Fast Flux Primer

Written by Carl E. Reid on March 18, 2009

In early January the article “Have a Spam Free Year” by Dan Blacharski introduced the term “fast flux”. About two weeks after Dan’s article was published, on January 26, 2009, the Generic Names Supporting Organization (GNSO) Fast Flux Hosting Working Group, chartered by the Internet Corporation for Assigned Names and Numbers (ICANN), published its initial report. The report is a clear response to the expected growth of spam and phishing attacks that rely on this technique.

Fast flux is a DNS evasion technique in which botnet herders continuously rotate the address behind a website, email source, or DNS server from one compromised computer to the next. The records are published with very short TTLs, so each lookup of the domain can return a different handful of bots, and those bots typically only proxy traffic to a hidden back-end host that serves the actual content. This makes the infrastructure behind malicious spam and phishing campaigns extremely difficult to take down: an IP blacklist is useless against a site whose addresses change every few minutes, and law enforcement cannot easily locate the criminals behind the traffic. The Storm botnet was one of the first to deploy this technique to preserve its infrastructure and hide from investigators.

It gets worse. “Double-flux is another evasion technique applying two levels of deception as opposed to one,” says David Piscitello, a member of ICANN’s Security and Stability Advisory Committee (SSAC). In double flux the name servers for the domain are rotated through the botnet in the same way as the web hosts, so both the A records and the NS records change constantly. David is also one of the authors of an SSAC advisory paper that addresses fast and double flux attacks. He further explains: “It’s particularly troublesome because using domain names is a whole lot easier than using IP addresses. Before this, you could hone in on a domain server as a way of shutting down a malicious site. But now the bad guys have one more tool in their evasion toolkit.”
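The two patterns described above (rotating A records for single flux, rotating name-server addresses as well for double flux) are visible to anyone who resolves a domain repeatedly. The following is an added example, not code from the article or from the ICANN/SSAC documents it cites: a small heuristic scorer over a series of constructed DNS observations. The DnsSnapshot layout, the thresholds (TTL at or under 300 seconds, at least five distinct addresses spread over at least three /16 networks, used here as a crude stand-in for ASN diversity) and the placeholder addresses are all assumptions for illustration.

```python
# Added example (not from the article or the ICANN/SSAC documents it cites):
# a heuristic detector that scores repeated DNS lookups of a domain for the
# fast-flux and double-flux patterns. Thresholds and the DnsSnapshot layout
# are assumptions for illustration; all addresses below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DnsSnapshot:
    """What a resolver saw for one domain at one point in time (constructed)."""
    t: int                      # seconds since the first lookup
    a_records: Tuple[str, ...]  # IPv4 addresses in the answer section
    a_ttl: int                  # TTL on those A records
    ns_ips: Tuple[str, ...]     # addresses the domain's NS hosts resolved to


def slash16(ip: str) -> str:
    """Crude locality proxy: the /16 an address falls in (stands in for ASN)."""
    return ".".join(ip.split(".")[:2])


def flux_report(snapshots: List[DnsSnapshot],
                max_ttl: int = 300,       # assumed: flux agents use short TTLs
                min_distinct_a: int = 5,  # assumed: many hosts over the window
                min_nets: int = 3         # assumed: spread over many networks
                ) -> Dict[str, object]:
    """Summarise churn in A and NS data and give a single/double-flux verdict."""
    seen_a, seen_nets = set(), set()
    turnover = []            # share of each answer not present in the previous
    ns_changes = 0           # how often the NS-host addresses rotated
    prev_a, prev_ns = None, None
    for s in snapshots:
        cur = set(s.a_records)
        if prev_a is not None:
            turnover.append(len(cur - prev_a) / len(cur))
            if set(s.ns_ips) != prev_ns:
                ns_changes += 1
        seen_a |= cur
        seen_nets |= {slash16(ip) for ip in cur}
        prev_a, prev_ns = cur, set(s.ns_ips)

    ttl_min = min(s.a_ttl for s in snapshots)
    fluxing = (ttl_min <= max_ttl and len(seen_a) >= min_distinct_a
               and len(seen_nets) >= min_nets)
    if not fluxing:
        verdict = "no-flux"
    elif ns_changes:
        verdict = "double-flux"   # the name servers themselves are fluxing too
    else:
        verdict = "single-flux"
    return {
        "ttl_min": ttl_min,
        "distinct_a": len(seen_a),
        "distinct_nets": len(seen_nets),
        "avg_turnover": round(sum(turnover) / len(turnover), 2) if turnover else 0.0,
        "ns_changes": ns_changes,
        "verdict": verdict,
    }


# --- constructed observations -------------------------------------------------
# A legitimate site: two stable addresses, long TTL, stable name servers.
STATIC_SITE = [
    DnsSnapshot(t, ("203.0.113.10", "203.0.113.11"), 3600,
                ("198.51.100.1", "198.51.100.2"))
    for t in (0, 3600, 7200)
]

# Answer sets for a fluxing domain: new compromised hosts on every lookup,
# with occasional repeats. 10.0.0.0/8 addresses are placeholders, not bots.
_FLUX_A = [
    ("10.1.4.22", "10.7.33.9", "10.12.8.100", "10.30.1.5"),
    ("10.1.4.22", "10.44.2.17", "10.58.9.3", "10.90.61.4"),
    ("10.7.33.9", "10.102.5.8", "10.113.200.1", "10.150.3.3"),
    ("10.160.9.9", "10.171.4.4", "10.188.2.2", "10.200.1.1"),
]

# Single flux: A records rotate, but the NS hosts keep fixed addresses.
SINGLE_FLUX = [
    DnsSnapshot(i * 180, a, 180, ("10.250.1.1", "10.250.1.2"))
    for i, a in enumerate(_FLUX_A)
]

# Double flux: the NS hosts' addresses rotate through the botnet as well.
_FLUX_NS = [("10.250.1.1", "10.251.2.2"), ("10.252.3.3", "10.253.4.4"),
            ("10.254.5.5", "10.250.1.1"), ("10.251.2.2", "10.253.4.4")]
DOUBLE_FLUX = [
    DnsSnapshot(i * 180, a, 180, ns)
    for i, (a, ns) in enumerate(zip(_FLUX_A, _FLUX_NS))
]

if __name__ == "__main__":
    for name, obs in (("static", STATIC_SITE), ("single", SINGLE_FLUX),
                      ("double", DOUBLE_FLUX)):
        print(name, flux_report(obs))
```

Run as a script it reports the static site as no-flux, the first constructed domain as single-flux (14 distinct addresses across 14 networks with roughly 92% of each answer new) and the second as double-flux because the name-server addresses changed on every lookup. In practice the snapshots would come from querying the domain at TTL intervals, and an ASN lookup would replace the /16 shortcut.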

In addition to defining fast flux, as described above, the SSAC advisory paper defines several more terms that email administrators should know.

Botnet – a network of compromised third-party computers running software (ro)bots. These bots can be remotely controlled – initially by the actual attacker, and subsequently by a party who pays the attacker for use of the botnet – for any number of unauthorized or illegal activities. The attacker is typically associated with an organized criminal element. The attacker installs “bot software” without notice or authorization on a PC via a spyware download or a virus attached to an email message, and more commonly through browser or other client-side exploits (e.g., compromised banner advertising). Once the bot is able to execute, it establishes a back-channel to a control infrastructure set up by the attacker. The traditional botnet design employed a centralized model, with all back-channels connecting to an attacker’s command-and-control center (C&C). More recently, botnet operators have employed peer-to-peer models for back-channel operation to thwart detection of the C&C via traffic analysis.

Bot-herder – the party who controls the botnet. Once a botnet is established, the bot-herder leases use of the botnet to a Fast Flux service operator.

Fast Flux facilities – a software agent that has been installed without consent onto large numbers of computers across the Internet.

Fast Flux service network – a subset of bots that the bot-herder assigns to a given Fast Flux service operator, who in turn provides its customer with facilities for fast flux hosting or name service. This service network is oftentimes operated by a “middleman”, not by the customer.

Fast flux is a mounting problem that email administrators should thoroughly understand. A quick check is to resolve the domain found in a suspect message several times a few minutes apart: a very short TTL and a different set of addresses on each lookup are the fingerprint of a flux domain. Consider developing reporting procedures to pass identified spam and phishing emails, with full headers, to your web hosting provider and your domain registrar. These are the entities that will be working closely with ICANN to thwart these types of attacks.

About Carl E. Reid

Developing his career from the mail room to the board room, Carl E. Reid has achieved success by skillfully blending 40 years of technology and business intelligence experience with his passion for helping companies succeed. Carl is founder and CEO of NetTECH Systems Reid & Associates, Inc., an emerging technology consulting company located in the New York City area. One of his specialties is 15 years as a collaboration and email infrastructure consultant. He has implemented and supported Lotus Notes/Domino and other types of SMTP gateway/network configurations in small to large global companies up to 33,000 employees. Some of his clients have included IBM, Citi, JPMChase, Oxygen, LVMH - Moet Hennessy, MeadWestvaco, non-profits and professional organizations. Carl is a Savvy Business Owner, Public Speaker and Author. His articles have appeared in Network World, Computer Monthly magazines and hundreds of web sites. Combining business technology consulting with professional blogging, Carl specializes in advising clients how to best leverage the Internet as a tool for high impact visibility. Carl's speaking style combines humor with expertise, and his advice is always down-to-earth and practical. He personally publishes Library of Congress recognized newsletter blog, http://www.SavvyIntrapreneur.com and http://www.iTechSpeak.com. Carl wrote the original "Professional Blogger Job Description", being used as standard document within companies. As a business career coach, Carl teaches professionals how to run their career as a profitable business.