paper

ICANN: Initial Report of the GNSO Fast Flux Hosting Working Group

Thursday, January 29. 2009

Fast-Flux Service Networks is a phenomenon I covered in this blog a couple of times earlier on. We als published two papers on this topic and made the data collected during our study available. Back in May 2008 ICANN had formed a working group to address this problem which should answer the following questions:

Who benefits from fast flux, and who is harmed?

Who would benefit from cessation of the practice and who would be harmed?

Are registry operators involved, or could they be, in fast flux hosting activities? If so, how?

Are registrars involved in fast flux hosting activities? If so, how?

How are registrants affected by fast flux hosting?

How are Internet users affected by fast flux hosting?

What technical (e.g. changes to the way in which DNS updates operate) and policy (e.g. changes to registry/registrar agreements or rules governing permissible registrant behavior) measures could be implemented by registries and registrars to mitigate the negative effects of fast flux?

What would be the impact (positive or negative) of establishing limitations, guidelines, or restrictions on registrants, registrars and/or registries with respect to practices that enable or facilitate fast flux hosting?

What would be the impact of these limitations, guidelines, or restrictions to product and service innovation?

What are some of the best practices available with regard to protection from fast flux?

Since a few days the initial report of this working group is available and the report is an interesting read. Public comments should be sent directly to ICANN until February 15, 2009 - so if you have comments, please send them to ICANN.

Posted by Thorsten Holz in malware, paper at 23:50 | Comments (0) | Trackbacks (0)

Call for Papers: LEET'09 and EuroSec'09

Saturday, January 10. 2009

Just a quick reminder of two upcoming deadlines for workshops I am involved with:

The Call for Papers for the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threat (LEET'09) ends on January 16, 2009. More information is available at http://www.usenix.org/events/leet09/.

The deadline for the 2009 European Workshop on System Security (EuroSec'09) is on January 19, 2009. More information is available at http://www.ics.forth.gr/dcs/eurosec09/.

Looking forward to your submissions!

Posted by Thorsten Holz in paper at 11:03 | Comments (0) | Trackbacks (0)

Fast-Flux Data from ATLAS

Friday, January 9. 2009

Yesterday Jose blogged about "2008 H2 Fast Flux Data Analysis" based on the information collected by ATLAS. They discover on average between 40 and 50 new fast-flux domains per day and found the following trends:

We’re seeing two trends of note with respect to 2008 with fast flux domain registrations and use. The first is the growth of .CN as a fast flux TLD. Most of the .CN domains we see registered and fluxing come through a registrar like BIZCN, whom we now treat with some suspicion. [...] The second big trend over 2008 is the migration away from .COM and .CN to a lot more TLDs.

It's interesting to see the new developments in this area compared to our paper from late 2007 and the measurement results from ATLAS. Our fast-flux tracking system will be online again in the next few days, I will also blog about some updates in the future.

Posted by Thorsten Holz in honeynets, malware, paper at 10:03 | Comments (0) | Trackbacks (0)