RE: [gnso-ff-pdp-may08] About "fingerprinting"
- To: "joe@xxxxxxxxxxxxxxxxxx" <joe@xxxxxxxxxxxxxxxxxx>, "dave.piscitello@xxxxxxxxx" <dave.piscitello@xxxxxxxxx>
- Subject: RE: [gnso-ff-pdp-may08] About "fingerprinting"
- From: Paul Stahura <Paul.Stahura@xxxxxxxx>
- Date: Fri, 17 Oct 2008 18:26:16 -0700
I haven't read most of the messages on this list, but I want to say I agree
that it's technically possible to "fingerprint" the "bad" fast-flux domains, and
that the number of unique ASNs is a much more significant factor in that
fingerprinting than the number of IPs.
-----Original Message-----
From: owner-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Joe St Sauver
Sent: Friday, October 17, 2008 1:48 PM
To: dave.piscitello@xxxxxxxxx
Cc: gnso-ff-pdp-May08@xxxxxxxxx
Subject: RE: [gnso-ff-pdp-may08] About "fingerprinting"
Dave mentioned:
#When reviewing the FF report, especially in the context of characteristics
#that we describe as part of a "fingerprint", please bear in mind that the
#practice of matching fingerprints relies on achieving as many possible
#matches as possible. A fingerprint match with only 5 points is very
#borderline, whereas a fingerprint match with 12-15 points is very
#convincing/conclusive.
#
#In the context of our report, I have tried, with others, to identify as many
#markers fast flux investigators have identified as being associated with a
#fast flux attack as possible. In no way am I suggesting that any single of
#these characteristics is cause to conclude you've identified a FF attack
Well said, Dave. I support this statement.
At the same time, if folks do dislike having a plethora of potential
"markers" or "characteristics" associated with identifying fast flux,
recall that the Mannheim formula looks solely at the number of unique
IPs associated with a given fully qualified domain name, plus the
number of distinct autonomous systems associated with those dotted
quads, weighting those two counts and comparing them to a cut off
value:
mannheim = (18.54*uniqueAsns) + (1.32*uniqueIps)
A score on that formula of over 142.38 is indicative of a fast flux domain.
For example, testing the domain bieqwi.com (currently flagged by Firefox
as a suspected web forgery domain) using the non-iterative/one-time-through
only tester at http://www.uoregon.edu/~joe/fastflux/simple.cgi we see:
The domainname is bieqwi.com
Found 10 IPs:
76.19.164.47 --> AS7015
89.36.135.102 --> AS30890
82.31.198.142 --> AS5089
89.114.232.197 --> AS30890
89.137.100.68 --> AS6746
85.250.154.234 --> AS1680
71.116.93.120 --> AS19262
92.72.52.96 --> AS3209
82.40.128.124 --> AS5462
89.32.153.76 --> AS39226
9 unique ASNs
Mannheim score = 180.06
A Mannheim score of 180.06 is greater than the cutoff score of 142.38
==> FASTFLUX!
Are there other characteristics that add credence to the notion that
this is a problematic domain? Well, you can check the whois, noting:
Registrant Contact:
GG White
Gregory White white@xxxxxxxxx
9998810555 fax: 9998810555
999 Road
Los Angeles MN 65474
us
http://zip4.usps.com/zip4/welcome.jsp confirms that 999 Road
Los Angeles MN 65474 is not a valid address.
9998810555 is also not a valid phone number.
The bieqwi.com domain has the name servers:
ns1.nitrosprint.com
ns2.nitrosprint.com
Checking nitrosprint.com, I see further prima facie invalid whois information:
Domain name: nitrosprint.com
Registrant Contact:
reserve
Federal Reserve reserve@xxxxxxxxx
5544810844 fax: 5544810844
544 Ins Dr
Dik City MA 44405
us
So if we want more than just the simple approach of the Mannheim formula,
we certainly can find examples supporting the "poor quality whois data"
is associated with Fast flux domains, just to mention one additional
characteristic.
Regards,
Joe
Disclaimer: all opinions strictly my own.
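As an added illustration of the Mannheim formula Joe quotes above (not code from the list, nor from the uoregon.edu tester), the following parses "IP --> ASn" lines like the ones in the bieqwi.com lookup and scores them; the weights 18.54 and 1.32 and the 142.38 cutoff are the ones in the message, the sample input is constructed from that lookup, and the single-ASN contrast case is made up to show why the ASN count dominates, as Paul notes.

```python
import re

# Weights and cutoff from the Mannheim fast-flux formula quoted in the thread.
ASN_WEIGHT = 18.54
IP_WEIGHT = 1.32
CUTOFF = 142.38

# One line of the simple tester's output: "<dotted quad> --> AS<number>".
LINE_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*-->\s*AS(\d+)\s*$")

# Constructed sample: the ten IP --> ASN lines from the bieqwi.com lookup above.
SAMPLE_LOOKUP = """\
76.19.164.47 --> AS7015
89.36.135.102 --> AS30890
82.31.198.142 --> AS5089
89.114.232.197 --> AS30890
89.137.100.68 --> AS6746
85.250.154.234 --> AS1680
71.116.93.120 --> AS19262
92.72.52.96 --> AS3209
82.40.128.124 --> AS5462
89.32.153.76 --> AS39226
"""

# Constructed contrast case: eight IPs that all sit in one autonomous system,
# the shape a single-provider load-balanced or CDN-fronted site tends to have.
SINGLE_ASN_LOOKUP = "\n".join(f"203.0.113.{i} --> AS64496" for i in range(1, 9))


def parse_lookup(text):
    """Return {ip: asn} from 'ip --> ASn' lines; lines that do not match are skipped."""
    mapping = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            mapping[m.group(1)] = int(m.group(2))
    return mapping


def mannheim_score(ip_to_asn):
    """Score = 18.54 * unique ASNs + 1.32 * unique IPs, rounded to two decimals."""
    unique_ips = len(ip_to_asn)
    unique_asns = len(set(ip_to_asn.values()))
    return round(ASN_WEIGHT * unique_asns + IP_WEIGHT * unique_ips, 2)


def is_fast_flux(ip_to_asn):
    """True when the score exceeds the cutoff; a zero-IP lookup scores 0 and is not flagged."""
    return mannheim_score(ip_to_asn) > CUTOFF


if __name__ == "__main__":
    for label, text in (("bieqwi.com sample", SAMPLE_LOOKUP), ("single-ASN", SINGLE_ASN_LOOKUP)):
        m = parse_lookup(text)
        print(f"{label}: {len(m)} IPs, {len(set(m.values()))} ASNs, score {mannheim_score(m)}, "
              f"{'FASTFLUX' if is_fast_flux(m) else 'below cutoff'}")
```

Ten IPs across nine ASNs score 180.06 and are flagged; eight IPs in one ASN score only 29.10, so a single-provider site is not mistaken for fast flux even with many addresses.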