Definitions - Initial Draft

A Fast Flux network is, for purposes of this working group:

  • operated on one or more compromised hosts (i.e., using software that was installed on hosts without notice or consent to the system operator/owner)
  • "volatile" in the sense that the active nodes of the network change in order to sustain the network's lifetime, facilitate the spread of the network software components, and conduct other attacks
  • characterized by the use of a variety of techniques to achieve volatility, including:
    • (rapid) modification of IP addresses for malicious content hosts, name servers and other network components via DNS entries with low TTLs
    • dispersing network nodes across a large number of consumer-grade autonomous systems
    • monitoring member nodes to determine/conclude that a host has been identified and shut down **
    • time-based, or other metric-based, topology changes to network nodes, name servers, proxy targets or other components
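
The characteristics listed above (low TTLs, rapidly changing addresses, dispersal across many autonomous systems) can be measured from repeated DNS lookups of a single hostname. The following is an added example, not part of the working group's draft: the function name, the thresholds and the sample records (documentation IP ranges and documentation ASNs) are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Thresholds are illustrative assumptions, not values from the working group.
MAX_TTL = 300        # seconds; what counts as a "low TTL" here
MIN_ASNS = 3         # answers dispersed across at least this many autonomous systems
MIN_TURNOVER = 0.5   # mean share of the A-record set replaced between polls

def flux_indicators(observations):
    """observations: iterable of (poll_time, ip, ttl, asn) for ONE hostname."""
    polls, ttls, asns = defaultdict(set), [], set()
    for poll_time, ip, ttl, asn in observations:
        polls[poll_time].add(ip)
        ttls.append(ttl)
        asns.add(asn)
    ordered = [polls[t] for t in sorted(polls)]
    # Turnover between consecutive polls: 1 - Jaccard similarity of the answer sets.
    turnovers = [1 - len(a & b) / len(a | b) for a, b in zip(ordered, ordered[1:])]
    result = {
        "distinct_ips": len(set().union(*ordered)),
        "distinct_asns": len(asns),
        "median_ttl": median(ttls) if ttls else None,
        "mean_turnover": sum(turnovers) / len(turnovers) if turnovers else 0.0,
    }
    # All three signals are required: low TTL plus rotation alone also describes
    # ordinary load-balanced hosting, which typically stays inside one AS.
    result["candidate"] = (
        bool(ttls)
        and result["median_ttl"] <= MAX_TTL
        and result["distinct_asns"] >= MIN_ASNS
        and result["mean_turnover"] >= MIN_TURNOVER
    )
    return result

# Constructed samples: three polls of a flux-like name, two polls of a
# single-AS rotating name, two polls of a stable name.
FLUX = [
    (0, "192.0.2.10", 180, 64496), (0, "198.51.100.20", 180, 64497),
    (0, "203.0.113.30", 180, 64498), (300, "192.0.2.77", 180, 64499),
    (300, "198.51.100.20", 180, 64497), (300, "203.0.113.91", 180, 64500),
    (600, "192.0.2.140", 180, 64501), (600, "198.51.100.66", 180, 64502),
    (600, "203.0.113.91", 180, 64500),
]
SINGLE_AS = [(0, "192.0.2.1", 60, 64510), (0, "192.0.2.2", 60, 64510),
             (300, "192.0.2.3", 60, 64510), (300, "192.0.2.4", 60, 64510)]
STABLE = [(0, "198.51.100.5", 86400, 64511), (300, "198.51.100.5", 86400, 64511)]

if __name__ == "__main__":
    for name, obs in (("flux", FLUX), ("single-AS", SINGLE_AS), ("stable", STABLE)):
        print(name, flux_indicators(obs))
```

A positive result only marks a name for review; it says nothing about whether the hosts are compromised, which is the first element of the definition.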

In order to limit the problem to what is "within the scope of ICANN to address", we will further restrict our focus to:

  • Include -- operation of the DNS system
  • Include -- registration services
  • Exclude -- inaccurate WHOIS information -- this issue is being addressed in a broader ICANN conversation and is not restricted to Fast Flux
  • Exclude -- criminal intent -- while frequently included in other definitions of Fast Flux, the definition of "criminal" presents problems for our analysis because it varies depending on point of view
