Fast Flux and Advanced Fast Flux in Cyber Security
Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. The term also covers the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection that makes malware networks more resistant to discovery and countermeasures. The Storm Worm (2007) was one of the first widely reported malware families to use this technique.
Advanced Fast Flux
The basic idea behind fast flux, including its more advanced forms, is to associate numerous IP addresses with a single fully qualified domain name and to swap those addresses in and out at very high frequency by changing the DNS records. Internet users most often encounter fast flux in phishing campaigns run by criminal organizations, including attacks that target social networking services.
Types of Fast Flux
- Single Fast Flux
- Double Fast Flux
1. Single Fast Flux: This is the simplest type of fast flux. Multiple individual nodes in the network register and de-register their addresses as part of the DNS A (address) record list for a single DNS name. Combined with round-robin DNS and very short TTL (Time To Live) values, usually under five minutes, this produces a constantly changing list of destination addresses for that one name. The list can be hundreds or thousands of entries long.
2. Double Fast Flux: In the more sophisticated variant, double fast flux, the nodes also register and de-register their addresses as part of the NS (name server) record list for the DNS zone, so the name servers themselves flux as well as the A records. This adds a further layer of redundancy and survivability to the malware network.
In fast-flux hosting, fast-flux service networks are used for two purposes:
1. To host referral websites: Bots in this service network typically do not host the fast-flux customer's content; they redirect web traffic to the web server where the customer hosts the unauthorized or illegal content. When this is the only network operated for fast-flux hosting, the arrangement is called single flux hosting.
2. To host name servers: Bots in this service network act as name server referrers for the fast-flux customers. These name servers forward DNS requests to hidden name servers that host zones containing the DNS A resource records for the set of referral websites. The hidden name server does not relay responses back through the referring name server but replies directly to the querying host. When this second network is operated in conjunction with the first to deepen the deception, the arrangement is called double flux.
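The single and double flux behaviour described above (churning A records under a short TTL, and in the double case churning NS records too) can be scored from repeated lookups of one domain. The following is an added example, not code from the original page or from any named tool: it replays a constructed series of resolver answers and classifies the domain as "none", "single" or "double" flux. The thresholds (TTL at most 300 s, at least 5 distinct IPs across at least 3 distinct /16 prefixes, at least 3 distinct name servers that change between lookups) and the use of /16 prefixes as a stand-in for network diversity are assumptions chosen for illustration; published detectors such as Holz et al. use autonomous-system counts instead. Addresses come from the RFC 5737 documentation ranges and the name-server hostnames are invented.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed lookups for one FQDN: (seconds_since_first_query, rtype, ttl, rdata).
# Three lookups five minutes apart; the A answer set changes every time and the
# NS set changes between the first and third lookup (double flux pattern).
FLUX_LOOKUPS = [
    (0,   "A", 180, "192.0.2.10"),
    (0,   "A", 180, "198.51.100.7"),
    (0,   "A", 180, "203.0.113.22"),
    (300, "A", 180, "192.0.2.44"),
    (300, "A", 180, "198.51.100.7"),
    (300, "A", 180, "203.0.113.90"),
    (600, "A", 180, "192.0.2.103"),
    (600, "A", 180, "198.51.100.61"),
    (600, "A", 180, "203.0.113.22"),
    (0,   "NS", 180, "ns1.flux.example"),
    (0,   "NS", 180, "ns2.flux.example"),
    (600, "NS", 180, "ns3.flux.example"),
    (600, "NS", 180, "ns4.flux.example"),
]

# Constructed benign case: a short TTL alone (as a CDN or load balancer uses)
# is not fast flux; the answers stay within one network and one NS set.
CDN_LOOKUPS = [
    (0,   "A", 60, "192.0.2.5"),
    (0,   "A", 60, "192.0.2.6"),
    (300, "A", 60, "192.0.2.6"),
    (300, "A", 60, "192.0.2.5"),
    (0,   "NS", 86400, "ns1.cdn.example"),
    (0,   "NS", 86400, "ns2.cdn.example"),
]


def _summarize(recs):
    """Collapse (t, ttl, rdata) tuples into the counts the heuristic needs."""
    by_time = defaultdict(set)
    for t, _, rdata in recs:
        by_time[t].add(rdata)
    return {
        "unique": {r for _, _, r in recs},
        "min_ttl": min((ttl for _, ttl, _ in recs), default=None),
        # number of distinct answer sets seen across the lookups
        "answer_sets": len({frozenset(s) for s in by_time.values()}),
    }


def classify(lookups, ttl_max=300, min_ips=5, min_nets=3, min_ns=3):
    """Return flux statistics and a verdict of 'none', 'single' or 'double'.

    Thresholds are illustrative assumptions, not values from the page.
    """
    per_type = defaultdict(list)
    for t, rtype, ttl, rdata in lookups:
        per_type[rtype].append((t, ttl, rdata))
    a = _summarize(per_type["A"])
    ns = _summarize(per_type["NS"])
    # /16 prefix of each address as a cheap proxy for "different networks"
    nets = {ip_address(ip).packed[:2] for ip in a["unique"]}

    single = (a["min_ttl"] is not None and a["min_ttl"] <= ttl_max
              and len(a["unique"]) >= min_ips and len(nets) >= min_nets
              and a["answer_sets"] > 1)
    # Double flux: the name servers for the zone churn as well as the A records.
    double = (single and ns["min_ttl"] is not None and ns["min_ttl"] <= ttl_max
              and len(ns["unique"]) >= min_ns and ns["answer_sets"] > 1)
    return {
        "unique_ips": len(a["unique"]),
        "unique_nets": len(nets),
        "a_min_ttl": a["min_ttl"],
        "a_answer_sets": a["answer_sets"],
        "unique_ns": len(ns["unique"]),
        "verdict": "double" if double else "single" if single else "none",
    }


if __name__ == "__main__":
    print("flux domain:", classify(FLUX_LOOKUPS))
    print("cdn domain: ", classify(CDN_LOOKUPS))
```

The benign case is there deliberately: a low TTL is necessary but not sufficient, and a detector keyed on TTL alone will flag every CDN-fronted site. Feeding this function only the A records of the flux sample yields "single", because the NS evidence needed for the double verdict is absent.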
Fast Flux Watch is a mechanism for online detection of fast flux agents. It is envisioned as a software agent running on the leaf routers that connect stub networks to the Internet.
Its core mechanism relies on an inherent feature of fast flux networks: flux agents inside stub networks relay client requests to the point-of-sale websites of spam campaigns, so their traffic pattern differs from that of ordinary clients on the same network.
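To make the relay feature concrete, here is an added example (not code from the Fast Flux Watch paper or the original page) of what a leaf-router agent could compute from exported flow records. The signature it looks for is my own illustrative one: an internal host that accepts an inbound web connection from the Internet and, within a couple of seconds, opens an outbound web connection to an external server, repeated several times and converging on one upstream address. The stub network `10.0.0.0/24`, the 2-second pairing window, the 3-pair threshold and every flow record are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

STUB_NET = ip_network("10.0.0.0/24")   # assumed stub network behind the leaf router
WEB_PORTS = {80, 443}

# Constructed flow records as a leaf router might export:
# (t_seconds, src_ip, dst_ip, dst_port). External addresses are RFC 5737 ranges.
FLOWS = [
    # 10.0.0.7 behaves like a flux agent: each inbound hit from an external client is
    # followed within ~1 s by an outbound connection to the same upstream server.
    (100.0, "198.51.100.20", "10.0.0.7", 80),
    (100.4, "10.0.0.7", "203.0.113.5", 80),
    (105.0, "198.51.100.21", "10.0.0.7", 80),
    (105.6, "10.0.0.7", "203.0.113.5", 80),
    (111.0, "192.0.2.33", "10.0.0.7", 80),
    (111.3, "10.0.0.7", "203.0.113.5", 80),
    (118.0, "192.0.2.80", "10.0.0.7", 80),
    (118.9, "10.0.0.7", "203.0.113.5", 80),
    # 10.0.0.9 is an ordinary workstation: outbound browsing only.
    (102.0, "10.0.0.9", "198.51.100.200", 443),
    (140.0, "10.0.0.9", "203.0.113.77", 443),
    # 10.0.0.12 is a legitimate web server: inbound hits, one unrelated outbound flow.
    (130.0, "198.51.100.50", "10.0.0.12", 443),
    (131.0, "10.0.0.12", "192.0.2.10", 443),
    (150.0, "192.0.2.90", "10.0.0.12", 443),
]


def find_relays(flows, delta=2.0, min_pairs=3):
    """Return {internal_host: (pair_count, top_upstream)} for suspected flux agents.

    A "pair" is an inbound web connection to an internal host followed within
    `delta` seconds by an outbound web connection from that host. Each outbound
    flow is consumed by at most one inbound flow. Thresholds are assumptions.
    """
    inbound = defaultdict(list)    # host -> [t_in, ...]
    outbound = defaultdict(list)   # host -> [(t_out, dst), ...]
    for t, src, dst, dport in sorted(flows):
        if dport not in WEB_PORTS:
            continue
        s, d = ip_address(src), ip_address(dst)
        if d in STUB_NET and s not in STUB_NET:
            inbound[dst].append(t)
        elif s in STUB_NET and d not in STUB_NET:
            outbound[src].append((t, dst))

    results = {}
    for host, ins in inbound.items():
        outs = outbound.get(host, [])
        used = set()
        pairs = 0
        upstream = defaultdict(int)
        for t_in in ins:
            for i, (t_out, dst) in enumerate(outs):
                if i in used:
                    continue
                if 0 <= t_out - t_in <= delta:
                    pairs += 1
                    upstream[dst] += 1
                    used.add(i)
                    break
        if pairs >= min_pairs:
            top = max(upstream, key=upstream.get)
            results[host] = (pairs, top)
    return results


if __name__ == "__main__":
    for host, (pairs, top) in find_relays(FLOWS).items():
        print(f"{host}: {pairs} relayed requests, upstream {top}")
```

On the sample, only `10.0.0.7` is reported, with four relayed requests to `203.0.113.5`; the real web server `10.0.0.12` has one coincidental inbound-then-outbound pairing and stays below the threshold. A legitimate reverse proxy or caching edge on the stub network would produce the same pattern, so in practice this signal is combined with the DNS-side evidence (short TTL, churning A records) rather than used alone.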