Fast flux
Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. The term can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures. The Storm Worm is one of the recent malware variants to make use of this technique.

The basic idea behind fast flux is to associate numerous IP addresses with a single fully qualified domain name and to swap those addresses in and out with extremely high frequency by changing the DNS records.

Internet users may see fast flux used in phishing attacks linked to criminal organizations, including attacks on MySpace.

While security researchers have been aware of the technique since at least November 2006, it has only received wider attention in the security trade press starting from July 2007.

Single-flux and double-flux

The simplest type of fast flux, referred to as "single-flux", is characterized by multiple individual nodes within the network registering and de-registering their addresses as part of the DNS A (address) record list for a single DNS name. This combines round robin DNS with very short TTL (time to live) values to create a constantly changing list of destination addresses for that single DNS name. The list can be hundreds or thousands of entries long.

A more sophisticated type of fast flux, referred to as "double-flux", is characterized by multiple nodes within the network registering and de-registering their addresses as part of the DNS Name Server (NS) record list for the DNS zone, so that the name servers answering for the zone change as well as the addresses they hand out. This provides an additional layer of redundancy and survivability within the malware network.

Within a malware attack, the DNS records will normally point to a compromised system that acts as a proxy server. This prevents some of the traditionally best defense mechanisms from working, e.g. IP-based access control lists (ACLs), because the addresses being blocked are replaced faster than the lists are updated. It can also mask the systems of the attackers, who operate the network through a series of proxies, making it much more difficult to identify the attackers' own infrastructure. The record will normally point to an IP address where bots go for registration, to receive instructions, or to activate attacks. Because these addresses are proxies, the originating source of the instructions can be disguised, increasing the survival rate of the network as IP-based block lists are put in place.
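The single-flux and double-flux behaviour described above, and the reason an IP-based block list lags behind it, can be made concrete with a small detector that watches successive DNS answers for a name. The following is an added example, not code from the article or from any of the projects listed under Sources. The domain names, the 10.0.0.0/8 addresses standing in for compromised hosts, the lookup sequences and the numeric thresholds are all constructed for illustration; real deployments would tune the thresholds against observed traffic.

```python
"""Heuristic fast-flux detector over successive DNS lookups (added example)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass
class Lookup:
    """One DNS answer set for a name: record type, TTL in seconds, and the RDATA set."""
    name: str
    rtype: str        # "A" (addresses of the name) or "NS" (name servers of the zone)
    ttl: int
    rdata: frozenset


@dataclass
class Stats:
    distinct: int     # distinct RDATA values seen across all observations
    networks: int     # distinct /16 prefixes among A records (0 for NS)
    min_ttl: int
    churn: float      # mean fraction of each answer absent from the previous answer


# Thresholds are assumptions chosen for this example, not values from the article.
SHORT_TTL = 300          # answers that expire within five minutes
MIN_DISTINCT_IPS = 10    # an A-record pool this large is unusual for one name
MIN_DISTINCT_NETS = 5    # spread over many /16s, unlike a CDN's own address blocks
MIN_DISTINCT_NS = 5      # a zone whose NS set draws on this many hosts
MIN_CHURN = 0.5          # at least half of every answer is new since the last one


def summarize(lookups):
    """Group successive lookups by (name, rtype) and compute flux statistics."""
    by_key = defaultdict(list)
    for lk in lookups:
        by_key[(lk.name, lk.rtype)].append(lk)
    stats = {}
    for (name, rtype), seq in by_key.items():
        seen = set().union(*(lk.rdata for lk in seq))
        nets = set()
        if rtype == "A":
            nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in seen}
        churns = [len(cur.rdata - prev.rdata) / len(cur.rdata)
                  for prev, cur in zip(seq, seq[1:]) if cur.rdata]
        stats[(name, rtype)] = Stats(
            distinct=len(seen), networks=len(nets),
            min_ttl=min(lk.ttl for lk in seq),
            churn=sum(churns) / len(churns) if churns else 0.0)
    return stats


def is_fluxing(st, rtype):
    """Short TTL alone is not enough: a CDN has that too. Require churn and spread."""
    if st.min_ttl > SHORT_TTL or st.churn < MIN_CHURN:
        return False
    if rtype == "A":
        return st.distinct >= MIN_DISTINCT_IPS and st.networks >= MIN_DISTINCT_NETS
    return st.distinct >= MIN_DISTINCT_NS


def classify(lookups):
    """Return {name: 'double-flux' | 'single-flux' | 'benign'} for every name observed."""
    stats = summarize(lookups)
    verdicts = {}
    for name in {n for n, _ in stats}:
        a_flux = (name, "A") in stats and is_fluxing(stats[(name, "A")], "A")
        ns_flux = (name, "NS") in stats and is_fluxing(stats[(name, "NS")], "NS")
        verdicts[name] = ("double-flux" if a_flux and ns_flux
                          else "single-flux" if a_flux else "benign")
    return verdicts


def _flux_rounds(name, ttl, base, rounds=4, size=5):
    """Constructed single-flux answers: each round keeps one address from the
    previous answer and swaps in four fresh ones, each from a new /16 network."""
    out, pool = [], iter(range(base, base + 100))
    prev = [f"10.{next(pool)}.0.{i}" for i in range(size)]
    out.append(Lookup(name, "A", ttl, frozenset(prev)))
    for _ in range(rounds - 1):
        prev = [prev[-1]] + [f"10.{next(pool)}.0.{i}" for i in range(size - 1)]
        out.append(Lookup(name, "A", ttl, frozenset(prev)))
    return out


# Constructed observations: names, addresses and sequences are placeholders.
SAMPLE = (
    _flux_rounds("flux.example", ttl=180, base=1)                    # A records flux
    + [Lookup("flux.example", "NS", 86400,
              frozenset({"ns1.flux.example", "ns2.flux.example"}))] * 2   # NS stable
    + _flux_rounds("dflux.example", ttl=180, base=21)                # A records flux
    + [Lookup("dflux.example", "NS", 120, frozenset({"ns1.d", "ns2.d", "ns3.d"})),
       Lookup("dflux.example", "NS", 120, frozenset({"ns2.d", "ns4.d", "ns5.d"})),
       Lookup("dflux.example", "NS", 120, frozenset({"ns4.d", "ns6.d", "ns7.d"}))]
    # CDN-style name: short TTL, but the same three addresses in one /16 every time
    + [Lookup("cdn.example", "A", 60, frozenset({"10.50.1.1", "10.50.1.2", "10.50.1.3"}))] * 4
    + [Lookup("static.example", "A", 86400, frozenset({"10.60.0.1"}))] * 2
)

if __name__ == "__main__":
    for name, verdict in sorted(classify(SAMPLE).items()):
        print(f"{name:16s} {verdict}")
```

The verdict is a property of the name, not of any address in the answers: by the time a block list has absorbed one observation's five addresses, the next answer has replaced four of them, which is the ACL failure the article describes. The practical response is therefore to act on the domain (or its registrar and name servers) rather than on the addresses. The `cdn.example` case is the caveat a practitioner needs: a low TTL by itself is legitimate and common, so the detector also requires churn and dispersion across many networks before flagging a name.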
Sources
- Spamhaus explanation of Fast Flux hosting
- Phishing by proxy SANS Internet Storm Center diary from 2006-11-28 describes use of compromised hosts within botnets making use of fast flux techniques to deliver malware.
- MySpace Phish and Drive-by attack vector propagating Fast Flux network growth SANS Internet Storm Center diary from 2007-06-26 with technical details on FluxBot and fast flux techniques (warning: contains links to malicious code).
- Know Your Enemy: Fast-Flux Service Networks; An Ever Changing Enemy honeynet.org technical article from July 2007 and additional information on fast flux, including "single-flux" and "double-flux" techniques.
- Fast flux foils bot-net takedown SecurityFocus article from 2007-07-09 describing impact of fast flux on botnet counter-measures.
- Attackers Hide in Fast Flux Dark Reading article from 2007-07-17 on the use of fast flux by criminal organizations behind malware.
- .Asia registry to crack down on phishy domains article from 2007-10-12 mentions the use of fast flux in phishing attacks.
- .Asia registry to crack down on phishy domains alternate source for article above.
- CRYPTO-GRAM October 15, 2007 issue mentions fast flux as a DNS technique utilized by the Storm Worm.
- ATLAS Summary Report - Real-time global report of fast flux activity.
- Spam Trackers Wiki Entry on Fast Flux
- SAC 025 SSAC Advisory on Fast Flux Hosting and DNS
- GNSO Issues Report on Fast Flux Hosting
- FluXOR project from Computer and Network Security Lab (LaSeR) @ Università degli Studi di Milano
- abuse.ch FastFlux Tracker
- Fast Flux Monitor - automated, real-time fast flux detection