Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fast Flux Hosting and DNS ICANN SSAC What is Fast Flux Hosting? An evasion technique Goal of all fast flux variants –Avoid detection and take down of.

Published byAdrian Hoover Modified over 8 years ago

Similar presentations

Presentation on theme: "Fast Flux Hosting and DNS ICANN SSAC What is Fast Flux Hosting? An evasion technique Goal of all fast flux variants –Avoid detection and take down of."— Presentation transcript:

1

2 Fast Flux Hosting and DNS ICANN SSAC

3 What is Fast Flux Hosting? An evasion technique Goal of all fast flux variants –Avoid detection and take down of web sites used for illegal purposes Technique –Host illegal content at many web sites –Send phishing email with links to web site's domain name –Rapidly change the locations of the web site so that no one site is used long enough to isolate and shut down

4 e-version of age-old scam 3 card monte, a classic street corner scam Bet on which card is the Ace of Diamonds! In basic fast flux attacks, the web site is the Ace of Diamonds

5 Eluding the beat cop In the brick-and-mortar world, 3 card Monte is run on a street corner Lookouts warn the scam artist when the beat cop is approaching The scam artist packs up his game and moved to another corner In the e-world, scammers alter the DNS to "change corners" –This is called Name Server Fluxing –Double flux combines basic and name server fluxing

6 Variations on a theme… Basic fast flux hosting –IP addresses of illegal web sites are fluxed Name Server (NS) fluxing –IP addresses of DNS name servers are fluxed Double flux –IP addresses of web sites and name servers are fluxed

7 bot herder "leases" botnet to "customer" 2 bot herder infects hosts, gathers herd into botnet 1 Customer "acquires" phishing kit from malware author 3 Via a registrar, customer registers nameserverservicenetwork.tld and boguswebsitesexample.tld 4 5 Via a registrar, customer fluxes NS records for nameserverservicenetwork.tld to TLD zone file with $TTL 180 Customer spams phishing email to lure victims to bogus web site 8 STEPS 5-7 repeat as TTLs expire… Anatomy of an attack 6 Customer uses C&C to load zone file onto selected bots; flux host A records for boguswebsitesexample.tld have $TTL 180 Customer uses botnet C&C channel to load bogus web site onto hosts identified in the zone file for boguswebsitesexample.tld 7

8 Mitigation Alternatives 1.Shut down the bots (botnets) that host fast flux 2.Shut down the fast flux hosts 3.Remove domains used in fast flux hosting from service

9 Bots number in the 100,000s or 1Ms Current mitigation techniques –Anti-malware on desktops and at gateways –Education and awareness –Current efforts not close to stemming the tide Possible additional techniques include –Process and executable white listing –Network access/admission controls for private networks and public Internet service –Inclusion of bot detection in “unified threat management” security Can we shut down the bots?

10 Can we shut down fast flux hosts? Today, –Responders and law enforcement collect information (and obtain court orders) to shut down fast flux hosts –The shut down process operates at a real world pace –Fast flux is designed to thwart these activities –Fast flux hosts remain operational well beyond the average illegal site lifetime of 4 days Possible additional measures –Accelerated domain name suspension procedures –Information sharing among responders, CERTS, LEAs –Accredited list of responders, acknowledged by registrars and registries

11 Can we remove domains used in fast flux hosting from service? Some domains are easier to delete than others –Obscure strings, WHOIS inaccuracies, rapidly changing TTLs, … Other domains are HARD to take down –Illegal sites hosted on legitimate but compromised servers on bulletproof hosts where other "safe harbor" conditions are available Overly simplistic detection methods may result in false positives

12 Additional practices we can consider Practiced today (but not uniformly) –Authenticate contacts before allowing NS record changes –Rate-limit NS record changes –Detect and block automated NS record changes –Enforce a minimum TTL (e.g., 30 minutes) Whitelist or exception handling for registrants with legitimate uses –Abuse monitoring systems to report excessive DNS configuration changes Domain name quarantining (and honeypotting) –Prohibit use of domains and hosting services to abet illegal activities Universal Terms of Service agreements –Resolve suspended domains to antiphishing education page

