Fast Flux is a DNS technique which involves frequent and rapid changing of the IP addresses associated with a Fully Qualified Domain Name (FQDN) by using a network of compromised hosts (bots) acting as reverse proxies.

The core concept of a Fast Flux network is to have multiple IP addresses associated with a domain name, and then to constantly swap those IP addresses in quick succession by changing the DNS A or AAAA records with a very low TTL value. These IP addresses belong to compromised hosts, which are known as bots or fast-flux agents. The Fast Flux technique is employed by the adversary (botmaster) to evade C&C server detection and IP-based blacklisting by hiding the C&C server behind a network of compromised hosts acting as reverse proxies. A Fast-Flux network ensures that a victim client only ever connects to fast-flux agents, never to the real C&C server.

There are two types of Fast-Flux Service Network: single-flux and double-flux.

Basics of Fast-Flux Service Network (FFSN):

To implement a fast-flux network, the attacker first leverages a botnet. The botnet contains thousands of bots, all of which are connected to the attacker's C&C server. The bots that take part in a Fast-Flux Network are also known as fast-flux agents. The main purpose of using the botnet is to employ thousands of bot machines (fast-flux agents) as reverse proxies. Basically, a fast-flux agent works as a reverse proxy server: it forwards the client's request to the C&C server and relays the answer from the C&C server back to the client.

In a fast-flux network, the attacker assigns new IP addresses to a Domain Name, or to a Name Server, within a very short period of time, drawing them from thousands of bots (fast-flux agents). The different IP addresses of the malicious domain name in a fast-flux network are therefore the IP addresses of fast-flux agents. In a single-flux network, only the malicious Domain Name uses IP addresses from the fast-flux agents, and the Authoritative Nameserver is hosted on a bulletproof hosting server. In a double-flux network, both the malicious Domain Name and the Authoritative Nameserver use IP addresses that belong to the fast-flux agents.

Fast-Flux C&C Servers are the backbone of fast-flux service networks. The C&C server is a complex server which is used to control or manage the botnet and the fast-flux network. It runs many servers on the backend to deliver various services as needed, such as a DNS server for resolving the malicious domain name and an HTTP server for delivering malware files or hosting phishing sites. In a fast-flux network the C&C server is also referred to as the mothership server. A Fast-Flux Service Network (FFSN) is not limited to HTTP applications; any application that uses DNS can be served through an FFSN.

Single-Flux refers to the frequent and rapid changing of the IP addresses associated with a domain name. In single-flux networks the DNS A or AAAA records for a domain are constantly updated with the addresses of fast-flux agents that act as reverse proxies. The attacker manages an Authoritative Name Server for resolution of the malicious domain name and dynamically updates the DNS A record with the IP addresses of fast-flux agents, using a very short TTL value. The Authoritative Name Server is hosted on a bulletproof hosting server. When the TTL expires, new IP addresses replace the old ones in the DNS A records of the DNS zone file. Thousands of fast-flux agents' IP addresses are used in a cyclic order for the DNS A record. The DNS A record changes as often as every 3-10 minutes, which means that a victim client connecting to the malicious domain every 3 minutes would actually be connecting to a different IP address each time. When a victim client wants to resolve the malicious domain name, it sends the DNS query to a Recursive DNS Server. The Recursive DNS Server in turn resolves the queried domain name (FQDN) and returns a set of IP addresses to the client.
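As an added example (not code from the article), here is detection logic that applies the characteristics described above to a series of resolver answers for one domain: a very low TTL, A records cycling through many agent addresses in unrelated networks, and, for double-flux, NS addresses that move the same way. The Lookup type, the thresholds and the sample data are assumptions constructed for this illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Thresholds are illustrative assumptions, not values from the article.
MAX_TTL = 300         # seconds; flux zones publish very low TTLs
MIN_UNIQUE_IPS = 10   # distinct A/AAAA addresses seen across all lookups
MIN_PREFIXES = 5      # distinct /16 (IPv4) or /48 (IPv6) prefixes: unrelated hosts
MIN_NS_PREFIXES = 3   # NS addresses spread the same way indicate double-flux

@dataclass
class Lookup:
    """One answer a recursive resolver returned for the monitored FQDN."""
    a_records: list                                # A/AAAA addresses in this answer
    ttl: int                                       # TTL of those records, seconds
    ns_addrs: list = field(default_factory=list)   # addresses of the zone's NS hosts

def _prefixes(addrs):  # coarse prefixes, so one hosting block counts only once
    out = set()
    for a in addrs:
        plen = 16 if ip_address(a).version == 4 else 48
        out.add(ip_network(f"{a}/{plen}", strict=False))
    return out

def classify(lookups):
    """Return (label, evidence); label is 'stable', 'single-flux' or 'double-flux'."""
    ips, ns_ips, ttls = set(), set(), []
    for lk in lookups:
        ips.update(lk.a_records)
        ns_ips.update(lk.ns_addrs)
        ttls.append(lk.ttl)
    evidence = {
        "low_ttl": bool(ttls) and max(ttls) <= MAX_TTL,
        "unique_ips": len(ips),
        "prefixes": len(_prefixes(ips)),
        "ns_prefixes": len(_prefixes(ns_ips)),
    }
    # Low TTL alone is common for CDNs; require churn across unrelated networks too.
    a_flux = (evidence["low_ttl"] and evidence["unique_ips"] >= MIN_UNIQUE_IPS
              and evidence["prefixes"] >= MIN_PREFIXES)
    if not a_flux:
        return "stable", evidence
    if evidence["ns_prefixes"] >= MIN_NS_PREFIXES:
        return "double-flux", evidence
    return "single-flux", evidence

# Constructed sample (not real observations): five lookups of one domain, each answer
# holding four agent addresses cycling across many /16s, with the NS address moving too.
FLUX_LOOKUPS = [Lookup([f"10.{4 * i + k}.0.{k + 1}" for k in range(4)], 180,
                       [f"10.{100 + i}.1.1"]) for i in range(5)]
STABLE_LOOKUPS = [Lookup(["192.0.2.10", "192.0.2.11"], 3600, ["192.0.2.53"])
                  for _ in range(5)]  # fixed addresses, one-hour TTL, one NS
```

Feeding the same domain's answers collected every few minutes into classify() separates a legitimately load-balanced zone from one whose A (and, in double-flux, NS) records rotate through agents in unrelated networks.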