Re: [gnso-ff-pdp-may08] Re: Mannheim score concerns (minority view)
- To: fastflux@xxxxxxxx
- Subject: Re: [gnso-ff-pdp-may08] Re: Mannheim score concerns (minority view)
- From: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
- Date: Wed, 17 Sep 2008 14:08:03 -0700
George mentioned
#The authors of the paper itself seemed to feel it's not game-proof, e.g.
#
#http://www.isoc.org/isoc/conferences/ndss/08/papers/16_measuring_and_detecting.pdf
#
#"The values of w1, w2 and w3 as well as the threshold should be
#adjusted periodically since attackers could try to mimic CDNs in order
#to evade our metric" (page 6 of the PDF, right column)
Already stipulated that the coefficients and thresholds may need to be
renormed from time to time, no argument from me there. But that's a tiny
tweak, it is not an indication that the model itself needs to be jettisoned
and replaced with something else.
#The weights themselves were a result of a one-time statistical
#procedure, and would change as the number of sites in the Alexa Top
#500 and DMOZ change their technologies to possibly employ legitimate
#fast flux.
Actually, I *don't* think changes on the legitimate side of things would
evolve to look more flux-like -- you simply wouldn't see that many
distinct ASNs in use, for example. (But I continue to be very interested
in actual examples of this sort of thing that I can eyeball and analyze.)
#Here's a simple way to possibly game it. Suppose you have a central
#agency (ICANN) that is being used to report malicious fast flux. If an
#attacker used "directional DNS" (where the responses can be varied
#depending on who is making the query), e.g.
#
#http://www.ultradns.com/downloads/DirectionalDNS.pdf
<waves to Rodney :-)>
#wouldn't they be able to create DNS responses that always beat the
#Mannheim score for certain groups of people (e.g. police, ICANN, big
#corporates where researchers work, etc.), but fail the test for other
#people? i.e. the answer to the question "Are you a fast flux host?"
#depends on who is doing the asking?
Hypothetically, sure. Practically, no. At least the anti-spam and anti-phish
researchers I know use different publicly available name servers (open
recursive name servers are still so prevalent as to be a cliche,
unfortunately), to say nothing of Tor and comparably non-attributable
anonymity services.
#A registrar might say "No, they
#look like a legit site", but a researcher might say "Wrong, you have
#to use the following nameservers in order to see what I see!" and then
#the registrar/ICANN might say "How do I trust your nameservers?" etc.
Publicly verifiable data is a must I think.
#Of course, this is a "game" that took me 2 minutes to think up, and I
#assume the professional malefactors who benefit from crime can spend a
#lot more time than me to think up ways to evade detection.
If so, they typically don't demonstrate it. As one individual I know put
it, the bad guys don't need to invent time travel if they can just get
on an airplane instead. In my experience, they use what they need to use,
and what's cost effective and available. The amount of material innovation
(a la fast flux) is quite low.
#One would
#think that since they can continue registering new domains easily, the
#malefactors could use statistical techniques across their domains
#(i.e. logging DNS requests) to figure out to a high degree of
#certainty which nameservers/IP blocks are used by researchers. Just
#like search engine spammers engage in cloaking to give one set of
#pages to Googlebot, and another to regular users.
In order to do that, they'd need to forsake some pretty big customer pools.
Researchers routinely work from major ISP broadband pools, among other
spaces.
#Right now, IP addresses are a scarce resource under IPv4. What happens
#under IPv6, when IP address availability soars? I would think that as
#IP addresses become cheap (or essentially free), the economic ability
#to "flux" goes up, and the formula will need to be recalibrated.
New coefficients, sure. New model? Not at all clear that's true.
Oh, and when it comes to IPv6, I strongly suspect that folks will simply
list network ranges rather than individual v6 addresses, much as some
folks already list /24's rather than single v4 addresses at a time.
But you know, I'd be *thrilled* to have someone else propose a formula
that is both simple and efficient for screening fast flux domains,
particularly one that's backed up by empirical research the way the
Mannheim formula is. I just haven't seen that sort of alternative pop
up yet, which is why I continue to ride the horse that's currently in
the corral. :-)
Regards,
Joe
Disclaimer: all opinions strictly my own
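Added illustration, not part of the thread: a small scorer for the vantage-point dispute above. It computes a Mannheim-style flux score per resolver view, folds IPv6 answers to /64 prefixes (the "list ranges, not single v6 addresses" point), and flags when different vantage points reach different verdicts, which is the directional-DNS concern. The weights and threshold are assumed here as recalled from the cited Holz et al. NDSS'08 paper (the thread does not print them), and the DNS answers are constructed sample data.

```python
import ipaddress

# Assumed weights/threshold from the NDSS'08 paper (not printed in this thread):
# f(x) = w1 * n_A + w2 * n_ASN (+ w3 * n_NS, with w3 reported as ~0).
W_A, W_ASN, THRESHOLD = 1.32, 18.54, 142.38

def unique_addresses(records):
    """Count distinct addresses seen in A/AAAA answers.
    IPv6 answers are folded to their /64 so a single host that rotates through
    one v6 subnet counts once, mirroring how ranges rather than single v6
    addresses get listed."""
    seen = set()
    for ip, _asn in records:
        addr = ipaddress.ip_address(ip)
        if addr.version == 6:
            seen.add(ipaddress.ip_network(f"{addr}/64", strict=False))
        else:
            seen.add(addr)
    return len(seen)

def flux_score(records):
    """records: list of (ip, asn) pairs accumulated over repeated lookups
    from one vantage point (one resolver)."""
    n_a = unique_addresses(records)
    n_asn = len({asn for _ip, asn in records})
    return W_A * n_a + W_ASN * n_asn

def is_fast_flux(records):
    return flux_score(records) > THRESHOLD

def score_by_vantage(observations):
    """observations: {resolver_label: records}. Returns the per-resolver score
    and True when the verdict differs between resolvers, i.e. the answer to
    'are you fast flux?' depends on who is asking. The defensive response is
    to keep the raw answers from every vantage point so the result is
    publicly verifiable, and to act on the worst (highest) view."""
    scores = {label: flux_score(recs) for label, recs in observations.items()}
    verdicts = {s > THRESHOLD for s in scores.values()}
    return scores, len(verdicts) > 1

# Constructed sample: one domain, two vantage points.
RESEARCHER_VIEW = [("198.51.100.10", 64501), ("203.0.113.5", 64502),
                   ("192.0.2.77", 64503), ("198.51.100.200", 64504),
                   ("203.0.113.99", 64505), ("192.0.2.150", 64506),
                   ("2001:db8:1:2::10", 64507), ("2001:db8:1:2::11", 64507),
                   ("2001:db8:9:9::1", 64508)]
REGISTRAR_VIEW = [("198.51.100.10", 64501), ("198.51.100.11", 64501)]
OBSERVATIONS = {"researcher": RESEARCHER_VIEW, "registrar": REGISTRAR_VIEW}

if __name__ == "__main__":
    scores, split = score_by_vantage(OBSERVATIONS)
    print(scores, "verdicts disagree:", split)
```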