How Do We Stop Fast Flux Networks?

Botnets change quickly to avoid being taken down. Larry Seltzer assesses a move to combat them – and says more could be done

At least the report explicitly recognises the heart of why criminals use fast flux: it prolongs the life of an attack. The report cites a paper by Tyler Moore and Richard Clayton of Cambridge, who measured that fast flux attacks last at least twice as long as attacks that do not use fast flux.

ICANN’s work in this is hardly the first attempt to study fast flux networking or how to stop it. The ubiquitous Gadi Evron started a conversation on the subject three years ago (work that was not credited in the ICANN report; for shame, for shame…). I was in on the discussions then and it was clear that the main obstacle to taking down such networks was lazy and/or complicit domain name registrars, although many registrars were, and still are, responsive to responsible reports of abuse from responsible agencies. Organisations Evron was involved with had success in taking down some networks, but not others. The ICANN report states that “[N]o registrar has been prosecuted for facilitating criminal activities related to fast flux domains, but there have been reports linking one ICANN-accredited registrar to a large number of fraudulent domains including fast flux domains.” I’m not at all surprised.

The report may say that registrars and resellers only “have the appearance of facilitation of fast flux domain attacks”, but the fact is that they have created an environment that invites abuse. They too often simply do not maintain staff and policies adequate to prevent even the most blatant abuses from taking place.

Personally, I think it’s worse than this. I know from personal experience that some registrars ignore clear evidence of abuse unless they’re forced to react.

Absent any crackdown on registrars, it’s worth noting that quick take-downs could be performed effectively at the registry level: the registry operates the zone for the top-level domain, so a suspension there takes effect regardless of which registrar sold the domain. I’ve always liked this approach because it’s so efficient, but there doesn’t seem to be a lot of stomach for it. Ideally you’d only want a registry to take down a domain when the registrar, the company with whom the registrant has a relationship, is unresponsive. If a registrar is that unresponsive to a clear policy process (none of which exists yet, of course) then things are bad and it deserves serious scrutiny.

I asked Gadi Evron about all this again and he reminded me that there are responsible registrars and registries out there: “I am pleased with ICANN’s continuing work on this subject, which I’ve had the pleasure to help initiate with Steve Crocker a couple of years ago. While their progress is essential, the part of the [registrar] industry which sees the need has not been waiting for consensus, and takes care of these issues under their own authority.” Unfortunately, one bad, unresponsive registrar can do a lot of damage.

The working group does list “accelerated domain suspension processing in collaboration with certified investigators/responders” as one of the possible ways to work on the problem. Given how conservative ICANN is often inclined to be, this is the best we could hope for, and if the policy has teeth to enforce these rules it could make a practical difference. This is what we were talking about three years ago with Gadi Evron’s group. But this approach was not the working group’s conclusion; we’re still too early in the ICANN process to go that far. It’s just one of the proposed reactions. The “Interim Conclusions” of the report are (unsurprisingly) that more study is needed. That’s something anyone can say if they don’t think that hardened networks of malicious systems are an urgent problem.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s blog Cheap Hack.