Fast flux
Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load-balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures. The Storm Worm is one of the recent malware variants to make use of this technique. Internet users may see fast flux used in phishing attacks linked to criminal organizations, including attacks on MySpace. While security researchers have been aware of the technique since at least November 2006, the technique has only received wider attention in the security trade press starting from July 2007.
Single-flux and double-flux
The simplest type of fast flux, referred to as "single-flux", is characterized by multiple individual nodes within the network registering and de-registering their addresses as part of the DNS A (address) record list for a single DNS name. This combines round robin DNS with very short TTL (time to live) values to create a constantly changing list of destination addresses for that single DNS name. The list can be hundreds or thousands of entries long.
A more sophisticated type of fast flux, referred to as "double-flux", is characterized by multiple nodes within the network registering and de-registering their addresses as part of the DNS NS record list for the DNS zone. This provides an additional layer of redundancy and survivability within the malware network.
Within a malware attack, the DNS records will normally point to a compromised system that will act as a proxy. This method prevents some of the traditionally best defense mechanisms from working, for example IP-based ACLs. The method can also mask the attackers' systems, which will exploit the network through a series of proxies and make it much more difficult to identify the attackers' network. The record will normally point to an IP where bots go for registration, to receive instructions, or to activate attacks. Because the IPs are proxied, it is possible to disguise the originating source of these instructions, increasing the survival rate as IP-based block lists are put in place.
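To make the single-flux and double-flux patterns above concrete from a defender's side, here is an added example (not code from the original article) of a heuristic that classifies a name from repeated lookups of its A and NS records: a short TTL combined with a large, rotating answer set is the single-flux signature, and the same behaviour in the NS record set on top of it is the double-flux signature. The Snapshot records, the thresholds, and the sample answer sets are all constructed for illustration; the /16 bucketing is an assumption that compromised proxies are scattered across unrelated networks while a single provider's pool is not, and the code handles IPv4 literals only.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Snapshot:
    """One resolution of a name: record type queried, TTL returned, answer list."""
    rrtype: str         # "A" (address records) or "NS" (name server records)
    ttl: int            # time to live in seconds, as returned by the resolver
    answers: List[str]  # the full answer list seen in this lookup


# Thresholds are illustrative assumptions, not values stated on the page.
LOW_TTL_SECONDS = 300        # TTLs at or below this count as "very short"
MIN_DISTINCT_ANSWERS = 5     # answer churn needed across the observed lookups
MIN_DISTINCT_NETWORKS = 3    # /16 spread needed for A records (IPv4 only)


def network_of(ip: str) -> str:
    """Coarse /16 bucket. Assumption: fast-flux proxies sit in many unrelated
    networks, whereas a hosting pool with short TTLs stays within a few."""
    first, second, _, _ = ip.split(".")
    return f"{first}.{second}.0.0/16"


def summarise(snapshots: List[Snapshot], rrtype: str) -> Dict[str, int]:
    """Collapse repeated lookups of one record type into flux indicators."""
    relevant = [s for s in snapshots if s.rrtype == rrtype]
    distinct = {a for s in relevant for a in s.answers}
    summary = {
        "lookups": len(relevant),
        "distinct_answers": len(distinct),
        "max_ttl": max((s.ttl for s in relevant), default=0),
    }
    if rrtype == "A":
        summary["distinct_networks"] = len({network_of(ip) for ip in distinct})
    return summary


def is_fluxing(summary: Dict[str, int], check_networks: bool) -> bool:
    """All indicators must fire: short TTL, high churn, and (for A) wide spread."""
    if summary["lookups"] < 2:
        return False                      # one lookup cannot show rotation
    if summary["max_ttl"] > LOW_TTL_SECONDS:
        return False
    if summary["distinct_answers"] < MIN_DISTINCT_ANSWERS:
        return False
    if check_networks and summary["distinct_networks"] < MIN_DISTINCT_NETWORKS:
        return False
    return True


def classify(snapshots: List[Snapshot]) -> str:
    """Single-flux: rotating A records. Double-flux: rotating NS records too."""
    a_flux = is_fluxing(summarise(snapshots, "A"), check_networks=True)
    ns_flux = is_fluxing(summarise(snapshots, "NS"), check_networks=False)
    if a_flux and ns_flux:
        return "double-flux"
    if a_flux:
        return "single-flux"
    return "no flux indicators"


# Constructed sample lookups (documentation IP ranges and .test names).
SINGLE_FLUX = [
    Snapshot("A", 180, ["203.0.113.10", "198.51.100.7", "192.0.2.55"]),
    Snapshot("A", 180, ["198.51.100.7", "192.0.2.88", "203.0.113.201"]),
    Snapshot("A", 180, ["192.0.2.88", "203.0.113.42", "198.51.100.120"]),
    Snapshot("NS", 86400, ["ns1.example.net", "ns2.example.net"]),
]
DOUBLE_FLUX = SINGLE_FLUX[:3] + [
    Snapshot("NS", 120, ["ns1.flux-example.test", "ns2.flux-example.test",
                         "ns3.flux-example.test"]),
    Snapshot("NS", 120, ["ns3.flux-example.test", "ns4.flux-example.test",
                         "ns5.flux-example.test"]),
]
STATIC_HOST = [
    Snapshot("A", 3600, ["192.0.2.10"]),
    Snapshot("A", 3600, ["192.0.2.10"]),
    Snapshot("NS", 86400, ["ns1.example.net", "ns2.example.net"]),
]
# Short TTL and churn, but every address in one /16: a provider pool, not flux.
SINGLE_POOL = [
    Snapshot("A", 60, ["192.0.2.11", "192.0.2.12", "192.0.2.13"]),
    Snapshot("A", 60, ["192.0.2.14", "192.0.2.15", "192.0.2.16"]),
]

if __name__ == "__main__":
    for label, sample in [("single", SINGLE_FLUX), ("double", DOUBLE_FLUX),
                          ("static", STATIC_HOST), ("pool", SINGLE_POOL)]:
        print(f"{label:>7}: {classify(sample)}")
```

The SINGLE_POOL case is the caveat to keep in mind: short TTLs and large answer sets are also normal for load-balanced legitimate services, so a detector needs the network-spread test (or another independent signal) before it blocks anything, and the thresholds should be tuned against known-good names in the environment being monitored.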
Controls
In order to combat "fast flux", the new Internet Draft document "Double Flux Defense in the DNS Protocol", by John Bambenek of the University of Illinois, proposes material changes to the DNS.
References
* [http://tools.ietf.org/html/draft-bambenek-doubleflux Double Flux Defense in the DNS Protocol]
See also
* DNS
* Malware
* Botnet
* Storm Worm
* List of DNS record types
* Round robin DNS
* Time to live
Sources
* [http://www.spamhaus.org/faq/answers.lasso?section=ISP%20Spam%20Issues#164 Spamhaus explanation of Fast Flux hosting]
* [http://isc.sans.org/diary.html?storyid=1895 Phishing by proxy] SANS Internet Storm Center diary from 2006-11-28 describes use of compromised hosts within botnets making use of fast flux techniques to deliver malware.
* [http://isc.sans.org/diary.html?storyid=3060 MySpace Phish and Drive-by attack vector propagating Fast Flux network growth] SANS Internet Storm Center diary from 2007-06-26 with technical details on FluxBot and fast flux techniques (warning: contains links to malicious code).
* [http://www.honeynet.org/papers/ff/ Know Your Enemy: Fast-Flux Service Networks; An Ever Changing Enemy] honeynet.org technical article from July 2007 and additional information on fast flux, including "single-flux" and "double-flux" techniques.
* [http://www.securityfocus.com/news/11473 Fast flux foils bot-net takedown] SecurityFocus article from 2007-07-09 describing impact of fast flux on botnet counter-measures.
* [http://www.darkreading.com/document.asp?doc_id=129304&WT.svl=news1_1 Attackers Hide in Fast Flux] darkreading article from 2007-07-17 on the use of fast flux by criminal organizations behind malware.
* [http://www.arnnet.com.au/index.php/id;466962656;fp;4;fpid;1382389953 .Asia registry to crack down on phishy domains] article from 2007-10-12 mentions the use of fast flux in phishing attacks.
* [http://www.linuxworld.com.au/index.php/id;466962656;fp;2;fpid;1 .Asia registry to crack down on phishy domains] alternate source for article above.
* [http://www.schneier.com/crypto-gram-0710.html CRYPTO-GRAM October 15, 2007 issue] mentions fast flux as a DNS technique utilized by the Storm worm.
* [http://atlas.arbor.net/summary/fastflux ATLAS Summary Report] - Real-time global report of fast flux activity.
* [http://spamtrackers.eu/wiki/index.php?title=Fast-flux Spam Trackers Wiki Entry on Fast Flux]
* [http://www.icann.org/committees/security/sac025.pdf SAC 025 SSAC Advisory on Fast Flux Hosting and DNS]
* [http://gnso.icann.org/issues/fast-flux-hosting/gnso-issues-report-fast-flux-25mar08.pdf GNSO Issues Report on Fast Flux Hosting]
* [http://fluxor.laser.dico.unimi.it/ FluXOR project from Computer and Network Security Lab (LaSeR) @ Università degli Studi di Milano]
Wikimedia Foundation. 2010.