Fast-Flux is a DNS technique that involves frequent and rapid changing of the IP addresses associated with a Fully Qualified Domain Name (FQDN) by using a network of compromised hosts (Bots) acting as reverse proxies.
There are two types of Fast-Flux Service Network:
- Single-Flux Network
- Double-Flux Network
1. What is FFSN:
To implement a fast-flux network the attacker first leverages a botnet. The botnet contains thousands of bots and all of these bots are connected with the attacker’s C&C server. The bots that take part in a Fast-Flux Network are also known as fast-flux agents. The main purpose of using botnets is to employ thousands of bot machines (fast-flux agents) as reverse proxies. Basically, the Fast-Flux agents work as a reverse proxy server by forwarding the client request to the C&C server and reply to the answers that came from the C&C server back to the client.
In a fast-flux network, the attacker assigns new IP addresses for a Domain Name or for a Name Server within a very short period of time from thousands of bots (fast-flux agents). The different IP addresses of the malicious domain name in a fast-flux network are the IP addresses of fast-flux agents.
In a single-flux network, only the malicious Domain Name uses IP addresses from the fast-flux agents and the Authoritative Nameserver is hosted in a bulletproof hosting server. But In a double-flux network, the malicious Domain Name and the Authoritative Nameserver both use IP addresses that belong to the fast-flux agents.
Fast-Flux C&C Servers are the backbone of fast-flux service networks. The C&C server is a complex server which is used to control or manage the botnet and fast-flux network. The C&C server has a lot of servers running on the backend to deliver various services as needed. Such as a DNS server for the malicious domain name resolution, HTTP server for delivering malware files or setting up phishing sites, etc. In a fast-flux network, the C&C server is also refereed as mothership server. Fast-Flux Service Network (FFSN) is not only limited to HTTP application moreover any application that uses DNS can use the Fast-Flux Service Network (FFSN).
2. Single-Flux Network:
Single-Flux refers to the frequent and rapid changing of IP addresses associated with a domain name. In single flux networks, the DNS A or AAAA records for a domain are constantly updated with the address of fast-flux agents that act as reverse proxies.
In single flux networks, the attacker manages an Authoritative Name Server for name resolution of the malicious domain name and dynamically updates the DNS A record with the IP addresses of fast-flux agents with a very short TTL value. The Authoritative Name Server is hosted in a bulletproof hosting server.
At the expiration of TTL, new IP addresses replace the old ones for these DNS A records in the DNS Zone file. Thousands of fast-flux agent’s IP addresses are used in a cyclic order for the DNS A record. DNS A record changes as often as every 3-10 minutes, which means that the victim client connecting to the malicious domain every 3 minutes would be connecting to a different IP address each time.
When a victim client wants to resolve a malicious domain name, it sends the DNS query to the Recursive DNS Server. The Recursive DNS Server in turn resolves the queried domain name (FQDN) and returns a set of IP addresses back to the client. These IP addresses are actually the IP addresses of fast-flux agents which work as a reverse proxy server. The victim client then initiates a connection to one of the resolved IP addresses and sends its HTTP query there. The fast-flux agent at that address forwards the client request to the C&C server and delivers the content received from the C&C server back to the client. Hence, the victim client cannot communicate directly with the C&C server; instead, the victim client communicates with C&C server via fast-flux agents which acts as reverse proxies.
Depicted in the figure above the attacker has registered a domain name flux.com and manages an Authoritative Name Server(ns.flux.com) for the name resolution of flux.com. The Authoritative Name Server is hosted in a bulletproof hosting server. The attacker leverages a botnet to implement the fast-flux network. The botnet contains thousands of bots and all of these bots are connected with the attacker’s C&C server. In a fast-flux network, these bots are also called as fast-flux agents. The attacker’s C&C server address is c2.flux.com. The C&C server is used for malicious activity such as hosting phishing sites, delivering malware, controlling the malware-infected hosts and botnet, etc.
