How hackers pull a fast flux on security enforcers

In the continuing computer security arms race, a technique called fast flux is the bad guys’ latest way of thwarting attempts to shut down phishing scams and other Web nasties.

Fast flux was first seen around two years ago, according to Derek Manky, security researcher with Fortinet Inc. in Vancouver. Around a year ago it became popular with operators of botnets – networks of computers belonging to unsuspecting users and infected with bots, allowing them to be controlled remotely and used for phishing and other scams.

Tom Slodichak, chief security officer at security specialist WhiteHat Inc. in Burlington, Ont., says fast flux is a response to security enforcers getting better at finding and shutting down Web servers offering undesirable content.

The idea is to move the criminal sites around so fast that it’s next to impossible to catch up with them.

In its simplest form, this means that the name server controlling the domain constantly changes its response to attempts to look up the Web page. Before anyone can identify the IP address of an offending site and take it offline, the URL will be pointing to a different IP address.

It’s as if “the cops are trying to serve me a search warrant but every two minutes my address changes,” says Randy Abrams, director of technical education at ESET LLC, a San Diego, Calif., security software firm.

The weakness of this simple approach, known as single flux, is that the authoritative name server for the domain remains the same. Take that name server offline, and the offending site goes down.

Double flux gets around that by cycling the name server itself among multiple machines with multiple IP addresses. It continues to return constantly changing server addresses as well. The resulting blur of addresses is nearly impossible to shut down.

While locating all the machines in a fast flux operation is virtually impossible, there are ways to fight back.

Don’t allow short TTL values. The Domain Name System (DNS) record for a Web domain includes a value called the Time to Live (TTL). This tells resolvers how long they may cache a particular IP address before looking it up again. Fast flux works by setting the TTL to a few minutes.

In a paper on solutions to fast flux, submitted to the Internet Engineering Task Force (IETF), John Bambenek of the University of Illinois has proposed that domain name registrars refuse to accept TTL values of less than 24 hours. Any TTL lower than that would automatically be reset to 72 hours.

Block URLs with short TTL values. Only domain name registrars can reset TTL values for domains they control, but any server can check the TTL value on each DNS record it retrieves. Many large organizations run their own internal DNS servers, and Slodichak suggests they set their servers to block access to any site whose DNS record has a very short TTL. That will mean anyone on their network who tries to connect to a site using fast flux will get a message saying the site wasn’t found.

One problem: there are some legitimate uses for short TTLs, says Manky. For instance, some sites use fairly short TTL values as part of a “bulletproof hosting” model so that if a Web server fails, traffic can be redirected quickly to another one.
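To make the TTL check and the false-positive risk just described concrete, here is an added example (not from the article or from any of the firms quoted). It compares the blunt “block anything with a very short TTL” rule with a classifier that also looks at how much the A and NS records churn across repeated lookups, which is what separates single flux and double flux from an ordinary short-TTL failover setup. The 600-second threshold, the churn count and the lookup records (built from documentation IP ranges) are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed DNS observations for illustration (not real data): each tuple is
# (domain, A-record IPs seen in one lookup, TTL of those A records, NS hosts).
OBSERVATIONS = [
    # Single flux: A records rotate every lookup with a tiny TTL, NS stays put.
    ("flux-example.test", {"203.0.113.10", "203.0.113.11"}, 180, {"ns1.flux-example.test"}),
    ("flux-example.test", {"198.51.100.7", "203.0.113.44"}, 180, {"ns1.flux-example.test"}),
    ("flux-example.test", {"192.0.2.99", "198.51.100.250"}, 180, {"ns1.flux-example.test"}),
    # Double flux: both the A records and the name servers themselves churn.
    ("dflux-example.test", {"192.0.2.5"}, 120, {"ns-a.dflux-example.test"}),
    ("dflux-example.test", {"198.51.100.9"}, 120, {"ns-b.dflux-example.test"}),
    ("dflux-example.test", {"203.0.113.77"}, 120, {"ns-c.dflux-example.test"}),
    # Legitimate failover: short TTL but a small, stable pool of IPs and one NS.
    ("shop-example.test", {"192.0.2.20"}, 300, {"ns1.shop-example.test"}),
    ("shop-example.test", {"192.0.2.20"}, 300, {"ns1.shop-example.test"}),
    ("shop-example.test", {"192.0.2.21"}, 300, {"ns1.shop-example.test"}),
]

SHORT_TTL = 600  # seconds; the "very short" threshold is an assumption for this example


def blocked_by_ttl_policy(ttl, threshold=SHORT_TTL):
    """The blunt rule from the article: refuse any record whose TTL is very short."""
    return ttl < threshold


def classify(observations, threshold=SHORT_TTL, churn=3):
    """Per domain, combine a short TTL with churn of A and NS records across lookups.

    'double-flux' : short TTL, many distinct IPs and more than one name server seen
    'single-flux' : short TTL, many distinct IPs, stable name servers
    'normal'      : everything else (including short-TTL failover with a stable pool)
    """
    ips, nss, min_ttl = defaultdict(set), defaultdict(set), {}
    for domain, a_records, ttl, ns_records in observations:
        ips[domain] |= a_records
        nss[domain] |= ns_records
        min_ttl[domain] = min(ttl, min_ttl.get(domain, ttl))
    verdicts = {}
    for domain in ips:
        short = min_ttl[domain] < threshold
        a_churn = len(ips[domain]) >= churn
        if short and a_churn and len(nss[domain]) > 1:
            verdicts[domain] = "double-flux"
        elif short and a_churn:
            verdicts[domain] = "single-flux"
        else:
            verdicts[domain] = "normal"
    return verdicts
```

Run against the sample, the TTL-only rule blocks all three domains, including the failover site, while the churn-aware classifier flags only the two fluxing ones.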

Block repeated changes to DNS servers. Bambenek’s other proposal is that domain registrars should only allow one set of changes per domain in any 72-hour period. To avoid erroneous changes causing trouble, he suggests allowing any change to be cancelled with the record reverting to its previous values and no further changes allowed for 72 hours.

Use intrusion detection. Botnets using fast flux are often employed in distributed denial of service attacks aimed at taking down high-profile Web sites. Intrusion detection systems (IDS) can help block those attacks, Manky says.

Use Web filtering. By subscribing to services that provide real-time updates to lists of fraudulent Web sites, Manky says, companies can stop their computers from connecting to undesirable sites before fast flux comes into play. The real-time updates are important because in addition to using fast flux, Manky says, fraudsters also like to register new domain names constantly to stay ahead of the law.

Employ good standard security practices. Fast flux is just one more technique phishers and other black hats are using in their attempt to undermine internet security.

Most organizations that aren’t domain registrars can’t do very much to combat fast flux in particular, but the best way they can protect themselves against malicious net activity in general is with layers of security and – Abrams stresses this in particular – user education.

Because fast-flux botnets are often used in phishing attacks, Manky adds, anti-spam and anti-phishing protection are important ways to avoid becoming a victim.

While these security measures could go a long way to defeating fast flux, security researchers aren’t optimistic they will be widely employed. Some steps, like restricting TTL values, could inconvenience legitimate businesses. “If there’s a watershed event that causes billions and billions of dollars of loss in a short time,” Abrams says, “that might provide the drive to say okay, we’re going to bite the bullet.”

But neutralizing fast flux would be a temporary victory. “The dark side will come up with something else,” Slodichak warns.
