ICANN Email List Archives

[gnso-ff-pdp-may08]



Re: [gnso-ff-pdp-may08] Choke points

  • To: George Kirikos <fastflux@xxxxxxxx>
  • Subject: Re: [gnso-ff-pdp-may08] Choke points
  • From: Marc Perkel <marc@xxxxxxxxxx>
  • Date: Thu, 07 Aug 2008 19:14:59 -0700



George Kirikos wrote:
Hi Marc,

Thanks for taking the time to respond and fill out the broad
brushstrokes. To identify more choke points, though, needs more and
more detail. Since the attackers already have those details and are
succeeding, to some extent, I don't think "security through obscurity"
is necessarily good, but disclosing a higher level of detail, say the
"Idiot's Guide" version, can identify solutions.
Keep in mind that the definition of "choke point" is a place where the process can most easily be stopped. The real choke point is to disable the domain fakebank.com at the registry. That kills that fraud scheme. So the faster we can take out fakebank.com the faster we shut it down.
Assume I'm completely stupid (which some folks probably do!) and try to
fill in more of the steps here:

On Thu, Aug 7, 2008 at 1:02 PM, Marc Perkel <marc@xxxxxxxxxx> wrote:
A fraud operation starts with domain name tasting. It registers fakebank.com

So, to register a domain name, they need funds. Is it from a stolen
credit card? They also need an identity (for mandatory WHOIS). Is that
WHOIS completely fake, or a stolen one, or a borrowed one of a legit
registrant?
They have funds. If I'm stealing millions of dollars then I might invest $10 for a domain name. I would probably use a stolen card though so that the funds can't be traced to me. But that's not a barrier.
and establishes a FF network of virus-infected or hacked web servers to
serve web pages for fakebank.com. These web pages trick victims into giving

Ok, so one choke point is to eliminate/attack the network of virus
infected/hacked webservers. Of course, a tall task, given that no
security system is 100% secure (i.e. bugs appear in WordPress, Apache,
PHP, Perl, Windows, Linux, IIS, SQL server, MySQL, etc. from time to
time that are not the fault of a domain registrant). In the botnets,
how many are on residential ISP blocks (that conceivably block
incoming port 80, like many do for outgoing/incoming SMTP blocking)?

Can the webserver software (IIS, Apache) be adjusted or put into a
safe mode so that if example.com's server is hacked and has malware at
http://www.example.com/user/hidden/malware/gotcha.html it won't serve
up that content to a different domain, i.e. www.fakebank.com ? (i.e.
creating fewer vulnerable hosts that an attacker can find that are
usable)

That would not be a choke point. That's like damming a river at the widest point. Some of these servers are viruses that provide web services.
up their account numbers and passwords to their accounts on realbank.com and

Ok, say I give you my bank account number and password for
realbank.com, but that realbank.com is protected by a 2nd factor, e.g.
a password sent by SMS to my cell phone, or to buy that PayPal security
key ($5). Is the attack now completely thwarted, i.e. the
username/password is completely worthless to you, and once you login
with them and don't have the 2nd factor, I'm alerted (and so is the
bank) to your attack?
Most people don't have that kind of security. So they might not be able to rip you off but they can rip off some "little old lady" who doesn't know anything about the Internet or security issues.
More basic still, how are you logging in to my account? Are you
logging in via a Russian IP address? Or using one of the botnet PCs?
Or, through my own computer that you've taken over?
Probably through a bot net computer acting as a proxy for your realbank.com server. You type in your user name and password and they pass that through to realbank. Or they might email your login to someone in Russia or Nigeria who will log in manually and transfer your money out.
their money is stolen.

More detail here please. You have my bank account, and you're somehow
in to my account. How do you get the money from you to me? What can
the bank do to thwart that completely? (i.e. maybe this is the choke
point that is most effective, and we're wasting everyone's time trying
to implement a more complex system, a more expensive system, on a
different choke point).
When you get a spam saying "Your paypal account is locked" and you log into fakebank.com and give up your user name and password - they take that and they log into real paypal and send your money to their account.
Who loses the money here, the bank, or me? (i.e. if the responsibility
shifts to the bank, they might take security more seriously, or would
help cover the costs of internet improvements/safety, see below)
Depending on the situation either the account holder loses the money or the bank loses it. If the bank loses it then we all lose it through increased fees to pay for the losses.
In order to do this the fraud operation uses spam to drive people to the
fakebank.com site. The spam pretends to be realbank.com but has a link in
the message that takes the victim to fakebank.com.

Ok, when do they send out the spam, in relation to the domain
creation/registration date above? Immediately? What happens if that is
delayed for a week?
It's immediate. The faster they get it the more money they make before it gets shut down.
The spam "pretends" -- does this mean they are using a "from" of
realbank.com, which can be thwarted by most people through Domain Keys
email or Sender ID/SPF? Are only companies opting not to use these
email authentication methods vulnerable? Are email users opting not to
have up to date email clients vulnerable, but those using latest
versions are safe?
Yes - they are spoofing the from address. They also use the logos and graphics of the real site so it looks the same. An expert like myself can tell the difference but most people can't. As to SPF, Domain Keys, etc. People like me can use that to block spam, but most of the world isn't using my filters. And some banks do a sloppy job of protecting their email. Bank of America allows third party vendors to email on their domain making it not easy for me to figure out what's real and what's fake.

Also - SPF is a totally useless technology that is actually counterproductive. But if you want to debate that I'll do it in a separate thread.

How does one convert that link to a visitor? i.e. educating people not
to click links can thwart this attack vector? Does having the email
client actually remove the link (by filtering the HTML/message source)
thwart the attack? (i.e. compel people to type in the link in an
email, thereby also compelling banks, etc. either not to send links,
but to send "friendly" links that people can type in, e.g.
http://www.realbank.com/ or http://www.realbank.com/1234 instead of a
50 character URL.)
I think someone should create free educational videos that people must watch to get an email account. That would take a bite out of the problem. However, as they say, "There's a sucker born every minute." So counting on people being smart isn't a solution in itself.
Going a step further, once I've clicked that link, why does the link
even resolve? If my ISP won't resolve that link, or if my browser
won't resolve that link, does that thwart the attack? In other words,
is the problem solved by having the ISP choose not to resolve things
(i.e. a "clean" ISP that automatically filters out phishing domains,
or a clean set of nameservers like OpenDNS that actively filters out
phishing domains, or modern browsers that warn/filter out phishing
domains?)?
How is the ISP going to know that fakebank.com is phishing? That technology doesn't exist. However - my suggestion about publishing registry data (some in whois) through DNS would provide the information that could lead to that kind of blocking. But I think it's better blocked at the spam level than the ISP's DNS level. Or ultimately the main choke point is to kill the domain at the registry level. That takes it offline everywhere instantly. (Or near instantly)
These messages are easily detected by spam filtering operations. Real banks
don't send email through bot nets. If a bank is set up properly (some are,
others should be) then all real email from realbank.com comes from servers
whose FCrDNS points to *.realbank.com. Thus any email not from that hostname
is fraud and mail from it is good. There are also a lot of other indicators

If the messages are so easily detected, then that means I should never
actually see them, right? (i.e. you can leave the domain name up
forever, and no real person will visit it?)
If I'm doing your spam filtering this wouldn't be a problem for you. But I have the best filter on the planet. Most of the world has poor, little or no filtering.

that make this process nearly 100% accurate. (100% on positives, so no false
positives. Possibly a few slip through if they are very clever).
There are two choke points. Good spam filtering can stop most all of it, and
can report it to registrars. Generally in such a system the registrar will

Back up a little, and assume I'm dumb/crazy. Why report it to the
registrars at all? If the system is 100% accurate, I should never see
the email to begin with, it ends up in my junk mail folder, or is
rejected by my incoming mail server before it even gets to me, or is
filtered by other opt-in non-centralized systems, besides the
registrar/registry?
The spam I block works for my customers which is a very small fraction of the world. Most of this spam gets through. But if we report it to the registry then they can shut it down worldwide and kill it completely.

If the only people that are actually making reports to the
registrar/registry are automated bots, because they "perfectly detect
the spam" and have eliminated the potential to be victimized, then
aren't these reports low priority? (i.e. if a phishing site gets 1000
visits from automated scanning tools, but 0 visits from real people,
then we've "won" already, right?)
I'm not reporting the bots. I'm reporting what the spam from the bots link to. They all link to fakebank.com. So if we kill the domain fakebank.com then the fraud is stopped. If the spam gets through and they click on the link and fakebank.com has been disabled at the registry then nothing happens.

This is an important concept so everyone pay attention. Spam needs the victim to do something to communicate back to the spammer. So even if the spam gets through - and some will, if the victim can't get to the spammer's web site (fakebank.com) then the fraud is stopped. If the spam can't be stopped then the fraud can be if the communication back is stopped.


get thousands of complaints from many reporting operations. The real choke
point is taking down the fakebank.com domain. Once that is done then the

See above (and below). That's not the only choke point.
Actually that is the choke point because in one place you can shut them down worldwide.
spam doesn't matter, the Fast Flux doesn't matter, the link becomes dead and
the victims are protected. Taking down that domain quickly is the key to
making this work.

Why does it work? The attacker then creates 10,000 new domains, and
the process starts all over again. But, if there's another choke
point, they don't even bother to register those domains, because the
attacks are thwarted.
If these domains are shut down in minutes after they are used then it becomes useless. If someone is registering domains that fast then the registrar should disallow that. I don't think that a bot net can operate that quickly.

In other words, when one's only tool is a hammer, you start to think
that every problem is a nail (i.e. taking down the domain quickly
being the hammer).
The registry is the only single point where they (fakebank.com) can be shut down globally with a single change.
So - if the registrar of the domain in question is getting thousands of
complaints from many reporters about fakebank.com and fakebank.com is fluxing
and it's still in the tasting period it could be shut down through
automation within minutes of the fraud starting. If such a system were in
place then Fast Flux would stop working for fraud, then the criminals would
abandon its use and the problem would be solved.

Ok, suppose you have such a great system, why isn't every ISP using it
instead, or why isn't every user opting into it. Or if the system is
"perfect", why aren't those who are making reports willing to provide
a huge bond against liability should they take down a legitimate site
by mistake?
This system doesn't yet exist. I'm suggesting as a solution to create this system. ISPs don't need to do anything. This is a system that would involve the cooperation of filtering companies and registrars. It involves registrars providing public data we need through DNS and us providing them with automated alerts so that they can run a manual and automated take down system to disable FF domains that are being used for fraud.

(FF domains not being used for fraud would not be affected because there wouldn't be a spam campaign driving it. So free speech is safe from this method.)
Remember, even Yahoo/McAfee classified Google as a malware site:

http://www.techcrunch.com/2008/05/11/google-is-a-malware-site-says-yahoo/
Getting it right means building in protections so that doesn't happen. And that's doable.
and that was only three months ago. Even the US government shut down
the California government's domain (ca.gov).

http://www.networkworld.com/community/node/20192

less than a year ago.

And we win - and without damage to any freedoms or liberties.

People - this war is winnable if we do it right. I think that we can take
out 90%+ of fraud with 100% accuracy within 5 minutes. And that's a
conservative guess.

We need to be cautious that we do things right, and that there is a
predictable process that has safeguards, rights and responsibilities,
and that can't be gamed. From the play/movie "A Man For All Seasons"
there was an apt quote:

"William Roper: So, now you give the Devil the benefit of law!
I don't know what kind of detail you all want but I think that safeguards wouldn't be too hard to implement. For example, if you excluded all domains over 1 year old and all domains that are paid up 1 year in advance then you would eliminate false positives on almost all the important internet sites. To be caught they would have to be massively sending spam through bot nets, linking to a fast fluxing domain, pretending to be a bank, and doing a number of sins that real domains don't do in order to be accidentally shut down. It's not likely it's going to happen.

And if it does then you turn the domain back on, apologize profusely, and repair the flaw that caused the problem.



Hopefully we can come up with more choke points, before we start
picking the registry/registrars as "THE" solution (there might not
even be a solution, to play Devil's Advocate; is there a possibility
we are already at the best solution today?), and IF they *are* the
solution, how to effectively pick out the malefactors from the
responsible registrants.
If anyone knows of any other single choke point other than shutting down fakebank.com I'm interested. I agree that we need to identify and evaluate choke points.
And then when we start talking about solutions, once all of them are
visible, we'll have to start deciding how to pick amongst them, how to
pick the winners and losers (as there are certainly going to be some
losers, whether they be false positives, or folks that costs are
imposed upon, etc.). Economics can give us a guide, e.g. there are
notions of "Pareto Optimality" for example,

http://en.wikipedia.org/wiki/Pareto_efficiency

where a state is preferable to the current one if it makes some subset
better off, while making the remaining people no worse off. Of course,
Pareto optimality is a very weak standard (indeed, the starting point
of "I get 100% of the world's resources, and everyone else gets 0%" is
Pareto optimal by definition, and can't be improved upon. But, at some
point we'll have to start weighing pros and cons of various solutions,
and hopefully that will be done with economic costs/benefits in mind
as a metric as to whether a solution is "better" than doing nothing at
all. With the possibility of "side payments",  one can perhaps
directly help some of those people experiencing costs, if there are a
lot more "winners" or beneficiaries from an optimal policy choice.


I think if we do it right we can do it without losers. (Except of course for those committing fraud.) I think that we can take down a huge number of fraud operations without taking down any good sites. It isn't going to get all the bad guys but it will get most of them. And I think most is a good start.

Also - many people think that this war isn't winnable. I think it is. And if you think about it you can see that this is actually doable in a way that doesn't have bad side effects and is not only cost effective but actually saves money.

But - I would like to ask for the reality standard here. Solutions that actually will work in the real world. So - if any ideas I come up with are flawed I'm willing to give it up immediately. No sense in wasting time on bad ideas. So if I'm wrong let me know and I'm off to work on a new/better idea.

Additionally if nothing we come up with actually will work then we'll accept failure and report the problem might not yet be solvable.
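The FCrDNS rule Marc describes above (real mail from realbank.com comes only from hosts whose forward-confirmed reverse DNS sits under *.realbank.com, so anything else claiming that domain is fraud) is concrete enough to show as filter logic. The following is an added example, not code from the thread or from any filtering product mentioned in it. The DNS data is constructed using RFC 5737 documentation addresses and stands in for live PTR and A lookups; the set of domains that have committed to the rule is likewise an assumption of the example. The third sample deliberately covers the trap a plain reverse lookup would fall into: a PTR record that names the bank but whose forward lookup does not agree. A bank that lets third-party vendors send on its domain, as Marc notes Bank of America does, simply cannot be placed in the strict set, which is how the rule avoids false positives there.

```python
"""FCrDNS sender check for mail claiming a bank's domain (added example)."""
from typing import Callable, Dict, List, Optional, Set

Lookup = Callable[[str], List[str]]

# Constructed PTR (reverse) records keyed by sending IP; not real data.
PTR_RECORDS: Dict[str, List[str]] = {
    "192.0.2.10": ["mail1.realbank.com."],                 # genuine bank MTA
    "198.51.100.7": ["cpe-198-51-100-7.example-isp.net."],  # residential bot
    "203.0.113.5": ["mail.realbank.com."],                 # PTR claims the bank...
}

# Constructed A (forward) records keyed by hostname; not real data.
A_RECORDS: Dict[str, List[str]] = {
    "mail1.realbank.com.": ["192.0.2.10"],
    "cpe-198-51-100-7.example-isp.net.": ["198.51.100.7"],
    "mail.realbank.com.": ["192.0.2.99"],                  # ...but forward lookup disagrees
}

# Assumed policy: domains that have committed to sending only from *.domain hosts.
STRICT_DOMAINS: Set[str] = {"realbank.com"}


def ptr_lookup(ip: str) -> List[str]:
    """Stand-in for a live PTR query."""
    return PTR_RECORDS.get(ip, [])


def a_lookup(hostname: str) -> List[str]:
    """Stand-in for a live A query."""
    return A_RECORDS.get(hostname, [])


def fcrdns_hostname(ip: str, ptr: Lookup = ptr_lookup, a: Lookup = a_lookup) -> Optional[str]:
    """Return the PTR name whose own A record contains `ip`, else None.

    The forward confirmation is the point: whoever holds the IP block can
    write any PTR they like, but only the owner of the named zone controls
    the A record, so a name counts only when both directions agree.
    """
    for name in ptr(ip):
        if ip in a(name):
            return name.rstrip(".").lower()
    return None


def hostname_in_domain(hostname: str, domain: str) -> bool:
    """True if hostname equals `domain` or is a subdomain of it.

    The leading dot keeps 'notrealbank.com' from matching 'realbank.com'.
    """
    hostname = hostname.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    return hostname == domain or hostname.endswith("." + domain)


def classify_sender(sender_ip: str, from_domain: str,
                    strict_domains: Set[str] = STRICT_DOMAINS,
                    ptr: Lookup = ptr_lookup, a: Lookup = a_lookup) -> str:
    """Apply the list's rule to one message: connecting IP plus claimed From domain."""
    if from_domain.lower() not in strict_domains:
        return "no-policy"            # domain has not committed; rule does not apply
    host = fcrdns_hostname(sender_ip, ptr, a)
    if host is None:
        return "reject:no-fcrdns"     # unconfirmed or forged reverse DNS
    if hostname_in_domain(host, from_domain):
        return "accept"
    return "reject:outside-domain"    # confirmed host, but not the bank's


# Constructed sample messages: (connecting IP, domain in the From header).
SAMPLE_MESSAGES = [
    ("192.0.2.10", "realbank.com"),    # the bank's own server
    ("198.51.100.7", "realbank.com"),  # phish relayed through a bot
    ("203.0.113.5", "realbank.com"),   # forged PTR pointing at the bank
    ("198.51.100.7", "example.org"),   # domain with no published policy
]


def classify_samples() -> List[str]:
    return [classify_sender(ip, dom) for ip, dom in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for (ip, dom), verdict in zip(SAMPLE_MESSAGES, classify_samples()):
        print(f"{ip:>14}  From: {dom:<14} -> {verdict}")
```

In a real filter the two lookup callables would wrap the resolver, and the strict set would be populated only from domains that have published such a commitment; the check then costs two DNS queries per connection and, as the third sample shows, is not fooled by a reverse record alone.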


