ICANN SSAC, Cairo Nov 2008 Page 1 Summary of Fast Flux Dave Piscitello ICANN SSAC

What is Fast Flux Hosting? An evasion technique Using fast flux hosting, an attacker –Hosts illegal content at a web site –Sends phishing containing URLs that point to compromised computers he commands –Commands the compromised computers (proxies) to forward user requests to the attackers web site –Rapidly changes the IP addresses of the proxies to avoid detection and takedown Several variants –Double flux changes addresses of name servers as well as proxies –Domain names are key element of FF attacks

Who benefits from fast flux? Question misses the mark –Dynamic authority spreading and other adaptive networking techniques may look like fast flux attacks –Calls attention to need to distinguish beneficial from harmful uses of adaptive networking techniques Who benefits from adaptive networking? –Organizations that require high availability, have highly targetable assets, or operate highly adaptive networks (Content Delivery Networks, military networks, …) –Free speech and and advocacy groups Who benefits from fast flux attacks? –Criminals, anyone who uses the technique for harmful purposes ICANN SSAC, Cairo Nov 2008 Page 3

Who is harmed by fast flux attacks? Some debate as to the extent to which FF attacks contribute to the overall impact of e-crime –Same set of victims whether fast flux is used or not –fast flux attacks have considerable influence in the duration and efficacy of harmful activities Users –Are victims of fraud or criminal activities –Are unwitting accomplices: their PCs hosts FF malware –Bear of the cost to detect and remediate infected systems Registrants and registrars targets for phishing and attacks that result in unauthorized access to domain accounts and DNS exploitation ICANN SSAC, Cairo Nov 2008 Page 4

Are registrars involved? Varying opinions! Involvement has many interpretations: –Reputable registrars are uninvolved –Certain registrars are unwitting participants (ignorant of problematic registrations) –Certain registrars appear to lack competence in managing abuse –The actions of certain registrars (or lack thereof) create the appearance of facilitation or complicity ICANN SSAC, Cairo Nov 2008 Page 5

Fast Flux Poses Many Challenges Purview –Does this matter fall within ICANNs remit? –What parties other than ICANN should be involved? Relationships? –Is Fast Flux unique enough to merit policy development? Activities –What kinds of monitoring are needed? –How should monitored data be reported, published, shared? –What actions (responses) are appropriate? Roles of players –Who monitors Fast Flux activities today? –Are parties who work to take down domains trustworthy? –Are registrars and registries expected to monitor Fast Flux activity? –Are FF data collected sufficient to justify a domain suspension? –What is an acceptable false positive rate when identifying a domain as a maliciously fluxing domain results in suspension? ICANN SSAC, Cairo Nov 2008 Page 6

How can ICANN community respond? Purview –A very large set of players currently pursues fast flux attackers –When flux hosting involves domain names, ICANN cannot avoid being involved at some level –Is policy needed? remains an open question Activities –Offer examples of monitoring, "data of value" to monitor –Describe a range of existing and possible mitigation techniques Roles of players –Multiple views on the kinds of roles ICANN, registries, registrars and broader ICANN community can play ICANN SSAC, Cairo Nov 2008 Page 7

ICANN SSAC, Cairo Nov 2008 Page 8 Lets Characterize FF Attack Nets Some network nodes run on compromised hosts (bots –Bots run proxies, DNS and web servers, or botnet C&Cs Network nodes change to sustain the networks lifetime, to spread network software, and to conduct attacks –Member nodes are monitored to if that a host has been shut down Network node IP addresses changed (frequently) via DNS (low TTLs) Network nodes distributed across multiple ASNs Network nodes distributed across multiple IP allocation blocks –in-addrs of IPs fall within consumer broadband allocation blocks WHOIS characteristics –Domain registration is "recent" –Contact information quality and accuracy is poor –Registration was fraudulently altered or purchased Not all characteristics must be present to positively identify a network as a fast flux attack network

ICANN SSAC, Cairo Nov 2008 Page 9 Technical Challenges Original characterizations of fluxing attacks is too narrow –Not all flux attacks are "fast Fluxing is not limited to short TTLs: attackers "flux" in response to loss of communication between bots and their command and control computers –Fluxing alone is insufficient to conclude criminal activity Short TTLs for NS records or other adaptive techniques are found in production networks where high availability is paramount What additional characteristics distinguish beneficial from criminal fluxing behaviors?

Any best practices today? What are some of the best practices available with regard to protection from fast flux? –Cited Anti-Phishing Best Practices Recommendations for Registrars from APWG stPractices.pdf –Cited SAC 025 –Enumerated subset of recommendations from both that FF WG believes to be applicable ICANN SSAC, Cairo Nov 2008 Page 10

ICANN SSAC, Cairo Nov 2008 Page 11 Where should ICANN and SSAC focus future studies? Improve data sharing and analysis among registry, registrar and anticrime/antiphishing communities Reduce fraudulent registrations and account theft Adopt an accelerated domain suspension plan Study algorithms and automated means of detecting domains used in fast flux attacks –How effective are current detection algorithms? –Can automation adapt to change as quickly as attackers? –What is an acceptable false positive rate? –Can we couple automation with manual inspection to further reduce probability of false positives? In parallel, consider evolution of attack strategies –Srizbi and Conficker

Questions? ICANN SSAC, Cairo Nov 2008 Page 12