Re: [gnso-ff-pdp-may08] Jump start on answering GNSO questions regarding fast flux
- To: joe@xxxxxxxxxxxxxxxxxx
- Subject: Re: [gnso-ff-pdp-may08] Jump start on answering GNSO questions regarding fast flux
- From: Eric Brunner-Williams <ebw@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 02 Jul 2008 11:24:07 -0700
Joe St Sauver wrote:
#If there are legitimate uses of low TTLs,
And of course there *are* legitimate uses, including the ability to rapidly
I appreciate the non-assumption of correctness or "legitimacy".
I renumbered hq.af.mil and before that, parts of sri.arpa. I appreciate
the value of using domain names.
#then monitoring "low TTL" alone is not sufficient.
Correct, although that *IS* something that should be noted as part of
building an aggregate "score" for a potential fast flux domain.
I would suggest adding some additional factors for automated analysis:
-- How *many* dotted quads are returned?
Agree. There are properties intrinsic to the RR set.
-- If you look at the in-addr's for those dotted quads, ...
Agree. There are properties intrinsic to the addrs.
-- If you map the dotted quads to ASNs ...
Agree. There are properties intrinsic to the routing.
-- If you look at the headers returned by the site, ...
Agree. There may be signal in the HTTP header.
-- If you look at the name servers used ...
Agree. There may be shared fate or detected similarity.
-- If you look at the domain whois ...
Agree. However, likely to be less useful, and significantly encumbered
as a PDP area of work.
-- if you look at the age of the domain, ...
Agree. However the obvious work-around is to acquire names and exploit
them after any temporal heuristic threshold is passed. If 50% of .com is
now tasting, and each tasted domain need only presently generate $6/yr
and change to be maintained, any that yield less than the renewal cost
have an acquisition cost of less than $6, and are arbitrarily aged. My
point being that the universe of names which remain after such a test is
applied is as effectively infinite and as effectively free to an
attacker as the number of compromised Windows machines and ipv4 addrs. I
suppose I should have gone to the Domainer meeting in Paris last Friday
and offered $1/domain and seen how many people would have rather
unloaded their poorly performing portfolios at that price or let them
disappear into the drop pool. Instead I attended Egeni, where we could
hear them chanting in worship through the wall that separated us ... um,
#SSAC also suggested rate limiting. I'm not crazy about this option. It
#seems like it could be circumvented by the attackers if they simply used
#many more domains for name servers.
Require static glue records for name servers, and require a fee for changes
made to those glue records. Voila, fastflux per se disappears.
A change in the cost of acquisition modified the tasting practice, so a
change here may have the same outcome. However, it is worth pointing out
that cost of asset is important, and that free or low-cost domains
(registry, or registrar promotions) cause problems. Registrars and
registries that charge a lot simply offer lower ROI for the attacker.
#We also need to consider whether any policy that focuses on TTL will
#simply incent the attackers to adopt a different strategy.
You're really asking, "*Why* do the bad guys publish records with short
The answer is, "Having short TTLs allows them to delete dotted quads
which are associated with systems that are no longer accessible/usable,
while also making it possible for them to avoid staying on any one
system long enough for the ISP or law enforcement to do lawful intercept,
thereby identifying the upstream connection coming out of that compromised
Assuming that analysis is correct, and short TTLs magically become
impossible, the bad guys are then likely to look for dotted quads which
have a proven track record of being relatively static, on providers with
poor network instrumentation, in countries with glacial cyber law
And if that's impossible, and everything suddenly becomes crazy efficient,
I *think* the bad guys would just multiplex their cr*p over more domain
names, getting survivability and redundancy by mapping more domains to
a wider range of FQDNs (all still hosted on compromised consumer systems)
Short TTLs are *convenient* for the bad guys/gals, but short TTLs are by
no means *required* to enable website hosting or DNS hosting on
I hope I made the same point earlier, but I may have had less coffee and
I generally tend towards incoherence while writing for a heterogeneous
Disclaimer: all opinions strictly my own
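
An added example, not part of either author's message: a minimal aggregate score over three of the factors listed in the thread (TTL, number of dotted quads returned, number of distinct origin ASNs), showing that a low TTL alone contributes little while the combination stands out. The thresholds, weights, names and sample observations are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed thresholds and weights (illustrative, not taken from the thread).
LOW_TTL_SECONDS = 300
MANY_ADDRS = 5
MANY_ASNS = 3
WEIGHTS = {"low_ttl": 1, "many_addrs": 2, "many_asns": 3}

@dataclass
class Observation:
    name: str
    ttl: int      # TTL of the A RRset, in seconds
    addrs: dict   # dotted quad -> origin ASN, mapped offline

def flux_score(obs):
    """Return (score, signals) for one observed A RRset."""
    for quad in obs.addrs:
        ipaddress.IPv4Address(quad)  # raises ValueError on a malformed address
    signals = []
    if obs.ttl <= LOW_TTL_SECONDS:
        signals.append("low_ttl")
    if len(obs.addrs) >= MANY_ADDRS:
        signals.append("many_addrs")
    if len(set(obs.addrs.values())) >= MANY_ASNS:
        signals.append("many_asns")
    return sum(WEIGHTS[s] for s in signals), signals

# Constructed sample data: documentation address ranges and private-use ASNs.
# A site being renumbered: short TTL, but one address in one ASN.
RENUMBERING = Observation("www.example.org", 60, {"192.0.2.10": 64512})
# A suspect name: short TTL, many addresses spread over many ASNs.
SUSPECT = Observation("flux.example.net", 60, {
    "192.0.2.77": 64512, "198.51.100.3": 64513, "198.51.100.200": 64514,
    "203.0.113.9": 64515, "203.0.113.154": 64516,
})

if __name__ == "__main__":
    for obs in (RENUMBERING, SUSPECT):
        print(obs.name, *flux_score(obs))
```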