13 Who is "we"? More than SSAC, more than ICANN SSAC's role –Publish its findings –Share information with antiphishing and anticrime groups –Make recommendations to the ICANN Board ICANN –work with registries and registrars on aspects of domain name registration and DNS that abet double flux in matters of policy and common/best practices Constituencies and communities –Education and outreach to ISPs, broadband Internet users, businesses

14 SSAC Findings Fast flux hosting exploits domain name resolution and registration services to abet illegal activities Fast flux hosting hampers current methods to detect and shut down illegal web sites Current methods to thwart fast flux hosting by detecting and dismantling botnets are not effective Frequent modifications to NS records and short TTLs in NS A records in TLD zone files can be monitored to identify possible abuse Effective countermeasures against fast flux include enforcing a minimum TTL > 30 minutes and blocking, rate-limiting, and monitoring to detect automated changes to DNS info

Download ppt "Fast Flux Hosting and DNS ICANN SSAC What is Fast Flux Hosting? An evasion technique Goal of all fast flux variants –Avoid detection and take down of."

Similar presentations

Dynamics of Online Scam Hosting Infrastructure

Dynamics of Online Scam Hosting Infrastructure
11/20/09 ONR MURI Project Kick-Off 1 Network-Level Monitoring for Tracking Botnets Nick Feamster School of Computer Science Georgia Institute of Technology.

11/20/09 ONR MURI Project Kick-Off 1 Network-Level Monitoring for Tracking Botnets Nick Feamster School of Computer Science Georgia Institute of Technology.
1 Dynamics of Online Scam Hosting Infrastructure Maria Konte, Nick Feamster Georgia Tech Jaeyeon Jung Intel Research.

1 Dynamics of Online Scam Hosting Infrastructure Maria Konte, Nick Feamster Georgia Tech Jaeyeon Jung Intel Research.
ICANN SSAC, Cairo Nov 2008 Page 1 Summary of Fast Flux Dave Piscitello ICANN SSAC.

ICANN SSAC, Cairo Nov 2008 Page 1 Summary of Fast Flux Dave Piscitello ICANN SSAC.
Supplied on \web site. on January 10 th, 2008 Customer Security Management Reducing Internet fraud June 1 st, 2008 eSAC Walk Thru © Copyright Prevx Limited.

Supplied on \web site. on January 10 th, 2008 Customer Security Management Reducing Internet fraud June 1 st, 2008 eSAC Walk Thru © Copyright Prevx Limited.
© 2003 Public Interest Registry Whois Workshop Introduction to Registry/Registrar Issues Presented by Bruce W. Beckwith VP, Operations June 23, 2003 Serving.

© 2003 Public Interest Registry Whois Workshop Introduction to Registry/Registrar Issues Presented by Bruce W. Beckwith VP, Operations June 23, 2003 Serving.
Margie Milam Senior Policy Counselor ICANN 1 ( All views expressed are my own)

Margie Milam Senior Policy Counselor ICANN 1 ( All views expressed are my own)
Addressing spam email and enforcing a Do Not Email Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.

Addressing spam and enforcing a Do Not Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.
COMPUTER BASICS METC 106. The Internet Global group of interconnected networks Originated in 1969 – Department of Defense ARPANet Only text, no graphics.

COMPUTER BASICS METC 106. The Internet Global group of interconnected networks Originated in 1969 – Department of Defense ARPANet Only text, no graphics.
Phishing (pronounced “fishing”) is the process of sending e-mail messages to lure Internet users into revealing personal information such as credit card.

Phishing (pronounced “fishing”) is the process of sending messages to lure Internet users into revealing personal information such as credit card.
Trojan Horse Program Presented by : Lori Agrawal.

Trojan Horse Program Presented by : Lori Agrawal.
 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.

 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.
Introduction to Security Computer Networks Computer Networks Term B10.

Introduction to Security Computer Networks Computer Networks Term B10.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Registrars and Security Greg Rattray Chief Internet Security Advisor.

Registrars and Security Greg Rattray Chief Internet Security Advisor.
CSC586 Network Forensics IP Tracing/Domain Name Tracing.

CSC586 Network Forensics IP Tracing/Domain Name Tracing.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.
Threat infrastructure: proxies, botnets, fast-flux

Threat infrastructure: proxies, botnets, fast-flux
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

Similar presentations

Ads by Google