Re: [gnso-ff-pdp-may08] Comment References, Interim Conclusions and Next Steps

[Dave Piscitello <dave.piscitello@xxxxxxxxx>]

The only comment I'd make is that "any" is rather open ended and suggests
that there is a zero probability of automation that would achieve a
satisfactory false-positive percentage.  In credit card and other fraud
detection situations, automation does meet the false-positive criteria that
are set. Would folks object to saying "known automated techniques require
human interpretation"?


On 6/3/09 4:43 AM  Jun 3, 2009, "Rod Rasmussen"
<rod.rasmussen@xxxxxxxxxxxxxxxxxxxx> wrote:

> 
> 
> I think Mike has done a good job of cleaning up some stuff here, but
> may have some more controversial deletes - nothing I see as a show
> stopper, but should be discussed.
> 
> I have a couple of thoughts to add in here.
> 
> In conclusions, I think we had an important consensus that, "any
> automated technique for detecting fast flux domains requires human
> interpretation of the results and examination of the evidence to
> confirm the presence of malicious or proscribed activities."
> 
> I would also add this thought to conclusions - perhaps right after
> Mike's comment about a neutral third party for determination of a
> malicious FFLUX domain:
> 
> Such a process could be devised to detect malicious FFLUX domains,
> however, those domains would still require some form of mitigation in
> order to end or prevent the undesired activity.  Depending on the
> nature of the fluxing configuration, many disparate providers could
> potentially be involved, from a domain registry or registrar, to DNS
> or hosting service providers.  The working group reached no consensus
> on which party or parties would be best suited to handle such
> mitigation work, but notes that in practical terms, such mitigations
> are already occurring in practice, but in an uncoordinated, uneven, or
> even arbitrary manner.  Some proposals do exist for creating a
> balanced process across-the-board for handling malicious domain
> registrations in general and merit further consideration for potential
> solutions to this particular issue.  <This last sentence may be better
> in the recommendations section>.
> 
> In the recommendations section, I think we should definitely point out
> that some domain name registries and registrars have already
> implemented contractual language that addresses the issue, and that is
> another way to attack the problem.  (no specific text here - just a
> thought extension that we need to cover, and there are a few places
> that could be added).
> 
> Also, please excuse the bit of APWG self-serving here, but I would
> point out that a specific mitigation framework has been proposed
> for .ASIA (and now others) in conjunction with the APWG that would
> allow for quick mitigation of malicious FFLUX domains and could be
> looked at as a general model for incident handling.
> 
> OK, please don't shoot me for a "new" thought here, but one role that
> ICANN could take on is the "best practices facilitator".  The idea
> being that ICANN (the formal company) keeps a current list of
> consensus-based best practices that could be used by various
> contracted parties, ensures that these are evangelized to those
> parties, and then does audits of if/how they are being used and
> reports findings based on those audits.  I'm just trying to think of
> ways to get past the old cliché of "everyone should follow best
> practices" and put some meaning/incentive to actually doing so.  I'm
> also trying to think of practical roles for ICANN itself to play in
> this.
> 
> Best,
> 
> Rod Rasmussen
> President and CTO
> Internet Identity
> 1 (253) 590-4088
> 
> On Jun 2, 2009, at 10:09 AM, Mike Rodenbaugh wrote:
> 
>> 
>> Hi Greg, that may depend on which version of Word you use, and what
>> view you
>> are in.  On my copy, my edits are in blue, James' in red.  When I
>> mouse over
>> the edits, it clearly shows who made them.
>> 
>> -Mike
>> 
>> -----Original Message-----
>> From: owner-gnso-ff-pdp-may08@xxxxxxxxx
>> [mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Greg Aaron
>> Sent: Tuesday, June 02, 2009 9:54 AM
>> To: icann@xxxxxxxxxxxxxx; 'fast flux fast flux'
>> Subject: RE: [gnso-ff-pdp-may08] Comment References, Interim
>> Conclusions and
>> Next Steps
>> 
>> 
>> Mike, I am not sure which edits are yours.  Can you give me an
>> example of
>> your changes, so I can distinguish them from the others?  I think
>> this doc
>> has edits by two or three hands?
>> 
>> All best,
>> --Greg
>> 
>> 
>> 
>> -----Original Message-----
>> From: Mike Rodenbaugh [mailto:icann@xxxxxxxxxxxxxx]
>> Sent: Tuesday, June 02, 2009 12:38 PM
>> To: 'fast flux fast flux'
>> Subject: RE: [gnso-ff-pdp-may08] Comment References, Interim
>> Conclusions and
>> Next Steps
>> 
>> I have suggested edits to James rework of Secs 8/9, on attached.
>> 
>> Thanks,
>> Mike
>> 
>> Mike Rodenbaugh
>> Rodenbaugh Law
>> 548 Market Street
>> San Francisco, CA  94104
>> +1.415.738.8087
>> www.rodenbaugh.com
>> 
>> 
>> 
>> -----Original Message-----
>> From: owner-gnso-ff-pdp-may08@xxxxxxxxx
>> [mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of James M.
>> Bladel
>> Sent: Sunday, May 31, 2009 1:40 PM
>> To: marika konings; fast flux fast flux
>> Subject: [gnso-ff-pdp-may08] Comment References, Interim Conclusions
>> and
>> Next Steps
>> 
>> Team:
>> 
>> Apologies for the delay on these materials.My schedule got away from
>> me
>> beginning on Thursday, and so this task was pushed to the weekend.
>> 
>> In any event, please find attached two separate documents.  The first
>> (spreadsheet) attaches references for the views of the WG on comments
>> received in response to the Initial Report.  Please note that these
>> are in
>> no way an attempt to re-categorize the comments.  Instead, the goal
>> is to
>> find the smallest number of sections / topics that sufficiently
>> address
>> -all- comments.  I have included some sample language for each topic
>> (needs
>> further word-smithing), which can be used individually or worked
>> into the
>> comment analysis summary.
>> 
>> Next, I have made many changes to section 8 ("Interim Conclusions")
>> and
>> section 9 ("Next Steps"). Please note that if you believe the text
>> does not
>> accurately characterize the WG findings, or if there are significant
>> omissions, we can work through these on our call next Wednesday.
>> 
>> Thank you,
>> 
>> J.
>> 
> 
>