
Fast flux botnets

July 16th, 2007 Posted by D Webber

Researchers at the excellent Honeynet Project have published a detailed paper on the growing phenomenon of what they call “fast flux service networks”.

Essentially, criminals are now using DNS records with a short time-to-live that return hundreds of A records of compromised hosts. Both the NS records for the domain and the A records returned are changed rapidly (e.g. once every few minutes), making it more difficult to get a complete list of compromised hosts and to shut down the hosting name server.

Further, the A records may not point directly to the final destination server hosting the malware or phishing web site. Instead they may point to a compromised host that either redirects the victim elsewhere or proxies the HTTP traffic to the actual destination. What fun! SecurityFocus has more discussion here.

This greatly complicates tracking down compromised hosts and the command and control centers that direct their malicious activities. Imagine how much this also complicates the task of explaining the network to a jury.

There is hope in detecting these DNS tricks. The fast flux service networks paper describes some ways an IDS could be used. It should be possible to identify DNS replies that return hundreds of IPs for one name, have a very short time-to-live, and also return different A and NS records on subsequent queries. Rotating NS records would seem to be a dead giveaway… as far as I’ve seen those rarely change in legitimate DNS records.
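To make the indicators above concrete, here is an added example (my own code, not from the post or the Honeynet Project) that scores the answer history of one name against them: short TTL, many distinct A records, and A or NS sets that change between consecutive queries. The two histories it analyses are constructed, and the thresholds, weights and the informational /16 count are assumptions chosen to illustrate the idea, not values from the paper. It also shows the caveat a real deployment hits immediately: a CDN-style name with a short TTL and rotating A records but stable NS records scores below the bar.

```python
"""Fast-flux DNS heuristics over a sequence of observed answers.

Added example, not code from the original post or the Honeynet Project.
The observations below are constructed; thresholds and weights are
assumptions chosen to illustrate the indicators the post lists.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List


@dataclass(frozen=True)
class DnsObservation:
    """One DNS answer for `name` seen at a sensor at time `ts` (seconds)."""
    name: str
    ts: int
    ttl: int
    a_records: FrozenSet[str]
    ns_records: FrozenSet[str]


@dataclass
class FluxReport:
    name: str
    min_ttl: int
    distinct_ips: int
    distinct_slash16: int   # informational only (assumed heuristic, not scored)
    a_churn: float          # fraction of consecutive answers whose A set changed
    ns_churn: float         # same for the NS set
    score: int
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3


def _churn(sets: List[FrozenSet[str]]) -> float:
    """Fraction of consecutive answer pairs in which the record set changed."""
    pairs = list(zip(sets, sets[1:]))
    if not pairs:
        return 0.0
    return sum(1 for a, b in pairs if a != b) / len(pairs)


def analyse(obs: List[DnsObservation], ttl_threshold: int = 300,
            ip_threshold: int = 20) -> FluxReport:
    """Score one name's answer history against the post's indicators:
    short TTL, many A records, and A/NS sets that change between queries.
    Thresholds and weights are assumptions, not values from the paper."""
    if not obs:
        raise ValueError("no observations")
    obs = sorted(obs, key=lambda o: o.ts)
    all_ips = set().union(*(o.a_records for o in obs))
    slash16 = {".".join(ip.split(".")[:2]) for ip in all_ips}
    rep = FluxReport(
        name=obs[0].name,
        min_ttl=min(o.ttl for o in obs),
        distinct_ips=len(all_ips),
        distinct_slash16=len(slash16),
        a_churn=_churn([o.a_records for o in obs]),
        ns_churn=_churn([o.ns_records for o in obs]),
        score=0,
    )
    # NS rotation alone is treated as decisive (the post calls it a dead giveaway).
    if rep.ns_churn > 0:
        rep.score += 3
        rep.reasons.append("NS records change between queries")
    if rep.min_ttl <= ttl_threshold:
        rep.score += 1
        rep.reasons.append(f"TTL {rep.min_ttl}s <= {ttl_threshold}s")
    if rep.distinct_ips >= ip_threshold:
        rep.score += 1
        rep.reasons.append(f"{rep.distinct_ips} distinct A records seen")
    if rep.a_churn >= 0.5:
        rep.score += 1
        rep.reasons.append(f"A set changed in {rep.a_churn:.0%} of consecutive answers")
    return rep


def constructed_flux_history(name: str = "flux.example.invalid") -> List[DnsObservation]:
    """Constructed: five answers two minutes apart, TTL 180, ten A records each
    drawn from a rotating pool of thirty hosts spread over thirty /16s, and two
    NS sets alternating between answers."""
    pool = [f"10.{i}.{(i * 3) % 256}.{(i * 7) % 256}" for i in range(1, 31)]
    ns_sets = [frozenset({"ns1.flux.example.invalid", "ns2.flux.example.invalid"}),
               frozenset({"ns3.flux.example.invalid", "ns4.flux.example.invalid"})]
    return [DnsObservation(name, 120 * k, 180,
                           frozenset(pool[(10 * k + j) % len(pool)] for j in range(10)),
                           ns_sets[k % 2])
            for k in range(5)]


def constructed_cdn_history(name: str = "cdn.example.invalid") -> List[DnsObservation]:
    """Constructed: a CDN-like name with a short TTL and answers that alternate
    between two small address pairs in one /16, but stable NS records."""
    ns = frozenset({"ns1.cdn.example.invalid", "ns2.cdn.example.invalid"})
    return [DnsObservation(name, 120 * k, 60,
                           frozenset({f"192.0.2.{10 + k % 2}", f"192.0.2.{20 + k % 2}"}),
                           ns)
            for k in range(5)]


if __name__ == "__main__":
    for history in (constructed_flux_history(), constructed_cdn_history()):
        r = analyse(history)
        print(f"{r.name}: suspicious={r.suspicious} score={r.score} "
              f"ips={r.distinct_ips} /16s={r.distinct_slash16} "
              f"ttl={r.min_ttl} a_churn={r.a_churn:.2f} ns_churn={r.ns_churn:.2f}")
        for reason in r.reasons:
            print("   -", reason)
```

Run it as a script and the flux history scores 6 (NS rotation plus all three weaker indicators) while the CDN-like history scores only 2 (short TTL and A churn, stable NS). Feeding it real passive-DNS observations means populating `DnsObservation` from your sensor's decoded answers; the weights are the part you would expect to tune against your own baseline of legitimate names.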

There’s an interesting study of DNS anomalies done by researchers at the University of Auckland that examines DNS issues, including fast flux domains and determining the “reputation” of domains and IPs by logging DNS traffic.

Posted in Malware