Re: [weirds] I-D Action: draft-hollenbeck-dnrd-ap-query-00.txt

Eric Brunner-Williams <ebw@abenaki.wabanaki.net> Mon, 30 April 2012 21:21 UTC

Message-ID: <4F9F0266.1050202@abenaki.wabanaki.net>
Date: Mon, 30 Apr 2012 17:21:42 -0400
From: Eric Brunner-Williams <ebw@abenaki.wabanaki.net>
Organization: wampumpeag
To: weirds@ietf.org
References: <831693C2CDA2E849A7D7A712B24E257F0D5F47A3@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <831693C2CDA2E849A7D7A712B24E257F0D5F4898@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <82189D85-608F-4FC0-8DF4-51D343CF51C6@icann.org>
In-Reply-To: <82189D85-608F-4FC0-8DF4-51D343CF51C6@icann.org>

On 4/30/12 12:01 PM, Dave Piscitello wrote:
> These would be interesting in a number of malicious registration/forensics scenarios. For example, think about DGAs that generate names across multiple registries (like Conficker). Now think about trying to pattern match to see if there is a common registrar being used or exploited. 

i made, or thought i made, the point during the .C response that the
.C author's attempt to generate an inventory of rendezvous points had
more utility demonstrating the aggregate complexity and cost the
author was willing to incur, imposed by both registry and registrar,
and if memory serves, ignoring the conjectured, but undiscovered
complexity/cost boundary the .C author was unwilling to cross, my
analysis of the registrar-to-rendezvous-points showed no significant
correlation to com/net/org/biz/info registrars other than market share.

the similarity of string sets has been a known feature of ip
exploiting registrations for almost all of the current iana contract
period, though iterative uni-quiry into arbitrary points into the
adjacent string space seems to be the state of the query art.

> Since many information flows identify IP addresses initially and either resolve to names later or not at all, I suspect that this, too, would be valuable for any investigator.
> 
> These would also be extremely valuable if consensus policy were to consider and add reseller objects to the data model. This is my personal opinion and speculative as well. My company and members of the broader community may think differently.

your company? that would be the rhs of "dave.piscitello@icann.org"?

-e
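As an added illustration of the market-share comparison described in the reply above (example code, not from the thread or from any WEIRDS draft), the following Python checks whether the registrar distribution of a flagged set of registrations deviates from a market-share baseline; the registrar names, domain strings and baseline shares are constructed placeholders.

```python
from collections import Counter

# Constructed sample: registrar of record for a set of flagged registrations.
# Registrar names "RegA"/"RegB"/"RegC" and the domain strings are hypothetical.
BALANCED = {
    "qwxz.com": "RegA", "plmko.net": "RegA", "zzqv.org": "RegB",
    "hhtyu.info": "RegA", "nnbvc.biz": "RegC", "kkjhg.com": "RegB",
    "aazsx.net": "RegA", "ppoiu.org": "RegC", "mmnbv.com": "RegA",
    "llkjh.info": "RegB",
}
# Second constructed sample in which one registrar is over-represented.
SKEWED = {
    "qwxz.com": "RegA", "plmko.net": "RegA", "zzqv.org": "RegB",
    "hhtyu.info": "RegC", "nnbvc.biz": "RegC", "kkjhg.com": "RegB",
    "aazsx.net": "RegC", "ppoiu.org": "RegC", "mmnbv.com": "RegC",
    "llkjh.info": "RegC",
}
# Constructed market-share baseline: fraction of all registrations per registrar.
BASELINE = {"RegA": 0.50, "RegB": 0.30, "RegC": 0.20}

# Chi-square critical value for 2 degrees of freedom (3 registrars - 1) at p = 0.05.
CRITICAL_DF2_P05 = 5.991


def registrar_lift(flagged, baseline):
    """Per registrar: observed count, count expected from market share, and
    lift = observed share / market share (1.0 means 'just market share')."""
    counts = Counter(flagged.values())
    n = len(flagged)
    out = {}
    for reg, share in baseline.items():
        observed = counts.get(reg, 0)
        out[reg] = {
            "observed": observed,
            "expected": n * share,
            "lift": round((observed / n) / share, 2),
        }
    return out


def chi_square(flagged, baseline):
    """Pearson chi-square of observed registrar counts against market share."""
    counts = Counter(flagged.values())
    n = len(flagged)
    return sum((counts.get(r, 0) - n * p) ** 2 / (n * p) for r, p in baseline.items())


def deviates_from_market_share(flagged, baseline, critical=CRITICAL_DF2_P05):
    """True when the registrar mix differs from market share beyond chance."""
    return chi_square(flagged, baseline) > critical
```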