Re: [gnso-ff-pdp-may08] Jump start on answering GNSO questions regarding fast flux
Joe St Sauver wrote:
Dave mentioned:
#If there are legitimate uses of low TTLs,
And of course there *are* legitimate uses, including the ability to rapidly ...
I appreciate the non-assumption of correctness or "legitimacy". I renumbered hq.af.mil and before that, parts of sri.arpa. I appreciate the value of using domain names.
#then monitoring "low TTL" alone is not sufficient.
Correct, although that *IS* something that should be noted as part of building an aggregate "score" for a potential fast flux domain.
I would suggest adding some additional factors for automated analysis:
-- How *many* dotted quads are returned?
Agree. There are properties intrinsic to the RR set.
-- If you look at the in-addr's for those dotted quads, ...
Agree. There are properties intrinsic to the addrs.
-- If you map the dotted quads to ASNs ...
Agree. There are properties intrinsic to the routing.
-- If you look at the headers returned by the site, ...
Agree. There may be signal in the HTTP header.
-- If you look at the name servers used ...
Agree. There may be shared fate or detected similarity.
-- If you look at the domain whois ...
Agree. However, likely to be less useful, and significantly encumbered as a PDP area of work.
-- if you look at the age of the domain, ...
Agree. However the obvious work-around is to acquire names and exploit them after any temporal heuristic threshold is passed. If 50% of .com is now tasting, and each tasted domain need only presently generate $6/yr and change to be maintained, any that yield less than the renewal cost have an acquisition cost of less than $6, and are arbitrarily aged. My point being that the universe of names which remain after such a test is applied is as effectively infinite and as effectively free to an attacker as the number of compromised Windows machines and ipv4 addrs. I suppose I should have gone to the Domainer meeting in Paris last Friday and offered $1/domain and seen how many people would have rather unloaded their poorly performing portfolios at that price or let them disappear into the drop pool. Instead I attended Egeni, where we could hear them chanting in worship through the wall that separated us ... um, conducting auctions.
#SSAC also suggested rate limiting. I'm not crazy about this option. It
#seems like it could be circumvented by the attackers if they simply used
#many more domains for name servers.
Require static glue records for name servers, and require a fee for changes made to those glue records. Voila, fastflux per se disappears.
A change in the cost of acquisition modified the tasting practice, so a change here may have the same outcome. However, it is worth pointing out that cost of asset is important, and that free or low-cost domains (registry, or registrar promotions) cause problems. Registrars and registries that charge a lot simply offer lower ROI for the attacker.
#We also need to consider whether any policy that focuses on TTL will
#simply incent the attackers to adopt a different strategy.
You're really asking, "*Why* do the bad guys publish records with short TTLs?" The answer is, "Having short TTLs allows them to delete dotted quads which are associated with systems that are no longer accessible/usable, while also making it possible for them to avoid staying on any one system long enough for the ISP or law enforcement to do lawful intercept, thereby identifying the upstream connection coming out of that compromised host."
Assuming that analysis is correct, and short TTLs magically become impossible, the bad guys are then likely to look for dotted quads which have a proven track record of being relatively static, on providers with poor network instrumentation, in countries with glacial cyber law enforcement.
And if that's impossible, and everything suddenly becomes crazy efficient, I *think* the bad guys would just multiplex their cr*p over more domain names, getting survivability and redundancy by mapping more domains to a wider range of FQDNs (all still hosted on compromised consumer systems).
Short TTLs are *convenient* for the bad guys/gals, but short TTLs are by no means *required* to enable website hosting or DNS hosting on compromised PCs...
I hope I made the same point earlier, but I may have had less coffee and I generally tend towards incoherence while writing for a heterogeneous readership.
Regards, Joe
Disclaimer: all opinions strictly my own
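An added example, not code from the thread or from any of its participants, of the aggregate "score" the exchange above describes: TTL, count of dotted quads, ASN spread and churn across successive lookups are each one factor, so a low-TTL CDN name scores low while a flux-like name trips several factors. The thresholds, the IP-to-ASN table and the lookup data are constructed assumptions for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Lookup:
    ttl: int            # TTL in seconds of the returned A RRset
    addrs: List[str]    # dotted quads returned for the name

# Constructed IP -> origin ASN table; a real tool would use routing data.
IP_TO_ASN: Dict[str, int] = {
    "203.0.113.10": 64500, "203.0.113.11": 64500, "203.0.113.12": 64500,
    "198.51.100.5": 64501, "198.51.100.77": 64502, "192.0.2.200": 64503,
    "192.0.2.17": 64504, "198.51.100.9": 64505, "203.0.113.99": 64506,
    "192.0.2.33": 64507,
}

def score_lookups(lookups: List[Lookup], ip_to_asn: Dict[str, int],
                  low_ttl: int = 300) -> Dict[str, int]:
    """One point per triggered factor, plus the total. Thresholds are
    assumptions for the demo, not values from the thread."""
    distinct_addrs = {a for lk in lookups for a in lk.addrs}
    distinct_asns = {ip_to_asn.get(a, -1) for a in distinct_addrs}
    # Churn: fraction of answers in later lookups not seen in any earlier one.
    seen, new, later = set(lookups[0].addrs), 0, 0
    for lk in lookups[1:]:
        for a in lk.addrs:
            later += 1
            if a not in seen:
                new += 1
                seen.add(a)
    churn = new / later if later else 0.0
    factors = {
        "low_ttl": int(all(lk.ttl <= low_ttl for lk in lookups)),
        "many_addrs": int(len(distinct_addrs) >= 5),
        "asn_spread": int(len(distinct_asns) >= 3),
        "high_churn": int(churn >= 0.5),
    }
    factors["total"] = sum(factors.values())
    return factors

# Constructed observations: a flux-like name and a low-TTL but stable CDN name.
FLUX = [Lookup(120, ["198.51.100.5", "192.0.2.200", "192.0.2.17"]),
        Lookup(120, ["192.0.2.17", "198.51.100.9", "203.0.113.99"]),
        Lookup(120, ["203.0.113.99", "192.0.2.33", "198.51.100.77"])]
CDN = [Lookup(60, ["203.0.113.10", "203.0.113.11", "203.0.113.12"])] * 3

if __name__ == "__main__":
    print("flux:", score_lookups(FLUX, IP_TO_ASN))
    print("cdn:", score_lookups(CDN, IP_TO_ASN))
```

The CDN series scores only the TTL point, which is the thread's observation that "low TTL" on its own is not a sufficient signal.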