
Flux networks

A fast-flux network uses a variety of IP addresses and rotates them in rapid succession. All the IP addresses will point to one malicious domain name, but how users connect to that domain will vary.

The malicious domain the IP addresses rotate around is known as a typosquatting domain: it takes a popular domain name, such as that of a big brand, and adds a variation to it, such as a spelling variation. This way, attackers trick users into thinking they went to the site of a major bank or another retailer. But in reality, they landed on a phishing site located on the cybercriminals' server, ready to steal their information. Although the domain is consistent in terms of the site each user lands on, the IP address rotates constantly.

Botnets will deploy a variety of IP addresses with a malicious domain. Each will be live for just a few minutes before cycling to a new one, with the domain stealing credentials and other sensitive information as soon as users connect. Because the IP address constantly rotates, it is extremely difficult to identify the source and shut it down. The best way to deal with a fast-flux network is to prevent access to a compromised domain in the first place, but that is not always possible. Fast-flux networks are easy to set up but difficult to trace, and are likely to mislead investigators trying to get to the root cause. With IP addresses and random domains constantly rotating, it is a wild goose chase for authorities. Organizations should therefore do their best to detect and monitor for fast-flux networks. Common detection techniques include:

  • Fast-flux monitors: These help detect fast-flux and double-flux behaviors in real time. They examine activity, footprint, and time-to-live (TTL) indexes to determine whether or not a fast-flux or double-flux network is in use.
  • Evaluating domain servers' geographic distribution: Another common technique is examining the geographic distribution of the domain's servers. Rotating IP addresses and changing geographic locations can be a clue that a fast-flux network is in use.
  • Using machine learning (ML): ML is one of the most prominent current techniques for detecting fast-flux networks. By analyzing networks' temporal and DNS-based features, ML can help predict whether or not fast flux is in use.

Fast flux is a domain name system (DNS) based evasion technique used by cyber criminals to hide phishing and malware delivery websites behind an ever-changing network of compromised hosts acting as reverse proxies to the backend botnet master, a bulletproof autonomous system.

(Figure: Robtex DNS analysis of a fast-fluxing domain.)

It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and countermeasures. The fundamental idea behind fast flux is to have numerous IP addresses associated with a single fully qualified domain name, where the IP addresses are swapped in and out with extremely high frequency by changing DNS resource records; the authoritative name servers of the fast-fluxing domain are, in most cases, hosted by the criminal actor. Depending on the configuration and complexity of the infrastructure, fast-fluxing is generally classified into single, double, and domain fast-flux networks.

Fast-fluxing was first reported by the security researchers William Salusky and Robert Danford of The Honeynet Project in 2007; the following year, 2008, they released a systematic study of fast-flux service networks. Fast-fluxing remains an intricate problem in network security, and current countermeasures remain ineffective.
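As an added example (not part of the original post), the following Python sketch scores repeated A-record lookups on the activity, footprint and TTL signals that the detection techniques above rely on; the sample lookups, domain names and thresholds are constructed for illustration, and the /16 prefix stands in for the geographic spread a real monitor would take from GeoIP or ASN data.

```python
"""Heuristic fast-flux scoring over repeated DNS A-record lookups.
Sample data, domain names and thresholds are constructed for this example."""
from collections import namedtuple
from ipaddress import ip_address

# One observed A-record response: domain, observation time (s), TTL (s), answer IPs
Lookup = namedtuple("Lookup", "domain ts ttl ips")


def flux_features(lookups):
    """Reduce a domain's lookups to activity, footprint and TTL signals."""
    seen, turnover = set(), 0
    for lk in sorted(lookups, key=lambda l: l.ts):
        new = set(lk.ips) - seen
        turnover += len(new)          # IPs never returned before this lookup
        seen |= new
    # /16 prefixes as a coarse stand-in for network / geographic spread
    nets = {ip_address(ip).packed[:2] for ip in seen}
    return {
        "unique_ips": len(seen),                 # footprint: distinct answers
        "unique_nets": len(nets),                # footprint: distinct /16s
        "min_ttl": min(lk.ttl for lk in lookups),
        "activity": turnover / len(lookups),     # new IPs per lookup
    }


def is_fast_flux(lookups, min_ips=10, min_nets=5, max_ttl=300):
    """Flag low TTL plus many IPs across many networks plus steady churn.
    A CDN also has low TTLs, but its answers cluster in few networks and
    repeat between lookups, so it fails the footprint and activity checks."""
    f = flux_features(lookups)
    return (f["min_ttl"] <= max_ttl and f["unique_ips"] >= min_ips
            and f["unique_nets"] >= min_nets and f["activity"] >= 1.0)


# Constructed samples: a CDN-like domain returning the same four IPs from one
# network, and a flux-like domain returning five never-seen IPs per lookup.
CDN_SAMPLE = [Lookup("cdn.example", t, 60, ["203.0.113.%d" % i for i in range(1, 5)])
              for t in range(0, 240, 60)]
FLUX_SAMPLE = [Lookup("secure-login-bank.example", t, 180,
                      ["10.%d.0.%d" % (10 * n + j, j + 1) for j in range(5)])
               for n, t in enumerate(range(0, 720, 180))]

if __name__ == "__main__":
    for sample in (CDN_SAMPLE, FLUX_SAMPLE):
        print(sample[0].domain, flux_features(sample), is_fast_flux(sample))
```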
