Fast Flux DNS And How Online Criminals Stay Hidden

Have you ever wondered how online criminals are able to stay hidden so well? And have you ever wondered why online crimes such as phishing, hacking, botnets and hosting of malicious / offensive content are still very common and show no signs of being controlled? Well, just one of the many techniques that online criminals use is fast flux DNS. Before we get into the gory details of fast flux DNS, let’s just have a very brief overview of what DNS is for those who don’t already know.

DNS – The Basics

DNS (Domain Name System) is the protocol used on the Internet to convert a domain name into its IP address. The whole fabric of the Internet operates on IP addresses. Every device that communicates on the Internet has an IP address. Domain names and DNS were introduced to make the Internet more user-friendly. Can you imagine having to remember IP addresses for a website? It wouldn’t happen; this is where DNS comes in.

Fast Flux DNS – The Basics

Fast flux DNS is the method of changing a DNS record for a host or multiple hosts at a very fast rate, sometimes as often as every five minutes. DNS records can be updated as frequently as required. More advanced techniques, such as round-robin, enable a DNS record to point to multiple IP addresses. In most cases a very short TTL (Time-To-Live) value is used. This value governs how long a DNS record remains valid before it expires. With very short values, a new DNS lookup is performed often, so the end user is always directed to the most up-to-date IP address for that domain name.

Fast Flux DNS – A Real World Example

Consider this scenario. Have you ever come across a phishing site? You may have done and not even realised it. A phishing site is a replica of a legitimate website that is set up to steal people’s usernames, passwords or, even worse, credit card numbers and bank details. In the latter case, this is fraud and considered a criminal activity. If a criminal set up a phishing site that uses a simple DNS record to convert the domain name into a single IP address, it wouldn’t be long before the hosting company was contacted or the IP address was blacklisted and possibly shut down or made non-routable. This would depend heavily on the way in which the criminal had hosted the content. Regardless, such a site would be very easy to shut down, and the criminal’s efforts would be rather futile, as the phishing website wouldn’t last very long.

Now let’s consider the same scenario but with fast flux DNS. Within half an hour, a phishing website could have pointed to five or six different IP addresses, possibly even more. Trying to blacklist these IP addresses or shut down hosts would be a very difficult task due to the rate of change. By the time a malicious host is detected, the DNS record for the phishing website will already be pointing to another malicious host.

[Figure: Fast Flux DNS Diagram, an example of how a fast flux DNS network operates.]

Fast Flux DNS and Botnets

You may be wondering how all this is possible. How can a hacker or criminal have access to this many hosts to serve content from? They must have thousands of systems to make this kind of system effective, right? This is where botnets come into play. A botnet is essentially a number of “zombie” computers. These are regular computers, home or office, that are infected with a virus and have become part of the botnet. In most cases, people won’t even realise their computer is being used to serve malicious content. It is in the criminal’s best interests to be as inconspicuous as possible and, as such, the virus is usually well hidden, hard to detect and does not make itself noticed easily.

Sometimes, criminals can have access to botnets that consist of hundreds of thousands of infected computers (in some cases a million plus) which are located all over the world. This can make them even harder to detect since there is often no geographical pattern. The other issue here is that these hosts cannot be shut down in the normal sense, since they are merely victims of a computer virus and usually have no idea that they are an accessory to a crime.

The entire fast flux DNS system for an online criminal is usually built upon computers that are part of the botnet. The domain names may be registered from infected computers, the NS records (NS means name server, these are the ‘top level’ records that govern all the other DNS records for a given domain name) themselves point to infected hosts, and the end hosts serving the content are also part of the botnet.

From a security point of view, this kind of setup is an absolute nightmare to unravel and get to the bottom of. In a lot of cases criminals will simply go undetected, as a network of infected computers and fast flux DNS offers them a great deal of anonymity. Online security firms have a great deal of trouble dealing with this and have still not been able to put a stop to it, or even slow down its widespread use.
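The traits described above (very short TTLs, five or more addresses within half an hour, hosts scattered with no geographical pattern) can be combined into a simple detection heuristic. The following is an added example, not code from the original article: the passive-DNS log is constructed, 10.x addresses stand in for public hosts, and the /16 prefix as a proxy for "different network" and the four-network threshold are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed passive-DNS log: (seconds since first sighting, domain, A record, TTL).
# Names use the reserved .example TLD; 10.x addresses stand in for public hosts.
FLUX_IPS = ["10.12.3.4", "10.87.44.9", "10.140.7.21",
            "10.201.90.5", "10.33.8.77", "10.250.1.14"]
CDN_IPS = ["10.5.0.1", "10.5.0.2", "10.5.1.3", "10.6.0.1", "10.5.2.9", "10.6.0.2"]
OBSERVATIONS = (
    [(i * 300, "secure-login.example", ip, 300) for i, ip in enumerate(FLUX_IPS)]
    + [(i * 60, "static.example", ip, 60) for i, ip in enumerate(CDN_IPS)]
    + [(0, "blog.example", "10.9.9.9", 3600), (1500, "blog.example", "10.9.9.9", 3600)]
)


def flux_features(observations, window=1800):
    """Summarise each domain's answers seen within `window` seconds."""
    seen = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for ts, domain, ip, ttl in observations:
        if ts >= window:
            continue
        entry = seen[domain]
        entry["ips"].add(ip)
        # Assumption: the /16 prefix is a crude stand-in for "different network".
        entry["nets"].add(ip_network(f"{ip}/16", strict=False))
        entry["ttls"].append(ttl)
    return {
        domain: {"distinct_ips": len(e["ips"]),
                 "distinct_nets": len(e["nets"]),
                 "min_ttl": min(e["ttls"])}
        for domain, e in seen.items()
    }


def looks_like_fast_flux(f, max_ttl=300, min_ips=5, min_nets=4):
    """Short TTL alone also matches CDNs, so require churn across many networks."""
    return (f["min_ttl"] <= max_ttl
            and f["distinct_ips"] >= min_ips
            and f["distinct_nets"] >= min_nets)


def classify(observations):
    return {d: looks_like_fast_flux(f) for d, f in flux_features(observations).items()}


if __name__ == "__main__":
    for domain, flagged in classify(OBSERVATIONS).items():
        print(domain, "suspected fast flux" if flagged else "ok")
```

The second sample domain rotates through as many addresses with an even shorter TTL, but stays inside two networks, which is why it is not flagged.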

Fast Flux DNS – The Weak Spot

Ultimately, the weak spot in this entire system is usually the domain name; this is the top level. There might be hundreds or thousands of hosts underneath the domain name which are ready to serve content for it; however, with the domain name gone, none of this is achievable since. ICANN, the organisation responsible for the registering of domain names, wrote a report on fast flux hosting which you can read here. Be warned, it’s a long read and contains some rather specific terminology which may confuse you!

Most sophisticated online criminals have realised that the domain name is the weak spot and, as a result, they will register many (sometimes hundreds or thousands) and use a system of distributing their malicious content through them. Until ICANN is able to respond to abuse reports more quickly, or to bring in better measures to ‘vet’ the registering of domain names, the fast flux DNS system used by online criminals is here to stay.
