Open source software security

What is Fast Flux Hosting?

30 November -0001

Fast flux hosting (or fast-flux service networks), commonly utilized amongst malware bot herds and spammers, is a method used to hide servers or content behind an almost dynamic domain name. This allows attackers to keep content online and avoid a single point of failure. Traditionally, once a malicious host is detected, and ISP can be contacted and the machine can be pulled offline. This means that phishing sites or bot command and control machines could be pulled down as soon as they were identified.

Of course, attackers soon learned to overcome this single point of failure deficiency. Fast flux networks generally consist of multiple compromised machines. Each of these compromised computers serves as a reverse proxy for the real host. The linchpin in the operation is how DNS is utilized to provide a rotating pool of machines that respond to a query for a specific DNS name.

With multiple hosts, even if one machine is pulled offline, the DNS records will list other servers that will host the content. With fast flux, these records are set to expire rather quickly, meaning that querying the DNS for a fast flux from one moment to the next could result in different results. This means that as long as DNS is serving the address, the entry can be changed to point to a different node on the flux network. Pulling down the node only stops the presentation of content for a short time.

The nodes themselves will usually act as proxies. When a request is made to the node the node will, rather than responding, query a command server for content and pass that content back to the requestor. This setup means that content can be stored and maintained in one location, but constantly served out through the flux nodes to requestors. This also means that the disposable nodes can be cycled through quickly, and because they are usually compromised machines, logging can be suspended or turned off, making tracing the attacker very difficult. Since the nodes don't actually host any content and they may have limited capabilities to retain information for forensics (not to mention being spread all over the world), the nodes are very difficult to analyze to find the actual content host. These hosts are more valuable, and usually place in some sort of 'bullet proof' hosting environment (like the Russian Business Network).

Fast flux hosting works because a DNS query for a domain name can return multiple IP addresses. This is useful for load balancing, but it also means that a client can request a URL and cycle through IP's until finding one that answers. This set up means that attackers can proxy content through several machines, each of which must be disabled in order to take down the host. Not only that, if the DNS record is updated, new proxies can be added, meaning that the good guys have to disable the entire fast flux node network in order to prevent access to content. This is a much more robust deployment than the single point of failure.

Of course, DNS is very important to this scheme. Most of the time the DNS records for the fast flux network are also hosted in some sort of bullet proof environment, or sometimes there are multiple DNS servers listed for a domain. Ultimately it is probably easier to go after DNS servers in hopes that this avenue would lead to shutting down a fast flux much faster.

For more fascinating reading about fast flux networks check out the HoneyNet Project paper on it at http://www.honeynet.org/papers/ff/fast-flux.html.