ICANN Email List Archives

[gnso-ff-pdp-may08]



[gnso-ff-pdp-may08] Rasmussen/Piscitello action 4.f

  • To: Fast Flux Workgroup <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: [gnso-ff-pdp-may08] Rasmussen/Piscitello action 4.f
  • From: Dave Piscitello <dave.piscitello@xxxxxxxxx>
  • Date: Wed, 6 May 2009 05:32:40 -0700

While discussing this comment, Rob noted that references to the Mannheim
formula seem to have completely disappeared from the paper. We think it
would be worth mentioning in at least passing here.


(4.f) Registrars need to build detecting mechanisms of a
technical nature that will detect when fast flux is evident and
then generate an email alert to CERT or law enforcement
agencies, contracted reporting agencies and ICANN staff

Proposed response: A good portion of the FF interim report discussed the
challenge with identifying criteria that distinguish fast flux attack
networks from production networks that use volatile networking techniques.
ICANN and registrars must strike a balance between aggressively detecting
and blocking fast flux activities that exploit "double flux" variants using
domain names registered in GTLDs and causing harm through "false positives
and preemptive takedowns" to registrants who apply volatile networking
techniques for survivability, mobility, and availability purposes.

The working group discussed several options for detecting malicious fast
flux domains but did not find one that could be universally adopted and used
in an automated fashion with a degree of reliability that all members of the
working group considered acceptable.  Of particular promise was the
"Mannheim formula" that was developed in a paper (need citation).  Even this
promising algorithm requires human interpretation for truly reliable
reporting, so an automated system based solely on it would likely result in
some false positives.

The FF WG recommends that the community continue to study FF hosting
behavior with a goal of finding detection algorithms with very small
probabilities of false positives and very high adaptability to changes in
attacker FF hosting behavior. When a satisfactory algorithm is found, ICANN
and registrars should be encouraged to consider deploying detection and
preventative measures to mitigate fast flux.
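As an added illustration (not part of this e-mail or the FF WG report), the kind of automated flux-score check the discussion above has in mind: the weights and threshold are assumed from Holz et al., "Measuring and Detecting Fast-Flux Service Networks" (NDSS 2008), and the DNS observations are constructed, not real lookups. It scores a static site, a fast-flux style domain, and a CDN-like domain that also crosses the boundary, which is the sort of false positive the text says still needs human interpretation.

```python
from dataclasses import dataclass

# Assumed weights/threshold of the flux-score formula from Holz et al. (NDSS 2008);
# the nameserver term of that formula is omitted because its weight is ~0.
W_A, W_ASN, THRESHOLD = 1.32, 18.54, 142.38


@dataclass(frozen=True)
class Observation:
    """One DNS lookup of a domain: the A records returned and the ASN of each."""
    ips: tuple
    asns: tuple


def flux_score(observations):
    """Score a domain from the distinct A records and distinct ASNs seen
    across all lookups in the observation window."""
    ips = {ip for o in observations for ip in o.ips}
    asns = {asn for o in observations for asn in o.asns}
    return W_A * len(ips) + W_ASN * len(asns)


def is_fast_flux(observations):
    """Automated decision: above the boundary means 'looks like fast flux'."""
    return flux_score(observations) > THRESHOLD


def _lookups(n_lookups, ips_per_lookup, n_asns, prefix):
    """Constructed lookups: every answer carries fresh RFC 5737 documentation
    addresses, spread round-robin over n_asns private-use AS numbers."""
    out, k = [], 0
    for _ in range(n_lookups):
        ips = tuple(f"{prefix}.{(k + i) % 256}" for i in range(ips_per_lookup))
        asns = tuple(64512 + (k + i) % n_asns for i in range(ips_per_lookup))
        out.append(Observation(ips, asns))
        k += ips_per_lookup
    return out


# Constructed samples, not real domains.
STATIC_SITE = [Observation(("192.0.2.10",), (64512,))] * 8  # same answer each time
FLUX_DOMAIN = _lookups(8, 5, 25, "198.51.100")              # 40 IPs over 25 ASNs
CDN_LIKE = _lookups(6, 5, 6, "203.0.113")                   # 30 IPs over 6 ASNs

if __name__ == "__main__":
    for name, obs in [("static", STATIC_SITE), ("flux", FLUX_DOMAIN), ("cdn-like", CDN_LIKE)]:
        print(f"{name:9s} score={flux_score(obs):7.2f} flagged={is_fast_flux(obs)}")
```

The CDN-like case scores above the boundary purely on IP and ASN diversity, which is why a registrar alert pipeline built on the score alone would need a review step before any report or takedown.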
