Wednesday, April 20, 2016

Fast Flux Networks

A Fast Flux Network is a network of compromised computers and some public DNS records that change frequently. As a result, the IP address associated with the corresponding domain name changes frequently. This technique is often used by the attackers to hide their malicious websites from detection.

Why Fast Flux Networks

Attackers typically compromise one or more victim computer systems with malware and exploit those to establish a fraudulent website like a Phishing website. The problem of the attackers with this approach is, these websites can be easily tracked down by public DNS name and IP address to shut them down immediately.

So, the attackers started using server address obfuscation. They often use a group of proxy servers to redirect network. But, this approach also does not prove to be much convenient for them because of limited scalability. Moreover, these websites can still be tracked down quickly by international cooperation.

So, the attackers started using Fast Flux Networks.

The basic idea behind a Fast Flux Network is to associate multiple IP addresses to a malicious domain name. These IP addresses are swapped in and out with extremely high frequency, may be in every 3 minutes, with the help of changing DNS records. As a result, a browser connecting to the same malicious website in every three minutes will see different IP address each time and connect to the actual malicious website via different infected computers every time.

How Fast Flux Network works

In Fast Flux Networks, attackers compromise a number of computer systems with malware and then exploit their bandwidth and computation power to build the Fast Flux Network.

In Fast Flux Networks, attackers often use a number of compromised computers as front end systems. These front end systems get the requests from the victims to connect to the malicious website and redirect those requests to the back-end servers.

So, the large pool of rotating IP addresses do not correspond to the actual back-end servers. Instead, they fluctuate among many front end servers which in turn funnel the requests and redirect them to the actual back-end servers.

Fast Flux motherships are the main controlling elements behind the front end servers. They are similar to Command & Control or C & C servers, though they have much more features compared to the C & C servers.

This mothership node is hidden by the front end servers, which make them extremely difficult to track down. They often host both DNS and HTTP services and use web server virtual hosting configuration to manage content availability.

Types of Fast Flux Networks

There are two types of Fast Flux Networks that are widely used by the attackers :

  • Single Flux Network
  • Double Flux Network

Single Flux Network

In a Single Flux Network, when a victim makes a request to the attacker's website, the request first reaches a front end redirector. This redirector redirects the request to the target website. There are typically a number of nodes that are used as front end redirectors. So, if one node gets detected and shut down, many other compromised hosts can take its position. Using this Single Flux Network, the DNS record corresponding to resolving the IP address of the attacker's website change frequently, may be in every 3 minutes.

Let's understand this with an example.

Suppose, a victim makes a request to access the website using a URL published by the attackers. So, the victim's computer will first make a request to resolve the domain name for

At this point, the DNS root nameserver will be queried first and it would return the nameserver responsible for the top level domain .com. Next, .com nameserver will be queried to get the nameserver responsible for, say Now, will be queried to get the IP address for

For normal DNS lookup, this DNS record usually remains constant. But, in Single Flux Network, this DNS record change frequently to contain multiple IP addresses in round robin fashion.

Double Flux Network

For a Double Flux Network, the victim sends similar DNS query to resolve the IP address for and queries are made in similar fashion to get nameserver of .com and then

But, here the nameserver is actually a part of the Double Flux Network and its own IP address itself changes frequently. When a DNS request reaches, the nameserver forwards the queries to corresponding mothership node and then a connection is made to the target system.

Advantages of Fast Flux Networks for attackers

There are a couple of reasons because of which the attackers use Fast Flux Networks for their fraudulent activities.

Easy to operate

Fast Flux Networks are easy to operate for the attackers. They just need one powerful back-end server to serve the actual contents and DNS information. The published URL first points to the front end servers which redirect the requests to the actual back-end server. So, the attackers need to maintain only a few number of core systems to host their malicious website, instead of maintaining many servers to host their fraudulent website.

Difficult to investigate

Fast Flux Networks make criminal investigations much difficult. Security experts typically recover a handful of IP addresses corresponding to the disposable front end servers. They are, in most of the cases, spread across multiple jurisdiction, continents, regional languages and time zones. And, that complicates the investigation to a large extent.

Hidden back end servers

Back end servers are hidden by the front end nodes. As a result, it takes much longer to identify and shut down those core back end servers.

Applications of Fast Flux Networks

Fast Flux Networks are responsible for many illegal practices like online pharmacy shops, money mule recruitment sites, phishing websites, illegal adult contents, distribution of malware etc. Even other services like SMTP, POP, IMAP etc can be delivered using Fast Flux Networks.

This article intended to give an introductory information on Fast Flux Networks. Hope you liked this.

No comments:

Post a Comment