Fast flux
Fast flux is a
The fundamental idea behind fast flux is to associate numerous IP addresses with a single fully qualified domain name and to swap those addresses in and out with extremely high frequency by changing DNS resource records; the authoritative name servers for the fast-fluxing domain name are, in most cases, hosted by the criminal actor.[2]
Depending on the configuration and complexity of the infrastructure, fast-fluxing is generally classified into single, double, and domain fast-flux networks. Fast-fluxing remains an intricate problem in network security and current countermeasures remain ineffective.
History
Fast-fluxing was first reported by the security researchers William Salusky and Robert Danford of The Honeynet Project in 2007;[3] the following year, they released a systematic study of fast-flux service networks in 2008.[4] Rock Phish (2004) and Storm Worm (2007) were two notable fast-flux service networks which were used for malware distribution and phishing.[5]
Fast-flux service network
A fast-flux service network (FFSN) is a
The frontend bots, which act as ephemeral hosts affixed to a control master, are called flux-agents; their network availability is indeterminate because of the dynamic nature of fast-fluxing.[1] The backend motherships do not communicate directly with the user agents; instead every action is reverse proxied through the compromised frontend nodes,[8] which makes the attack long-lasting and resilient against takedown attempts.[9]
Types
Fast-fluxing is generally classified into two types: single fluxing and double fluxing, the latter building on single fluxing. The terminology used in fast-fluxing includes "flux-herder mothership nodes" and "fast-flux agent nodes", referring respectively to the backend bulletproof botnet controller and to the compromised host nodes that reverse proxy traffic back and forth between the origin and the clients.[10][1] The compromised hosts used by the fast-flux herders typically sit on residential broadband access circuits, such as DSL and cable modems.[11]
Single-flux network
In single-flux network, the
Double-flux network
Double-fluxing networks involve high-frequency permutation of the fluxing domain's authoritative name servers, along with DNS resource records such as A, AAAA, or CNAME pointing to frontend proxies.
Domain-flux network
A domain-flux network keeps a fast-fluxing network operational by continuously rotating the domain name of the flux-herder mothership nodes.
Security countermeasures
The detection and mitigation of fast-fluxing domain names remain an intricate challenge in network security due to the robust nature of fast-fluxing.
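One family of detection approaches works from passive DNS observations of a domain over time: a fast-flux domain advertises many distinct addresses, spread across many autonomous systems, with short TTLs, and a double-flux domain additionally rotates its NS set. The following Python script is an added illustration of that idea, not code from the article or from any of the cited works. The IP-to-ASN table, the three observation series (a CDN-like domain, a single-flux domain and a double-flux domain, all using RFC 5737 documentation addresses) and the thresholds are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Lookup:
    """One DNS resolution of the domain under study (constructed sample data)."""
    time: int              # seconds since the first observation
    a_records: List[str]   # IPv4 addresses in the answer section
    ttl: int               # TTL attached to those A records
    ns_records: List[str]  # authoritative name servers returned for the zone


@dataclass
class FluxReport:
    unique_ips: int
    unique_asns: int
    unique_ns: int
    min_ttl: int
    classification: str    # "stable", "single-flux" or "double-flux"


# Hypothetical IP-to-ASN table (RFC 5737 documentation addresses, constructed
# AS numbers); a real analysis would consult BGP routing data or a WHOIS service.
IP_TO_ASN: Dict[str, int] = {
    "198.51.100.10": 64500, "198.51.100.11": 64500, "198.51.100.12": 64500,
    "203.0.113.5": 64501, "203.0.113.77": 64502, "203.0.113.140": 64503,
    "192.0.2.8": 64504, "192.0.2.44": 64505, "192.0.2.99": 64506,
}


def analyse(lookups: List[Lookup], ip_to_asn: Dict[str, int],
            ip_threshold: int = 5, asn_threshold: int = 3,
            ns_threshold: int = 3, ttl_threshold: int = 600) -> FluxReport:
    """Summarise a series of lookups and classify the domain.

    Hosts are treated as fluxing when many distinct addresses, spread over many
    autonomous systems, are advertised with short TTLs. A CDN also rotates
    addresses with short TTLs, but normally within one or two ASNs, which is
    why the ASN count matters. Rotation of the NS set on top of that is the
    double-flux signature. The thresholds are assumptions for this example.
    """
    if not lookups:
        raise ValueError("need at least one lookup")
    ips, asns, ns = set(), set(), set()
    for lk in lookups:
        ips.update(lk.a_records)
        asns.update(ip_to_asn.get(ip, 0) for ip in lk.a_records)  # 0 = unknown ASN
        ns.update(lk.ns_records)
    min_ttl = min(lk.ttl for lk in lookups)
    hosts_flux = (len(ips) >= ip_threshold and len(asns) >= asn_threshold
                  and min_ttl <= ttl_threshold)
    if hosts_flux and len(ns) >= ns_threshold:
        label = "double-flux"
    elif hosts_flux:
        label = "single-flux"
    else:
        label = "stable"
    return FluxReport(len(ips), len(asns), len(ns), min_ttl, label)


# Constructed observation series for three hypothetical domains.
CDN_NS = ["ns1.cdn.example", "ns2.cdn.example"]
CDN_LIKE = [
    Lookup(0, ["198.51.100.10", "198.51.100.11"], 60, CDN_NS),
    Lookup(60, ["198.51.100.11", "198.51.100.12"], 60, CDN_NS),
    Lookup(120, ["198.51.100.12", "198.51.100.10"], 60, CDN_NS),
]
STABLE_NS = ["ns1.flux.example", "ns2.flux.example"]
SINGLE_FLUX = [
    Lookup(0, ["203.0.113.5", "203.0.113.77"], 300, STABLE_NS),
    Lookup(300, ["203.0.113.140", "192.0.2.8"], 300, STABLE_NS),
    Lookup(600, ["192.0.2.44", "192.0.2.99"], 300, STABLE_NS),
]
DOUBLE_FLUX = [
    Lookup(0, ["203.0.113.5", "203.0.113.77"], 300, ["ns1.flux.example", "ns2.flux.example"]),
    Lookup(300, ["203.0.113.140", "192.0.2.8"], 300, ["ns3.flux.example", "ns4.flux.example"]),
    Lookup(600, ["192.0.2.44", "192.0.2.99"], 300, ["ns5.flux.example", "ns6.flux.example"]),
]


def classify_samples() -> Dict[str, FluxReport]:
    """Run the analysis over the three constructed series."""
    return {
        "cdn-like": analyse(CDN_LIKE, IP_TO_ASN),
        "single": analyse(SINGLE_FLUX, IP_TO_ASN),
        "double": analyse(DOUBLE_FLUX, IP_TO_ASN),
    }


if __name__ == "__main__":
    for name, report in classify_samples().items():
        print(f"{name:9s} ips={report.unique_ips} asns={report.unique_asns} "
              f"ns={report.unique_ns} min_ttl={report.min_ttl} -> {report.classification}")
```

The CDN-like series is the important negative case: it has short TTLs and rotating addresses, yet all addresses fall in one ASN, so it is not flagged. Real deployments tune the thresholds against known-good CDN and load-balanced domains, because short TTLs alone are a weak signal.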
Other countermeasures against fast-fluxing domains include
See also
References
- ^ a b c Li & Wang 2017, p. 3.
- ^ Almomani 2016, p. 483.
- ^ Zhou 2015, p. 3.
- S2CID 182270258.
- ISBN 978-1-4244-3288-2.
- ^ Almomani 2016, p. 483-484.
- ^ Almomani 2016, p. 484.
- ^ Zhou 2015, p. 4.
- ^ Zhou 2015, p. 2-3.
- ^ Salusky & Danford 2007, p. 1.
- ^ Konte, Feamster & Jung 2008, p. 8.
- ^ Salusky & Danford 2007, p. 1-2.
- ^ Li & Wang 2017, p. 3-4.
- ^ "FAQ: Fast-fluxing". Andorra: The Spamhaus Project. Archived from the original on 29 April 2021. Retrieved 12 December 2021.
- ^ a b Salusky & Danford 2007, p. 2.
- ^ Zhou 2015, p. 5.
- ^ Li & Wang 2017, p. 3-5.
- ^ Zhou 2015, p. 5-6.
- ^ a b Li & Wang 2017, p. 4.
- ^ Salusky & Danford 2007, p. 2-3.
- ^ Konte, Feamster & Jung 2008, p. 4-6.
- ^ a b c Ollmann, Gunter (4 June 2009). "Botnet Communications Topologies: Understanding the intricacies of botnet Command-and-Control" (PDF). Core Security Technologies. Archived (PDF) from the original on 26 March 2020. Retrieved 3 March 2022.
- ^ Li & Wang 2017, p. 4-5.
- ^ Zhou 2015, p. 1-2.
- ^ Salusky & Danford 2007, p. 7.
- ^ Konte, Feamster & Jung 2008, p. 8-11.
- S2CID 2648522.
Bibliography
- Almomani, Ammar (24 August 2016). "Fast-flux hunter: a system for filtering online fast-flux botnet". Neural Comput & Applic. 29 (7). S2CID 4626895.
- Li, Xingguo; Wang, Junfeng (25 September 2017). "Botnet Detection Technology Based on DNS". Future Internet. 9 (4).
- Salusky, William; Danford, Robert (13 July 2007). "Know Your Enemy: Fast-Flux Service Networks". The Honeynet Project. Archived from the original on 30 September 2012 via Wayback Machine.
- Konte, M.; Feamster, N.; Jung, J. (January 2008). "SAC 025: SSAC Advisory on Fast Flux Hosting and DNS" (PDF). Security and Stability Advisory Committee (SSAC) (1). Internet Corporation for Assigned Names and Numbers. Archived (PDF) from the original on 22 November 2021. Retrieved 12 December 2021.
- "SpamHaus: Frequently Asked Questions (FAQ)". The Spamhaus Project. Archived from the original on 22 February 2022. Retrieved 3 March 2022.
- "SAC 025 SSAC Advisory on Fast Flux Hosting and DNS" (PDF). Internet Corporation for Assigned Names and Numbers. January 2008. Archived from the original (PDF) on 19 January 2022.
- Zhou, Shijie (29 June 2015). "A Survey on Fast-flux Attacks". Information Security Journal: A Global Perspective. 24 (4–6). S2CID 34993719.