Home / Blogs

A Noteworthy Report on Fast Flux Hosting

Suresh Ramasubramanian

This very interesting document was released by ICANN's Generic Names Supporting Organization (GNSO) for public comment yesterday. And it asks some fundamental questions while at the same time pointing to sources such as the Honeynet Alliance's reports on fast flux.

It also points out the benefits of "legitimate" fast flux — such as its use by content distribution networks, or by DDoS protection systems. An additional use is of course a simple attempt at using multiple A records with short (< 1 minute) TTL in a basic attempt to load balance.

It would be interesting to see what registries and registrars can do to suppress malicious fast flux — such as due diligence to prevent fraudulent registration of domains (most if not all malicious fast flux domains are registered using stolen cards, and chargebacks of course hurt registrars far more than the revenue from these, or at least I hope so), and proactive action by registries to block registration of fastflux domains.

A lot of the fast flux domains also — it must be noted — use Whois privacy as a default where it is available (and some registrars have a very bad habit of inserting absolutely fake addresses into the Whois records, for Whois privacy — where others list their own business address and a clear note on the nature of this Whois privacy). Some of that ugly mess of a discussion is quite likely to be relevant here as well.

Questions that get asked in the report — some are quite probably rhetorical, and most of these do have suggested answers in the report — are below:

  • Who benefits from fast flux, and who is harmed?
  • Who would benefit from cessation of the practice and who would be harmed?
  • Are registry operators involved, or could they be, in fast flux hosting activities? If so, how?
  • Are registrars involved in fast flux hosting activities? If so, how?
  • How are registrants affected by fast flux hosting?
  • How are Internet users affected by fast flux hosting?
  • What technical (e.g. changes to the way in which DNS updates operate) and policy (e.g. changes to registry/registrar agreements or rules governing permissible registrant behavior) measures could be implemented by registries and registrars to mitigate the negative effects of fast flux?
  • What would be the impact (positive or negative) of establishing limitations, guidelines, or restrictions on registrants, registrars and/or registries with respect to practices that enable or facilitate fast flux hosting?
  • What would be the impact of these limitations, guidelines, or restrictions to product and service innovation?
  • What are some of the best practices available with regard to protection from fast flux?

By Suresh Ramasubramanian, Antispam Operations

Related topics: Cyberattack, Cybercrime, DDoS, DNS, Domain Names, Registry Services, ICANN, Malware, Policy & Regulation, Security, Spam, Top-Level Domains, Whois

 
   
WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

One thought on Fast Flux Richard Golodner  –  Jan 29, 2009 11:40 PM PDT

After reading the GNSO report on Fast Flux one of the problems I can see is that it breaks the ability of a network that uses IP based ACL's to limit access to their online resources. With Fast Flux, the bad guys can now have access to targets that may have been previously blocked by these controls. Granted a company should have many layers of protection such as firewalls, IDS and IPS, but I see a lot of smaller customers, not ISP's, that rely on IP based ACL's as part of their line of defense. With Fast Flux, these companies will now need to step up their game and determine other ways to protect themselves.

With budgets being tightened in all aras of IT, security staff will have to be extra dilligent in reading logs, scanning their nets for unusual activity and monitoring or prohibiting where users are allowed to go on the Internet which should be done anyway, as the money to increase netork protection via hardware may not be there. Explaining this to upper level mangement may be difficult until they are compromised by Fast Flux guided bots.

I can't count the times I have been told that "it cant happen here" or "why would someone try and attack us?" Often times I find the answer to that question is because the bad guys could and did.

Fast Flux does have it's place in the industry and we all take advantage of it. Content delivery networks, computer updates all use it.

My question is what can be done at the domain registry level to make it more difficult to for the bad guys to use Fast Flux as a means of continuing their criminal enteprises?

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Industry Updates – Sponsored Posts

LogicBoxes Launches the New Elite Reseller Program

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Afilias Acquires Premium TLDs .ARCHI, .BIO and .SKI

Effective Strategies to Build Your Reseller Channel (Webinar)

Radix Adds Dyn as a DNS Service Provider

Facilitating a Trusted Web Space for Financial Service Professionals

Ready or Not, 5 Big Tech Trends Headed Your Way

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

.STORE Grosses Over $1 Million Before the Close of Day 1

News.Markets: A Rising Star in the World of Financial Trading and New TLDs

Dyn Partners with the Internet Systems Consortium to Host Global F-Root Nameservers

Verisign Announces .コム Domain Names Are Now Available for Anyone to Register

NBA & NFL Teams Drive .store Sunrise Score to 647

Financial Industry Quick to Embrace New Top Level Domains

New TLD .STORE Crosses 500+ Sunrise Applications

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Meet Boston Ivy, Home to Some of the Most Specialized TLDs in the Financial Services Sector

Move Beyond Defensive Domain Name Registrations, Towards Strategic Thinking

Is Your TLD Threat Mitigation Strategy up to Scratch?

Sponsored Topics

Afilias

DNS Security

Sponsored by
Afilias
Afilias - Mobile & Web Services

Mobile

Sponsored by
Afilias - Mobile & Web Services
Port25

Email

Sponsored by
Port25
Verisign

Security

Sponsored by
Verisign