Fast flux is a technique used to conceal a botnet server’s location by using short TTL values in the DNS header. It allows servers to join and drop off the network at a fast pace in order to escape detection.
- (Narrator) When a malicious program takes over an internet host, it can become a zombie. The host is unaware that they've been compromised. And zombies respond to instructions when signaled from the botmaster. A botnet is a network of millions of zombies. The botnet is remotely controlled through command-and-control servers. Botnets are dangerous and can launch Distributed Denial of Service attacks or propagate malware.
I'm at this website: Cyberthreat Real Time Map where we can see at any given time there's hundreds, if not millions, of attacks launched at any given time using botnets. With millions of zombies at their disposal we need some form of botnet control. The trend has been to move away from traditional command-and-control and move to decentralized command-and-control using peer to peer.
Peer to peer botnets use fast flux DNS. The fast flux switching method combines peer to peer networking, distributed command-and-control, proxy redirection, and web-based load balancing. Now normally a host's IP address doesn't change very often. But with fast flux DNS this uses alternate IP addresses to distribute traffic.
Fast flux DNS uses a 60-second time to live value to swap IP records. Servers join and drop off the network at a fast pace. A fast flux DNS network is difficult to detect and effective at eluding detection. Let's take a look at a normal DNS record and then we'll take a look at fast flux. Now here you see a DNS query and response.
I filtered this so we only see a couple of queries; a couple of responses. Now when we take a look at the query we'll drop down the response, and here we see the answers. The query was for ssl.gstatic.com. Then down below the time to live is 208. Now the time to live value in a DNS header is different than an IP header.
The time to live value in a DNS header says how many seconds it can live in the cache. So after 208 seconds have passed, you'll have to re-request the record. And here I have a fast flux capture. It was generated, but it gives us a good idea of what a fast flux DNS network would look like. Here you see simply query and response.
Let's take a look at the response. We'll drop down the DNS header, and I'll filter so I just get the responses. We'll right click on the flag - Response and now all I have is the responses. But now let's take a look at the responses. 50% of this capture are the responses, but here we see the domain name- allyourbasesarebelongto.cn.
And here, each of those has a separate IP address, which is very unusual. Let's take a look at the header and we'll drop down to the time to live. Here you see the time to live value is 60 seconds, which is indicative of a fast flux network. And all of those would have the same time to live value. So if you're seeing excessive DNS traffic on your network, you might do a quick capture and filter to see those records that have a time to live value of 60 seconds.
That is a fast flux network. Fast flux is a technique used to conceal a botnet server's location by using those short time to live values in the DNS headers and allows servers to join and drop off the network at a fast pace in order to escape detection.
- Trends in cyberattacks
- Preventing system compromise
- Analyzing packets
- Using Wireshark
- Creating firewall rules
- Baselining a network
- Using capture filters
- Using a ring buffer
- Handling OSI layer attacks
- Identifying attack signatures
- Using VirusTotal
- Handling unwanted TOR activity