ICANN Email List Archives

[gnso-ff-pdp-may08]



Re: [gnso-ff-pdp-may08] Re: Mannheim score concerns (minority view)

  • To: "gnso-ff-pdp-May08@xxxxxxxxx" <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: Re: [gnso-ff-pdp-may08] Re: Mannheim score concerns (minority view)
  • From: "George Kirikos" <fastflux@xxxxxxxx>
  • Date: Wed, 17 Sep 2008 15:04:56 -0400

Hello,

On Wed, Sep 17, 2008 at 2:10 PM, Joe St Sauver wrote:
> I'm not sure the sort of evolution you fear will happen in the case
> of the Mannheim formula. Remember that it is a very simple formula,
> and essentially only tracks/penalizes two things:
>
> -- the number of IPs mapped to a given IP address over time
> -- the number of ASNs to which those IPs map
>
> and it would be hard to "game."

The authors of the paper itself seemed to feel it's not game-proof, e.g.

http://www.isoc.org/isoc/conferences/ndss/08/papers/16_measuring_and_detecting.pdf

"The values of w1, w2 and w3 as well as the threshold should be
adjusted periodically since attackers could try to mimic CDNs in order
to evade our metric" (page 6 of the PDF, right column)

The weights themselves were a result of a one-time statistical
procedure, and would change as the number of sites in the Alexa Top
500 and DMOZ change their technologies to possibly employ legitimate
fast flux.

Here's a simple way to possibly game it. Suppose you have a central
agency (ICANN) that is being used to report malicious fast flux. If an
attacker used "directional DNS" (where the responses can be varied
depending on who is making the query), e.g.

http://www.ultradns.com/downloads/DirectionalDNS.pdf

"This database-driven service allows customers to choose specific DNS
answers to be given for a record based on the country, U.S. state, or
Canadian province of the visitor's source IP address. The database used to
determine this information is updated monthly, is over 99% accurate at
a country level, and contains almost 500,000 IP ranges."

wouldn't they be able to create DNS responses that always beat the
Mannheim score for certain groups of people (e.g. police, ICANN, big
corporates where researchers work, etc.), but fail the test for other
people? i.e. the answer to the question "Are you a fast flux host?"
depends on who is doing the asking? A registrar might say "No, they
look like a legit site", but a researcher might say "Wrong, you have
to use the following nameservers in order to see what I see!" and then
the registrar/ICANN might say "How do I trust your nameservers?" etc.
What happens in a world where many individual PCs start querying
domain nameservers directly, instead of using their ISP's nameservers
(because, perhaps, their ISPs engage in DNS Response Modification,
e.g. http://www.icann.org/en/committees/security/sac032.pdf ), and
thus domain owners can tailor DNS responses to individual users on a
single IP by IP level?

Of course, this is a "game" that took me 2 minutes to think up, and I
assume the professional malefactors who benefit from crime can spend a
lot more time than me to think up ways to evade detection. One would
think that since they can continue registering new domains easily, the
malefactors could use statistical techniques across their domains
(i.e. logging DNS requests) to figure out to a high degree of
certainty which nameservers/IP blocks are used by researchers. Just
like search engine spammers engage in cloaking to give one set of
pages to Googlebot, and another to regular users.

Right now, IP addresses are a scarce resource under IPv4. What happens
under IPv6, when IP address availability soars? I would think that as
IP addresses become cheap (or essentially free), the economic ability
to "flux" goes up, and the formula will need to be recalibrated.

Sincerely,

George Kirikos
www.LEAP.com
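The message above discusses two things a practitioner may want to see made concrete: how a Mannheim-style flux score is computed from repeated lookups (a weighted sum of distinct A records, distinct ASNs and distinct nameservers, compared against a threshold), and why a score taken from a single resolver is only as trustworthy as that vantage point. The following Python is an added example, not code from the paper, the working group or ICANN. The weights, threshold, IP-to-ASN table and lookup results are all constructed placeholders; the paper's fitted values are not reproduced here. The example scores a domain separately per vantage point and reports when the verdicts disagree, which is the cross-check that the "depends on who is doing the asking" concern calls for.

```python
"""Per-vantage flux scoring with a disagreement check (illustrative example).

All numbers and addresses below are constructed for illustration. The real
weights w1..w3 and the threshold are fitted statistically, as the thread notes.
"""
from collections import defaultdict

# Constructed weights (w1 for distinct A records, w2 for distinct ASNs,
# w3 for distinct nameservers) and a constructed decision threshold.
WEIGHTS = (1.0, 10.0, 5.0)
THRESHOLD = 60.0

# Constructed IP -> origin ASN table (documentation prefixes, private ASNs).
IP_TO_ASN = {
    "198.51.100.10": 64500, "198.51.100.11": 64500,      # one CDN-like AS
    "203.0.113.5": 64501, "192.0.2.9": 64502, "198.51.100.200": 64503,
    "203.0.113.77": 64504, "192.0.2.130": 64505, "203.0.113.150": 64506,
    "192.0.2.45": 64502, "203.0.113.201": 64501, "198.51.100.33": 64507,
    "192.0.2.77": 64505, "198.51.100.99": 64503,
}

# Constructed lookups of one domain from two vantage points. The research
# resolver keeps seeing a stable pair of addresses; the home resolver sees a
# rotating set spread over many ASNs.
NS = ["ns1.example.net", "ns2.example.net"]
OBSERVATIONS = [
    {"vantage": "research_resolver", "a": ["198.51.100.10", "198.51.100.11"], "ns": NS}
    for _ in range(4)
] + [
    {"vantage": "home_resolver", "a": ["203.0.113.5", "192.0.2.9", "198.51.100.200"], "ns": NS},
    {"vantage": "home_resolver", "a": ["203.0.113.77", "192.0.2.130", "203.0.113.150"], "ns": NS},
    {"vantage": "home_resolver", "a": ["192.0.2.45", "203.0.113.201", "198.51.100.33"], "ns": NS},
    {"vantage": "home_resolver", "a": ["203.0.113.5", "192.0.2.77", "198.51.100.99"], "ns": NS},
]


def flux_features(lookups, ip_to_asn):
    """Aggregate repeated lookups into (nA, nASN, nNS): counts of distinct
    A records, distinct origin ASNs of those records, and distinct NS names."""
    ips, nss = set(), set()
    for lookup in lookups:
        ips.update(lookup["a"])
        nss.update(lookup["ns"])
    # Addresses missing from the ASN table are not counted toward nASN.
    asns = {ip_to_asn[ip] for ip in ips if ip in ip_to_asn}
    return len(ips), len(asns), len(nss)


def flux_score(n_a, n_asn, n_ns, weights=WEIGHTS):
    """Linear score w1*nA + w2*nASN + w3*nNS."""
    w1, w2, w3 = weights
    return w1 * n_a + w2 * n_asn + w3 * n_ns


def classify(lookups, ip_to_asn=IP_TO_ASN, weights=WEIGHTS, threshold=THRESHOLD):
    """Score one vantage point's lookups and compare against the threshold."""
    features = flux_features(lookups, ip_to_asn)
    score = flux_score(*features, weights)
    return {"features": features, "score": score, "flux": score > threshold}


def classify_by_vantage(observations, **kwargs):
    """Group lookups by vantage point and classify each group separately."""
    grouped = defaultdict(list)
    for obs in observations:
        grouped[obs["vantage"]].append(obs)
    return {vantage: classify(lookups, **kwargs) for vantage, lookups in grouped.items()}


def vantages_disagree(results):
    """True when different vantage points reach different verdicts, which
    means a single-resolver score should not be trusted on its own."""
    return len({r["flux"] for r in results.values()}) > 1


if __name__ == "__main__":
    results = classify_by_vantage(OBSERVATIONS)
    for vantage, r in results.items():
        print(f"{vantage}: nA,nASN,nNS={r['features']} score={r['score']} flux={r['flux']}")
    print("vantage points disagree:", vantages_disagree(results))
```

The per-vantage split is the point of the example: with the constructed data the research resolver's view scores well below the threshold while the home resolver's view scores well above it, and `vantages_disagree` turns that split into a signal rather than letting either view stand as the answer.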
