Re: [gnso-ff-pdp-may08] DTeam - framework for proposal
- To: "gnso-ff-pdp-May08@xxxxxxxxx" <gnso-ff-pdp-May08@xxxxxxxxx>
- Subject: Re: [gnso-ff-pdp-may08] DTeam - framework for proposal
- From: "George Kirikos" <fastflux@xxxxxxxx>
- Date: Thu, 7 Aug 2008 12:38:33 -0400
Hello,
On Thu, Aug 7, 2008 at 11:38 AM, Dave Piscitello
<dave.piscitello@xxxxxxxxx> wrote:
> quantify the attack. This answers the question, "What is it that we want to
> detect?"
>
> develop a methodology/tool that has a very high probability of detecting the
> attack and a very low probability of reporting a false positive (Joe's tool,
> TMF, etc. are examples of detection methods and tools). This answers the
> question, "How can we detect it?"
Just following up on Dave's email, and other posts which have focused
on technological solutions/detection/etc., is it possible to diagram
out an anatomy of negative uses of fast flux, from start to finish, to
see whether there are any "choke points", loopholes, "free" things or
other ways to create signals/signatures that differentiate between
good and bad uses of the technique.
Just to give some counterexamples, in the case of Domain Tasting, the
choke point was that the registrations were completely free during the
add-grace period (save for having a deposit of funds / letter of
credit with the registry operator, which is essentially free for most
entities). Making the ICANN fee non-refundable destroys those
economics, and has very little collateral damage (and that collateral
damage was mitigated by allowing registrars to continue to have some
free domains up to a certain threshold during the add-grace period,
to detect credit card fraud, etc.). In the case of spam, spammers are
really taking advantage of essentially free bandwidth to send
unlimited emails (and it costs nothing to send an email, unlike a
postal letter).
Fast flux can be considered a technique to create a highly resilient
network, which in itself is a great thing! i.e. we all want resilient
networks when we talk about cloud computing (e.g. services like Amazon
S3 or EC2), or telemedicine or other services we've not even heard
about yet (certainly the inventors of the telephone didn't anticipate
services like telebanking, etc. when a technique/technology was first
invented). Just like how the porn industry is often an "early adopter"
of new techniques (web banners), criminal elements also are early
adopters of "best technology" (in this case, techniques to ensure high
availability of their network) that might later find mainstream use.
So, what do abusers/attackers have that is "free" or in unlimited
supply? I'd start the list as follows:
- bandwidth (compromised machines, etc.)
- computing power (compromised machines, can crack captchas, can
submit infinite password requests, etc.)
- "throwaway" identities -- ability to create an infinite supply of
fake identities
In shorter supply would include:
- stolen identities (stolen credit cards, SSNs, etc.)
- stolen money (stolen credit cards)
In finite supply (real chokepoints) would include:
- real/verified identities (e.g. they obviously don't want law
enforcement knocking on their door)
- real money
If we are able to diagram out a flowchart of a criminal/abusive
attack, we can try to see exactly where to stop things. Because I
don't deal with crime on a day to day basis, perhaps I'm not the best
person to diagram it out. However, here are things that I see as
possible chokepoints:
- for double-flux, are all attackers taking advantage of "free"
nameserver changes at the registry level? (e.g. if they are
adding/deleting thousands of nameservers per day on an automated basis
through the registrar/registry interface, is that a choke point where
a fee can be imposed that won't affect legitimate users)
- what percentage of the attacks are from "new domains" where the
domains instantly resolve upon the creation date, get abused, and then
get deleted within the add-grace period, at "no cost" to the
registrar? If, for example, a domain name doesn't resolve for 6 days
(until after the add-grace period is over), what percentage of attacks
would that stop? Refining the concept further, if the attack is coming
from a "throwaway" identity on a new domain, is it ok to permit new
domains of "verified" registrants (i.e. they previously had a good
domain name) to resolve instantly, but not allow them to resolve
immediately for a fresh (as yet unverified) identity?
- what positive actions can registrants engage in to whitelist
themselves and/or "signal" that they are different from abusers, that
are relatively costless to themselves, but costly (in finite supply)
for attackers? Just as a simple example, suppose that to use Fast
Flux, I had to show a bond/deposit with my registrar/bank of $10,000.
With interest rates of around 3%, that has a "real" cost to legitimate
users of $300/yr, insignificant for Akamai, Amazon, etc., but to an
attacker starts to become very significant (i.e. $10,000 per attack,
as the funds would be seized when malicious use is detected). Other
potential ways to whitelist oneself might be through a verification
system, e.g. mail a physical authenticator to a real address, as PayPal
does:
https://www.paypal.com/securitykey
(or how .uk registry and some online casinos physically mail a PIN
code to new registrants/customers)
In looking at the anatomy of an attack, one also needs to "follow the
money." e.g. in a bank phishing attack, funds have to somehow move
from a Kansas farmer's bank account into the bank account of someone
overseas. Perhaps a choke point would be a bank calling their customer
before they wire a large sum to a Nigerian bank. Or, adding a fob key
(2nd factor) like the PayPal Security Key above, so that stolen/broken
passwords aren't sufficient to enable an attacker to complete the
theft (indeed, the fact that all banks DON'T use the two-factor
security means that they've shifted the costs of their insecurity to
"us"; perhaps it's time to shift it back to them, if they're in the
best position to create the choke points, at lowest costs and with the
highest efficiency).
In this "anatomy" of an attack, say on "XYZ Bank", how are the
attackers getting their traffic in the first place? Suppose they
register xyz-phishing-site.info -- that's not a domain name that
anyone would type in to their browser (typos of good domains are in
finite supply). If they're getting traffic from search engines (Google,
Yahoo, Microsoft, etc.), and it's mostly from the first 6 days (i.e.
still in the add-grace period as above), the attacks can be thwarted
by search engines not placing them in their index immediately (unless
they jump through a bigger hoop, e.g. linking a domain to other
verified domains, say in the Google Webmaster Tools, etc).
If they're spamvertising their URLs to get traffic, using the creation
date of the domain name can be another tool that anti-spam filters use
to push a domain into the "junk" folder (or even make the link
unclickable, as Gmail/Google Apps seems to do for some "bad" URLs).
In conclusion, if we can have a detailed anatomy of an attack from
start to finish (i.e. step 1: person targets a bank ........ step 42:
attacker picks up money from his Russian bank account), I think we'd
be in a stronger position to find those choke points, which can
combine economics, technical factors, and perhaps ways to use
"signalling" to alleviate the behaviours we don't want, while still
allowing things to go on as normal for good actors.
Criminals are smart and economically rational. If we're just able to
destroy the economics of their behaviour, they'll rationally move on
to something else.
Sincerely,
George Kirikos
www.LEAP.com
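A defender-side sketch of two of the signals proposed above (delaying resolution for new domains from unverified registrants, and treating a high nameserver-change rate at the registry as a double-flux tell), added here as an illustration and not part of the original thread; the add-grace length, the churn threshold and the sample domain records are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy knobs (not from the thread): add-grace period length, and the
# nameserver-set change rate above which a domain looks like double flux.
ADD_GRACE_DAYS = 5
NS_CHANGES_PER_DAY_LIMIT = 50

@dataclass
class DomainRecord:
    name: str
    created: datetime                 # registry creation timestamp
    registrant_verified: bool         # registrant already holds a "good" domain
    ns_changes: list[datetime] = field(default_factory=list)  # NS-set change times

def in_add_grace(rec: DomainRecord, now: datetime) -> bool:
    """True while the domain is still inside the add-grace period."""
    return now - rec.created < timedelta(days=ADD_GRACE_DAYS)

def ns_change_rate(rec: DomainRecord, now: datetime, window_days: int = 1) -> float:
    """Nameserver-set changes per day over the trailing window."""
    start = now - timedelta(days=window_days)
    recent = [t for t in rec.ns_changes if start <= t <= now]
    return len(recent) / window_days

def triage(rec: DomainRecord, now: datetime) -> tuple[str, list[str]]:
    """Return ('hold' | 'allow', reasons); 'hold' = delay resolution and review."""
    reasons = []
    if in_add_grace(rec, now) and not rec.registrant_verified:
        reasons.append("new-domain-unverified-registrant")
    if ns_change_rate(rec, now) > NS_CHANGES_PER_DAY_LIMIT:
        reasons.append("double-flux-ns-churn")
    return ("hold" if reasons else "allow", reasons)

# Constructed sample records (fabricated for illustration).
NOW = datetime(2008, 8, 7, 12, 0)
SAMPLES = [
    DomainRecord("cdn-customer.example", NOW - timedelta(days=400), True,
                 [NOW - timedelta(hours=h) for h in range(0, 24, 6)]),   # 4/day
    DomainRecord("fresh-unverified.example", NOW - timedelta(days=2), False),
    DomainRecord("churn.example", NOW - timedelta(days=30), True,
                 [NOW - timedelta(minutes=10 * i) for i in range(120)]),  # 120/day
    DomainRecord("fresh-verified.example", NOW - timedelta(days=1), True),
]

def triage_all(records=SAMPLES, now=NOW) -> dict[str, str]:
    """Verdict per domain name for a batch of records."""
    return {r.name: triage(r, now)[0] for r in records}
```

The verified-but-new domain resolves immediately while the unverified one is held, which is the "signalling" distinction George proposes; a legitimate CDN with a few NS changes a day stays well under the churn limit.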