[gnso-ff-pdp-may08] Mannheim's "Measuring and Detecting Fast-Flux Service Networks"
- To: gnso-ff-pdp-May08@xxxxxxxxx
- Subject: [gnso-ff-pdp-may08] Mannheim's "Measuring and Detecting Fast-Flux Service Networks"
- From: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
- Date: Fri, 1 Aug 2008 16:14:56 -0700
Although "Measuring and Detecting Fast-Flux Service Networks" was mentioned
once in passing (in fact, I think it may have been by you, Mike), I think
it really deserves more attention. If others on the list haven't had a
chance to read that paper, it is available online at
http://pi1.informatik.uni-mannheim.de/filepool/research/publications/fast-flux-ndss08.pdf
For example, the authors of that paper recount a method for separating FF
and non-FF domains with a very low false positive rate ("the best model
achieves an average detection accuracy of 99.98%")
Equation (2) in that paper reads:
f(x) = 1.32*n(A) + 18.54*n(ASN) + 0*n(NS), with b = 142.38
where
n(A) = "the number of unique A records returned in all DNS
lookups"
and
n(ASN) = "the number of unique ASNs for all A records"
(yes, that's a zero for the n(NS) term so it does drop out, and yes
the 18.54 coefficient on the ASN term does make that term strongly
drive the ultimate value of the equation).
If, after computing f(x), you find that f(x) > b, then you've got
"an instance of a fast flux service network, while lower scores
correspond to benign domains" according to the paper's authors.
So by way of example, consider yes2-quality-meds.com:
yes2-quality-meds.com. 172800 IN NS ns0.bcrqhro.com.
yes2-quality-meds.com. 172800 IN NS ns0.cnogaira.com.
yes2-quality-meds.com. 172800 IN NS ns0.rehogonro.com.
yes2-quality-meds.com. 172800 IN NS ns0.wkakekod.com.
;; Received 211 bytes from 192.43.172.30#53(I.GTLD-SERVERS.NET) in 183 ms
yes2-quality-meds.com. 120 IN A 85.216.214.249
AS6830
yes2-quality-meds.com. 120 IN A 87.123.186.241
AS8881
yes2-quality-meds.com. 120 IN A 87.228.66.14
AS31514
yes2-quality-meds.com. 120 IN A 89.208.196.46
AS12695
yes2-quality-meds.com. 120 IN A 90.184.33.198
AS39554
yes2-quality-meds.com. 120 IN A 91.67.118.9
AS31334
yes2-quality-meds.com. 120 IN A 93.80.26.145
AS4802
yes2-quality-meds.com. 120 IN A 123.192.214.49
AS4780
yes2-quality-meds.com. 120 IN A 123.203.32.77
AS9269
yes2-quality-meds.com. 120 IN A 202.126.117.42
AS4766
yes2-quality-meds.com. 120 IN A 218.190.85.230
AS9304
yes2-quality-meds.com. 120 IN A 218.254.228.85
AS9908
yes2-quality-meds.com. 120 IN A 61.18.221.154
AS9908
yes2-quality-meds.com. 120 IN A 61.224.207.108
AS3462
yes2-quality-meds.com. 120 IN A 69.245.174.253
AS33491
yes2-quality-meds.com. 120 IN A 75.139.130.32
AS20115
yes2-quality-meds.com. 120 IN A 78.53.155.176
AS13184
yes2-quality-meds.com. 120 IN A 79.120.53.160
AS12714
yes2-quality-meds.com. 120 IN A 82.119.105.151
AS6830
yes2-quality-meds.com. 120 IN A 85.179.105.123
AS13184
. 120 IN NS ns0.renewwdns1.com.
. 120 IN NS ns0.nameedns.com.
. 120 IN NS ns0.renewwdns.com.
. 120 IN NS ns0.nameedns1.com.
;; Received 467 bytes from 69.245.174.253#53(ns0.wkakekod.com) in 76 ms
[to get the ASN for an IP such as 85.179.105.123, you can issue a
query such as:
% host -t txt 123.105.179.85.asn.routeviews.org
123.105.179.85.asn.routeviews.org text "13184" "85.176.0.0" "13" ]
By my count, we've got 17 unique ASNs for that one resolution of our
example domain name:
1 AS3462
2 AS4766
3 AS4780
4 AS4802
5 AS6830
6 AS8881
7 AS9269
8 AS9304
9 AS9908
10 AS12695
11 AS12714
12 AS13184
13 AS20115
14 AS31334
15 AS31514
16 AS33491
17 AS39554
so we'd compute:
f(x) = (1.32*20) + (18.54*17) = 26.40 + 315.18 = 341.58 for that single resolution of this FQDN,
a score which *easily* surpasses the threshold value of 142.38 reported in
the paper.
If that score had been a "wobbler," waiting and then re-resolving the FQDN
would likely return additional A records and associated ASNs, which would
help to drive the score higher (yes, that's how it is supposed to work in this
method), thereby removing any ambiguity about the status of the domain based
on this approach.
I'm hoping that looking at this equation from that paper will help at least
a little to explain why I'm so ASN obsessed, :-), and why ASN diversity is
ultimately such an important consideration when it comes to identifying
fastflux domains.
Regards,
Joe
Disclaimer: all opinions strictly my own
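The scoring described in the message above, worked through in code. This is an added example for this page, not code from the Mannheim paper or from the list message. The coefficients and threshold are the ones quoted from equation (2); the A-record/ASN pairs and NS names are transcribed from the dig output in the message. The dig-text parser, the octet-reversal helper for the routeviews ASN zone, and the split of the sample into a "first lookup" and "second lookup" are this example's own assumptions, and it runs offline (the routeviews answer is the one pasted in the message, not a live query).

```python
"""Fast-flux scoring with equation (2) of Holz et al. (NDSS 2008) as quoted
in the message above.  Added example; not the paper's or the author's code."""
import re
from dataclasses import dataclass, field

# Coefficients and threshold b, as quoted from equation (2) of the paper.
W_A, W_ASN, W_NS, B = 1.32, 18.54, 0.0, 142.38

# The 20 A records with the ASN the author annotated next to each one, and
# the 4 NS names from the gTLD server (transcribed from the message above).
DOMAIN = "yes2-quality-meds.com"
SAMPLE_A = [
    ("85.216.214.249", 6830), ("87.123.186.241", 8881), ("87.228.66.14", 31514),
    ("89.208.196.46", 12695), ("90.184.33.198", 39554), ("91.67.118.9", 31334),
    ("93.80.26.145", 4802), ("123.192.214.49", 4780), ("123.203.32.77", 9269),
    ("202.126.117.42", 4766), ("218.190.85.230", 9304), ("218.254.228.85", 9908),
    ("61.18.221.154", 9908), ("61.224.207.108", 3462), ("69.245.174.253", 33491),
    ("75.139.130.32", 20115), ("78.53.155.176", 13184), ("79.120.53.160", 12714),
    ("82.119.105.151", 6830), ("85.179.105.123", 13184),
]
SAMPLE_NS = ["ns0.bcrqhro.com.", "ns0.cnogaira.com.",
             "ns0.rehogonro.com.", "ns0.wkakekod.com."]

RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|NS)\s+(\S+)$")   # owner TTL IN type rdata
ASN_RE = re.compile(r"^AS(\d+)$")                             # the author's annotation lines


@dataclass
class FluxObservations:
    """Unique A records, ASNs and NS names accumulated over one or more lookups."""
    domain: str
    a_records: set = field(default_factory=set)
    asns: set = field(default_factory=set)
    ns_records: set = field(default_factory=set)

    def add(self, a_with_asn, ns_names=()):
        """Fold another lookup's (ip, asn) pairs and NS names into the counts."""
        for ip, asn in a_with_asn:
            self.a_records.add(ip)
            self.asns.add(asn)
        self.ns_records.update(n.rstrip(".").lower() for n in ns_names)
        return self

    def add_dig_text(self, text):
        """Parse dig-style answer lines; an 'ASnnnn' line directly after an A record
        is taken as that record's ASN.  Records owned by other names (the stray
        '.' NS lines in the message) and ';;' comment lines are ignored."""
        last_was_a = False
        for line in text.splitlines():
            line = line.strip()
            m = RR_RE.match(line)
            if m:
                owner, rtype, rdata = m.groups()
                last_was_a = False
                if owner.rstrip(".").lower() != self.domain.lower():
                    continue
                if rtype == "A":
                    self.a_records.add(rdata)
                    last_was_a = True
                else:
                    self.ns_records.add(rdata.rstrip(".").lower())
                continue
            m = ASN_RE.match(line)
            if m and last_was_a:
                self.asns.add(int(m.group(1)))
            last_was_a = False
        return self

    def counts(self):
        return len(self.a_records), len(self.asns), len(self.ns_records)

    def score(self):
        """f(x) = 1.32*n(A) + 18.54*n(ASN) + 0*n(NS), rounded to cents of a point."""
        n_a, n_asn, n_ns = self.counts()
        return round(W_A * n_a + W_ASN * n_asn + W_NS * n_ns, 2)

    def is_fast_flux(self):
        return self.score() > B


def routeviews_name(ip):
    """Octet-reversed owner name for the routeviews ASN TXT zone, as in the message."""
    return ".".join(reversed(ip.split("."))) + ".asn.routeviews.org"


def parse_routeviews_txt(rdata):
    """'"13184" "85.176.0.0" "13"' -> (13184, '85.176.0.0/13')."""
    asn, net, plen = re.findall(r'"([^"]*)"', rdata)[:3]
    return int(asn), f"{net}/{plen}"


if __name__ == "__main__":
    full = FluxObservations(DOMAIN).add(SAMPLE_A, SAMPLE_NS)
    print(full.counts(), full.score(), full.is_fast_flux())
    # A "wobbler": the first 5 answers alone stay under b; re-resolving and
    # folding in 3 more addresses in new ASNs pushes the same domain over it.
    part = FluxObservations(DOMAIN).add(SAMPLE_A[:5])
    print(part.score(), part.is_fast_flux())
    print(part.add(SAMPLE_A[5:8]).score(), part.is_fast_flux())
```

Because the counts are sets, a second lookup that returns the same addresses changes nothing, while one that returns new addresses in new ASNs raises the score by 18.54 per ASN; that is the "waiting and then re-resolving" behaviour the message describes, and it is why the ASN term dominates.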