Prolonging the Attack

By Larry Seltzer  |  Posted 2009-02-08

At least the report explicitly recognized the core purpose of fast flux in illicit use: it prolongs the life of an attack. The report cites a paper by Tyler Moore and Richard Clayton of Cambridge that measured fast flux attacks as lasting at least twice as long as non-flux attacks.

ICANN's work on this is hardly the first attempt to study fast flux networking or how to stop it. The ubiquitous Gadi Evron started a conversation on the subject three years ago (work that was not credited in the ICANN report; for shame, for shame...). I was in on the discussions then, and it was clear that the main obstacle to taking down such networks was lazy and/or complicit domain name registrars, although many registrars were and still are responsive to responsible reports of abuse from responsible agencies. Organizations Evron was involved with had success in taking down some networks, not so much others. The ICANN report states that "[N]o registrar has been prosecuted for facilitating criminal activities related to fast flux domains, but there have been reports linking one ICANN-accredited registrar to a large number of fraudulent domains including fast flux domains." I'm not at all surprised.

My own guess is that the best way to do this is at the domain level, and therefore a faster response is required at the registrar level. ICANN has deaccredited a registrar or two recently for gross abuse, but in the main it has been indulgent of registrars and has only reacted after problems have festered for years. As one observer noted, generously I think, in the public comments on the ICANN report:

The report may say that registrars and resellers only "have the appearance of facilitation of fast flux domain attacks", but the fact is that they have created an environment that invites abuse. They too often simply do not maintain staff and policies adequate to prevent even the most blatant abuses from taking place.
Personally, I think it's worse than this. I know from personal experience that some registrars ignore clear evidence of abuse unless they're forced to react.

Absent any crackdown on registrars, it's worth noting that the function of quick take-downs could be performed effectively at the registry level. I've always liked this approach because it's so efficient, but there doesn't seem to be a lot of stomach for it. Ideally you'd only want to have a registry take down a domain when the registrar, the company with which the registrant has a relationship, is unresponsive. If a registrar is that unresponsive to a clear policy process (none of which exists yet, of course), then things are bad and it deserves serious scrutiny.

I asked Gadi Evron about all this again and he reminded me that there are responsible registrars and registries out there: "I am pleased with ICANN's continuing work on this subject, which I've had the pleasure to help initiate with Steve Crocker a couple of years ago. While their progress is essential, the part of the [registrar] industry which sees the need has not been waiting for consensus, and takes care of these issues under their own authority." Unfortunately, one bad, unresponsive registrar can do a lot of damage.

The working group does list "accelerated domain suspension processing in collaboration with certified investigators/responders" as one of the possible ways to work on the problem. Staying conservative about things, as ICANN is often inclined to do, this is the best we could hope for. And if there are teeth in the policy to enforce these rules, it could make a practical difference. This is what we were talking about three years ago with Gadi Evron's group. But this approach was not the conclusion of the group; we're still too early in the ICANN process to go that far. It's just one of the proposed reactions. The "Interim Conclusions" of the report are (unsurprisingly) that more study is needed. That's something anyone can say if they don't think that hardened networks of malicious systems are an urgent problem.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.

Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.