Blog        Forum        Spam        Check & Secure                      
Articles > Monitoring DNS traffic for Security Threats

Monitoring DNS traffic for Security Threats

Fast flux

The goal of fast-flux is for a fully qualified domain name (such as www.example.com) to have multiple (hundreds or even thousands) IP addresses assigned to it. These IP addresses are swapped in and out of flux with extreme frequency, using a combination of round-robin IP addresses and a very short Time-To-Live (TTL) for any given particular DNS Resource Record (RR). Website hostnames may be associated with a new set of IP addresses as often as every 3 minutes. A browser connecting to the same website every 3 minutes would actually be connecting to a different infected computer each time.

Fast-flux networks are responsible for many illegal practices, including online pharmacy shops, money mule recruitment sites, phishing websites, extreme/illegal adult content, malicious browser exploit websites, and the distribution of malware downloads. Beyond our regular observation of new DNS and HTTP services, other services such as SMTP, POP, and IMAP can be delivered via fast-flux service networks.

Blind proxy redirection

A second layer is often added for security and fail-over: blind proxy redirection. Redirection disrupts attempts to track down and mitigate fast-flux service network nodes. What happens is the large pool of rotating IP addresses are not the final destination of the request for the content (or other network service). Instead, compromised front end systems are merely deployed as redirectors that funnel requests and data to and from other backend servers, which actually serve the content. Essentially the domain names and URLs for advertised content no longer resolve to the IP address of a specific server, but instead fluctuate amongst many front end redirectors or proxies, which then in turn forward content to another group of backend servers.

Motherships

Fast-flux “motherships” are the controlling element behind fast-flux service networks, and are similar to the command and control (C&C) systems found in conventional botnets. However, compared to typical botnet IRC servers, fast-flux motherships have many more features. It is the upstream fast-flux mothership node, which is hidden by the front end fast-flux proxy network nodes, that actually delivers content back to the victim client who requests it. Flux-herder mothership nodes have been observed to operate successfully for extended periods of time in the wild. These nodes are often observed hosting both DNS and HTTP services, with web server virtual hosting configurations able to manage the content availability for thousands of domains simultaneously on a single host.

Single and double flux

In Figure 1 below we demonstrate a single-flux network. We compare a normal web browser communicating directly with a typical website against the case of a single-flux service network, where the end user’s browser communication is proxied via a redirector (the flux-bot or flux-agent).

When a victim believes that they are browsing http://flux.example.com, their browser is actually communicating with the fast-flux service network redirector which redirects the requests to the target website. Single-flux service networks change the DNS records for their front end node IP address as often as every 3-10 minutes, so even if one flux-agent redirector node is shut down, many other infected redirector hosts are standing by and available to quickly take its place. We have found these fast-flux networks to be composed of primarily compromised home computers.

Because fast-flux techniques utilize blind TCP and UDP redirects, any directional service protocol with a single target port would likely encounter few problems being served via a fast-flux service network.

Double-flux networks are a more complex technique providing an additional layer of redundancy. Specifically, both the DNS A record sets and the authoritative NS records for a malicious domain are continually changed in a round robin manner and advertised into the fast-flux service network. From our observations of double-flux networks active in the wild, DNS and HTTP services are both served from the same upstream mothership node. Figure 2 below demonstrates the difference between a single-flux service network and double-flux service network. Please note that in the figure below that request caching is not taken into account and that the outbound request would usually emanate from the client's preferred nameserver instead of the client itself.

On the left-hand side, we depict a single-flux lookup: the client wants to resolve the address http://flux.example.com/ flux.example.com. First, it asks the DNS root nameserver which name server is responsible for the top-level domain .com and receives an answer (omitted in the picture). In a second step, the client queries the .com nameserver for the domain example.com and receives as an answer a referral to the nameserver ns.example.com. Now the client can query the authoritative DNS server ns.example.com for the actual IP address of the address flux.example.com. The authoritative nameserver answers with an IP address that the client can then attempt to initiate direct communication with. For a normal DNS lookup, the answer IP address usually remains constant over a certain period of time, whereas for single-flux nodes, the answer changes frequently.

At the right hand side, we depict a DNS lookup for an address within a double-flux domain. Again, the client wants to look up the address flux.example.com. Once again, the first step (lookup at root nameserver) is omitted for sake of brevity. Next, the client queries the nameserver responsible for the top-level domain .com for the authoritative nameserver for the domain example.com. In a third step, the client then queries the authoritative DNS server ns.example.com for the address flux.example.com. However, this authoritative nameserver is actually part of the double-flux scheme itself and its own IP address changes frequently. When a DNS request for flux.example.com is received from the client, the current authoritative nameserver forwards the queries to the mothership node for the required information. The client can them attempt to initiate direct communication with the target system (although this target system will itself be a dynamically changing front end flux-agent node).

Fast Flux DNS and Botnets

You may be wondering how all this is possible, how can a hacker or criminal have access to this many hosts to serve content from? They must have thousands of systems to make this kind of system effective, right? This is where botnets come into play. A botnet is essentially a number of “zombie” computers. These are regular computers, home or office, that are infected with a virus and have become part of the botnet. In most cases, people won’t even realise their computer is being used to serve malicious content. It is in the criminal’s best interests to be as inconspicuous as possible and as such, the virus is usually well hidden, hard to detect and does not make itself noticed easily.

Sometimes, criminals can have access to botnets that consist of hundreds of thousands of infected computers (in some cases a million plus) which are located all over the world. This can make them even harder to detect since there is often no geographical pattern. The other issue here is that these hosts cannot be shut down in the normal sense, since they are merely victims of a computer virus and usually have no idea that they are an accessory to a crime.

The entire fast flux DNS system for an online criminal is usually built upon computers that are part of the botnet. The domain names may be registered from infected computers, the NS records (NS means name server, these are the ‘top level’ records that govern all the other DNS records for a given domain name) themselves point to infected hosts, and the end hosts serving the content are also part of the botnet.

Fast Flux DNS – The Weak Spot

Ultimately, the weak spot in this entire system is usually the domain name, this is the top level. There might be hundreds or thousands of hosts underneath the domain name which are ready to serve content for it, however, with the domain name gone, none of this is achievable. Most sophisticated online criminals have realised that the domain name is the weak spot, and as a result, they will register many (sometimes hundreds or thousands) and use a system of distributing their malicious content through them.

References

Regarding the security of your computer please consider the following basic rules:

  1. Check your computer for infection.
  2. Install current Service Packs and Security Updates for your system. Activate automatic updates.
  3. Check your internet browser and the embedded plugins (e.g. Java, Flash, Shockwave, Quicktime) regularly for Actuality.
  4. Install a virus scanner and update it regularly.
  5. Use a Firewall e.g. Windows built-in Firewall or a Router.

Good to know

Inform
Find out what botnets are, the damage they cause, and how they threaten the data on your computer.

Clean
Here you can find small programs and tutorials which enable you to remove a botnet infection from your computer.

Protect
In this section you will find many tips on how to protect your computer from infection.

Copyright © 2014-2015 CERT-RO. All rights reserved.