Roll Call

Revise the agenda

Status Report

Briefly review status of Action Items from last week

  • Continue to reach out for data -- Dave, Greg, Rod
  • Continue to reach out for legitimate users -- Mikes, Wendy, Greg
  • Launch constituency input cycle -- all constituency reps
  • Edit the Internet Users impact section of the wiki -- Mike
  • Post a followup thread to the email list about the Definition of FastFlux conversation -- Mike
  • Focus on Questions 7, 8 and 9 for the email conversation -- Mike
  • Launch "information vs policy based" email conversation -- Mike
  • Develop and initiate a weekly progress-reporting mechanism -- Mike

Briefly review the updates to the Interim-Report section of the wiki

Discussion topics

  • Definition of fastflux
    • Fast (eg low TTL) vs Volatile (eg hosts, routing, addressing, name-service are all in a state of flux and are masked)
    • Networks on compromised hosts
    • Networks where it is hard to contact the owner/operator of the resource (either due to numbers, or cloaking)
    • Networks that are hard to deal with -- can only be disrupted by removing the domain name (by domain registration service provider)
    • Note - Registries may be quite limited in what they can do in a policy-based (vs best practices or information-based) solution
    • Note - Policy may take the form of liberalizing practices (vs imposing restrictions)
    • Limit the problem to "within the scope of ICANN to address"
      • Operation of the DNS system
      • Registration services
      • Does NOT include: routing, end-point security,
  • Data needs -- is fastflux a problem that needs to be solved?
    • Several feeds have come back. The group is trying to figure out how to analyze the results.
    • Highlights of early data -- various lists point to a range of 10-14k phishing domains; the number of addresses used per name ranges from 1 to 1700/month; another observation -- 15k rogue DNS servers in a single network. One host resolves in 350 different ASNs.
    • Uses of the information:
      • Is this a problem that needs addressing right now? Is this a problem that bears watching?
      • What is the rate of growth? How pervasive is this?
      • Is there a threshold TTL number that identifies a name as "volatile" (for example 1700 changes/month = avg TTL of about 1500)?
      • Are there clumps (loci) in the data that provide useful patterns in the use of various techniques (or could act as fingerprints)?
      • Is there a relationship between the number of queries to a DNS record and TTL?
      • What is the distribution of TTLs for DNS servers vs that for the much larger set of public-facing hosts?
      • Is there a reliable way to determine what proportion of total phishing can be characterized as FastFlux, so that we could extrapolate the dollar-cost of FastFlux from existing studies of the dollar-impact of phishing overall?
  • Legitimate users
  • Summary of “impact” discussion
    • Deferred to next meeting
  • Other topics in need of discussion
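The "Data needs" item above asks whether a change rate such as 1700 address changes/month (roughly a 1500 s average TTL) can serve as a threshold for calling a name "volatile". The following added example, which is not part of the working group's notes or data, shows how that threshold and the per-name ASN spread could be computed from resolution observations; the record layout, the 30-day month, the hypothetical names and the private-range addresses and private-use ASNs are all constructed assumptions.

```python
from collections import defaultdict

# 30-day month, the unit behind the "1700 changes/month ~ 1500 s TTL" estimate (assumption)
SECONDS_PER_MONTH = 30 * 24 * 3600

def implied_avg_ttl(changes_per_month):
    """Average seconds between address changes for a name that rotates N times a month."""
    return SECONDS_PER_MONTH / changes_per_month

def name_metrics(observations, window_seconds):
    """Per-name volatility metrics from (name, ts_seconds, ip, asn) records collected
    over one observation window of window_seconds. Address changes are counted as
    consecutive observations with differing IPs, so sparse sampling undercounts them."""
    per_name = defaultdict(list)
    for name, ts, ip, asn in observations:
        per_name[name].append((ts, ip, asn))
    metrics = {}
    for name, rows in per_name.items():
        rows.sort()  # chronological order before counting transitions
        changes = sum(1 for prev, cur in zip(rows, rows[1:]) if prev[1] != cur[1])
        changes_per_month = changes * SECONDS_PER_MONTH / window_seconds
        metrics[name] = {
            "addresses": len({r[1] for r in rows}),
            "asns": len({r[2] for r in rows}),  # spread across networks, a candidate fingerprint
            "changes_per_month": changes_per_month,
            "implied_ttl": implied_avg_ttl(changes_per_month) if changes else float("inf"),
        }
    return metrics

def is_volatile(m, ttl_threshold=1500):
    """Classify a name as volatile when its implied TTL falls below the threshold."""
    return m["implied_ttl"] < ttl_threshold

def constructed_observations():
    """Constructed sample: one hypothetical name rotating 1800 private-range addresses
    across 350 private-use ASNs in a 30-day window, one alternating between two addresses."""
    obs = []
    for i in range(1800):
        obs.append(("flux.example", i * (SECONDS_PER_MONTH // 1800),
                    f"10.{i // 256}.{i % 256}.1", 64512 + i % 350))
    for d in range(30):
        obs.append(("stable.example", d * 86400, f"192.0.2.{1 + d % 2}", 64512))
    return obs

if __name__ == "__main__":
    for name, m in name_metrics(constructed_observations(), SECONDS_PER_MONTH).items():
        print(name, "volatile" if is_volatile(m) else "stable",
              {k: round(v, 1) if isinstance(v, float) else v for k, v in m.items()})
```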

Plans for the upcoming week

  • Action Items
    • Get in touch with Team Camry (sp?), people who have a lot of data about Storm worm and others

Other business
