ICANN's Fast Flux Working Group recently announced an Initial Report. In fact, it also offered a 20-day window for submitting comments on the report, but I missed that, as I was travelling and didn't read that particular email. Perhaps you did better, in which case you probably won't be much interested in this blog.

Fast flux is a major issue in Internet security, because criminals make much use of it to cover their tracks, and we've mentioned it from time to time here before: for example, Pierre mentioned in his recent blog on Waledac and Valentine's Day that "The Waledac botnet has been using fast flux for some time now. This means that the IP addresses of the websites used to distribute this malware are changed rapidly in an effort to avoid tracking of malicious servers."

ICANN (Internet Corporation for Assigned Names and Numbers) established a working group, according to the announcement here, in order to address questions like these (there is a lot more that is specifically concerned with the interests of registrars and registrants):

  • Who benefits from fast flux, and who is harmed?
  • Who would benefit from cessation of the practice and who would be harmed?
  • How are Internet users affected by fast flux hosting?
  • What technical (e.g. changes to the way in which DNS updates operate) and policy ... measures could be implemented by registries and registrars to mitigate the negative effects of fast flux?
  • What would be the impact of these limitations, guidelines, or restrictions on product and service innovation?
  • What are some of the best practices available with regard to protection from fast flux?

The Group was also asked to obtain expert opinion on which areas of fast flux are in or out of scope for GNSO (Generic Names Supporting Organization) policy making.

So, is ICANN about to save us from criminals and malicious botnets? I'm afraid not.

The report does provide some ideas for discussion and feedback during the public comment period (which has apparently already passed), but the WG has not reached consensus on any of those ideas so far. The report states that "The objective of the Working Group will be to review the input received during the public comment period and determine which, if any, recommendations receive the support of the Working Group for inclusion in the final report." Perhaps the most positive aspect of the report is that it will explore the possibility of involving other stakeholders in the fast flux policy development process: not only other ICANN entities, but also external entities such as APWG (Anti-Phishing Working Group), MAAWG (Messaging Anti-Abuse Working Group), StopBadware.org, the FTC (Federal Trade Commission) and law enforcement.

It seems to me that this is currently (mainly) a data collecting exercise, with the intention of establishing a foundation for future analysis. A worthy aim and possibly a useful long-term initiative, but no quick fix, and while the document is interesting, it's a long way from presenting anything authoritative. However, if you'd like to understand the problem better, a useful summary was published by ICANN's Security and Stability Advisory Committee (SAC 025: SSAC Advisory on Fast Flux Hosting and DNS).

David Harley B
Director of Malware Intelligence