Draft Final Report on Fast Flux Hosting Date: Deleted: Initial 1 2 3 22 Deleted: Initial 4 [Draft] Final Report of the 5 GNSO Fast Flux Hosting Working Group 6 7 8 9 10 STATUS OF THIS DOCUMENT 11 This is the [Draft] Final Report of the Working Group on fast flux hosting, for submission to the GNSO 23 Deleted: Initial 12 Council on [date] following public comments on the Initial Report of 26 January 2009. 24 Deleted: 26 January 2009 13 25 Deleted: A Final Report will be prepared 26 following public comment.¶ 14 15 16 17 18 SUMMARY 19 This report is submitted to the GNSO Council following public comments to the Initial Report as a 20 required step in the GNSO Policy Development Process on Fast Flux Hosting. 21 Deleted: Initial Draft Final Report on Fast Flux Hosting Author: Marika Konings Page 1 of 151 Draft Final Report on Fast Flux Hosting Date: Deleted: Initial 45 Deleted: ¶ 46 This report is submitted to the GNSO 27 TABLE OF CONTENTS 47 Council and posted for public comment as a 48 required step in this GNSO Policy 49 Development Process on Fast Flux Hosting. 50 Deleted: ¶ 28 1 EXECUTIVE SUMMARY 3 51 ¶ 52 ¶ 29 2 REPORT PROCESS AND NEXT STEPS 15 30 3 BACKGROUND 16 31 4 APPROACH TAKEN BY THE WORKING GROUP 22 32 5 DISCUSSION OF CHARTER QUESTIONS 25 33 6 PUBLIC COMMENT PERIOD 53 34 7 CHALLENGES 66 35 8 CONCLUSIONS 69 36 9 RECOMMENDED NEXT STEPS 71 37 ANNEX I – CONSTITUENCY INPUT TEMPLATE 74 38 ANNEX II - CONSTITUENCY STATEMENTS (SUMMARY)76 39 ANNEX III – CONSTITUENCY STATEMENTS (FULL) 78 40 ANNEX IV FAST FLUX CASE STUDY 105 41 ANNEX V – FAST FLUX METRICS 106 42 ANNEX VI THE MANNHEIM FORMULA 115 43 ANNEX VII– INDIVIDUAL STATEMENTS 124 44 ANNEX VIII – FAST FLUX WG ATTENDANCE SHEET 150 Deleted: Initial Draft Final Report on Fast Flux Hosting Author: Marika Konings Page 2 of 151 Draft Final Report on Fast Flux Hosting Date: Deleted: Initial 87 Deleted: Page Break 53 1 Executive summary 88 Deleted: Section Break (Continuous) 54 55 1.1. Background 56 . Following the publication of the SSAC Advisory on Fast Flux Hosting and DNS (SAC 57 025) in January 2008, the GNSO Council instructed ICANN staff on 6 March 2008 to 58 prepare and Issues Report which ‗shall consider the SAC Advisory [SAC 025], and shall 59 outline potential next steps for GNSO policy development designed to mitigate the 60 current ability for criminals to exploit the DNS via ‗fast flux‘ IP or nameserver changes‘. 61 . The issues report was published on 31 March 2008 and recommended ―the GNSO 62 sponsor further fact-finding and research concerning guidelines for industry best 63 practices before considering whether or not to initiate a formal policy development 64 process‖. 65 . At its 8 May 2008 meeting, the GNSO Council initiated a formal policy development 66 process (PDP) and called for the creation of a working group on fast flux. The working 67 group charter was approved on 29 May 2008 and asked the working group to consider 68 the following questions: 69 - Who benefits from fast flux, and who is harmed? 70 - Who would benefit from cessation of the practice and who would be harmed? 71 - Are registry operators involved, or could they be, in fast flux hosting activities? If so, 72 how? 73 - Are registrars involved in fast flux hosting activities? If so, how? 74 - How are registrants affected by fast flux hosting? 75 - How are Internet users affected by fast flux hosting? 76 - What technical (e.g. changes to the way in which DNS updates operate) and policy 77 (e.g. changes to registry/registrar agreements or rules governing permissible 78 registrant behavior) measures could be implemented by registries and registrars to 79 mitigate the negative effects of fast flux? 80 - What would be the impact (positive or negative) of establishing limitations, 81 guidelines, or restrictions on registrants, registrars and/or registries with respect to 82 practices that enable or facilitate fast flux hosting? 83 - What would be the impact of these limitations, guidelines, or restrictions to product 84 and service innovation? 85 - What are some of the best practices available with regard to protection from fast 86 flux? Deleted: Initial Draft Final Report on Fast Flux Hosting Author: Marika Konings Page 3 of 151 Draft Final Report on Fast Flux Hosting Date: Deleted: Initial 89 The Group was also tasked to obtain expert opinion, as appropriate, on which areas of fast 90 flux are in scope and out of scope for GNSO policy making. 91 92 1.2. Approach taken by the Working Group 93 . The Fast Flux Working Group started its deliberations on 26 June 2008 and decided to 94 start working on answering the charter questions in parallel to the preparation of 95 constituency statements on this topic. In order to facilitate the feedback from the 96 constituencies, a template was developed for responses (see Annex I). In addition to 97 weekly conference calls, extensive dialogue occurred through the fast flux mailing list 98 with over 800 messages posted. 