Understanding the basics concept of fast flux dns

One of the most active threats we face today on the Internet is cyber-crime. It’s a profitable business where IT capable criminals try to control the computers of the naive. They do this by infecting them with malware. There are various ways of introducing these malicious codes into the target systems, but that part is out of scope for this post.

The goal of fast-flux is decrease the detection chances/rate when doing a malicous action. This can fluctuate from a spam mailing to a denial-of-service attack. The basic concept of the “fast flux” is to have a fully qualified domain name with multiple IP addresses assigned to it. These IP addresses are swapped in and out of flux with extreme frequency, using a combination of round-robin IP addresses and a very short Time-To-Live. The hostname of a certain website may change as often as every three minutes.

single flux diagram

The ip address used here are those of infected machines. So a browser connecting to the same website every 3 minutes would actually be connecting to a different infected computer each time. So the computer of your grandparents may simply be used to provide resources to the latest phishing attack.

It’s a common practice to build in load-distribution schemes which also do a health-check. This is useful so that the nodes (the computer from for example the grandparents) that are offline can be taken out of the flux. Enabling an always maintained content availability. A second layer is often added for security and fail-over: blind proxy redirection. Actually… a lot of techniques used in the world of legitimate webserver operations are used by these criminal computer networks.

The fast-flux it’s controlling element is often refered to as “mothership”. It’s simpilar to the control mechanisms used in the older botnets. But it has more features compared to the more conventional botnets. These mostly provide the basic backend infrastructure for the botnet (dns & http) as it serves the content towards the infected nodes.

Interesting readups:
Know Your Enemy: Fast-Flux Service Networks @ Honeynet.org (main reference)
the future of botnets : fast flux bot nets (tip!)
Darkreading: here & here
Securityfocus article

2 thoughts on “Understanding the basics concept of fast flux dns

  1. I didn’t really look at the double fast flux features until today. I’m looking at the presentation live at Hack.lu from Lance Spitzner himself.

    I know Lance from his “Know your enemy” series from years ago. He’s much younger then I expected. šŸ˜‰

  2. Hi,
    I am now doing my master’s degree and really interested in Fast Flux.
    I’ve searched and found less information about Fast-flux.

    Do share some links on this topic.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.