Content Delivery and the Natural Evolution of Dns Review
Robtex DNS Analysis of a fast fluxing domain.
Fast flux is a domain name system (DNS) based evasion technique used by cyber criminals to hide phishing and malware delivery websites behind an ever-changing network of compromised hosts acting as reverse proxies to the backend botnet master, a bulletproof autonomous system.[1] It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures.
The fundamental idea behind fast-flux is to have numerous IP addresses associated with a single fully qualified domain name, where the IP addresses are swapped in and out with extremely high frequency by changing DNS resource records; thus the authoritative name servers of the fast-fluxing domain name are, in most cases, hosted by the criminal actor.[2]
Depending on the configuration and complexity of the infrastructure, fast-fluxing is generally classified into single, double, and domain fast-flux networks. Fast-fluxing remains an intricate problem in network security, and current countermeasures remain ineffective.
History
Fast-fluxing was first reported by the security researchers William Salusky and Robert Danford of The Honeynet Project in 2007;[3] the following year, in 2008, they released a systematic study of fast-flux service networks.[4] Rock Phish (2004) and Storm Worm (2007) were two notable fast-flux service networks which were used for malware distribution and phishing.[5]
Fast-flux service network
A fast-flux service network (FFSN) is the network infrastructure that results from the fast-fluxed network of compromised hosts; the technique is also used by legitimate service providers such as content distribution networks (CDNs), where the dynamic IP address is converted to match the domain name of the internet host, usually for the purpose of load balancing using round-robin domain name system (RR-DNS).[6] The purpose of using FFSN infrastructure for botnets is to relay network requests and act as a proxy to the backend bulletproof content server, which functions as an "origin server".[7]
The frontend bots, which act as an imperceptible host affixed to a control master, are called flux-agents; their network availability is indeterminate due to the dynamic nature of fast-fluxing.[1] The backend motherships do not establish direct communication with the user agents; rather, all actions are reverse proxied through compromised frontend nodes,[8] effectively making the attack long-lasting and resilient against take-down attempts.[9]
Types
An illustration of single and double DNS fast-fluxing networks.
Fast-fluxing is generally classified into two types: single fluxing and double fluxing, the latter being a build-on implementation over single fluxing. The terminology involved in fast-fluxing includes "flux-herder mothership nodes" and "fast-flux agent nodes", referring respectively to the backend bulletproof botnet controller and the compromised host nodes involved in reverse proxying the traffic back and forth between the origin and clients.[10] [1] The compromised hosts used by the fast-flux herders typically include residential broadband access circuits, such as DSL and cable modems.[11]
Single-flux network
In a single-flux network, the authoritative name server of a fast-fluxing domain name repeatedly permutes the DNS resource records with low time to live (TTL) values, conventionally between 180 and 600 seconds. The permuted records within the zone file include A, AAAA and CNAME records; the rotation is usually done by means of round robin from a registry of exploited hosts' IP addresses and DDNS names.[12] [13] [14] Although HTTP and DNS remain the most commonly proxied application protocols by the frontend flux-agents, protocols such as SMTP, IMAP and POP can also be delivered through transport layer (L4) TCP and UDP port binding techniques between flux-agents and backend flux-herder nodes.[15]
Double-flux network
Double-fluxing networks involve high-frequency permutation of the fluxing domain's authoritative name servers, along with DNS resource records such as A, AAAA, or CNAME pointing to frontend proxies.[15] [16] In this infrastructure, the authoritative name server of the fluxing domain points to a frontend redirector node, which forwards the DNS datagram to a backend mothership node that resolves the query.[17] [18] The DNS resource records, including the NS record, are set with a low TTL value, resulting in an additional level of indirection.[19] [20] The NS records in a double-fluxing network usually point to a referrer host that listens on port 53, which forwards the query to a backend DNS resolver that is authoritative for the fluxing domain.[21] [22] : 6 An advanced level of resilience and redundancy is achieved through blind proxy redirection techniques of the frontend nodes;[22] : 7 fast-fluxing domains also abuse the domain wildcarding of the RFC 1034 specification for spam delivery and phishing, and use DNS covert channels for transferring application layer payloads of protocols such as HTTP, SFTP, and FTP encapsulated inside a DNS datagram query.[23] [22] : 6–7
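As an added example (not the article's own code), the following Python check applies the single- and double-flux indicators from the two sections above to constructed lookup logs: a low TTL combined with answers that are fresh on every lookup, for A records alone (single flux) or for NS records as well (double flux). The hostnames, addresses and thresholds are assumptions; the CDN sample is included because round-robin CDNs, as noted under Fast-flux service network, also use short TTLs, so TTL alone does not separate the two.

```python
from collections import defaultdict
# Added example, not the article's own code. Each log entry is one lookup of a
# domain: (seconds since first lookup, record type, TTL, answers returned).
# Constructed sample 1: a fluxing domain queried every 300 s. Every lookup
# returns fresh addresses, and the NS answers churn just as fast.
FLUX_LOG = [
    (0,   "A",  300, ("203.0.113.10", "198.51.100.7")),
    (300, "A",  300, ("192.0.2.44", "203.0.113.88")),
    (600, "A",  300, ("198.51.100.19", "192.0.2.61")),
    (0,   "NS", 300, ("ns1.flux.example",)),
    (300, "NS", 300, ("ns7.flux.example",)),
    (600, "NS", 300, ("ns3.flux.example",)),
]
# Constructed sample 2: a round-robin CDN host. Its TTL is just as low, but the
# answers rotate through a small fixed pool and the NS set never changes.
CDN_LOG = [
    (0,   "A",  60,   ("198.51.100.1", "198.51.100.2")),
    (300, "A",  60,   ("198.51.100.2", "198.51.100.3")),
    (600, "A",  60,   ("198.51.100.3", "198.51.100.1")),
    (0,   "NS", 3600, ("ns1.cdn.example", "ns2.cdn.example")),
    (600, "NS", 3600, ("ns1.cdn.example", "ns2.cdn.example")),
]

def churn(records):
    """Return (share of answers never seen in an earlier lookup, max TTL).
    A fixed pool scores well below 1.0; a stream of fresh hosts scores 1.0."""
    seen, fresh, total = set(), 0, 0
    for _, _, _, rdata in sorted(records):
        for x in rdata:
            total += 1
            if x not in seen:
                fresh += 1
                seen.add(x)
    max_ttl = max((ttl for _, _, ttl, _ in records), default=0)
    return (fresh / total if total else 0.0), max_ttl

def classify(log, max_ttl=600, min_fresh=0.8):
    """'double-flux' when both A and NS answers churn under a low TTL,
    'single-flux' when only the A answers do, otherwise 'no-flux'. Thresholds
    are assumptions; 600 s is the upper TTL the article cites for single flux."""
    by_type = defaultdict(list)
    for rec in log:
        by_type[rec[1]].append(rec)
    a_fresh, a_ttl = churn(by_type["A"])
    ns_fresh, ns_ttl = churn(by_type["NS"])
    a_flux = a_ttl <= max_ttl and a_fresh >= min_fresh
    ns_flux = ns_ttl <= max_ttl and ns_fresh >= min_fresh
    if a_flux and ns_flux:
        return "double-flux"
    return "single-flux" if a_flux else "no-flux"
```

Over a real resolver log the same two numbers (fresh-answer share and TTL) can be computed per domain from passive DNS data, with the NS churn test distinguishing double from single flux.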
Domain-flux network
A domain-flux network involves keeping a fast-fluxing network operational by continuously rotating the domain name of the flux-herder mothership nodes.[23] The domain names are dynamically generated using a selected pseudorandom domain generation algorithm (DGA), and the flux operator mass-registers the domain names. An infected host repeatedly tries to initiate a flux-agent handshake by spontaneously generating, resolving and connecting to an IP address until it receives an acknowledgment, in order to register itself with the flux-herder mothership node.[19] A notable instance is Conficker, a botnet which operated by generating 50,000 different domains across 110 top-level domains (TLDs).[24]
Security countermeasures
The detection and mitigation of fast-fluxing domain names remain an intricate challenge in network security due to the robust nature of fast-fluxing.[25] Although fingerprinting the backend fast-flux mothership node remains increasingly difficult, service providers could detect the upstream mothership nodes by probing the frontend flux-agents in a special way: sending a crafted HTTP request that would trigger an out-of-band network request from the backend fast-flux mothership node to the client over an independent channel, such that the client could deduce the mothership node's IP address by analyzing the logs of its network traffic.[26] Various security researchers suggest that the effective measure against fast-fluxing is to take the domain name out of use. However, domain name registrars are reluctant to do so, since there are no jurisdiction-independent terms of service agreements that must be observed; in most cases, fast-flux operators and cybersquatters are the main source of income for those registrars.[27]
Other countermeasures against fast-fluxing domains include deep packet inspection (DPI), host-based firewalls, and IP-based access control lists (ACLs), although there are serious limitations to these approaches due to the dynamic nature of fast-fluxing.[28]
See also
- Avalanche (phishing group)
References
- ^ a b c Li & Wang 2017, p. 3.
- ^ Almomani 2016, p. 483.
- ^ Zhou 2015, p. 3.
- ^ Saif Al-Marshadi; Mohamed Anbar; Shankar Karuppayah; Ahmed Al-Ani (17 May 2019). "A Review of Botnet Detection Approaches Based on DNS Traffic Analysis". Intelligent and Interactive Computing. Lecture Notes in Networks and Systems. Singapore: Springer Publishing, Universiti Sains Malaysia. 67: 308. doi:10.1007/978-981-13-6031-2_21. ISBN 978-981-13-6030-5. S2CID 182270258.
- ^ Nazario, Josh; Holz, Thorsten (8 October 2008). As the net churns: Fast-flux botnet observations. 3rd International Conference on Malicious and Unwanted Software (MALWARE). Alexandria, Virginia: Institute of Electrical and Electronics Engineers. p. 24. doi:10.1109/MALWARE.2008.4690854. ISBN 978-1-4244-3288-2.
- ^ Almomani 2016, pp. 483–484.
- ^ Almomani 2016, p. 484.
- ^ Zhou 2015, p. 4.
- ^ Zhou 2015, pp. 2–3.
- ^ Salusky & Daford 2007, p. 1.
- ^ Konte, Feamster & Jung 2008, p. 8.
- ^ Salusky & Daford 2007, pp. 1–2.
- ^ Li & Wang 2017, pp. 3–4.
- ^ "FAQ: Fast-fluxing". Andorra: The Spamhaus Project. Archived from the original on 29 April 2021. Retrieved 12 December 2021.
- ^ a b Salusky & Daford 2007, p. 2.
- ^ Zhou 2015, p. 5.
- ^ Li & Wang 2017, pp. 3–5.
- ^ Zhou 2015, pp. 5–6.
- ^ a b Li & Wang 2017, p. 4.
- ^ Salusky & Daford 2007, pp. 2–3.
- ^ Konte, Feamster & Jung 2008, pp. 4–6.
- ^ a b c Ollmann, Gunter (4 June 2009). "Botnet Communications Topologies: Understanding the intricacies of botnet Command-and-Control" (PDF). Core Security Technologies. Archived (PDF) from the original on 26 March 2020. Retrieved 3 March 2022.
- ^ a b Hands, Nicole M.; Yang, Baijian; Hansen, Raymond A. (September 2015). A Study on Botnets Utilizing DNS. RIIT '15: Proceedings of the 4th Annual ACM Conference on Research in Information Technology, Purdue University. United States: Association for Computing Machinery. pp. 23–28. doi:10.1145/2808062.2808070.
- ^ Li & Wang 2017, pp. 4–5.
- ^ Zhou 2015, pp. 1–2.
- ^ Salusky & Daford 2007, p. 7.
- ^ Konte, Feamster & Jung 2008, pp. 8–11.
- ^ Florian Tegeler; Xiaoming Fu; Giovanni Vigna; Christopher Kruegel (10 December 2012). BotFinder: finding bots in network traffic without deep packet inspection. Association for Computing Machinery. pp. 349–360. doi:10.1145/2413176.2413217. ISBN 9781450317757. S2CID 2648522.
Bibliography
- Almomani, Ammar (24 August 2016). "Fast-flux hunter: a system for filtering online fast-flux botnet". Neural Comput & Applic. Springer Publishing. 29 (7): 483–493. doi:10.1007/s00521-016-2531-1. S2CID 4626895.
- Li, Xingguo; Wang, Junfeng (25 September 2017). "Botnet Detection Technology Based on DNS". Future Internet. Sichuan University. 9 (4): 55. doi:10.3390/fi9040055.
- Salusky, William; Daford, Robert (13 July 2007). "Know Your Enemy: Fast-Flux Service Networks". The Honeynet Project. Archived from the original on 30 September 2012 – via Wayback Machine.
- Konte, M.; Feamster, N.; Jung, J. (January 2008). "SAC 025: SSAC Advisory on Fast Flux Hosting and DNS" (PDF). Security and Stability Advisory Committee (SSAC). Internet Corporation for Assigned Names and Numbers (1). Archived (PDF) from the original on 22 November 2021. Retrieved 12 December 2021.
- "SpamHaus: Frequently Asked Questions (FAQ)". The Spamhaus Project. Archived from the original on 22 February 2022. Retrieved 3 March 2022.
- "SAC 025 SSAC Advisory on Fast Flux Hosting and DNS" (PDF). Internet Corporation for Assigned Names and Numbers. January 2008.
- Zhou, Shijie (29 June 2015). "A Survey on Fast-flux Attacks". Information Security Journal: A Global Perspective. University of Electronic Science and Technology of China. 24 (4–6). doi:10.1080/19393555.2015.1058994.
Source: https://en.wikipedia.org/wiki/Fast_flux