Catching Up with Fast Flux

By Matthew Hines  |  Posted 2008-10-09 Print this article Print

Renowned botnet researcher Jose Nazario of Arbor Networks offers up some interesting new data in a recent blog posting over at CircleID on the fast-flux networks being used to prop up botnet activity.

One of the most interesting new angles is that there are actually not that many fast-flux nets in use, but they are apparently being used to generate sizable sums of money by the cyber-criminals using them.

As we all know, fast flux is a method that advanced botnetters have been utilizing heavily over the last few years to try to keep their command and control centers from getting cut off.

Through the tactic, botnet masters hide the machines they use for spam generation or malware delivery behind layers of other zombified PCs acting as proxies.

Common variants on the model have also incorporated P2P networking and IP address load balancing to help attackers move their operations around quickly to try to evade detection and potential compromise of their core farms of infected devices.

Nazario describes it as such:

"Fast-flux service networks utilize botnets to distribute the Web servers to the infected PCs. The zombies in the network are advertised in DNS records managed by the botnet and act as Web proxies, handling the inbound request from a victim and relaying the data from a central machine, often dubbed the mothership. The botnet will advertise some small fraction of the bot population in this DNS map and use it to lure in new victims."

And, as he points out, one of the most well-known fast-flux applications has been the Storm Worm botnet, which has been going strong for several years now.

So what's new? Well, what's new is that Arbor has begun using its ATLAS (Active Threat Level Analysis System) Web infrastructure monitoring resources to begin tracking fast-flux nets, with some intriguing results.

Arbor used six months of data gathered by ATLAS representing nearly 1000 unique domain names and 15 million unique IP address and domain name pairs, and here are some of its findings:

-Most fast-flux domains are dormant for more than 30 days before their use in a flux operation; domain name tasting, where a domain name is used for the five-day 100 percent refund grace period, does not appear to be a major factor in fast-flux domain name use.

-The global TLD distribution (such as .com and .cn) of fast-flux domain names is now wider than [indicated by] original reports; this issue now affects significantly more registrars.

-[Arbor] can identify clusters of IPs and associated host names, showing how many botnets use how many names. [Arbor] finds only a handful of distinct botnets using fast-flux methods.

-Fast-flux service networks support a wide variety of online crime activity, such as phishing, malcode delivery, casino advertisements, illegal or questionable pharmacy sites, and other activities.

-Fast flux is a smaller-scale problem than is widely assumed, and only a few thousand hosts globally are involved at any one time. The dollar value of these crimes, however, is significant.

-Hosts involved in fast-flux service networks are extremely promiscuous, sometimes having hundreds or even thousands of domain names associated with them, due to the large number of names used by many active fast-flux botnets.

-Active DNS probing, which is commonly used to investigate fast-flux botnet activities (and was used in our study), does not appear to be an effective, reliable measure of a botnet's size. [Arbor] found only about 1 percent visibility into the Storm Worm botnet, and [Arbor researchers] have not been able to get size estimates of other botnets for comparison.

-[Arbor] anticipates that the dormant period between the domain names' registration and activation can be used to identify domain names that are similar to other active fast-flux names and proactively disable them.

So, fast flux is still fairly nascent in terms of its adoption, but apparently it is effective and being advanced in terms of its execution.

That would lead me to believe that we're only going to see a lot more of this activity going forward.

Hats off to Arbor for the neat research.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel