Since 2006, security researchers have been watching a new technique used in cybercrime to hide malicious traffic behind an intricate network of proxies. This technique called fast-flux, was initially used by few people but lead to thousands of personal computers infected and criminal content like phishing sites and malwares successfully delivered to innocent users. Fast-flux networks are today the key to develop online criminal activities.
HOW DOES IT WORK ?
When you ask for a fully qualified domain name like www.innocentsite.com, you expect to receive a response from innocentsite’s servers. The scope of a fast-flux network, is to provide a great range of IP addresses for a fully qualified domain name. Using a TTL of 3 or 5 minutes, the IP addresses are fastly and periodically swapped from the list using round-robin. Round Robin DNS is a technique used for load distribution and load balancing that allows different users connecting to the same domain, to receive a response from different servers. Let’s say that user1 connects to google, he will then receive a response from google-server1. Then user2 connects and receives a response from google-server2 and so on. Every time a host answers a request, its IP goes at the bottom of the list, so at the top of the list there will be always the less loaded host. When it comes to fast-flux networks, the hosts are infected computers, so a network of zombies is created just to provide a proxy network for a malicious service. The response of the victim user is answered by the “mothership”. The mothership is the backend server hosting the malicious content. We can distinguish single-flux from double-flux.
SINGLE FLUX NETWORKS
The victim asks for his trusted www.innocentsite.com but his traffic is redirected to the zombie network and finally to the mothership. This zombie network is mostly made of infected home computers. The redirection is realized by the host called the flux-agent. The flux-agent’s DNS records are changed every 3 to 10 minutes so even if a redirector node is shut down, other nodes are ready to take its place in a very short time. Not only DNS and HTTP services are available through a fast-flux network, but also IMAP, SMTP and POP.
DOUBLE FLUX NETWORKS
This type of fast-flux is more complicated because both the DNS A record and NS record are changed with the Round Robin technique. DNS A record returns a 32 bit IPv4 usually used to link a host to its IP, while DNS NS record establishes that a certain authoritative server has to deal with a certain DNS zone; this means that in a double flux attack, not only hosts change their IP addresses as part of a single DNS name, but they do it for an entire DNS zone, making nearly an impossible understanding where the source of the attack is located. While in the traditional botnets, based on IRC servers, it was sufficient to find the central IRC server to take down the entire evil system, with a fast-flux network you should take down thousands of hosts located in a lot of different countries all over the world. The result is that of a fast-flux network and not a single point of weakness.
FAMOUS FAST-FLUX ATTACKS
Storm Worm was a backdoor trojan spreaded in 2007 targeting Microsoft systems of mostly private home hosts. The virus was spread with a spam email and after a few months accounted for 8% of all malware infections in the world. While for traditional botnets a central server could be found, Storm Worm was hidden by a network of zombies that acted as a peer to peer decentralized network. It was also difficult to understand the real size of the network because every host, connected to 30 other computers, had only the list of a subset of the entire network, not the complete list.
Samy was an XSS worm well known as the fastest spreading worm of all time. It was created to propagate through the social network MySpace and it was written by Samy Kamkar. The virus was released in 2005 and it infected over one million users in 20 hours. The virus was not dangerous, but it resulted in every infected user sending a friend request to Samy Kamkar and a message displayed on the screen saying “But most of all, samy is my hero”, and it showed a great vulnerability of the social network site.
While it is relatively easy to set up a fast-flux network for an expert cyber criminal, it is really complicated to trace these infrastructures and to take down the whole system. In fact investigators and network analyzers, have to deal with thousands of hosts infected, multiple nodes that make it difficult to understand how large is the real network, IP addresses changing randomly every five minutes, different laws for different countries that will not always cooperate and ISPs that will not always help them. Nonetheless, there’s a way in which a mothership can be detected, and it consists in sending probe packets to the flux-agent, tracing its path to the mothership itself.
There’s a strong return of investment for cyber criminals using fast-flux networks. Phishing, spam and malwares, are only few applications of this technique, so it is easy to understand that this kind of system will evolve over the years, resulting in a real chance of profit for hackers and a greater threat for users globally.