Fast flux
Fast flux is a DNS technique used by botnets to hide phishing and malware-delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures. The Storm Worm is one of the recent malware variants to make use of this technique.
Internet users may see fast flux used in phishing attacks linked to criminal organizations, including attacks on
While security researchers have been aware of the technique since at least November 2006, the technique has only received wider attention in the security trade press starting from July 2007.
Single-flux and double-flux
The simplest type of fast flux, referred to as "single-flux", is characterized by multiple individual nodes within the network registering and de-registering their addresses as part of the DNS A (address) record list for a single DNS name. This combines round-robin DNS with very short TTL (time to live) values to create a constantly changing list of destination addresses for that single DNS name: caching resolvers discard the answer within minutes and fetch a fresh, different set of addresses. The list can be hundreds or thousands of entries long.
A more sophisticated type of fast flux, referred to as "double-flux", is characterized by multiple nodes within the network registering and de-registering their addresses as part of the DNS NS record list for the DNS zone. Because the name servers that hand out the fluxing A records are themselves fluxing, blocking or taking down any one name server does not stop resolution. This provides an additional layer of redundancy and survivability within the malware network.
Within a malware attack, the DNS records will normally point to a compromised system that acts as a proxy. This defeats some of the traditionally most effective defense mechanisms, e.g., IP-based ACLs: by the time an address is blocked it has already rotated out of the record set. The method also masks the attackers' own systems, which reach the network through a series of proxies, making it much more difficult to identify the attackers' infrastructure. The record will normally point to an IP where bots go for registration, to receive instructions, or to activate attacks. Because the IPs are proxied, the originating source of these instructions is disguised, increasing the survival rate of the network as IP-based block lists are put in place.
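The single-flux and double-flux behaviour described above can be measured from repeated lookups of the same name. The following Python script is an added example, not code from the original article or from any of the projects linked below: it scores a series of A and NS answers for one domain, treating a short TTL plus a changing A record set spread across many ASNs as single-flux, and a changing NS set on top of that as double-flux. The answer snapshots, the IP-to-ASN table and the thresholds are assumptions made for the example; a live tool would collect the answers with repeated resolver queries and map addresses to ASNs with a lookup service.

```python
"""Scoring repeated DNS lookups for single-flux and double-flux behaviour.

Added example, not code from the original article. The answer snapshots
and the IP-to-ASN table are constructed; the thresholds are illustrative
assumptions, not published cut-offs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    """One resolver answer observed at time t (seconds since first lookup)."""
    t: int
    rtype: str        # "A" or "NS"
    ttl: int          # TTL as returned by the authoritative server
    rdata: tuple      # IPv4 addresses for A, name-server hosts for NS


# Constructed IP -> ASN table; a real tool would query an ASN lookup service.
IP_ASN = {
    "198.51.100.10": 64500, "198.51.100.11": 64500, "198.51.100.12": 64500,
    "203.0.113.7": 64501, "203.0.113.88": 64502, "192.0.2.41": 64503,
    "192.0.2.99": 64504, "203.0.113.150": 64505, "192.0.2.200": 64506,
    "203.0.113.201": 64507, "192.0.2.12": 64508, "203.0.113.33": 64509,
}

# Illustrative thresholds (assumptions). A short TTL alone is not evidence,
# CDNs use them too. Address churn spread across many unrelated ASNs is the
# signature of compromised end-user hosts being rotated into the A record set.
MAX_FLUX_TTL = 300
MIN_UNIQUE_A = 8
MIN_UNIQUE_ASN = 5


@dataclass
class FluxReport:
    unique_a: int       # distinct IPs seen across all lookups
    unique_asn: int     # distinct ASNs those IPs belong to
    unique_ns: int      # distinct name-server hosts seen
    min_a_ttl: int      # lowest A-record TTL observed (-1 if no A answers)
    a_sets_seen: int    # distinct A answer sets (1 means no churn)
    ns_sets_seen: int   # distinct NS answer sets
    single_flux: bool
    double_flux: bool


def score(answers):
    """Classify a series of A/NS answers for one domain as single-/double-flux."""
    a = [x for x in answers if x.rtype == "A"]
    ns = [x for x in answers if x.rtype == "NS"]
    ips = {ip for x in a for ip in x.rdata}
    asns = {IP_ASN[ip] for ip in ips if ip in IP_ASN}
    ns_hosts = {h for x in ns for h in x.rdata}
    a_sets = {frozenset(x.rdata) for x in a}
    ns_sets = {frozenset(x.rdata) for x in ns}
    min_ttl = min((x.ttl for x in a), default=-1)
    single = (len(a_sets) > 1                 # the A set actually changes
              and len(ips) >= MIN_UNIQUE_A
              and len(asns) >= MIN_UNIQUE_ASN
              and 0 <= min_ttl <= MAX_FLUX_TTL)
    # Double-flux: the zone's NS set is rotating as well as the A set.
    double = single and len(ns_sets) > 1
    return FluxReport(len(ips), len(asns), len(ns_hosts), min_ttl,
                      len(a_sets), len(ns_sets), single, double)


_IPS = list(IP_ASN)

# Constructed: three lookups ten minutes apart against a fluxing domain.
# Each answer hands out five proxies with a 3-minute TTL; the NS set moves too.
FLUX_DOMAIN = [
    Answer(0, "A", 180, tuple(_IPS[0:5])),
    Answer(0, "NS", 300, ("ns1.example.net", "ns2.example.net")),
    Answer(600, "A", 180, tuple(_IPS[4:9])),
    Answer(600, "NS", 300, ("ns3.example.net", "ns4.example.net")),
    Answer(1200, "A", 180, tuple(_IPS[8:12] + _IPS[0:1])),
    Answer(1200, "NS", 300, ("ns1.example.net", "ns5.example.net")),
]

# Constructed: a CDN-style domain. Same short TTL and round-robin rotation,
# but the same three addresses in one ASN and a stable NS set.
CDN_DOMAIN = [
    Answer(0, "A", 60, (_IPS[0], _IPS[1], _IPS[2])),
    Answer(0, "NS", 3600, ("ns1.example.com", "ns2.example.com")),
    Answer(600, "A", 60, (_IPS[1], _IPS[2], _IPS[0])),
    Answer(600, "NS", 3600, ("ns1.example.com", "ns2.example.com")),
    Answer(1200, "A", 60, (_IPS[2], _IPS[0], _IPS[1])),
    Answer(1200, "NS", 3600, ("ns1.example.com", "ns2.example.com")),
]


if __name__ == "__main__":
    for label, answers in (("flux domain", FLUX_DOMAIN), ("cdn domain", CDN_DOMAIN)):
        print(label, score(answers))
```

The CDN case is the caveat to keep in mind: round-robin DNS with a short TTL looks superficially like single-flux, but the same handful of addresses inside one ASN keep coming back, whereas a flux network rotates through many addresses belonging to unrelated consumer ISPs. The `a_sets_seen` and `unique_asn` fields are what separate the two; the NS churn check is what separates double-flux from single-flux.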
In order to combat fast flux, the Internet Draft "Double Flux Defense in the DNS Protocol", by John Bambenek of the University of Illinois, proposes material changes to the DNS. [http://tools.ietf.org/html/draft-bambenek-doubleflux Double Flux Defense in the DNS Protocol]
See also
* List of DNS record types
* Round robin DNS
* Time to live
External links
* [http://www.spamhaus.org/faq/answers.lasso?section=ISP%20Spam%20Issues#164 Spamhaus explanation of Fast Flux hosting]
* [http://isc.sans.org/diary.html?storyid=1895 Phishing by proxy] SANS Internet Storm Center diary from 2006-11-28 describes use of compromised hosts within botnets making use of fast flux techniques to deliver malware.
* [http://isc.sans.org/diary.html?storyid=3060 MySpace Phish and Drive-by attack vector propagating Fast Flux network growth] SANS Internet Storm Center diary from 2007-06-26 with technical details on FluxBot and fast flux techniques (warning: contains links to malicious code).
* [http://www.honeynet.org/papers/ff/ Know Your Enemy: Fast-Flux Service Networks; An Ever Changing Enemy] honeynet.org technical article from July 2007 and additional information on fast flux, including "single-flux" and "double-flux" techniques.
* [http://www.securityfocus.com/news/11473 Fast flux foils bot-net takedown] SecurityFocus article from 2007-07-09 describing impact of fast flux on
* [http://www.darkreading.com/document.asp?doc_id=129304&WT.svl=news1_1 Attackers Hide in Fast Flux] darkreading article from 2007-07-17 on the use of fast flux by criminal organizations behind malware.
* [http://www.arnnet.com.au/index.php/id;466962656;fp;4;fpid;1382389953 .Asia registry to crack down on phishy domains] article from 2007-10-12 mentions the use of fast flux in
* [http://www.linuxworld.com.au/index.php/id;466962656;fp;2;fpid;1 .Asia registry to crack down on phishy domains] alternate source for article above.
* [http://www.schneier.com/crypto-gram-0710.html CRYPTO-GRAM October 15, 2007 issue] mentions fast flux as a DNS technique utilized by the
* [http://atlas.arbor.net/summary/fastflux ATLAS Summary Report] - Real-time global report of fast flux activity.
* [http://spamtrackers.eu/wiki/index.php?title=Fast-flux Spam Trackers Wiki Entry on Fast Flux]
* [http://www.icann.org/committees/security/sac025.pdf SAC 025 SSAC Advisory on Fast Flux Hosting and DNS]
* [http://gnso.icann.org/issues/fast-flux-hosting/gnso-issues-report-fast-flux-25mar08.pdf GNSO Issues Report on Fast Flux Hosting]
* [http://fluxor.laser.dico.unimi.it/ FluXOR project from Computer and Network Security Lab (LaSeR) @ Università degli Studi di Milano]
Wikimedia Foundation. 2010.