Fast Flux Networks Working and Detection, Part 1
In this series of articles, we will learn about a not-so-new type of attack, but one of the most difficult attacks to control. Yes, we will learn about the demon Fast Flux! In this article, we will learn what exactly Fast Flux is, the types of Fast Flux, and how Fast Flux works. In the next article of this series, we will learn why it is difficult to detect Fast Flux in an environment, and finally the recommended ways to detect it.
What is Fast Flux?
The Fast Flux technique is generally used by botnets around the world to hide their phishing and malware delivery sites behind an ever-changing network of compromised hosts. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures.
How Fast Flux Works
The basic idea behind Fast Flux is to have numerous IP addresses associated with a single fully qualified domain name, with the IP addresses swapped in and out at extremely high frequency by changing the DNS records. This is achieved with a combination of round-robin IP addresses and a very short Time-To-Live (TTL) for any given DNS Resource Record (RR). A website hostname may be associated with a new set of IP addresses as often as every 3 minutes, which means that an end user client (i.e. a browser) connecting to the same website every 3 minutes would actually be connecting to a different infected computer each time.
The large pool of rotating IP addresses is not the final destination of the request for the content. Instead, the compromised front end systems are merely deployed as redirectors, called flux agents, which funnel requests and data to and from other backend servers that actually serve the content. Essentially, the domain names and URLs for the advertised content no longer resolve to the IP address of a specific server, but instead fluctuate amongst many front end redirectors or proxies, which in turn forward content to another group of backend servers.
In addition, the attackers ensure that the compromised systems they use to host their scams have the best possible bandwidth and service availability. They often use a load-distribution scheme that takes into account node health-check results, so that unresponsive nodes are taken out of flux and content availability is always maintained.
Types of Flux Networks
Fast Flux networks are classified under 2 major categories:
Single flux networks: These are networks in which a set of compromised nodes register and deregister their addresses as part of the DNS A (address) record list for a single DNS name. For example, in the figure below we can see that in normal client server communication, an end user agent such as a web browser sends its request to the server and the server fulfils the client's request, whereas in a single flux network, the communication between the end user agent (the web browser) and the server is proxied via a redirector, normally called a flux-bot. The figure shows the victim requesting example.com while the browser is actually communicating with the flux network.
The request thus gets redirected to the target website. Single flux service networks change the DNS records for their front end node IP addresses as often as every 3-10 minutes, so even if one flux-agent redirector node is shut down, many other infected redirector hosts are standing by and available to quickly take its place. Because Fast Flux techniques utilize blind TCP and UDP redirects, any directional service protocol with a single target port would likely encounter few problems being served via a Fast Flux service network. For example, along with DNS and HTTP, this includes services such as SMTP, IMAP, POP, etc.
Double flux networks: These networks are characterized by multiple nodes registering and deregistering as part of the DNS NS record list. Both the DNS A record sets and the authoritative NS records for a malicious domain are continually changed in a round-robin manner and advertised into the Fast Flux service network. The figure below outlines how double flux networks actually work and how they differ from single flux networks.
First, let’s just revise how single flux networks work. Suppose the user is requesting a resource named http://abc.example.com. In the figure we can see that the end user client (the browser) first asks the DNS root NS for the resolution of the top level domain, i.e. com. The root NS then responds with the address of the respective NS.
In the next step, the browser queries that NS for the domain example.com and receives as an answer a referral to the nameserver ns.example.com. Then the browser queries ns.example.com for the address of abc.example.com. The NS responds with an IP address, and since this is a single flux network, that IP address changes frequently.
Now let’s see how double flux networks work. Everything is the same except for the last step, where the client asks the authoritative NS for the resolution of abc.example.com. In double flux networks, the IP address of the authoritative NS itself is also changing frequently. When a DNS request for abc.example.com is received from the client, the current authoritative nameserver forwards the query to the mothership node for the required information. The client can then attempt to initiate direct communication with the target system, although the target system will itself be a dynamically changing front end flux-agent node. This provides an additional layer of redundancy and survivability within the malware network.
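As an added illustration (not code from the original article), the following Python computes, over constructed sequences of DNS answers, the properties described above for single and double flux: a short TTL, many A-record IPs spread across many networks, and, for double flux, authoritative nameserver addresses that rotate as well. The threshold values and the simulated address pools are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class DnsObservation:
    """One resolution of a hostname at one point in time (constructed sample data)."""
    time: int            # seconds since the start of the capture
    ttl: int             # TTL of the A records in the answer
    a_records: tuple     # IPs answered for the hostname
    ns_ips: tuple        # IPs of the authoritative NS that answered


def distinct_prefixes(ips, bits=16):
    """Count distinct /bits networks: flux agents are compromised hosts scattered across many ISPs."""
    return len({int(ip_address(ip)) >> (32 - bits) for ip in ips})


def flux_indicators(observations):
    """Aggregate the DNS properties the article describes over a sequence of answers."""
    a_ips = {ip for o in observations for ip in o.a_records}
    ns_ips = {ip for o in observations for ip in o.ns_ips}
    return {"min_ttl": min(o.ttl for o in observations),
            "distinct_a": len(a_ips), "a_prefixes": distinct_prefixes(a_ips),
            "distinct_ns": len(ns_ips), "ns_prefixes": distinct_prefixes(ns_ips)}


def classify(ind, ttl_max=600, min_a=10, min_prefixes=5, min_ns=3):
    """Heuristic thresholds are assumptions for illustration, not values from the article."""
    fluxy_a = ind["min_ttl"] <= ttl_max and ind["distinct_a"] >= min_a and ind["a_prefixes"] >= min_prefixes
    if fluxy_a and ind["distinct_ns"] >= min_ns and ind["ns_prefixes"] >= min_ns:
        return "double-flux"   # A records *and* authoritative NS addresses rotate
    return "single-flux" if fluxy_a else "normal"


def simulate(pool, per_answer, ttl, ns_pool, n=6):
    """Constructed capture: n answers rotating round-robin through pool, one per TTL expiry."""
    return [DnsObservation(i * ttl, ttl,
                           tuple(pool[(i * per_answer + k) % len(pool)] for k in range(per_answer)),
                           (ns_pool[i % len(ns_pool)],))
            for i in range(n)]


# Constructed address pools (private/documentation space, not real hosts).
NORMAL = simulate(("203.0.113.10", "203.0.113.11"), 2, 3600, ("203.0.113.53",))
SINGLE = simulate(tuple(f"10.{i}.0.{i}" for i in range(1, 13)), 3, 180, ("203.0.113.53",))
DOUBLE = simulate(tuple(f"10.{i}.0.{i}" for i in range(1, 13)), 3, 180,
                  tuple(f"10.{100 + i}.0.1" for i in range(4)))

if __name__ == "__main__":
    for name, obs in (("normal", NORMAL), ("single", SINGLE), ("double", DOUBLE)):
        print(name, classify(flux_indicators(obs)), flux_indicators(obs))
```

In a real deployment the observations would come from passive DNS or resolver logs rather than from simulate(), and the /16 prefix count would usually be replaced by an ASN lookup.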
Readers should now have a better understanding of Fast Flux networks, what their types are and how they work. In the next article, we will see how an attacker benefits from this type of attack, why it is difficult to detect Fast Flux networks, and then the recommended ways to detect them.