Sunday, February 1, 2009

Fast Flux, ICANN Working Group Report

ICANN has just released an initial report on fast flux for public comment.

The ICANN Fast Flux working group is gathering information that might help in initiating a formal policy development process, or in exploring other means of addressing the issue, and is also looking at whether a Fast Flux Data Reporting System (FFDRS) should be developed.

Fast flux characteristics:
- Multiple IPs per name (A records, and NS records in the double-flux case), spanning multiple ASNs
- Frequent NS changes (double fast flux)
- IPs located within consumer broadband blocks
- Short domain age (recently registered)
- Fraudulent WHOIS records
- Use of an "nginx" reverse proxy on the infected machines

Motherships:
- Motherships are the controlling element of a fast-flux network, just as C&C servers are to a botnet
- Motherships are hidden behind the front-end fast-flux proxy nodes

Proxy redirection:
- Fluxed hosts are typically proxies that redirect traffic to the attacker's actual content (on the mothership)
- This adds a second layer of obfuscation on top of the fast-flux DNS itself

Legitimate uses of fast flux:
Fast-flux-like techniques using short DNS TTLs are also used for:
- Load balancing of high-capacity systems
- Rapid propagation of changes (updates take effect quickly)
- Free-speech groups and dynamic DNS services
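As an added worked example (not code from the ICANN report or from this post), the following Python scores a domain against the characteristics listed above and shows why the legitimate short-TTL cases (CDN-style load balancing, dynamic DNS) should not be flagged on TTL alone. The DNS observations, the IP-to-ASN table, the consumer-ASN set, the registration dates and the thresholds are all constructed assumptions; the nginx/proxy indicator needs an HTTP probe of the fluxed hosts and is not modelled here.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Assumed IP -> ASN table, standing in for a BGP or whois lookup (hypothetical ASNs).
ASN_TABLE = {
    ip_network("203.0.113.0/24"): 64500,   # hypothetical hosting provider
    ip_network("198.51.100.0/24"): 64501,  # hypothetical consumer ISP
    ip_network("192.0.2.0/24"): 64502,     # hypothetical consumer ISP
    ip_network("100.64.0.0/10"): 64503,    # hypothetical consumer ISP
}
# Assumed set of ASNs whose address space is consumer broadband.
CONSUMER_ASNS = {64501, 64502, 64503}

# Thresholds are assumptions for this toy; tune them against real resolver data.
MAX_TTL = 300            # seconds; CDNs also use TTLs this short
MIN_ASNS = 3             # distinct ASNs across all observed A records
MAX_AGE_DAYS = 30        # "young" domain
CONSUMER_FRACTION = 0.5  # share of IPs inside consumer blocks
MIN_EXTRA_INDICATORS = 3 # indicators required on top of a short TTL

TODAY = date(2009, 2, 1)  # evaluation date, matching the post


def asn_of(ip):
    """Return the assumed ASN for an IP, or None if it is not in the toy table."""
    addr = ip_address(ip)
    for net, asn in ASN_TABLE.items():
        if addr in net:
            return asn
    return None


@dataclass
class Observation:
    """One resolver lookup of the domain: TTL, A records and NS records seen."""
    ttl: int
    a_records: list
    ns_records: list


@dataclass
class DomainRecord:
    name: str
    registered: date      # from WHOIS / registry data
    whois_verified: bool  # False if registrant details failed verification
    observations: list    # successive Observation objects over time


def flux_indicators(rec, today=TODAY):
    """Evaluate each fast-flux characteristic independently; returns name -> bool."""
    if not rec.observations:
        raise ValueError("need at least one DNS observation")
    ips = {ip for o in rec.observations for ip in o.a_records}
    asns = {asn_of(ip) for ip in ips} - {None}
    # NS churn: count how often the NS set differs between consecutive lookups.
    ns_sets = [frozenset(o.ns_records) for o in rec.observations]
    ns_changes = sum(1 for a, b in zip(ns_sets, ns_sets[1:]) if a != b)
    consumer = sum(1 for ip in ips if asn_of(ip) in CONSUMER_ASNS)
    age_days = (today - rec.registered).days
    return {
        "short_ttl": max(o.ttl for o in rec.observations) <= MAX_TTL,
        "multi_asn": len(asns) >= MIN_ASNS,
        "ns_flux": ns_changes > 0,
        "consumer_ips": bool(ips) and consumer / len(ips) >= CONSUMER_FRACTION,
        "young_domain": age_days <= MAX_AGE_DAYS,
        "bad_whois": not rec.whois_verified,
    }


def is_fast_flux(rec, today=TODAY):
    """A short TTL is necessary but not sufficient: require extra indicators too."""
    ind = flux_indicators(rec, today)
    extra = sum(v for k, v in ind.items() if k != "short_ttl")
    return ind["short_ttl"] and extra >= MIN_EXTRA_INDICATORS


# Constructed sample: young domain, bogus WHOIS, IPs spread over consumer ISPs,
# NS set changing between lookups (double flux).
FLUX = DomainRecord(
    name="example-flux.test", registered=date(2009, 1, 20), whois_verified=False,
    observations=[
        Observation(180, ["198.51.100.7", "192.0.2.44", "100.64.3.9"],
                    ["ns1.example-flux.test", "ns2.example-flux.test"]),
        Observation(180, ["198.51.100.21", "100.64.77.2", "192.0.2.9"],
                    ["ns3.example-flux.test", "ns4.example-flux.test"]),
    ],
)

# Constructed sample: CDN-style load balancing with a short TTL and rotating IPs,
# but one hosting ASN, stable NS, old domain, verified WHOIS.
CDN = DomainRecord(
    name="example-cdn.test", registered=date(2004, 6, 1), whois_verified=True,
    observations=[
        Observation(60, ["203.0.113.10", "203.0.113.11"],
                    ["ns1.example-cdn.test", "ns2.example-cdn.test"]),
        Observation(60, ["203.0.113.12", "203.0.113.13"],
                    ["ns1.example-cdn.test", "ns2.example-cdn.test"]),
    ],
)

if __name__ == "__main__":
    for rec in (FLUX, CDN):
        print(rec.name, is_fast_flux(rec), flux_indicators(rec))
```

Both constructed domains trip the short-TTL check; only the first accumulates the other indicators (multiple consumer ASNs, NS churn, recent registration, failed WHOIS), which is the distinction the working group's characteristics are meant to draw. On real data the ASN lookup, consumer-block list and thresholds would come from BGP/whois feeds and from measured false-positive rates rather than from constants.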


