North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

[operational update] Fast-Flux (fast IP changing hosts)

  • From: Gadi Evron
  • Date: Sat Feb 18 20:15:46 2006


[X-posted]

I figure it's a good idea to update the ops community on a new term called Fast-Flux.. but for that you need a bit of background.

There have been three *main* new phishing tricks used over the past year.. which will bring us to what interests us...

POST information in the mail message
------------------------------------
That means that the user fills his or her data in the HTML email message
itself, which then sends the information to a legit-looking site.

The problem with that, is how do you convince an ISP that a real
(compromised) site is indeed a phishing site, if there is no
phishy-looking page there, but rather a script hiding somewhere?

Trojan horses
-------------
This is an increasing problem. People get infected with these bots,
zombies or whatever else you'd like to call them and then start sending
out the phishing spam, while alternating the IP address of the phishing
server.

Now..
Which brings us to...

Fast-Flux
---------
Fast Flux is a term coined in the anti spam world to describe such
Trojan horses' activity.

The DNS RR leading to the phishing server keeps changing, with a new IP
address (or 10) every 10 minutes to a day.

Trying to keep up and eliminate these sites before they move again is
frustrating and problematic, making the bottle-neck the DNS RR which
needs to be nuked.

At times this is even on the domain level itself, making termination/suspension of the domain critical.

This has been seen before, but before this past year mostly in POC's. This is mostly known is closed communities, and needs some public light.

A lot more data and test cases out there, but I figure this is enough for now..

Gadi.

--
http://blogs.securiteam.com/

"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.