Categories: Security

How Do We Stop Fast Flux Networks?

Even allowing for all the mistakes users make and all the effort criminals put in, you might wonder how the networks serving illicit software stay up at all. Plenty of people are trying to take them down, many of them capable and many with real authority. The answer is that botnets have defense mechanisms built in, and those mechanisms are often direct analogues of techniques legitimate networks use for load balancing and resilience, such as round-robin DNS and content delivery networks.

In the criminal world these are called "fast flux" networks. A number of characteristics define this type of network and explain why it is so hard to take down:

  • The entry point to the network is a domain name. Different users resolving that domain are handed different responding systems, each a compromised machine in the botnet.
  • The systems behind the domain have addresses from many ISPs and sit on many physical networks, typically scattered around the world, so no single provider or jurisdiction can cut them all off.
  • Nodes monitor each other's availability, so bots that have been cleaned up or taken offline are detected and dropped from the rotation.
  • The DNS records for the network carry very low TTLs (the "time to live" value; a low TTL means resolvers cache an answer only briefly and must re-query, so the set of addresses handed out can change every few minutes).
  • Extensive use is made of proxies. Users rarely, if ever, reach the actual host systems; instead they are served by a large pool of proxy nodes that relay traffic to the real back end.
  • The NS (name server) records in the domain's registration are themselves fluxed, so the authoritative name servers change as well as the hosts (commonly called "double flux").
  • The whole network is self-contained: the hosts, the proxies and the DNS servers all run on the botnet, with no hosting provider to send an abuse complaint to.
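As an added example (not code from the original article), the following Python script scores a domain against the characteristics listed above: the number of distinct addresses handed out, how many networks they span, the TTL, how much each answer differs from the previous one, and whether the NS records change too. The DNS observations are constructed sample data, not real captures; the /16-prefix stand-in for an ASN lookup, the weights and the threshold are assumptions chosen for illustration, and the names under `.test` are reserved test names.

```python
"""Fast-flux heuristic scorer (added example; not the article's own code).

Scores a domain on the characteristics the list above describes: many distinct
A records, spread across many networks, very low TTLs, churn between successive
answers, and name servers that change too (double flux). The DNS observations
are constructed sample data, not real captures; the /16 stand-in for an ASN
lookup, the weights and the threshold are assumptions chosen for illustration.
"""
from collections import namedtuple
from ipaddress import ip_network

# One observed DNS answer: time of the query (seconds), record type, TTL, rdata.
Observation = namedtuple("Observation", "ts rtype ttl rdata")

# Constructed sample 1: a fluxed domain. Every answer hands out a mostly new set
# of addresses spread over many networks, the TTL is three minutes, and the NS
# records rotate as well.
FLUX_OBS = [
    Observation(0, "A", 180, ["203.0.113.9", "198.51.100.7", "192.0.2.44", "10.8.0.5", "172.16.3.3"]),
    Observation(200, "A", 180, ["203.0.113.9", "10.99.1.1", "172.31.7.7", "192.168.5.5", "100.64.2.2"]),
    Observation(400, "A", 180, ["10.99.1.1", "203.0.113.200", "10.77.77.77", "172.20.9.9", "192.0.2.44"]),
    Observation(0, "NS", 180, ["ns1.example.test", "ns2.example.test"]),
    Observation(400, "NS", 180, ["ns7.example.test", "ns9.example.test"]),
]

# Constructed sample 2: a legitimate round-robin / CDN-style domain. The TTL is
# even lower, but the same three addresses in one network keep coming back and
# the name servers never change.
CDN_OBS = [
    Observation(0, "A", 60, ["198.51.100.10", "198.51.100.11", "198.51.100.12"]),
    Observation(200, "A", 60, ["198.51.100.11", "198.51.100.12", "198.51.100.10"]),
    Observation(400, "A", 60, ["198.51.100.12", "198.51.100.10", "198.51.100.11"]),
    Observation(0, "NS", 3600, ["ns1.cdn.test", "ns2.cdn.test"]),
    Observation(400, "NS", 3600, ["ns1.cdn.test", "ns2.cdn.test"]),
]


def network_of(ip, prefixlen=16):
    """Crude stand-in for an origin-AS lookup: the /16 that contains ip.
    A real detector maps each address to its ASN with a BGP/ASN data set,
    which is not embedded here (assumption)."""
    return str(ip_network(f"{ip}/{prefixlen}", strict=False))


def flux_features(observations):
    """Extract the flux indicators from a series of observed answers."""
    a_obs = sorted((o for o in observations if o.rtype == "A"), key=lambda o: o.ts)
    ns_obs = sorted((o for o in observations if o.rtype == "NS"), key=lambda o: o.ts)
    if not a_obs:
        raise ValueError("need at least one A-record observation")

    ips = set()
    for o in a_obs:
        ips.update(o.rdata)
    nets = {network_of(ip) for ip in ips}

    # A-record churn: fraction of each answer that was absent from the previous one.
    churn = [
        len(set(cur.rdata) - set(prev.rdata)) / len(cur.rdata)
        for prev, cur in zip(a_obs, a_obs[1:])
    ]

    # NS churn: how many name servers beyond one answer's worth were ever seen.
    ns_names = set()
    for o in ns_obs:
        ns_names.update(o.rdata)
    ns_per_answer = max((len(o.rdata) for o in ns_obs), default=0)

    return {
        "distinct_ips": len(ips),
        "distinct_nets": len(nets),
        "min_ttl": min(o.ttl for o in a_obs),
        "a_churn": sum(churn) / len(churn) if churn else 0.0,
        "ns_churn": (len(ns_names) - ns_per_answer) / ns_per_answer if ns_per_answer else 0.0,
    }


def flux_score(features):
    """Weighted sum of the indicators. Weights are illustrative assumptions;
    published detectors use the same idea with weights fitted to labelled data."""
    score = 1.0 * features["distinct_ips"]
    score += 3.0 * features["distinct_nets"]
    score += 10.0 * features["a_churn"]
    score += 10.0 * features["ns_churn"]
    # Low TTL is necessary for flux but not sufficient: CDNs use low TTLs too,
    # so it only adds a fixed bonus rather than dominating the score.
    if features["min_ttl"] <= 300:
        score += 10.0
    return score


def classify(observations, threshold=40.0):
    """Label a domain's observations; the threshold is an assumed cut-off."""
    return "fast-flux" if flux_score(flux_features(observations)) >= threshold else "normal"


if __name__ == "__main__":
    for name, obs in (("fluxed domain", FLUX_OBS), ("cdn-style domain", CDN_OBS)):
        feats = flux_features(obs)
        print(name, feats, flux_score(feats), classify(obs))
```

The point the two samples make is that TTL on its own does not separate flux from a CDN; the CDN-style domain has the lower TTL of the two. What separates them is the churn of addresses between answers, the spread across unrelated networks, and the rotating name servers, which is why a real detector needs several lookups over time and an ASN data set rather than a single query.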

The point of all of this is to make the network both hard to identify as a whole and nearly impossible to take down. Nearly, but not quite. The one weak spot in a fast flux network is the domain name. Take it down and the network itself still exists, but every link pointing to it breaks. The criminals must send out new links, and there may already be several domains pointing at the same infrastructure, so it is not completely down. Still, the most effective way to take down fast flux networks is to speed up the process by which their domains can be suspended.


Larry Seltzer
