Fast flux

From Wikipedia, the free encyclopedia
DNS evasion technique against origin server fingerprinting.
For the nuclear breeder reactor, see Fast Flux Test Facility.

Robtex DNS Analysis of a fast fluxing domain.

Fast flux is a domain name system (DNS) based evasion technique used by cyber criminals to hide phishing and malware delivery websites behind an ever-changing network of compromised hosts acting as reverse proxies to the backend botnet master—a bulletproof autonomous system.[1] It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures.

The fundamental idea behind fast-flux is to have numerous IP addresses associated with a single fully qualified domain name, where the IP addresses are swapped in and out with extremely high frequency through changing DNS resource records; thus the authoritative name servers of the fast-fluxing domain name are—in most cases—hosted by the criminal actor.[2]

Depending on the configuration and complexity of the infrastructure, fast-fluxing is generally classified into single, double, and domain fast-flux networks. Fast-fluxing remains an intricate problem in network security, and current countermeasures remain ineffective.

History


Fast-fluxing was first reported by the security researchers William Salusky and Robert Danford of The Honeynet Project in 2007;[3] the following year, in 2008, they released a systematic study of fast-flux service networks.[4] Rock Phish (2004) and Storm Worm (2007) were two notable fast-flux service networks which were used for malware distribution and phishing.[5]

Fast-flux service network


A fast-flux service network (FFSN) is a network infrastructure resultant of the fast-fluxed network of compromised hosts; the technique is also used by legitimate service providers such as content distribution networks (CDNs), where the dynamic IP address is converted to match the domain name of the internet host, usually for the purpose of load balancing using round-robin domain name system (RR-DNS).[6] The purpose of using FFSN infrastructure for botnets is to relay network requests and act as a proxy to the backend bulletproof content server, which functions as an "origin server".[7]

The frontend bots, which act as ephemeral hosts affixed to a control master, are called flux-agents; their network availability is indeterminate due to the dynamic nature of fast-fluxing.[1] The backend motherships do not establish direct communication with the user agents; rather, every action is reverse proxied through compromised frontend nodes,[8] effectively making the attack long-lasting and resilient against take-down attempts.[9]

Types

An illustration of single and double DNS fast-fluxing networks.

Fast-fluxing is generally classified into two types: single fluxing and double fluxing, a build-on implementation over single fluxing. The phraseologies involved in fast-fluxing include "flux-herder mothership nodes" and "fast-flux agent nodes", referring respectively to the backend bulletproof botnet controller and the compromised host nodes involved in reverse proxying the traffic back and forth between the origin and clients.[10][1] The compromised hosts used by the fast-flux herders typically include residential broadband access circuits, such as DSL and cable modems.[11]

Single-flux network


In a single-flux network, the authoritative name server of a fast-fluxing domain name repeatedly permutes the DNS resource records with low time to live (TTL) values, conventionally between 180 and 600 seconds. The permuted records within the zone file include A, AAAA and CNAME records; the disposition is usually done by means of round robin from a registry of exploited hosts' IP addresses and DDNS names.[12][13][14] Although HTTP and DNS are the application protocols commonly proxied by the frontend flux-agents, protocols such as SMTP, IMAP and POP can also be delivered through transport layer (L4) TCP and UDP level port binding techniques between flux-agents and backend flux-herder nodes.[15]

Double-flux network


Double-fluxing networks involve high-frequency permutation of the fluxing domain's authoritative name servers, along with DNS resource records such as A, AAAA, or CNAME pointing to frontend proxies.[15][16] In this infrastructure, the authoritative name server of the fluxing domain points to a frontend redirector node, which forwards the DNS datagram to a backend mothership node that resolves the query.[17][18] The DNS resource records, including the NS record, are set with a low TTL value, resulting in an additional level of indirection.[19][20] The NS records in a double-fluxing network usually point to a referrer host that listens on port 53 and forwards the query to a backend DNS resolver that is authoritative for the fluxing domain.[21][22]: 6  An advanced level of resilience and redundancy is achieved through blind proxy redirection techniques of the frontend nodes.[22]: 7  Fast-fluxing domains also abuse the domain wildcarding specification of RFC 1034 for spam delivery and phishing, and use DNS covert channels for transferring application layer payloads of protocols such as HTTP, SFTP, and FTP encapsulated within a DNS datagram query.[23][22]: 6-7
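Because a recursive resolver observes these effects directly, the single- and double-flux characteristics described above can be measured from repeated lookups of the same name. The following is an added example, not code from the article or from any of the works it cites: it scores a series of constructed DNS snapshots for low TTLs, A-record churn between answers, network diversity (approximated by distinct /16 prefixes, since a proper ASN lookup would need an offline routing database) and NS-record rotation, and contrasts a flux-like domain with a CDN-like one that also uses low TTLs. The domain names, addresses and thresholds are all assumptions made for the illustration.

```python
"""Heuristic fast-flux scoring over repeated DNS lookups of one domain.

Added example, not code from the article or its sources. It measures the
single- and double-flux traits described in the text: very low TTLs, A records
that churn between lookups, addresses scattered over unrelated networks and,
for double flux, NS records that rotate as well. Thresholds and sample data
are constructed; the /16 prefix count stands in for an ASN lookup.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class DnsSnapshot:
    """One resolver answer for the domain, captured at time `ts` (seconds)."""
    ts: int
    a_records: list[str]
    a_ttl: int
    ns_records: list[str]
    ns_ttl: int


@dataclass
class FluxReport:
    distinct_ips: int
    distinct_prefixes: int  # distinct /16 networks across all snapshots
    min_a_ttl: int
    ip_churn: float         # mean fraction of A records new since the previous lookup
    distinct_ns: int
    min_ns_ttl: int
    score: int
    verdict: str


# Assumed thresholds; the article gives 180-600 s as the conventional TTL range.
LOW_TTL, MIN_IPS, MIN_PREFIXES, MIN_CHURN, MIN_NS = 600, 5, 3, 0.5, 3


def network_prefix(ip: str) -> str:
    """Coarse network key: /16 for IPv4, /32 for IPv6."""
    bits = 16 if ip_address(ip).version == 4 else 32
    return str(ip_network(f"{ip}/{bits}", strict=False))


def score_domain(snaps: list[DnsSnapshot]) -> FluxReport:
    ips: set[str] = set()
    prefixes: set[str] = set()
    ns: set[str] = set()
    churn_total, prev = 0.0, None
    for s in snaps:
        cur = set(s.a_records)
        ips |= cur
        prefixes |= {network_prefix(ip) for ip in cur}
        ns |= set(s.ns_records)
        if prev is not None:  # share of addresses absent from the previous answer
            churn_total += len(cur - prev) / max(len(cur), 1)
        prev = cur
    ip_churn = churn_total / max(len(snaps) - 1, 1)
    min_a_ttl = min(s.a_ttl for s in snaps)
    min_ns_ttl = min(s.ns_ttl for s in snaps)

    score = 0
    score += min_a_ttl <= LOW_TTL
    score += len(ips) >= MIN_IPS
    score += len(prefixes) >= MIN_PREFIXES
    score += ip_churn >= MIN_CHURN
    double_flux = len(ns) >= MIN_NS and min_ns_ttl <= LOW_TTL
    score += 2 * double_flux  # short-lived, rotating NS set is the double-flux signal

    if double_flux and score >= 5:
        verdict = "likely double-flux"
    elif score >= 3:
        verdict = "likely single-flux"
    else:
        verdict = "not flux-like"
    return FluxReport(len(ips), len(prefixes), min_a_ttl, ip_churn,
                      len(ns), min_ns_ttl, int(score), verdict)


# Constructed flux-like observations: each lookup returns five previously unseen
# addresses spread over unrelated /16s with a 180-300 s TTL, and the NS set rotates.
FLUX_SNAPSHOTS = [
    DnsSnapshot(0, ["10.11.4.7", "172.16.9.3", "192.0.2.15", "198.51.100.22", "203.0.113.8"],
                300, ["ns1.flux.example", "ns2.flux.example"], 300),
    DnsSnapshot(300, ["10.12.88.1", "172.17.3.9", "192.0.2.77", "203.0.113.40", "10.11.200.5"],
                300, ["ns3.flux.example", "ns4.flux.example"], 300),
    DnsSnapshot(600, ["198.51.100.9", "10.13.1.1", "172.18.6.6", "192.0.2.101", "203.0.113.200"],
                180, ["ns1.flux.example", "ns5.flux.example"], 300),
]

# Constructed CDN-like observations: low TTL and rotating addresses too, but all
# from one network with a stable, long-lived NS set.
CDN_NS = ["ns-a.cdn.example", "ns-b.cdn.example"]
CDN_SNAPSHOTS = [
    DnsSnapshot(0, ["192.0.2.10", "192.0.2.11"], 60, CDN_NS, 86400),
    DnsSnapshot(60, ["192.0.2.12", "192.0.2.10"], 60, CDN_NS, 86400),
    DnsSnapshot(120, ["192.0.2.11", "192.0.2.13"], 60, CDN_NS, 86400),
]

if __name__ == "__main__":
    for name, snaps in (("flux.example", FLUX_SNAPSHOTS), ("cdn.example", CDN_SNAPSHOTS)):
        print(name, score_domain(snaps))
```

Run directly, it prints both reports. The CDN-like sample still scores on TTL and churn alone, which is why the verdict also requires address diversity or NS rotation: low TTLs and round-robin answers are exactly what legitimate RR-DNS load balancing looks like, so a detector that stops at those two features will flag CDNs. A production version would replace the /16 proxy with ASN and country lookups and baseline known CDN ranges before alerting.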

Domain-flux network


A domain-flux network involves keeping a fast-fluxing network operational by continuously rotating the domain name of the flux-herder mothership nodes.[23] The domain names are dynamically generated using a selected pseudorandom domain generation algorithm (DGA), and the flux operator mass-registers the domain names. An infected host repeatedly tries to initiate a flux-agent handshake by spontaneously generating, resolving and connecting to an IP address until an acknowledgment is received, in order to register itself with the flux-herder mothership node.[19] A notable example is Conficker, a botnet which operated by generating 50,000 different domains in 110 top-level domains (TLDs).[24]
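Domain-flux moves the detection problem from addresses to names: the output of a pseudorandom DGA rarely resembles a word. As an added example, not code from the article or its sources, the following screens the registrable label of a domain with simple lexical features a defender can compute offline: character entropy, vowel ratio, longest consonant run and digit ratio. The sample names, the thresholds and the approximation of the registrable part as the second-to-last label (no public-suffix list is consulted) are all constructed assumptions.

```python
"""Lexical screening for domain-flux (DGA-generated) names.

Added example, not code from the article or its sources. The domain-flux
section describes mothership domains being mass-generated by a pseudorandom
DGA; such labels tend to have a flat character distribution, few vowels, long
consonant runs or many digits. Thresholds and sample names are constructed,
and "second-to-last label" is a stand-in for a public-suffix lookup.
"""
from __future__ import annotations

import math
from collections import Counter

VOWELS = set("aeiou")

# Assumed thresholds.
ENTROPY_MIN = 3.5       # bits per character; near-uniform character use
VOWEL_RATIO_MAX = 0.2   # vowels / letters; pronounceable words sit well above this
CONSONANT_RUN_MIN = 4
DIGIT_RATIO_MIN = 0.2
SUSPICIOUS_SCORE = 2


def registrable_label(name: str) -> str:
    """Second-to-last label, e.g. 'wikipedia' for 'wikipedia.org' (simplification)."""
    labels = name.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s: str) -> int:
    best = run = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:  # a vowel, digit or hyphen ends the run
            run = 0
    return best


def lexical_features(name: str) -> dict[str, float]:
    label = registrable_label(name)
    letters = [c for c in label if c.isalpha()]
    return {
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(c in VOWELS for c in letters) / max(len(letters), 1),
        "consonant_run": longest_consonant_run(label),
        "digit_ratio": sum(c.isdigit() for c in label) / max(len(label), 1),
    }


def dga_score(name: str) -> int:
    """Number of lexical features that look machine-generated (0-4)."""
    f = lexical_features(name)
    score = 0
    score += f["entropy"] >= ENTROPY_MIN
    score += f["vowel_ratio"] < VOWEL_RATIO_MAX
    score += f["consonant_run"] >= CONSONANT_RUN_MIN
    score += f["digit_ratio"] >= DIGIT_RATIO_MIN
    return int(score)


def is_dga_like(name: str) -> bool:
    return dga_score(name) >= SUSPICIOUS_SCORE


# Constructed sample names, not real observations.
SAMPLE_NAMES = ["wikipedia.org", "honeynet.example", "securityresearch.example",
                "xkq7vzpw2mnrt.example", "bhfgkjqrtwz.example", "9f3k2l8m1x.example"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n:28} score={dga_score(n)} dga_like={is_dga_like(n)}")
```

Lexical screening is cheap but produces false positives on brand names and short labels, so it is a triage signal rather than a verdict. It pairs naturally with the behaviour the article describes: an infected host that generates, resolves and connects to candidates until one is acknowledged leaves a burst of failed lookups for not-yet-registered names before the one that succeeds, which is visible in resolver logs independently of how the names look.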

Security countermeasures


The detection and mitigation of fast-fluxing domain names remain an intricate challenge in network security due to the robust nature of fast-fluxing.[25] Although fingerprinting the backend fast-flux mothership node remains increasingly difficult, service providers could detect the upstream mothership nodes through probing the frontend flux-agents in a special way: by sending a crafted HTTP request that would trigger an out-of-band network request from the backend fast-flux mothership node to the client in an independent channel, such that the client could deduce the mothership node's IP address by analyzing the logs of its network traffic.[26] Various security researchers suggest that the effective measure against fast-fluxing is to take down the domain name from its use. However, the domain name registrars are reluctant to do so, since there are no jurisdiction-independent terms of service agreements that must be observed; in most cases, fast-flux operators and cybersquatters are the main source of income to those registrars.[27]

Other countermeasures against fast-fluxing domains include deep packet inspection (DPI), host-based firewalls, and IP-based access control lists (ACLs), although there are serious limitations in these approaches due to the dynamic nature of fast-fluxing.[28]

References

  1. ^ a b c Li & Wang 2017, p. 3.
  2. ^ Almomani 2016, p. 483.
  3. ^ Zhou 2015, p. 3.
  4. ^ Saif Al-Marshadi; Mohamed Anbar; Shankar Karuppayah; Ahmed Al-Ani (17 May 2019). "A Review of Botnet Detection Approaches Based on DNS Traffic Analysis". Intelligent and Interactive Computing. Lecture Notes in Networks and Systems. Vol. 67. Singapore: Springer Publishing, Universiti Sains Malaysia. p. 308. doi:10.1007/978-981-13-6031-2_21. ISBN 978-981-13-6030-5. S2CID 182270258.
  5. ^ Nazario, Josh; Holz, Thorsten (8 October 2008). As the net churns: Fast-flux botnet observations. 3rd International Conference on Malicious and Unwanted Software (MALWARE). Alexandria, Virginia: Institute of Electrical and Electronics Engineers. p. 24. doi:10.1109/MALWARE.2008.4690854. ISBN 978-1-4244-3288-2.
  6. ^ Almomani 2016, pp. 483–484.
  7. ^ Almomani 2016, p. 484.
  8. ^ Zhou 2015, p. 4.
  9. ^ Zhou 2015, pp. 2–3.
  10. ^ Salusky & Daford 2007, p. 1.
  11. ^ Konte, Feamster & Jung 2008, p. 8.
  12. ^ Salusky & Daford 2007, pp. 1–2.
  13. ^ Li & Wang 2017, pp. 3–4.
  14. ^ "FAQ: Fast-fluxing". Andorra: The Spamhaus Project. Archived from the original on 29 April 2021. Retrieved 12 December 2021.
  15. ^ a b Salusky & Daford 2007, p. 2.
  16. ^ Zhou 2015, p. 5.
  17. ^ Li & Wang 2017, pp. 3–5.
  18. ^ Zhou 2015, pp. 5–6.
  19. ^ a b Li & Wang 2017, p. 4.
  20. ^ Salusky & Daford 2007, pp. 2–3.
  21. ^ Konte, Feamster & Jung 2008, pp. 4–6.
  22. ^ a b c Ollmann, Gunter (4 June 2009). "Botnet Communications Topologies: Understanding the intricacies of botnet Command-and-Control" (PDF). Core Security Technologies. Archived (PDF) from the original on 26 March 2020. Retrieved 3 March 2022.
  23. ^ a b Hands, Nicole M.; Yang, Baijian; Hansen, Raymond A. (September 2015). A Study on Botnets Utilizing DNS. RIIT '15: Proceedings of the 4th Annual ACM Conference on Research in Information Technology, Purdue University. United States: Association for Computing Machinery. pp. 23–28. doi:10.1145/2808062.2808070.
  24. ^ Li & Wang 2017, pp. 4–5.
  25. ^ Zhou 2015, pp. 1–2.
  26. ^ Salusky & Daford 2007, p. 7.
  27. ^ Konte, Feamster & Jung 2008, pp. 8–11.
  28. ^ Florian Tegeler; Xiaoming Fu; Giovanni Vigna; Christoper Kruegel (10 December 2012). "BotFinder: Finding bots in network traffic without deep packet inspection". Proceedings of the 8th international conference on Emerging networking experiments and technologies. Association for Computing Machinery. pp. 349–360. doi:10.1145/2413176.2413217. ISBN 9781450317757. S2CID 2648522.

Bibliography

Retrieved from "https://en.wikipedia.org/w/index.php?title=Fast_flux&oldid=1190304983"