Fast flux


Fast flux

Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load-balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures. The Storm Worm is one of the recent malware variants to make use of this technique.

Internet users may see fast flux used in phishing attacks linked to criminal organizations, including attacks on MySpace.

While security researchers have been aware of the technique since at least November 2006, the technique has only received wider attention in the security trade press starting from July 2007.

ingle-flux and double-flux

The simplest type of fast flux, referred to as "single-flux", is characterized by multiple individual nodes within the network registering and de-registering their addresses as part of the DNS A (address) record list for a single DNS name. This combines round robin DNS with very short TTL (time to live) values to create a constantly changing list of destination addresses for that single DNS name. The list can be hundreds or thousands of entries long.

A more sophisticated type of fast flux, referred to as "double-flux", is characterized by multiple nodes within the network registering and de-registering their addresses as part of the DNS NS record list for the DNS zone. This provides an additional layer of redundancy and survivability within the malware network.

Within a malware attack, the DNS records will normally point to a compromised system that will act as a proxy. This method prevents some of the traditionally best defense mechanisms from working — e.g., IP-based ACLs. The method can also mask the attackers' systems, which will exploit the network through a series of proxies and make it much more difficult to identify the attackers' network. The record will normally point to an IP where bots go for registration, to receive instructions, or to activate attacks. Because the IPs are proxied, it is possible to disguise the originating source of these instructions, increasing the survival rate as IP-based block lists are put in place.

Controls

In order to combat “fast flux”, the new Internet Draft document “Double Flux Defense in the DNS Protocol”, by John Bambenek of the University of Illinois, proposes material changes to the DNS. [ [http://tools.ietf.org/html/draft-bambenek-doubleflux Double Flux Defense in the DNS Protocol] ]

References

ee also

* DNS
* Malware
* Botnet
* Storm Worm
* List of DNS record types
* Round robin DNS
* Time to live

ources

* [http://www.spamhaus.org/faq/answers.lasso?section=ISP%20Spam%20Issues#164 Spamhaus explanation of Fast Flux hosting]
* [http://isc.sans.org/diary.html?storyid=1895 Phishing by proxy] SANS Internet Storm Center diary from 2006-11-28 describes use of compromised hosts within botnets making use of fast flux techniques to deliver malware.
* [http://isc.sans.org/diary.html?storyid=3060 MySpace Phish and Drive-by attack vector propagating Fast Flux network growth] SANS Internet Storm Center diary from 2007-06-26 with technical details on FluxBot and fast flux techniques (warning: contains links to malicious code).
* [http://www.honeynet.org/papers/ff/ Know Your Enemy: Fast-Flux Service Networks; An Ever Changing Enemy] honeynet.org technical article from July 2007 and additional information on fast flux, including "single-flux" and "double-flux" techniques.
* [http://www.securityfocus.com/news/11473 Fast flux foils bot-net takedown] SecurityFocus article from 2007-07-09 describing impact of fast flux on botnet counter-measures.
* [http://www.darkreading.com/document.asp?doc_id=129304&WT.svl=news1_1 Attackers Hide in Fast Flux] darkreading article from 2007-07-17 on the use of fast flux by criminal organizations behind malware.
* [http://www.arnnet.com.au/index.php/id;466962656;fp;4;fpid;1382389953 .Asia registry to crack down on phishy domains] article from 2007-10-12 mentions the use of fast flux in phishing attacks.
* [http://www.linuxworld.com.au/index.php/id;466962656;fp;2;fpid;1 .Asia registry to crack down on phishy domains] alternate source for article above.
* [http://www.schneier.com/crypto-gram-0710.html CRYPTO-GRAM October 15, 2007 issue] mentions fast flux as a DNS technique utilized by the Storm worm.
* [http://atlas.arbor.net/summary/fastflux ATLAS Summary Report] - Real-time global report of fast flux activity.
* [http://spamtrackers.eu/wiki/index.php?title=Fast-flux Spam Trackers Wiki Entry on Fast Flux]
* [http://www.icann.org/committees/security/sac025.pdf SAC 025 SSAC Advisory on Fast Flux Hosting and DNS]
* [http://gnso.icann.org/issues/fast-flux-hosting/gnso-issues-report-fast-flux-25mar08.pdf GNSO Issues Report on Fast Flux Hosting]
* [http://fluxor.laser.dico.unimi.it/ FluXOR project from Computer and Network Security Lab (LaSeR) @ Università degli Studi di Milano]


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Fast-Flux — Le Fast flux est une technique connue pour son utilisation pour dissimuler des sites de phishing et de disséminateur de malware. Cette technique utilise les caractéristiques techniques du protocole DNS (ou Domain Name system) permettant d… …   Wikipédia en Français

  • Fast Flux — Le Fast flux est une technique connue pour son utilisation pour dissimuler des sites de phishing et de disséminateur de malware. Cette technique utilise les caractéristiques techniques du protocole DNS (ou Domain Name system) permettant d… …   Wikipédia en Français

  • Fast Flux — Analyse einer Fast Flux Domain mit Robtex F …   Deutsch Wikipedia

  • Fast flux — Le fast flux est une technique utilisée pour dissimuler des sites de hameçonnage (phishing) et de disséminateurs de logiciels malveillants. Cette technique utilise les caractéristiques techniques du protocole DNS (ou Domain Name System),… …   Wikipédia en Français

  • Fast Flux Test Facility — f1 Fast Flux Test Facility Luftaufnahme der Fast Flux Test Facility Lage …   Deutsch Wikipedia

  • Fast Flux Test Facility — The Fast Flux Test Facility is a 400 MW nuclear test reactor owned by the U.S. Department of Energy.It is situated in the 400 Area of the Hanford Site, which is located in the state of Washington.HistoryThe construction of the FFTF was completed… …   Wikipedia

  • Flux — This article is about the concept of flux in science and mathematics. For other uses of the word, see Flux (disambiguation). In the various subfields of physics, there exist two common usages of the term flux, both with rigorous mathematical… …   Wikipedia

  • Fast breeder reactor — The fast breeder or fast breeder reactor (FBR) is a fast neutron reactor designed to breed fuel by producing more fissile material than it consumes. The FBR is one possible type of breeder reactor. The reactors are used in nuclear power plants to …   Wikipedia

  • Fast neutron reactor — [ Shevchenko BN350 nuclear fast reactor and desalination plant situated on the shore of the Caspian Sea. The plant generates 135 MWe and provides steam for an associated desalination plant. View of the interior of the reactor hall.] A fast… …   Wikipedia

  • Flux (metallurgy) — Rosin used as flux for soldering A flux pen used f …   Wikipedia


Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”

We are using cookies for the best presentation of our site. Continuing to use this site, you agree with this.