    Thinking fast-flux: New bait for advanced phishing tactics

    Years ago, attackers would often have one or two really important machines that were the centerpiece of their criminal money-making schemes. The bad guys, thus, often faced one or more single points of failure in their criminal infrastructures. A phisher’s imposter Web site could be taken out. A spammer’s mail server could be added to a blacklist. And for bot-herders, an IRC server, historically used by many botnets to distribute commands to all of the bot-infected hosts, could be shut down. So, how have today’s enterprising bot-herders, making millions of dollars from their criminal empires, responded to the single points of failure? Two words: fast flux.

    Since the summer of 2007, there has been an explosion of large-scale fast-flux botnets. With this technique, bad guys can leverage thousands of disposable drone machines as intermediaries, rapidly swapping among different systems, confounding investigators who try to trace back a constantly fluctuating set of targets.

    Fast flux in action
    Let’s focus on a phishing scenario, in which data thieves have a Web server that pretends to be a big bank. We’ll call this machine “EvilServer,” with an IP address of w.x.y.z.

    To lure customers to this fake bank, the attacker dupes users into clicking on a link distributed in email, one that points at a domain name the attacker controls. Let’s call this domain name www.fakebank.com. (I know that name isn’t convincing, but stick with me.)

    In normal phishing attacks, the name in the link (www.fakebank.com) will resolve to w.x.y.z, the address of EvilServer. Thus, if users click on the link, they’ll connect directly to it. But, with fast flux, www.fakebank.com will not refer in any way to EvilServer.

    Instead, the DNS server associated with www.fakebank.com uses a technique called round-robin DNS. Round-robin DNS allows numerous IP addresses, often five or more, in the response to a single DNS query for a single name. Round-robin DNS isn’t evil; it was created for load balancing across multiple servers. Fast-fluxers, however, abuse round-robin DNS by answering queries for www.fakebank.com with several IP addresses, which we’ll call a.b.c.d, e.f.g.h, i.j.k.l, and so on.

    If users then click on the www.fakebank.com link, their browser will try to connect to a Web server at one of these IP addresses. The machines at those addresses, however, are actually bot-infected victim machines running a transparent Web proxy. When a Web request arrives, the proxy on the victim machine forwards it to EvilServer at w.x.y.z, so the victim machine never hosts the phishing content itself.

    But, it doesn’t stop there — after all, this technique is called “Fast Flux.” An attacker can set the round-robin DNS records to have very short Time To Live (TTL) values. The DNS TTL indicates how long a DNS client should cache a record before discarding it. With fast flux, the bad guys set their DNS records to expire quickly, often with a TTL between 3 and 10 minutes. What’s more, they constantly publish new DNS entries carrying the IP addresses of other bot-infected machines acting as proxies, so each fresh lookup returns a different set of drones.
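    The two signals described above, round-robin answers with many addresses and short TTLs whose contents keep changing, are exactly what a defender can score from resolver or passive-DNS logs. The following is an added example, not code from the original post: a small heuristic detector that takes a series of observed A-record answers for one name and reports the average TTL, the addresses per answer, the churn between successive answers and the total distinct IPs. The thresholds (TTL at most 600 seconds, five or more addresses, at least half the addresses new on each lookup, ten or more distinct IPs) and the sample answers are constructed for the example and would need tuning against real resolver data.

```python
"""Heuristic fast-flux scoring over a series of DNS lookups for one name.

Added example (not from the original post). Input is a constructed list of
A-record answers as a resolver or passive-DNS feed would record them.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class DnsAnswer:
    """One observed response: the name queried, its TTL in seconds and the
    set of IPs returned (a round-robin answer carries several)."""
    name: str
    ttl: int
    ips: frozenset


def flux_metrics(answers):
    """Compute the signals the article describes for one name.

    avg_ttl          - mean TTL in seconds (fast flux: roughly 180..600 s)
    addrs_per_answer - mean number of IPs per response (round robin, 5+)
    churn            - mean fraction of IPs in an answer not present in the
                       previous answer (legit round robin stays near 0)
    distinct_ips     - total distinct IPs seen across all lookups
    """
    if not answers:
        raise ValueError("no answers to score")
    churns = []
    for prev, cur in zip(answers, answers[1:]):
        new_ips = cur.ips - prev.ips
        churns.append(len(new_ips) / len(cur.ips) if cur.ips else 0.0)
    distinct = set().union(*(a.ips for a in answers))
    return {
        "avg_ttl": mean(a.ttl for a in answers),
        "addrs_per_answer": mean(len(a.ips) for a in answers),
        "churn": mean(churns) if churns else 0.0,
        "distinct_ips": len(distinct),
    }


def is_fast_flux(answers, max_ttl=600, min_addrs=5, min_churn=0.5, min_distinct=10):
    """Flag a name only when all four signals line up; a short-TTL CDN with a
    stable address pool fails the churn and distinct-IP checks."""
    m = flux_metrics(answers)
    return (m["avg_ttl"] <= max_ttl
            and m["addrs_per_answer"] >= min_addrs
            and m["churn"] >= min_churn
            and m["distinct_ips"] >= min_distinct)


# Constructed sample data using documentation address ranges (RFC 5737).
# Four successive lookups of the phishing name: TTL 300 s, five IPs each,
# and most of the pool replaced every time.
FLUX_LOOKUPS = [
    DnsAnswer("www.fakebank.com", 300, frozenset(
        f"198.51.100.{i}" for i in range(1, 6))),
    DnsAnswer("www.fakebank.com", 300, frozenset(
        ["198.51.100.4", "198.51.100.5",
         "203.0.113.1", "203.0.113.2", "203.0.113.3"])),
    DnsAnswer("www.fakebank.com", 300, frozenset(
        ["203.0.113.3", "192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"])),
    DnsAnswer("www.fakebank.com", 300, frozenset(
        f"192.0.2.{i}" for i in range(4, 9))),
]

# Three lookups of a legitimate load-balanced site: same short TTL and the
# same five addresses every time (only the order rotates, which sets ignore).
CDN_LOOKUPS = [
    DnsAnswer("www.example-cdn.test", 300, frozenset(
        f"203.0.113.{i}" for i in range(10, 15)))
    for _ in range(3)
]


if __name__ == "__main__":
    for label, lookups in (("fakebank", FLUX_LOOKUPS), ("cdn", CDN_LOOKUPS)):
        print(label, flux_metrics(lookups), "fast-flux:", is_fast_flux(lookups))
```

    Note that TTL and address count alone do not separate the two cases: both sample names answer with five addresses and a 300-second TTL. It is the churn across successive lookups, and the growing set of distinct IPs behind one name, that distinguishes a proxy pool of drones from ordinary round-robin load balancing.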
