Fast Flux Domains

by Süleyman Petek 30. Kasım 2015 12:25
According to Wikipedia : "Fast flux is a DNS technique used by botnets to h

According to Wikipedia : "Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies." When a domain of a fast flux network is resolved, it returns more than one IP addresses. These domains continuously changes the IP address order that the domains are returned, this technic is called round-robin. The HoneyNet project provides a deep information about this issue : Know Your Enemy (http://www.honeynet.org/papers/ff)

It will be more effective to realize fast flux networks otherwise you will just waste your time blocking each IP address for them. Instead, blocking  the domain would be much more intelligent.

The fast flux domains will return several IP addresses when you resolve them or may return only one address but change it frequently.

How can we catch it ? 

A German security company BFK will help us at first step : http://www.bfk.de/bfk_dnslogger_en.html The BFK query page will allow us to query for passive DNS services.It is obvious that passive DNS search results will return many IP addresses for a fast flux network domain. If your search results contains dozens of different IP addresses, you can say that the domain you searched is a member of a fast flux domain.

We have another way  to check the status, that is checking the TTL value. If the TTL value is very low and the hostname is changing the IP address very quickly, it can be said that a fast flux domain. The value of TTL is zero means DNS server are not caching the IP addresses. You can use "dig" in Linux to find the TTL value of a domain.



Tags:

IT Security | Awareness | Malware | Malware Analysis | Web Defense

Add comment

Calendar

<<  Kasım 2018  >>
PztSalÇarPerCumCmtPaz
2930311234
567891011
12131415161718
19202122232425
262728293012
3456789

View posts in large calendar

RecentPosts