ICANN Email List Archives

[gnso-ff-pdp-may08]



RE: [gnso-ff-pdp-may08] About "fingerprinting"

  • To: dave.piscitello@xxxxxxxxx
  • Subject: RE: [gnso-ff-pdp-may08] About "fingerprinting"
  • From: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
  • Date: Fri, 17 Oct 2008 13:48:09 -0700

Dave mentioned:

#When reviewing the FF report, especially in the context of characteristics
#that we describe as part of a "fingerprint", please bear in mind that the
#practice of matching fingerprints relies on achieving as many possible
#matches as possible. A fingerprint match with only 5 points is very
#borderline, whereas a fingerprint match with 12-15 points is very
#convincing/conclusive.
#
#In the context of our report, I have tried, with others, to identify as many
#markers fast flux investigators have identified as being associated with a
#fast flux attack as possible. In no way am I suggesting that any single of
#these characteristics is cause to conclude you've identified a FF attack

Well said, Dave. I support this statement. 

At the same time, if folks do dislike having a plethora of potential 
"markers" or "characteristics" associated with identifying fast flux,
recall that the Mannheim formula looks solely at the number of unique
IPs associated with a given fully qualified domain name, plus the
number of distinct autonomous systems associated with those dotted
quads, weighting those two counts and comparing them to a cut off
value:

mannheim = (18.54*uniqueAsns) + (1.32*uniqueIps)

A score on that formula of over 142.38 is indicative of a fast flux domain.

For example, testing the domain bieqwi.com (currently flagged by Firefox
as a suspected web forgery domain) using the non-iterative/one-time-through
only tester at http://www.uoregon.edu/~joe/fastflux/simple.cgi we see:

   The domainname is bieqwi.com

   Found 10 IPs:

   76.19.164.47 --> AS7015
   89.36.135.102 --> AS30890
   82.31.198.142 --> AS5089
   89.114.232.197 --> AS30890
   89.137.100.68 --> AS6746
   85.250.154.234 --> AS1680
   71.116.93.120 --> AS19262
   92.72.52.96 --> AS3209
   82.40.128.124 --> AS5462
   89.32.153.76 --> AS39226

   9 unique ASNs

   Mannheim score = 180.06

   A Mannheim score of 180.06 is greater than the cutoff score of 142.38 
   ==> FASTFLUX!

Are there other characteristics that add credence to the notion that
this is a problematic domain? Well, you can check the whois, noting:

   Registrant Contact:
   GG White
   Gregory White white@xxxxxxxxx
   9998810555 fax: 9998810555
   999 Road
   Los Angeles MN 65474
   us

http://zip4.usps.com/zip4/welcome.jsp confirms that 999 Road 
Los Angeles MN 65474 is not a valid address.

9998810555 is also not a valid phone number.

The bieqwi.com domain has the name servers:

   ns1.nitrosprint.com
   ns2.nitrosprint.com

Checking nitrosprint.com, I see further prima facie invalid whois information:

   Domain name: nitrosprint.com

   Registrant Contact:
   reserve
   Federal Reserve reserve@xxxxxxxxx
   5544810844 fax: 5544810844
   544 Ins Dr
   Dik City MA 44405
   us

So if we want more than just the simple approach of the Mannheim formula,
we certainly can find examples supporting the "poor quality whois data"
is associated with Fast flux domains, just to mention one additional
characteristic.

Regards,

Joe

Disclaimer: all opinions strictly my own.
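The Mannheim scoring that Joe walks through above, reproduced as an added, self-contained example (this is not code from the original message, nor from the uoregon.edu tester it links to). The coefficients (18.54 for unique ASNs, 1.32 for unique IPs) and the 142.38 cutoff are taken from the message; the "IP --> ASn" input format mirrors the tester output quoted for bieqwi.com, and the second, single-provider sample is constructed here purely to show the non-flagged case. Mapping IPs to ASNs is assumed to have already happened (as the tester does); this code only parses those results and scores them.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Mannheim fast-flux score as quoted in the message:
#   mannheim = 18.54 * uniqueAsns + 1.32 * uniqueIps, fast flux if > 142.38
ASN_WEIGHT = 18.54
IP_WEIGHT = 1.32
CUTOFF = 142.38

# Constructed sample in the same "IP --> ASn" shape as the tester output quoted
# in the message for bieqwi.com (10 IPs, AS30890 appearing twice).
SAMPLE_FLUX_OUTPUT = """\
76.19.164.47 --> AS7015
89.36.135.102 --> AS30890
82.31.198.142 --> AS5089
89.114.232.197 --> AS30890
89.137.100.68 --> AS6746
85.250.154.234 --> AS1680
71.116.93.120 --> AS19262
92.72.52.96 --> AS3209
82.40.128.124 --> AS5462
89.32.153.76 --> AS39226
"""

# Constructed counter-example (hypothetical addresses): a handful of A records
# that all sit in one provider's ASN, as a conventionally hosted site would.
SAMPLE_SINGLE_AS_OUTPUT = """\
192.0.2.10 --> AS64500
192.0.2.11 --> AS64500
192.0.2.12 --> AS64500
192.0.2.13 --> AS64500
"""

# One "dotted quad --> ASnnn" line; anything else (headers, blanks) is ignored.
LINE_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*-->\s*AS(\d+)\s*$")


def parse_tester_output(text: str) -> List[Tuple[str, int]]:
    """Extract (ip, asn) observations from tester-style output."""
    observations = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            observations.append((match.group(1), int(match.group(2))))
    return observations


def mannheim_score(observations: Iterable[Tuple[str, int]]) -> Tuple[float, int, int]:
    """Return (score, unique_ip_count, unique_asn_count).

    Duplicates are collapsed first: the formula counts distinct IPs and
    distinct ASNs, not the number of A records returned.
    """
    obs = list(observations)
    unique_ips = {ip for ip, _ in obs}
    unique_asns = {asn for _, asn in obs}
    score = ASN_WEIGHT * len(unique_asns) + IP_WEIGHT * len(unique_ips)
    return score, len(unique_ips), len(unique_asns)


def is_fast_flux(score: float) -> bool:
    """Apply the cutoff exactly as stated: strictly greater than 142.38."""
    return score > CUTOFF


def assess(text: str) -> Dict[str, object]:
    """Parse, score and classify one block of tester output."""
    observations = parse_tester_output(text)
    score, n_ips, n_asns = mannheim_score(observations)
    return {
        "unique_ips": n_ips,
        "unique_asns": n_asns,
        "score": round(score, 2),
        "fast_flux": is_fast_flux(score),
    }


if __name__ == "__main__":
    for label, sample in (("bieqwi.com-style", SAMPLE_FLUX_OUTPUT),
                          ("single-AS", SAMPLE_SINGLE_AS_OUTPUT)):
        result = assess(sample)
        verdict = "FASTFLUX!" if result["fast_flux"] else "not flagged"
        print(f"{label}: {result['unique_ips']} IPs, {result['unique_asns']} ASNs, "
              f"Mannheim score = {result['score']} ==> {verdict}")
```

Two things worth keeping in mind when using this. First, the tester Joe quotes is explicitly a single, non-iterative query; because flux domains rotate A records as TTLs expire, repeated lookups over time generally enlarge both the IP and the ASN sets, so a one-shot score is a lower bound rather than the final word. Second, the ASN term dominates (one extra ASN is worth about fourteen extra IPs), which is why the bieqwi.com sample clears the cutoff on ASN diversity alone: 9 ASNs contribute 166.86 of the 180.06 total.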


