps the title should change to "Illicit Uses: Fast Flux attack
networks"? Also, should we jettison "fast flux service networks" and align
on "fast flux attack networks"? Also, should we use Illicit uses or
Malicious uses throughout, or does it not matter?

Page 22, Section 5, line 565

I suggest that the WG begin this section with either the text I proposed in
the Executive Summary, or an expanded form. If members of the WG prefer an
expansion, please list the issues or observations you wish to make and I'll
take on the writing assignment.

Page 23, line 620: 

Under "Charter Questions", again, we may wish to make clear that the
questions are phrased as originally formulated by the GNSO.

Page 24, line 665: 

Before "3. Free speech / advocacy groups", insert "3. Mobility Support",
incorporate Ran's discussion of mobility support, and include the citations
he lists. Make "Free speech / advocacy groups" clause 4. Again, I will
compose the exact text if the WG agrees that the set of changes I'm
proposing are appropriate.

Page 27, line 749:

Replace the sentence following "The parties who benefit from the cessation
of the practice of fast flux attacks are the same
parties who are harmed when fast flux is used in support of attack
networks." with

"Again, the WG calls the readers' attention to the distinction we make
between volatile networking and fast flux attacks; here, we focus attention
on identifying the harms inflicted on victims of fast flux attacks:"

Page 32, line 908: 

Suggest we re-word "The Working Group has previously explained that the use
of short TTLs is insufficient to characterize a network as a fast flux
network, and insufficient to characterize that fast flux
network as an attack or production network." as follows:

"The WG has previously explained that positive and malicious applications of
adaptive networking exist today. In particular, the use of short TTLs is
insufficient to distinguish a positive application of volatile networking
from a fast flux attack. The ... benefit from volatile network techniques,
including short TTLs, includes:"

<Keep the positive applications 1-3 and add mobility networks as 3, move
free speech to be item 4>

Then insert before the current item 4, and incorporate 4 as follows:

 "Short TTLs are one of several indicators of fast flux attacks. Criminals,
terrorists, and generally, any organization that operates a fast flux attack
network frequently benefit from the use of short TTLs along with other
volatile networking techniques, but at public expense, harm or detriment."

Here, again, edit text to use fast flux attack networks, not simply fast
flux.

----- Summary -----

Other sections may require some additional editing and minor corrections to
align correctly with the proposed changes. I realize there is more to do
here, but I want to be certain the WG agrees in principle with these
changes; if so, Marika and I can jointly edit a new draft.