99 . Except where marked differently, the positions outlined in this document should be 100 considered in agreement by the Working Group. Where no broad agreement could be 101 reached, the following labels have been used to indicate the level of support for a certain 102 position: 103 - Support – there is some gathering of positive opinion, but competing positions may 104 exist and broad agreement has not been reached. 105 - Alternative view – a differing opinion that has been expressed, without garnering 106 enough following within the WG to merit the notion of either Support or Agreement. It 107 should be noted that an alternative view could be expressed where there is broad 108 agreement as well as support. 109 . The Initial Report was published on 26 January 2009 and was followed by a public 110 comment period as prescribed in the ICANN by-laws. 111 112 1.3. Discussion of Charter Questions 113 . After considerable deliberation, the working group was able to identify positive 114 applications of certain characteristics generally associated with the term fast flux hosting. 115 These adaptive networking characteristics, including short TTLs and frequent update of 116 DNS records, are present in production networking environments that are high profile, 117 support mobility, or are likely-targets of attacker, or network that must be adaptive and 118 resilient. Such self-beneficial or positive applications are described in the literature as 119 ‗volatile networking‘. Generally, additional, sufficiently different and suspicious 120 characteristics are present in malicious networking applications to distinguish positive, 121 volatile networks from fast flux attack networks. Deleted: Initial Draft Final Report on Fast Flux Hosting Author: Marika Konings Page 4 of 151 Draft Final Report on Fast Flux Hosting Date: Deleted: Initial 122 . A fast flux attack network, for the purposes of the working group exhibits the following 155 Deleted: 123 characteristics: 124 Some but not necessarily all of the network nodes are operated on compromised 125 hosts (i.e., using software that was installed on hosts without notice or consent to the 126 system operator/owner); 127 Is ‗volatile‘ in the sense that the active nodes of the network change in order to 128 sustain the network‘s lifetime, facilitate the spread of the network software 129 components, and to conduct other attacks; and 130 Uses a variety of techniques to achieve volatility including: 131 - rapid and repeated selection of systems from a pool of botted hosts, with those 132 systems being used for the purpose of serving malicious content, for use as 133 name servers, and for other purposes, all via DNS entries with low TTLs; 134 - dispersing network nodes across a wide number of consumer grade autonomous 135 systems; 136 - monitoring member nodes to determine/conclude that a host has been identified 137 and shut down; and 138 - time, or other metric-based, topology changes to network nodes, name server, 139 proxy targets or other components. 140 Additional characteristics that in combination or collectively have been used to 141 distinguish or ―fingerprint‖ a fast flux hosting attack include: 142 - multiple IPs per NS spanning multiple ASNs, 143 - frequent NS changes, 144 - in-addrs.arpa or IPs lying within consumer broadband allocation blocks, 145 - domain name age, 146 - poor quality WHOIS, 147 - determination that the nginx proxy is running on the addressed machine: nginx is 148 commonly used to hide/proxy illegal web servers, 149 - the domain name is one of possibly many domain names under the name of a 150 registrant whose domain administration account has been compromised, and the 151 attacker has altered domain name information without authorization. 152 . The distribution and use of software installed on hosts without notice to or consent of the 153 system operator/owner is a critically important characteristic of a fast flux attack network; 154 in particular, it is one among several characteristics that distinguish fast flux attack Deleted: Initial Draft Final Report on Fast Flux Hosting Author: Marika Konings Page 5 of 151 Draft Final Report on Fast Flux Hosting Date: Deleted: Initial 156 networks from production uses of fast flux techniques in applications such as content 157 distribution networking, high availability and resilient networking, etc. 158 . When used by criminals, the main goal of fast-flux hosting is to prolong the period of time 159 during which the attack continues to be effective. It is not an attack itself – it is a way for 160 an attacker to avoid detection and frustrate the response to the attack. 161 . The WG offers the following initial working answers to the charter questions but would 162 like to emphasize that continued work is required in the following areas: 163 - A robust technical, and process, definition of ―fast flux‖, 164 - Reliable techniques to detect fast flux networks while maintaining an acceptable rate 165 of false positives, 166 - Reliable information as to the scope and penetration of fast flux networks, 167 - Reliable information as to the financial and non-financial impact of fast flux networks 168 .
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages151 Page
-
File Size-