A Fast Flux Network is a network of compromised computers combined with public DNS records that change frequently. As a result, the IP address associated with the corresponding domain name changes frequently as well. Attackers often use this technique to hide their malicious websites from detection.
Why Fast Flux Networks
Attackers typically compromise one or more victim computer systems with malware and use them to host a fraudulent website, such as a phishing site. The problem with this approach, from the attackers' point of view, is that such websites can easily be tracked down through their public DNS names and IP addresses and shut down immediately.
So the attackers started using server address obfuscation. They often use a group of proxy servers to redirect network traffic. But this approach does not prove very convenient for them either, because of its limited scalability. Moreover, such websites can still be tracked down quickly through international cooperation.
So the attackers started using Fast Flux Networks.
The basic idea behind a Fast Flux Network is to associate multiple IP addresses with a malicious domain name. These IP addresses are swapped in and out with extremely high frequency, perhaps every 3 minutes, by changing the DNS records. As a result, a browser connecting to the same malicious website every three minutes will see a different IP address each time and will reach the actual malicious website via a different infected computer every time.
How Fast Flux Networks work
In Fast Flux Networks, attackers compromise a number of computer systems with malware and then exploit their bandwidth and computing power to build the Fast Flux Network.
Attackers often use a number of these compromised computers as front-end systems. The front-end systems receive the victims' requests to connect to the malicious website and redirect those requests to the back-end servers.
So the large pool of rotating IP addresses does not correspond to the actual back-end servers. Instead, it fluctuates among many front-end servers, which in turn funnel the requests and redirect them to the actual back-end servers.
Fast Flux motherships are the main controlling elements behind the front-end servers. They are similar to Command & Control (C&C) servers, though they have many more features than C&C servers.
The mothership node is hidden by the front-end servers, which makes it extremely difficult to track down. Motherships often host both DNS and HTTP services and use web server virtual hosting configurations to manage content availability.
Types of Fast Flux Networks
There are two types of Fast Flux Networks that are widely used by attackers:
- Single Flux Network
- Double Flux Network
Single Flux Network
In a Single Flux Network, when a victim makes a request to the attacker's website, the request first reaches a front-end redirector, which redirects the request to the target website. There are typically a number of nodes that are used as front-end redirectors, so if one node gets detected and shut down, many other compromised hosts can take its place. In a Single Flux Network, the DNS record that resolves the IP address of the attacker's website changes frequently, perhaps every 3 minutes.
Let's understand this with an example.
Suppose a victim makes a request to access the website malicious.attacker.com using a URL published by the attackers. The victim's computer will first make a request to resolve the domain name malicious.attacker.com.
At this point, a DNS root nameserver is queried first, and it returns the nameserver responsible for the top-level domain .com. Next, the .com nameserver is queried to get the nameserver responsible for attacker.com, say ns.attacker.com. Finally, ns.attacker.com is queried to get the IP address for malicious.attacker.com.
In a normal DNS lookup, this DNS record usually remains constant. But in a Single Flux Network, this DNS record changes frequently and contains multiple IP addresses served in round-robin fashion.
Double Flux Network
In a Double Flux Network, the victim sends a similar DNS query to resolve the IP address of malicious.attacker.com, and the queries are made in a similar fashion to get the nameserver for .com and then ns.attacker.com.
But here the nameserver ns.attacker.com is itself part of the Double Flux Network, and its own IP address also changes frequently. When a DNS request reaches ns.attacker.com, the nameserver forwards the query to the corresponding mothership node, and then a connection is made to the target system.
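As an added example (not part of the original article), the following Python sketch shows how a defender can tell the two flux types apart from repeated lookups of one name: it scores the A records returned for malicious.attacker.com and the addresses of its nameserver ns.attacker.com for short TTLs, address churn between answers and network spread. The observations, the /24-prefix stand-in for network diversity and the cut-off values are constructed assumptions, not data from the article.

```python
# Added example: score repeated DNS answers for fast-flux traits.
# All observations are constructed: (seconds since first query, TTL, addresses).
A_OBSERVATIONS = [  # A records for malicious.attacker.com, new set every ~3 min
    (0,   180, {"198.51.100.7", "203.0.113.22", "192.0.2.40"}),
    (180, 180, {"203.0.113.9", "198.51.100.77", "192.0.2.130"}),
    (360, 180, {"192.0.2.201", "203.0.113.150", "198.51.100.33"}),
    (540, 180, {"203.0.113.22", "192.0.2.8", "198.51.100.120"}),
]
NS_OBSERVATIONS = [  # addresses that ns.attacker.com itself resolved to
    (0,   300, {"192.0.2.5", "203.0.113.66"}),
    (180, 300, {"198.51.100.200", "192.0.2.77"}),
    (360, 300, {"203.0.113.101", "198.51.100.14"}),
    (540, 300, {"192.0.2.5", "203.0.113.240"}),
]
STABLE_OBSERVATIONS = [  # control: long TTL, same two addresses every time
    (t, 3600, {"192.0.2.10", "192.0.2.11"}) for t in (0, 3600, 7200, 10800)
]

def flux_indicators(observations, ttl_threshold=300):
    """Summarise one name's answers: distinct addresses, mean churn (share of
    each answer absent from the previous one), distinct /24 prefixes as a rough
    stand-in for network diversity, and whether every TTL was short."""
    seen, prefixes, churn, prev, low_ttl = set(), set(), [], None, True
    for _, ttl, ips in observations:
        if prev is not None:
            churn.append(len(ips - prev) / len(ips))
        prev = ips
        seen |= ips
        prefixes |= {ip.rsplit(".", 1)[0] for ip in ips}
        low_ttl = low_ttl and ttl <= ttl_threshold
    return {"distinct_ips": len(seen),
            "mean_churn": sum(churn) / len(churn) if churn else 0.0,
            "distinct_prefixes": len(prefixes), "low_ttl": low_ttl}

def looks_fluxy(ind):
    # Assumed cut-offs. A short TTL alone is weak evidence (CDNs use it too);
    # its combination with churn and prefix spread is what points to flux.
    return (ind["low_ttl"] and ind["distinct_ips"] >= 6
            and ind["distinct_prefixes"] >= 3 and ind["mean_churn"] >= 0.5)

def classify(a_obs, ns_obs):
    """'double flux' when both the A records and the nameserver's own address
    flux; 'single flux' when only the A records do; otherwise 'stable'."""
    a_flux = looks_fluxy(flux_indicators(a_obs))
    ns_flux = looks_fluxy(flux_indicators(ns_obs))
    if a_flux and ns_flux:
        return "double flux"
    return "single flux" if a_flux else "stable"
```

Running `classify(A_OBSERVATIONS, NS_OBSERVATIONS)` on the constructed data yields "double flux", while pairing the same A records with the stable nameserver yields "single flux".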
Advantages of Fast Flux Networks for attackers
There are a couple of reasons why attackers use Fast Flux Networks for their fraudulent activities.
Easy to operate
Fast Flux Networks are easy for the attackers to operate. They need only one powerful back-end server to serve the actual content and DNS information. The published URL first points to the front-end servers, which redirect the requests to the actual back-end server. So the attackers need to maintain only a small number of core systems to host their malicious website, instead of maintaining many servers to host their fraudulent website.
Difficult to investigate
Fast Flux Networks make criminal investigations much more difficult. Security experts typically recover only a handful of IP addresses, corresponding to the disposable front-end servers. In most cases these are spread across multiple jurisdictions, continents, regional languages and time zones, which complicates the investigation to a large extent.
Hidden back-end servers
Back-end servers are hidden by the front-end nodes. As a result, it takes much longer to identify and shut down those core back-end servers.
Applications of Fast Flux Networks
Fast Flux Networks are behind many illegal practices such as online pharmacy shops, money mule recruitment sites, phishing websites, illegal adult content and malware distribution. Other services such as SMTP, POP and IMAP can also be delivered through Fast Flux Networks.
This article is intended to give introductory information on Fast Flux Networks. I hope you liked it.