[gnso-ff-pdp-may08] Chapter 8 - Interim conclusions
- To: Fast Flux Workgroup <gnso-ff-pdp-May08@xxxxxxxxx>
- Subject: [gnso-ff-pdp-may08] Chapter 8 - Interim conclusions
- From: Marika Konings <marika.konings@xxxxxxxxx>
- Date: Thu, 14 May 2009 00:57:31 -0700
Please provide your feedback if/how chapter 8 (see current text below) should
be modified.

=============================

8 Interim Conclusions

During the study of fast flux hosting, the working group quickly came to
appreciate that the subject area that originally formed the basis of the study
had changed rapidly from the time of publication of the SSAC report that
stimulated GNSO interest to the issuance of the PDP. Flux hosting, flux
techniques and flux facilitated attacks continued to evolve even during the
WG's study period.

8.1 Conclusions

Fast flux hosting has numerous applications. Some experts have focused on the
applications of fast flux hosting that are self-beneficial but publicly
detrimental and consider it to be an effective technique for keeping fraudulent
sites active on the Internet for the longest period of time, and it requires
domain registrations as a component for success. At the same time, a number of
the characteristics that experts ascribe to fast flux hosting have been
identified as self-beneficial without being harmful to others, or indeed, both
self- and publicly beneficial. In these latter applications, the goals of fast
flux hosting are to make networks survivable or highly reliable, but the
motives are quite different.

Gaining a common appreciation and broad understanding of the motivations behind
the employment of fast flux or adaptive networking techniques proved to be a
particularly thorny problem for the WG. Attempts to associate an intent other
than criminal and characterizing fast flux hosting as legitimate or illegal,
good or bad, stimulated considerable debate.

Study by members of the WG also revealed that flux hosting is necessarily,
accurately characterized as "fast flux" but more generally, that flux hosting
encompasses several variations and adaptations of event-sensitive, responsive,
or volatile networking techniques.

The WG studied many of the methods of detecting fast flux activities and
thwarting fast flux hosting. The WG also studied whether certain data could be
monitored, collected, and made available by various parties (e.g., registries,
registrars, and ISPs) to facilitate detection and intervention in circumstances
where fast flux hosting was publicly detrimental. These studies merit further
attention, particularly in areas where an unacceptable level of false positives
would prove detrimental to registrants affected by intervention. Measures are
needed to ensure that parties reporting fast flux activity are to be trusted.

The WG also acknowledges that fast flux and similar techniques are merely
components in the larger issue of Internet fraud and abuse. The techniques
described in this report are only part of a vast and constantly evolving
toolkit for attackers: mitigating any one technique would not eliminate
Internet fraud and abuse. Every attack that is enhanced by the use of one or
more fast flux techniques could be pursued without them, possibly at higher
cost or effort for the attacker.

These various and highly interrelated issues must all be taken into account in
any potential policy development process and/or next steps. Careful
consideration will need to be given as to which role ICANN can and should play
in this process.