Fast flux



Fast flux is a domain name system (DNS) based evasion technique used by cyber criminals to hide phishing and malware delivery websites behind an ever-changing network of compromised hosts acting as reverse proxies to the backend botnet master—a bulletproof autonomous system. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures.

The fundamental idea behind fast-flux is to have numerous IP addresses associated with a single fully qualified domain name, where the IP addresses are swapped in and out with extremely high frequency, through changing DNS resource records, thus the authoritative name servers of the said fast-fluxing domain name is—in most cases—hosted by the criminal actor.

Depending on the configuration and complexity of the infrastructure, fast-fluxing is generally classified into single, double, and domain fast-flux networks. Fast-fluxing remains an intricate problem in network security and current countermeasures remain ineffective.

History
Fast-fluxing was first reported by the security researchers William Salusky and Robert Danford of The Honeynet Project in 2007; the following year, they released a systematic study of fast-flux service networks in 2008. Rock Phish (2004) and Storm Worm (2007) were two notable fast-flux service networks which were used for malware distribution and phishing.

Fast-flux service network
A fast-flux service network (FFSN) is a network infrastructure resultant of the fast-fluxed network of compromised hosts; the technique is also used by legitimate service providers such as content distribution networks (CDNs) where the dynamic IP address is converted to match the domain name of the internet host, usually for the purpose of load balancing using round-robin domain name system (RR-DNS). The purpose of using FFSN infrastructure for the botnets is to relay network requests and act as a proxy to the backend bulletproof content server which function as an "origin server".

The frontend bots, which act as an ephemeral host affixed to a control master, are called flux-agents whose network availability is indeterminate due to the dynamic nature of fast-fluxing. The backend motherships do not establish direct communication with the user agents, rather every actions are reverse proxied through compromised frontend nodes, effectively making the attack long-lasting and resilient against take down attempts.

Types
Fast-fluxing is generally classified into two types: single fluxing and double fluxing, a build-on implementation over single fluxing. The phraseologies involved in fast-fluxing includes "flux-herder mothership nodes" and "fast-flux agent nodes", referred to the backend bulletproof botnet controller and the compromised host nodes involved in reverse proxying the traffic back-and-forth between the origin and clients respectively. The compromised hosts used by the fast-flux herders typically includes residential broadband access circuits, such as DSL and cable modems.

Single-flux network
In single-flux network, the authoritative name server of a fast-fluxing domain name repeatedly permutes the DNS resource records with low time to live (TTL) values, conventionally between 180 and 600 seconds. The permuted record within the zone file includes A, AAAA and CNAME record, the disposition is usually done by means of round robin from a registry of exploited host's IP addresses and DDNS names. Although HTTP and DNS remain commonly proxied application protocols by the frontend flux-agents, protocols such as SMTP, IMAP and POP can also be delivered through transport layer (L4) TCP and UDP level port binding techniques between flux-agents and backend flux-herder nodes.

Double-flux network
Double-fluxing networks involve high-frequency permutation of the fluxing domain's authoritative name servers, along with DNS resource records such as A, AAAA, or CNAME pointing to frontend proxies. In this infrastructure, the authoritative name server of the fluxing domain points to a frontend redirector node, which forwards the DNS datagram to a backend mothership node that resolve the query. The DNS resource records, including the NS record, are set with a lower TTL value, therefore resulting in an additional level indirection. The NS records in a double-fluxing network usually point to a referrer host that listens on port 53, which forwards the query to a backend DNS resolver that is authoritative for the fluxing domain. Advanced level of resilience and redundancy is achieved through blind proxy redirection techniques of the frontend nodes; Fast-fluxing domains also abuse domain wildcarding specification for spam delivery and phishing, and use DNS covert channels for transferring application layer payloads of protocols such as HTTP, SFTP, and FTP encapsulated within a DNS datagram query.

Domain-flux network
Domain-flux network involves keeping a fast-fluxing network operational through continuously rotating the domain name of the flux-herder mothership nodes. The domain names are dynamically generated using a selected pseudorandom domain generation algorithm (DGA), and the flux operator mass-registers the domain names. An infected host repeatedly tries to initiate a flux-agent handshake by spontaneous generating, resolving and connecting to an IP address until an acknowledgment, to register itself to the flux-herder mothership node. A notable example includes Conficker, a botnet which was operational by generating 50,000 different domains in 110 top-level domains (TLDs).

Security countermeasures
The detection and mitigation of fast-fluxing domain names remain an intricate challenge in network security due to the robust nature of fast-fluxing. Although fingerprinting the backend fast-flux mothership node remains increasingly difficult, service providers could detect the upstream mothership nodes through probing the frontend flux-agents in a special way by sending a crafted HTTP request that would trigger an out-of-band network request from the backend fast-flux mothership node to the client in an independent channel, such that the client could deduce the mothership node's IP address by analyzing the logs of its network traffic. Various security researchers suggests that the effective measure against fast-fluxing is to take down the domain name from its use. However, the domain name registrars are reluctant in doing so, since there are not jurisdiction independent terms of service agreements that must be observed; in most cases, fast-flux operators and cybersquatters are the main source of income to those registrars.

Other countermeasures against fast-fluxing domains include deep packet inspection (DPI), host-based firewall, and IP-based access control lists (ACLs), although there are serious limitations in these approaches due to the dynamic nature of fast-fluxing.