NF Post 8 : Fast Flux DNS
Fast-flux is a service networks designed to dynamically change and obscure central malware server IP addresses. It makes blocking malicious traffic harder to defend and it harder for defenders to block malicious traffic tracking the central attacker servers.
Usually, to detect and block malware, network administrator built and distribute blacklist “bad IP” addresses known to be hosting malware or acting as control systems for botnets.
After a network compromise, investigators could identify other infected systems by looking for additional connections to the same known “bad” IP addresses. When a malware sample was analyzed, a list of central C&C IP addresses could be retrieved and blocked.
Fast flux enables botnets to hide behind rapidly shifting network of compromised hosts, acting as proxies. Using the fast flux, botnets quickly shift among these IP addresses, enabling cybercriminals to delay or evade detection. So, with fast flux , the botnets shift among these IP addresses, enabling cyber criminals to delay or evade detection.
There are 2 types of fast-flux networks:
1.Single Flux Networks
Dynamically change the DNS “A” records of a domain.
2.Double Flux Networks
Add an extra layer of indirection by dynamically changing both the DNS “A” records and the “NS” (name server) records as well.
Here’s an example of fast-flux taken from the research paper “Fast-Flux Bot Detection in Real Time” by Ching-Hsiang Hsu, Chun-Ying Huang, and Kuan-Ta Chen
References:
- “Fast-Flux Bot Detection in Real Time” by Ching-Hsiang Hsu, Chun-Ying Huang, and Kuan-Ta Chen (https://www.researchgate.net/publication/221427617_Fast-Flux_Bot_Detection_in_Real_Time)
- https://www.infoblox.com/glossary/fast-flux/
- https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/