A malware-infected client wants to connect with its C&C server at c2.flux.com. To resolve that c2.flux.com domain name, the malware-infected client sends a DNS query to the Recursive DNS Server. The Recursive DNS Server sends a DNS query to the Root Server asking for the IP address of c2.flux.com domain name. The Root Server answers with a referral IP address of the .COM Name Servers. Then the Recursive DNS Server sends DNS query to that .COM name server. The .COM name server replies with the referral IP address of Authoritative Names Server of the c2.flux.com. Finally, the Recursive DNS Server sends DNS query to the Authoritative Name Server (ns.flux.com) and gets a list of IP addresses (220.127.116.11 and 18.104.22.168) for the domain name c2.flux.com. After that, the Recursive DNS Server sends those resolved IP addresses to the client.
3. Double-Flux Network:
Double-flux refers to dynamically and repeatedly changing the IP addresses of both the Domain Name and its Authoritative Nameservers with a very low TTL value.
The Double-Flux process is done by changing the DNS A and DNS NS Glue record frequently in the DNS Zone file with the IP address of fast-flux agents. Thousands of fast-flux agents get involves in the process and frequently register and deregister their IP addresses as part of a DNS A record and DNS NS Glue record, for the domain name and the authoritative name server respectively.
A glue record is the IP address (A record) of a Nameserver at the domain name registry. Glue records are required when the Nameservers for a domain name are the sub-domains of the domain name itself.
Suppose the attacker registered a domain name flux.com and its Authoritative Nameserver address is configured as ns.flux.com. The ns.flux.com Nameserver is assigned with the IP address 22.214.171.124 of a fast-flux agent and the flux.com domain is assigned with IP address 126.96.36.199 of another fast-flux agent.
flux.com. 300 IN NS ns.flux.com
ns.flux.com 300 IN A 188.8.131.52 (Glue Record)
flux.com. 300 IN A 184.108.40.206
In a double flux network, the IP address (A Record) of the ns.flux.com (Authoritative Nameserver) and also the IP address (A Record) of flux.com (Domain) changes constantly.
The different IP addresses of both the malicious Domain Name and the Authoritative Nameserver in a double-flux network are the IP addresses of fast-flux agents. The attacker uses thousands of fast-flux agents from his botnet and periodically register and deregister these IP addresses for the Domain Name and the Authoritative Nameserver.
In a double fast-flux network when a client wants to resolve a malicious domain name, it sends the DNS query to the Recursive DNS Server. The Recursive DNS Server asks the Root Server which name server is responsible for the malicious domain and the Root Server refers to ask the .COM server. Then the Recursive DNS Server again asks the .COM Server. As the attacker configured DNS NS record pointing to fast-flux agent’s IP address on the .COM server’s DNS zone file. The .COM server replies back with the IP address of a fast-flux agent as the Authoritative Nameserver of queried malicious domain name. Now the Recursive DNS Server sends a DNS query to the Authoritative Nameserver (fast-flux agent) to resolve the IP of malicious domain name.
Though the attacker designated a fast-flux agent as Authoritative Nameserver. However, the fast-flux agent does not perform any name resolution of the malicious domain. When the fast-flux agent (Authoritative Nameserver) receives a DNS query from any client, the fast-flux agent forwards that DNS query to the actual malicious DNS Server controlled by the attacker, under his C&C server. Once the malicious DNS Server answers the DNS query to that fast-flux agent then the fast-flux agent sends that answer back to the query issuer client, in this case to the Recursive DNS server. Now the Recursive DNS Server sends the resolved IP addresses of malicious domain to the actual client.
The malicious DNS Server deployed by the attacker doesn’t resolve to the IP of the C&C server or the actual web server used for hosting malicious content but instead resolve to any other fast-flux-agents IP address.
The client then establishes a connection with the resolved IP of malicious domain, which is actually the IP address of another fast-flux agent. And sends HTTP requests to that fast-flux agent. Again, that fast-flux agent forwards the HTTP request to the actual Web Server running under attacker C&C server. After retrieving the content from attacker C&C server this fast-flux agent delivers the content to the client. Fast-Flux network ensures that a victim will only connect to fast-flux agents, but never to the real C&C server.