Who is Using Fast Flux?

By Matthew Hines  |  Posted 2009-07-21

Lots of bad guys, that's who.

In the latest episode of their "Who and Why Show" podcast, posted here, researchers at Team Cymru highlight the growing uptake, and successful use, of so-called fast flux botnet infrastructure among a larger number of cyber-criminals.

Fast flux, which has been around for a good few years now, involves botnet operators manipulating DNS information to keep their command and control servers from being cut off.

And with botnets sprawling seemingly everywhere, and people across the security industry trying to choke them off, the more advanced control model is proving very effective in helping attackers keep their zombie networks active, according to John Kristoff, an expert with the firm.

Through the tactic, botnet masters hide the machines they use for spam generation or malware delivery behind layers of other zombified PCs acting as proxies. The zombies in the network are advertised in DNS records managed by the botnet and act as Web proxies, handling inbound requests from victims and relaying data from a central machine, often dubbed the mothership. Most often, the botnet will advertise only a small fraction of the bot population in this DNS map and use it to lure in new victims.

"Unlike traditional controller mechanisms that might be employed to find botnet command and control servers with DNS or HTTP, if that command and control is always changing, and it is changing rapidly, it makes the trail very difficult to follow; and in addition you have to follow that many more pieces of the architecture, that many more hosts that you have to investigate and tie back to some criminal," said Kristoff. "So it really does make it nearly impossible for someone who is actually trying to uncover who is behind this if there is a lot of change involved."

These realities make it very hard for anyone to quickly dismantle fast flux networks, the expert said.

However, there may be some hope. By pushing the people who control key pieces of the DNS infrastructure involved, namely registrars, to do a better job of mitigating the rapid changes needed to run fast flux networks, tightening domain name authentication, and responding to abuse reports faster, these companies could go a long way toward thwarting the technique, said Kristoff.

Monitoring DNS names could also help; doing so poses some interesting technical challenges for registrars, but nothing that is totally out of reach, he said. Some newer techniques, including ones identified by Team Cymru, have also made it possible to predict where fast flux networks might crop up and choke them off ahead of time, he said.
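As an added illustration (not from the article or from Team Cymru), this is the kind of DNS monitoring the passages above describe: repeated lookups of a domain are scored on the traits fast flux leaves behind, namely many addresses spread over several networks, short TTLs, and an answer set that keeps rotating. The domains, addresses and thresholds are constructed assumptions, and a /16 prefix stands in for the ASN lookup real tooling would use.

```python
from collections import defaultdict

# Constructed sample: repeated A-record lookups, one tuple per poll:
# (poll time in seconds, domain, TTL, answer set). Addresses are RFC 5737
# documentation ranges, not real observations.
POLLS = [
    (0, "flux.example", 180, ["192.0.2.10", "198.51.100.7", "203.0.113.44", "192.0.2.99", "198.51.100.130"]),
    (300, "flux.example", 180, ["203.0.113.8", "192.0.2.34", "198.51.100.201", "203.0.113.120", "192.0.2.177"]),
    (600, "flux.example", 180, ["198.51.100.55", "203.0.113.3", "192.0.2.210", "198.51.100.90", "203.0.113.200"]),
    (0, "static.example", 86400, ["192.0.2.1", "192.0.2.2"]),
    (300, "static.example", 86400, ["192.0.2.1", "192.0.2.2"]),
    (600, "static.example", 86400, ["192.0.2.1", "192.0.2.2"]),
]

def _network(ip):
    # Coarse stand-in for an ASN lookup (not available offline): the /16 prefix.
    return ".".join(ip.split(".")[:2])

def flux_metrics(polls):
    """Aggregate the polls per domain into the signals fast flux leaves in DNS:
    many distinct addresses over several networks, short TTL, rotating answers."""
    by_domain = defaultdict(list)
    for t, domain, ttl, ips in polls:
        by_domain[domain].append((t, ttl, set(ips)))
    report = {}
    for domain, series in by_domain.items():
        series.sort(key=lambda rec: rec[0])
        seen = set(series[0][2])
        new, answered = 0, 0
        for _, _, ips in series[1:]:
            new += len(ips - seen)      # addresses never advertised before
            answered += len(ips)
            seen |= ips
        report[domain] = {
            "unique_ips": len(seen),
            "networks": len({_network(ip) for ip in seen}),
            "min_ttl": min(ttl for _, ttl, _ in series),
            "churn": new / answered if answered else 0.0,  # 1.0 = every later answer was new
        }
    return report

def is_fast_flux(m, ttl_max=300, min_ips=8, min_networks=3, churn_min=0.5):
    """Thresholds are illustrative assumptions, not figures from the article."""
    return (m["min_ttl"] <= ttl_max and m["unique_ips"] >= min_ips
            and m["networks"] >= min_networks and m["churn"] >= churn_min)

def classify(polls):
    # Map each observed domain to a verdict; tune thresholds to your own baseline.
    return {d: is_fast_flux(m) for d, m in flux_metrics(polls).items()}
```

Running `classify(POLLS)` flags `flux.example` and leaves `static.example` alone; in practice the same aggregation runs over passive DNS or resolver logs rather than a hard-coded list.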

Fast flux networks may not be the most widespread model for controlling botnets, or the most complex, but the approach will remain in heavy use until registrars crack down, according to the expert.

"I'd always plan on expecting something new and improved, maybe not necessarily with the domain name system but certainly something, but it is quite an innovative and effective technique on the part of miscreants," said Kristoff. "So is it the holy grail? Perhaps not, but it is certainly one thing that [botnet masters] are taking advantage of, and it's certainly making it much more difficult for investigators, analysts and law enforcement than they would otherwise like."

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.
