Fast Flux - Wikipedia, The Free Encyclopedia

Figure: DNS Robtex analysis of a fast-flux domain

Fast flux

From Wikipedia, the free encyclopedia

Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures. The Storm Worm is one of the recent malware variants to make use of this technique.

The basic idea behind fast flux is to have numerous IP addresses associated with a single fully qualified domain name, where the IP addresses are swapped in and out with extremely high frequency, through changing DNS records.[1]

Internet users may see fast flux used in phishing attacks linked to criminal organizations, including attacks on social network services.

While security researchers have been aware of the technique since at least November 2006, the technique has only received wider attention in the security trade press starting from July 2007.

Contents

1 Single-flux and double-flux
2 See also
3 References
4 Sources

Single-flux and double-flux

The simplest type of fast flux, named "single-flux", is characterized by multiple individual nodes within the network registering and de-registering their addresses as part of the DNS A (address) record list for a single DNS name. This combines round robin DNS with very short TTL (time to live) values, usually less than five minutes (300 s),[2] to create a constantly changing list of destination addresses for that single DNS name. The list can be hundreds or thousands of entries long.

A more sophisticated type of fast flux, referred to as "double-flux", is characterized by multiple nodes within the network registering and de-registering their addresses as part of the DNS Name Server record list for the DNS zone. This provides an additional layer of redundancy and survivability within the malware network.

Within a malware attack, the DNS records will normally point to a compromised system that will act as a proxy server. This method prevents some of the traditionally best defense mechanisms from working, e.g., IP-based access control lists (ACLs). The method can also mask the systems of attackers, which will exploit the network through a series of proxies and make it much more difficult to identify the attackers' network. The record will normally point to an IP where bots go for registration, to receive instructions, or to activate attacks. Because the IPs are proxified, it is possible to disguise the originating source of these instructions, increasing the survival rate as IP-based block lists are put in place.
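The single-flux and double-flux signatures described above (short TTLs, a large and churning A record list, and for double-flux a rotating NS record list) can be checked from the defender's side by repeatedly resolving a name and comparing the answers. The following detector is an added example, not code from the article; its lookup samples are constructed and its thresholds (the 300 s TTL limit, the minimum counts of distinct A and NS records) are assumptions chosen for illustration.

```python
"""Heuristic detector for fast-flux behaviour across repeated DNS lookups.

Added example, not from the Wikipedia article. Lookup samples are constructed;
thresholds are assumptions taken from the article's figures (TTL under 300 s,
many A records, rotating NS records for double-flux).
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Lookup:
    """One DNS answer for a name: TTL in seconds plus its A and NS record sets."""
    ttl: int
    a_records: frozenset
    ns_records: frozenset = frozenset()

def flux_report(lookups, ttl_limit=300, min_unique_a=5, min_unique_ns=3):
    """Summarise record churn over repeated lookups of one name.

    single_flux: every answer has a short TTL, many distinct A records were
    seen overall, and the A set changed between answers (round-robin churn).
    double_flux: single_flux plus an NS set that also rotates across servers.
    """
    pairs = list(zip(lookups, lookups[1:]))
    unique_a = set().union(*(l.a_records for l in lookups))
    unique_ns = set().union(*(l.ns_records for l in lookups))
    a_changes = sum(1 for p, c in pairs if p.a_records != c.a_records)
    ns_changes = sum(1 for p, c in pairs if p.ns_records != c.ns_records)
    low_ttl = bool(lookups) and all(l.ttl < ttl_limit for l in lookups)
    single = low_ttl and len(unique_a) >= min_unique_a and a_changes > 0
    double = single and len(unique_ns) >= min_unique_ns and ns_changes > 0
    return {"unique_a": len(unique_a), "unique_ns": len(unique_ns),
            "a_changes": a_changes, "ns_changes": ns_changes,
            "low_ttl": low_ttl, "single_flux": single, "double_flux": double}

# Constructed samples using RFC 5737 documentation addresses, not real hosts.
NS_FIXED = frozenset({"ns1.example", "ns2.example"})
STABLE_SITE = [  # hour-long TTL, same two addresses on every answer
    Lookup(3600, frozenset({"192.0.2.10", "192.0.2.11"}), NS_FIXED),
    Lookup(3600, frozenset({"192.0.2.10", "192.0.2.11"}), NS_FIXED),
]
FLUX_SITE = [  # 180 s TTL; A and NS sets swapped out on every answer
    Lookup(180, frozenset({"198.51.100.1", "198.51.100.2", "198.51.100.3"}),
           frozenset({"203.0.113.1", "203.0.113.2"})),
    Lookup(180, frozenset({"198.51.100.4", "198.51.100.5", "198.51.100.6"}),
           frozenset({"203.0.113.3", "203.0.113.4"})),
    Lookup(180, frozenset({"198.51.100.7", "198.51.100.8", "198.51.100.1"}),
           frozenset({"203.0.113.5", "203.0.113.1"})),
]
```

Calling `flux_report(FLUX_SITE)` flags both single- and double-flux while `flux_report(STABLE_SITE)` flags neither; since content delivery networks also combine short TTLs with many addresses, a production check would add further signals (such as the diversity of autonomous systems behind the addresses) before treating a verdict as malicious.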

The only effective measure against fast flux is to take down the domain name it uses. Registrars are, however, reluctant to do so because domain owners are legitimate customers for them and there's no worldwide-enforced policy of what constitutes an abuse. In addition to this, cybersquatters, including fast flux operators (who typically register new names on demand), are their main source of income. Security experts keep working on measures to ease this process.

See also

Domain Generation Algorithm - A malware control technique where multiple domain names are generated by victim hosts.

References

1. ^ Danford; Salusky (2007). "The Honeynet Project: How Fast-Flux Service Networks Work" (http://www.honeynet.org/node/132). Retrieved 2010-08-23.

2. ^ http://www.spamhaus.org/faq/answers.lasso?section=ISP%20Spam%20Issues#164

Sources

Spamhaus explanation of Fast Flux hosting (http://www.spamhaus.org/faq/answers.lasso?section=ISP%20Spam%20Issues#164)
Phishing by proxy (http://isc.sans.org/diary.html?storyid=1895) SANS Internet Storm Center diary from 2006-11-28 describes use of compromised hosts within botnets making use of fast flux techniques to deliver malware.
MySpace Phish and Drive-by attack vector propagating Fast Flux network growth (http://isc.sans.org/diary.html?storyid=3060) SANS Internet Storm Center diary from 2007-06-26 with technical details on FluxBot and fast flux techniques (warning: contains links to malicious code).
Know Your Enemy: Fast-Flux Service Networks; An Ever Changing Enemy (http://www.honeynet.org/papers/ff/) honeynet.org technical article from July 2007 and additional information on fast flux, including "single-flux" and "double-flux" techniques.
Fast flux foils bot-net takedown (http://www.securityfocus.com/news/11473) SecurityFocus article from 2007-07-09 describing impact of fast flux on botnet counter-measures.
Attackers Hide in Fast Flux (http://www.darkreading.com/document.asp?doc_id=129304&WT.svl=news1_1) darkreading article from 2007-07-17 on the use of fast flux by criminal organizations behind malware.
.Asia registry to crack down on phishy domains (http://www.arnnet.com.au/index.php/id;466962656;fp;4;fpid;1382389953) article from 2007-10-12 mentions the use of fast flux in phishing attacks.
.Asia registry to crack down on phishy domains (http://www.linuxworld.com.au/index.php/id;466962656;fp;2;fpid;1) alternate source for article above.
CRYPTO-GRAM October 15, 2007 issue (http://www.schneier.com/crypto-gram-0710.html) mentions fast flux as a DNS technique utilized by the Storm Worm.
ATLAS Summary Report (http://atlas.arbor.net/summary/fastflux) - Real-time global report of fast flux activity.
Spam Trackers Wiki Entry on Fast Flux (http://spamtrackers.eu/wiki/index.php?title=Fast-flux)
SAC 025 SSAC Advisory on Fast Flux Hosting and DNS (http://www.icann.org/committees/security/sac025.pdf)
GNSO Issues Report on Fast Flux Hosting (http://gnso.icann.org/issues/fast-flux-hosting/gnso-issues-report-fast-flux-25mar08.pdf)
FluXOR project from Computer and Network Security Lab (LaSeR) @ Università degli Studi di Milano (http://fluxor.laser.dico.unimi.it/) (down as of 07/27/2012)
abuse.ch FastFlux Tracker (http://dnsbl.abuse.ch/fastfluxtracker.php)
RemovingMalware's Guide to Fast Flux DNS (http://www.removingmalware.org/fast-flux-dns-how-online-criminals-stay-hidden/) - How Criminals are using Fast Flux DNS to stay hidden

Retrieved from "http://en.wikipedia.org/w/index.php?title=Fast_flux&oldid=625601054"
Categories: Domain name system, Internet advertising

This page was last modified on 15 September 2014 at 01:27. Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization.