Re: [gnso-ff-pdp-may08] Jump start on answering GNSO questions regarding fast flux

[Eric Brunner-Williams <ebw@xxxxxxxxxxxxxxxxxxxx>]

Joe St Sauver wrote:
> Dave mentioned:
>
> #If there are legitimate uses of low TTLs, 
>
> And of course there *are* legitimate uses, including the ability to rapidly
> ...
I appreciate the non-assumption of correctness or "legitmacy".

I renumbered hq.af.mil and before that, parts of sri.arpa. I appreciate 
the value of using a domain names.
> #then monitoring "low TTL" alone is not sufficient. 
>
> Correct, although that *IS* something that should be noted as part of 
> building an aggregate "score" for a potential fast flux domain.
> I would suggest adding some additional factors for automated analysis:
>
> -- How *many* dotted quads are returned? 
>   
Agree. There are properties intrinsic to the RR set.

> -- If you look at the in-addr's for those dotted quads, ...
Agree. There are properties intrinsic to the addrs.

> -- If you map the dotted quads to ASNs ...
Agree. There are properties intrinsic to the routing.

> -- If you look at the headers returned by the site, ...
Agree. There may be signal in the HTTP header.

> -- If you look at the name servers used ...
>   
Agree. There may be shared fate or detected similarity.

> -- If you look at the domain whois ...
Agree. However, likely to be less useful, and significantly encumbered 
as a PDP area of work.
> -- if you look at the age of the domain, ...
Agree. However the obvious work-around is to acquire names and exploit 
them after any temporal huristic threshold is passed. If 50% of .com is 
now tasting, and each tasted domain need only presently generate $6/yr 
and change to be maintained, any that yeild less than the renewal cost 
have an acquisition cost of less than $6, and are arbitrarily aged. My 
point being that the universe of names which remain after such a test is 
applied is as effectively infinite and as effectively free to an 
attacker as the number of compromised Windows machines and ipv4 addrs. I 
suppose I should have gone to the Domainer meeting in Paris last Friday 
and offered $1/domain and seen how many people would have rather 
unloaded their poorly performing portfolios at that price or let them 
disapear into the drop pool. Instead I attended Egeni, where we could 
hear them chanting in worship through the wall that separated us ... um, 
conducting auctions.
> #SSAC also suggested rate limiting. I'm not crazy about this option. It 
> #seems like it could be circumvented by the attackers if they simply used 
> #many more domains for name servers.
> Require static glue records for name servers, and require a fee for changes
> made to those glue records. Voila, fastflux per se disappears.
A change in the cost of acquisition modified the tasting practice, so a 
change here may have the same outcome. However, it is worth pointing out 
that cost of asset is important, and that free or low-cost domains 
(registry, or registrar promotions) cause problems. Registrars and 
registries that charge a lot simply offer lower ROI for the attacker.
> #We also need to consider whether any policy that focuses on TTL will 
> #simply incent the attackers to adopt a different strategy. 
>
> You're really asking, "*Why* do the bad guys publish records with short
> TTLs?"
>
> The answer is, "Having short TTLs allows them to delete dotted quads
> which are associated with systems that are no longer accessible/usable,
> while also making it possible for them to avoid staying on any one 
> system long enough for the ISP or law enforcement to do lawful intercept,
> thereby identifying the upstream connection coming out of that compromised 
> host.""
> Assuming that analysis is correct, and short TTLs magically become
> impossible, the bad guys are then likely to look for dotted quads which 
> have a proven track record of being relatively static, on providers with 
> poor network instrumentation, in countries with glacial cyber law 
> enforcement.
> And if that's impossible, and everything suddenly becomes crazy efficient,
> I *think* the bad guys would just multiplex their cr*p over more domain 
> names, getting survivability and redundancy by mapping more domains to 
> a wider range of FQDNs (all still hosted on compromised consumer systems)
> Short TTLs are *convenient* for the bad guys/gals, but short TTLs are by 
> no means *required* to enable website hosting or DNS hosting on 
> compromised PCs...
>   
I hope I made the same point earlier, but I may have had less coffee and 
I generally tend towards incoherence while writing for a hetro-geneous 
readership.
> Regards,
>
> Joe
>
> Disclaimer: all opinions strictly my own
>   
Ditto,
Eric