Years ago, attackers would often have one or two really important machines that were the centerpiece of their criminal money-making schemes. The bad guys, thus, often faced one or more single points of failure in their criminal infrastructures. A phisher's imposter Web site could be taken out. A spammer's mail server could be added to a blacklist. And for bot-herders, an IRC server, historically used by many botnets to distribute commands to all of the bot-infected hosts, could be shut down.
So, how have today's enterprising bot-herders, making millions of dollars from their criminal empires, responded to the single points of failure? Two words: fast flux.
Since the summer of 2007, there has been an explosion of large-scale fast-flux botnets. With this technique, bad guys can leverage thousands of disposable drone machines as intermediaries, rapidly swapping among different systems, confounding investigators who try to trace back a constantly fluctuating set of targets.
Fast flux in action
Let's focus on a phishing scenario, in which data thieves have a Web server that pretends to be a big bank. We'll call this machine "EvilServer," with an IP address of w.x.y.z.
To solicit customers to this fake bank, the attacker dupes users to click on a link distributed in email, one that's associated with some domain name that the attacker controls. Let's call this domain name www.fakebank.com. (I know that name isn't convincing, but stick with
In normal phishing attacks, the name in the link (www.fakebank.com) will resolve to w.x.y.z, the address of EvilServer. Thus, if users click on the link, they'll connect directly to it. But, with fast flux, www.fakebank.com will not refer in any way to EvilServer.
Instead, the DNS server associated with www.fakebank.com uses a technique called round-robin DNS. Round-robin DNS allows numerous IP addresses, often five or more, in a response to a single DNS query for a single name. Round robin DNS isn't evil; it was created for load balancing across multiple servers. Fast-fluxers, however, can abuse round-robin DNS, sending responses for www.fakebank.com and mapping the site to several IP addresses, which we'll call a.b.c.d, e.f.g.h, i.j.k.l, and so on.
If users then click on the www.fakebank.com link, their browser will try to connect to a Web server at one of these IP addresses. The machines at those addresses, however, are actually bot-infected victim machines, and they are running a transparent Web proxy. When a Web request is received, each Web proxy running on a victim machine sends the Web request to the EvilServer at w.x.y.z.
But, it doesn't stop there -- after all, this technique is called "Fast Flux." An attacker can set the round-robin DNS records to have very short Time To Live (TTL) values. The DNS TTL indicates how long the DNS client should hold on to a record before it is discarded. With fast flux, the bad guys time-out their DNS records quickly, often setting the TTL between 3 and 10 minutes. What's more, they constantly stuff new DNS entries with the IP address of other bot-infected machines that act as a proxy.
All of this DNS and proxy jujitsu makes it difficult for researchers to find EvilServer. When a diligent examiner asks various ISPs to take down the machine at the IP address a.b.c.d, for example, he or she finds out that it is an infected consumer machine with a Web proxy, not the actual fake bank.
Suppose the investigator convinces the ISP to block traffic to a.b.c.d. If that person clicks on the link again, he or she now goes to e.f.g.h, and the fake bank is still there! The examiner can go on and on, playing whack-a-mole with a bunch of proxies, but the bad guy keeps loading IP addresses with short TTLs, round-robinning them for the name www.fakebank.com.
So why don't investigators take down the DNS server that the bad guy uses to resolve www.fakebank.com? First off, some bad guys use commercial DNS services from companies that ignore such take-down requests. Fast-fluxers also choose ISPs in countries with lenient, if any, cybercrime laws. Attackers have also devised double-flux techniques, where the authoritative DNS server for the domain changes continuously.
Investigating fast-flux attacks in enterprise environments
Most enterprises don't need to know or care if fast-flux techniques are being used against them. They merely need to address phishing and bots generally: educating users to avoid bad links, updating patches and antivirus signatures, and limiting inbound and outbound network traffic at firewalls.
That said, if you do want to investigate possible fast-flux techniques, here are some approaches. Go to the great DNSstuff tools page, and paste the URL of a phishing email into the URL Deobfuscator field. This simple Web app turns bizarrely encoded URLs into something that we humans can better understand.
Now, from your unobscured URL, take the domain name and look up its associated IP address; you can use DNSstuff's "DNS Lookup" option. If you get a bunch of address records -- known as "A" records -- all mapped to the exact same name, you've likely got some form of round-robin DNS going on. Also investigate the TTL fields; anything less than 600 (ten minutes) is suspiciously low. But, some legitimate banks do use round-robin DNS and short TTLs. To see if fast flux is in use, do another DNS Lookup 10 minutes later. Check to see if a whole new set of address records/IP addresses shows up.
To use built-in Windows tools for analyzing DNS records, get a domain name loaded into your machine's DNS cache. Ping the domain name, as in "ping www.fakebank.com".
Once the record is in your DNS cache, run the "ipconfig /displaydns" command to display it. The cache should include the TTL values for each domain record. Note that you can re-run this command every second or so and watch the TTLs decrease. To flush the entries so that you can focus your analysis, run "ipconfig /flushdns". Then, re-ping your host to get it reloaded into the cache, and run "ipconfig /displaydns".
If the records' TTL is a short number, record its IP address(es), wait for the record to expire, and ping the target again. If your cache shows a constant shifting of IP addresses, you may have encountered a fast-flux environment.
To investigate further, go back to the DNSstuff tools Web site and use its Whois lookup tool. Whois lookups, although not always accurate, can provide insight into the people, location and organization associated with a given domain name or even IP address.
Enter the domain name and see if its results make sense. Is it a long-standing domain registered to an organization that looks trustworthy? Or, is it a recently registered domain name for someone in a faraway country not known for hosting a lot of trustworthy banks? You can also perform Whois lookups on the "ipconfig /displaydns" IP addresses. Do you get a bunch of entries associated with consumer ISPs? If so, these systems are probably bot-infected hosts on ISP networks. You may want to report the potential botnet to your ISP or to the folks at the Anti-Phishing Working Group (APWG), who take a keen interest in late-breaking phishing attacks.
About the author:
Ed Skoudis is a SANS instructor and a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions related to information security threats.
This was first published in January 2008