Fast flux is a DNS technique, first observed in 2006, that botnets use to disguise different types of malicious activity (including malware delivery and communication, phishing and web proxying) behind a continuously shifting network of compromised hosts acting as proxies. In practice, the operator points a domain at many IP addresses and rapidly rotates which of them its DNS records return, so the domain passes through a “fast flux” of IPs, which makes detection very difficult.
The first malware to use fast fluxing was the Storm Worm, which hid IP addresses for its command and control (C&C) servers. Malware Distribution Network “Avalanche” also used fast fluxing to hide its infrastructure, which it rented out to malware authors worldwide to send spam, spread malware, host C&C servers and launder stolen funds.
Security researchers at CDN and cloud services provider Akamai recently conducted an analysis, spanning several months, of a sophisticated, Avalanche-like botnet that uses fast flux techniques and comprises over 14,000 IP addresses. They have not yet given the 14,000-IP fast flux botnet a name, nor do they have specific information on its exact impact in terms of financial losses or number of victims; however, they have listed the behaviours they have observed in it. The botnet’s IP addresses host everything from web proxies to carder shops to C&C servers used for malware campaigns. In addition, the botnet was employed to carry out automated attacks including SQL injection, web scraping and brute-force dictionary attacks that test publicly leaked credentials.
Researchers believe that the malware on infected devices allowed the botnet to install a proxy package on each host that exposes the machine to the Internet and relays traffic for cyber-criminals. When someone tries to connect to a malicious site, the DNS servers hand out the IP of an infected host that is “hosting” the domain. The infected host (via the proxy package) then redirects the incoming traffic to the actual malicious site, hosted elsewhere. As a result, security researchers cannot treat the address in a DNS record as the real host of that site. They also found that the infrastructure consisted of two distinct parts: a hosting sub-network and a C&C sub-network. Each had its own pool of IPs, on which domains were hosted temporarily before being moved on to another address.
In writing about the incident, Bleeping Computer noted “a shift in the IoT botnet market from IoT botnets tooled for launching DDoS attacks to IoT botnets equipped to re-route malicious traffic”.
Most of the Akamai-identified fast flux botnet IP addresses originate in Eastern Europe (Ukraine, Romania and Russia); however, some of the associated IP addresses sit in address space assigned to Fortune 100 companies. Even though these addresses are likely “spoofed entities”, they allow the fast flux botnet to “borrow” the reputation linked to the IP address to perform its malicious activities.
Principal Lead Researcher at Akamai, Or Katz, notes that “the increasing complexity of enterprise networks and dependencies on public networks make it more difficult than ever to maintain an accurate picture of what is really happening on your networks. At the same time, the increasing sophistication of the obfuscation techniques used by hackers to hide their malicious activities makes it even more important to maintain granular insights into network activity.” Katz did note, however, that, “while tracking fast flux botnet is challenging, it is possible to do so by using algorithms that capture the fluxing behavior by looking on the relevant features, and this can lead to detecting such networks out-of-the-box”.
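As an added illustration of the kind of feature-based detection Katz describes (this is example code written for this article, not Akamai’s method or any part of its white paper), the following scores domains from a constructed passive-DNS log by how many distinct IPs and /24 prefixes stand behind one name and how short the TTLs are. The sample records, the /24 proxy for “different networks”, the weighting and the threshold are all assumptions; a production system would use ASN data and tuned thresholds.

```python
"""Heuristic fast-flux detector over a constructed DNS resolution log (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: (domain, resolved IP, TTL seconds, unix timestamp) as a
# passive-DNS sensor might record them. IPv4 only; all IPs are documentation ranges.
SAMPLE_LOG = [
    ("shop.example", "203.0.113.10", 300, 1000),
    ("shop.example", "198.51.100.7", 300, 1300),
    ("shop.example", "192.0.2.45", 300, 1600),
    ("shop.example", "203.0.113.200", 300, 1900),
    ("shop.example", "198.51.100.99", 300, 2200),
    ("shop.example", "192.0.2.7", 300, 2500),
    ("static.example", "203.0.113.50", 86400, 1000),
    ("static.example", "203.0.113.50", 86400, 87400),
    ("static.example", "203.0.113.51", 86400, 173800),
]


def domain_features(log):
    """Aggregate per domain: distinct IPs, distinct /24 prefixes, mean TTL."""
    ips, prefixes, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for domain, ip, ttl, _ts in log:
        addr = ip_address(ip)
        ips[domain].add(addr)
        # /24 is an assumed, coarse stand-in for "different networks";
        # an ASN lookup is the better signal when available.
        prefixes[domain].add(ip_network(f"{addr}/24", strict=False))
        ttls[domain].append(ttl)
    return {d: {"ips": len(ips[d]), "prefixes": len(prefixes[d]),
                "mean_ttl": sum(ttls[d]) / len(ttls[d])} for d in ips}


def flux_score(f):
    """More distinct IPs and prefixes behind one name, combined with low TTLs,
    raises suspicion. Weights and the 30-minute TTL cut-off are assumptions."""
    ttl_factor = 1.0 if f["mean_ttl"] < 1800 else 0.25
    return (f["ips"] + 1.5 * f["prefixes"]) * ttl_factor


def fast_flux_candidates(log, threshold=6.0):
    """Return domains whose score exceeds the (assumed) threshold."""
    feats = domain_features(log)
    return sorted(d for d, f in feats.items() if flux_score(f) > threshold)
```

Legitimate CDN-fronted domains also return many short-lived IPs, so in practice such a score is combined with an allowlist of known CDN ranges and reviewed rather than acted on automatically.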
Akamai’s White Paper on the subject can be accessed here: