
Peering into Fast Flux Botnet Activity

Jose Nazario

Together with Thorsten Holz, I recently published a paper on fast flux botnet behaviors, "As the Net Churns: Fast-Flux Botnet Observations," based on data we gathered in our ATLAS platform. Fast flux service networks use a botnet to spread the front end of a malicious website across infected PCs. The zombies are advertised in DNS records controlled by the botnet and act as web proxies: each one accepts the inbound request from a victim and relays the content from a central machine, often dubbed the mothership. At any moment the botnet advertises only a small fraction of its bot population in this DNS map and uses it to lure in new victims. One of the best known fast flux botnets has been the Storm Worm botnet, which uses its zombies to send spam, send out new enticements to infect users, and host the malicious website that delivers the malcode. Botnet operators use fast flux hosting to thwart takedown of their key infrastructure and to deny analysts the chance to inspect the central malicious content server. These sorts of hosting schemes are often resold as bulletproof hosting for a variety of illegal activities.

ATLAS is our data repository; botnet activity tracking is one of its main focuses, and we added fast flux botnet tracking to it earlier this year. The system gathers data by actively polling DNS servers for suspected fast flux domain names and recording the answers. Briefly, we watch domain names spammed in email messages and used by malcode and screen them for fast flux characteristics: a very short time to live (TTL), a wide dispersal of hosts that constantly change, and other factors consistent with past fast flux botnet behavior. Once a name passes the screening, ATLAS enters it into a polling loop to gather as many answers for it as possible over time. ATLAS stops tracking the name only after it fails to resolve or stops changing, which suggests that it has been disabled. The IP addresses associated with a domain name over time are the members of the botnet.
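To make the screening and the polling loop concrete, here is an added example (not ATLAS code; the thresholds, the /16 stand-in for network dispersal and the DNS answers are my assumptions and constructed data, not figures from the paper) that applies those criteria to polled answers and tracks a candidate name until it stops resolving or stops changing:

```python
"""Fast-flux screening and tracking over polled DNS answers.

Added example (not ATLAS code).  It applies the screening criteria from the
post, a very short TTL and a wide, constantly changing set of A records, to
constructed answers and then polls a candidate until it stops resolving or
stops changing.  All thresholds are illustrative assumptions, not the paper's.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Sequence


@dataclass(frozen=True)
class Answer:
    """One poll of a name's A records: the TTL and the addresses returned."""
    ttl: int
    ips: FrozenSet[str]


# Assumed thresholds.  A /16 prefix count stands in for AS dispersal so the
# example needs no routing data.
MAX_TTL = 300          # seconds; flux names use TTLs of a few minutes or less
MIN_UNIQUE_IPS = 10    # distinct addresses over the screening window
MIN_PREFIXES = 5       # distinct /16 networks among those addresses
MAX_STABLE_POLLS = 3   # unchanged answers in a row before tracking stops


def prefix16(ip: str) -> str:
    """'198.51.100.7' -> '198.51' (a coarse stand-in for the origin network)."""
    return ".".join(ip.split(".")[:2])


def flux_features(answers: Sequence[Answer]) -> dict:
    """Summarise a window of answers with the features the screening uses."""
    ips = set().union(*(a.ips for a in answers))
    return {
        "min_ttl": min(a.ttl for a in answers),
        "unique_ips": len(ips),
        "prefixes": len({prefix16(ip) for ip in ips}),
        # polls whose A record set differed from the previous poll
        "changes": sum(1 for p, c in zip(answers, answers[1:]) if p.ips != c.ips),
    }


def is_fast_flux(answers: Sequence[Answer]) -> bool:
    """A short TTL alone is not enough: CDNs use short TTLs too, but rotate a
    small pool inside one network, so dispersal and churn are also required."""
    if not answers:
        return False
    f = flux_features(answers)
    return (f["min_ttl"] <= MAX_TTL
            and f["unique_ips"] >= MIN_UNIQUE_IPS
            and f["prefixes"] >= MIN_PREFIXES
            and f["changes"] >= 1)


def track(domain: str, poll: Callable[[str], Optional[Answer]]):
    """Polling loop: accumulate the IPs seen for a flux name (the botnet
    members) until it stops resolving or stops changing."""
    members, last, stable, polls = set(), None, 0, 0
    while True:
        answer = poll(domain)          # None models NXDOMAIN / SERVFAIL
        polls += 1
        if answer is None:
            return members, polls, "stopped resolving"
        members |= answer.ips
        stable = stable + 1 if answer.ips == last else 0
        if stable >= MAX_STABLE_POLLS:
            return members, polls, "stopped changing"
        last = answer.ips


def scripted_poller(script: Sequence[Optional[Answer]]):
    """Replay a constructed list of answers in place of real DNS queries."""
    it = iter(script)
    return lambda _domain: next(it, None)


# Constructed data (not observed traffic).  20 flux bots, each in its own /16;
# every poll advertises five of them and the set shifts by four between polls.
FLUX_POOL = [f"{100 + i}.{i}.5.{i + 1}" for i in range(20)]
FLUX_POLLS = [Answer(180, frozenset(FLUX_POOL[(4 * k + j) % 20] for j in range(5)))
              for k in range(6)]
# CDN-like: the TTL is short, but only three addresses in one network rotate.
CDN_POLLS = [Answer(20, frozenset({"203.0.113.10", "203.0.113.11"})),
             Answer(20, frozenset({"203.0.113.11", "203.0.113.12"})),
             Answer(20, frozenset({"203.0.113.10", "203.0.113.12"}))]
# Static hosting: one address, day-long TTL.
STATIC_POLLS = [Answer(86400, frozenset({"192.0.2.8"}))] * 3


def demo():
    verdicts = {"flux": is_fast_flux(FLUX_POLLS),
                "cdn": is_fast_flux(CDN_POLLS),
                "static": is_fast_flux(STATIC_POLLS)}
    # The flux name is tracked until its last (constructed) poll fails to resolve.
    members, polls, reason = track("flux.example", scripted_poller(FLUX_POLLS + [None]))
    return verdicts, len(members), polls, reason


if __name__ == "__main__":
    print(demo())
```

The CDN-like name fails the screen despite its short TTL because its few addresses sit in one network, while the flux name passes and is tracked until the constructed poll that no longer resolves, by which point all 20 bots have been collected. In production the /16 heuristic would give way to an AS lookup and the thresholds would be tuned against known flux and known benign names.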

For our study we used six months of data gathered by ATLAS, representing nearly 1,000 unique domain names and 15 million unique IP address and domain name pairs. Using this data set we found the following:

  • Most fast flux domains are dormant for more than 30 days between registration and their use in a flux operation; domain name tasting, where a name is registered only for the five-day grace period in which the registration fee is fully refundable, does not appear to be a major factor in fast flux domain name use.
  • The global TLD distribution (.com, .cn, etc.) of fast flux domain names is now wider than originally reported by Holz and colleagues at NDSS 2008; the problem now touches significantly more registrars.
  • We can identify clusters of IP addresses and their associated hostnames, which shows how many names each botnet uses. We find only a handful of distinct botnets using fast flux methods.
  • Fast flux service networks support a wide variety of online crime activity, such as phishing, malcode delivery, casino advertisements, illegal or questionable pharmacy sites, and other activities.
  • Fast flux is a smaller-scale problem than is widely assumed: only a few thousand hosts globally are involved at any one time. The dollar value of the crimes it supports, however, is significant.
  • Hosts involved in fast flux service networks are extremely promiscuous, sometimes having hundreds or even thousands of domain names associated with them, because many active fast flux botnets use a large number of names.
  • Active DNS probing, which is commonly used to investigate fast flux botnet activity (and was used in our study), does not appear to be an effective or reliable measure of a botnet's size. We obtained only about 1% visibility into the Storm Worm botnet, and we have not been able to get size estimates for other botnets for comparison.
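The clustering and promiscuity findings above can be reproduced on the kind of (domain name, IP address) pairs ATLAS records. The following is an added example, not code from the paper or from ATLAS; the pairs are constructed from documentation address ranges, and the requirement that two names share at least two hosts before they are linked is my assumption, not the paper's method:

```python
"""Group fast-flux domain names into botnets by the hosts they share.

Added example (not ATLAS code) over constructed (domain, IP) pairs of the
kind ATLAS records.  Two names are linked when enough of the same hosts have
served both; the connected components are the "distinct botnets", and the
hosts carrying the most names are the promiscuous bots the post describes.
"""
from collections import Counter, defaultdict
from itertools import combinations
from typing import Dict, Iterable, List, Set, Tuple

# Assumption, not from the paper: a single shared address is too weak a link.
# One NATed or reassigned host, or a sinkhole, would otherwise fuse unrelated
# botnets into one cluster, so require at least two shared hosts per link.
MIN_SHARED_IPS = 2


def ip_index(pairs: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """IP -> set of domain names seen resolving to it."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for domain, ip in pairs:
        index[ip].add(domain)
    return index


def cluster_domains(pairs: List[Tuple[str, str]],
                    min_shared: int = MIN_SHARED_IPS) -> List[List[str]]:
    """Connected components of domains; an edge needs min_shared common IPs."""
    shared: Counter = Counter()
    for domains in ip_index(pairs).values():
        for a, b in combinations(sorted(domains), 2):
            shared[(a, b)] += 1

    parent = {domain: domain for domain, _ in pairs}   # union-find forest

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for (a, b), count in shared.items():
        if count >= min_shared:
            parent[find(a)] = find(b)

    clusters: Dict[str, Set[str]] = defaultdict(set)
    for domain in parent:
        clusters[find(domain)].add(domain)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c))


def promiscuous_hosts(pairs: List[Tuple[str, str]], top: int = 3) -> List[Tuple[str, int]]:
    """Hosts ranked by how many distinct names they have served."""
    ranked = sorted(ip_index(pairs).items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(ip, len(domains)) for ip, domains in ranked[:top]]


# Constructed pairs (documentation address ranges, not observed data).
PAIRS = [
    # botnet 1: three pharmacy names rotating over four bots
    ("pharma-deals.example", "198.51.100.1"), ("pharma-deals.example", "198.51.100.2"),
    ("pharma-deals.example", "203.0.113.7"),
    ("cheap-meds.example", "198.51.100.2"), ("cheap-meds.example", "203.0.113.7"),
    ("cheap-meds.example", "192.0.2.9"),
    ("best-pills.example", "198.51.100.1"), ("best-pills.example", "192.0.2.9"),
    ("best-pills.example", "203.0.113.7"),
    # botnet 2: two phishing names on two other bots ...
    ("bank-login.example", "192.0.2.50"), ("bank-login.example", "192.0.2.51"),
    ("secure-verify.example", "192.0.2.50"), ("secure-verify.example", "192.0.2.51"),
    # ... plus one sighting on a botnet-1 host, the kind of weak link that
    # would merge the two botnets if a single shared IP were enough
    ("bank-login.example", "203.0.113.7"),
    # ordinary static hosting, unrelated to either
    ("static-site.example", "203.0.113.200"),
]

if __name__ == "__main__":
    for cluster in cluster_domains(PAIRS):
        print(len(cluster), cluster)
    print(promiscuous_hosts(PAIRS))
```

With the default minimum of two shared hosts the constructed data yields three clusters: the two botnets and the unrelated static site. Lowering min_shared to 1 lets the single sighting of bank-login.example on 203.0.113.7 fuse the two botnets, which is exactly the false merge a promiscuous host produces when run over millions of real pairs; the same index also ranks 203.0.113.7 as the most promiscuous host in the sample.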

We also anticipate that this dormant period between a domain name's registration and its activation can be used to identify names that resemble active fast flux names and to proactively disable them before they are put to use.

We have taken the analysis performed in the paper and expanded it into our ATLAS system. Its reports show distinct botnets grouped by domain name, infected hosts around the world, newly discovered domains, and the longest-lived domains. Our results are further strengthened by the increased visibility we have obtained in the months since the research was first conducted. We have now begun working with the registrar community to get fast flux domain names deactivated, and we continue to reach out to new registrars to combat this problem.

By Jose Nazario, Senior Security Researcher, Arbor Networks.

Related topics: ICANN, Malware, Security, Spam
