Sunday, February 1, 2009

Fast Flux, ICANN Working Group Report

ICANN just released an initial report about Fast-Flux for public comments
http://gnso.icann.org/issues/fast-flux-hosting/fast-flux-initial-report-26jan09.pdf

The ICANN Fast Flux working group is trying to gather information that might help in initiating a formal policy development process or in exploring other means to address this issue, in addition to exploring the possibility of developing a Fast Flux Data Reporting System (FFDRS).

Fast Flux characteristics:
- Multiple IPs per NS, spanning multiple ASNs
- Frequent NS changes (Double Fast-Flux)
- in-addr.arpa records or IPs located within consumer broadband blocks
- Domain name age is short
- Fraudulent WHOIS records
- Usage of "nginx" proxy on infected machines

Motherships:
- Motherships are the controlling element of a fast-flux network, exactly as C&C servers are to botnets
- Motherships are hidden by front-end fast flux proxy nodes

Proxy Redirection:
- Fluxed hosts are typically proxies that re-direct traffic to the attacker's actual content
- Adds a 2nd layer of obfuscation to fast flux

Legitimate use of Fast Flux:
Fast Flux techniques using short DNS TTLs are used for:
- Load balancing high capacity systems
- Rapid update to propagate changes quickly
- Free-speech groups and dynamic DNS services
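As an added example (not from the post or the ICANN report), here is a small Python scorer that applies the characteristics listed above, many IPs per name spread across several ASNs with short TTLs and frequent changes, to constructed DNS observations, while keeping the single-ASN load-balancing pattern from the legitimate-use list out of the verdict. The domain names, addresses, ASNs and thresholds are all assumed sample values.

```python
from collections import defaultdict

# Constructed DNS observations for illustration only (not real indicators):
# (domain, ttl_seconds, [(ip, asn), ...]) in the order the lookups were made.
OBSERVATIONS = [
    # flux-like: fresh IPs on every lookup, spread over several ASNs, short TTL
    ("flux.example", 300, [("198.51.100.10", 64501), ("203.0.113.5", 64502)]),
    ("flux.example", 300, [("198.51.100.77", 64503), ("192.0.2.40", 64504)]),
    ("flux.example", 300, [("203.0.113.200", 64502), ("192.0.2.99", 64505)]),
    ("flux.example", 300, [("198.51.100.3", 64501), ("203.0.113.61", 64506)]),
    # CDN-like: many IPs and a short TTL too, but all inside one operator's ASN
    ("cdn.example", 60, [("192.0.2.1", 64510), ("192.0.2.2", 64510)]),
    ("cdn.example", 60, [("192.0.2.3", 64510), ("192.0.2.4", 64510)]),
    ("cdn.example", 60, [("192.0.2.5", 64510), ("192.0.2.6", 64510)]),
    ("cdn.example", 60, [("192.0.2.7", 64510), ("192.0.2.8", 64510)]),
    # static: the same two IPs every time, long TTL
    ("static.example", 86400, [("203.0.113.9", 64520), ("203.0.113.10", 64520)]),
    ("static.example", 86400, [("203.0.113.9", 64520), ("203.0.113.10", 64520)]),
]

def summarize(observations):
    """Per-domain features: unique IPs, unique ASNs, TTLs seen, and IP churn
    (share of repeat lookups that returned an IP never seen before)."""
    per = defaultdict(lambda: {"ips": set(), "asns": set(), "ttls": [], "repeats": 0, "new": 0})
    for domain, ttl, answers in observations:
        f = per[domain]
        if f["ips"]:  # not the first lookup for this domain
            f["repeats"] += 1
            f["new"] += any(ip not in f["ips"] for ip, _ in answers)
        f["ttls"].append(ttl)
        for ip, asn in answers:
            f["ips"].add(ip)
            f["asns"].add(asn)
    for f in per.values():
        f["churn"] = f["new"] / f["repeats"] if f["repeats"] else 0.0
    return dict(per)

def is_fast_flux(feat, short_ttl=600, min_ips=5, min_asns=3):
    """Assumed heuristic: ASN spread is mandatory (a large single-ASN pool with a
    short TTL is the load-balancing case the post lists as legitimate), plus at
    least two of: many unique IPs, short TTL, high churn. Thresholds are guesses."""
    if len(feat["asns"]) < min_asns:
        return False
    signals = [len(feat["ips"]) >= min_ips, max(feat["ttls"]) <= short_ttl, feat["churn"] >= 0.5]
    return sum(signals) >= 2

def classify(observations):
    """Map each observed domain to a True/False fast-flux verdict."""
    return {d: is_fast_flux(f) for d, f in summarize(observations).items()}
```

On the sample data only flux.example is flagged; cdn.example churns just as fast but stays inside one ASN, which is exactly the legitimate pattern the post describes.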

Resources:
http://www.honeynet.org/papers/ff/
http://en.wikipedia.org/wiki/Fast_flux
http://www.spamhaus.org/faq/answers.lasso?section=ISP%20Spam%20Issues#164

