FastFlux Activity Data - Initial Draft

DRAFT -- for discussion purposes only

Framing

  • What facts would we need in order to understand its scale and scope?
    1a. How many IP addresses are known to be participating as fastflux nodes?
    1b. How many domain names use fastflux?
    1c. How many unique name servers support fastflux domains?
    1d. What fraction of those unique name servers are themselves served on
    fastflux IPs?
    1e. What registrars or registration service providers have been used to
    create fastflux domains?
    1f. If notified that a customer's domain is fast fluxing, what (if anything)
    will a registrar or registration service provider do? How long does it
    take them to do it? If they do nothing, why? If they do do something,
    what do they do?
    1g. If notification is made to ISPs, will they pass those notifications
    along to the infected customers? If so, do the customers, once notified,
    appear to be remediated (or at least cease to be seen as fastflux nodes)?
  • Where could we get those facts?
    2a. Accept a feed of fastflux domain name candidates, and verify the IP
    addresses on which they live.
    2b. From the 2a list, extract name servers and registrars/registration
    service providers.
    2c. Contact the registrar/registration service provider with the observed
    data, and note their response (including the time required to make
    those reports, and the time required for the registrar/registration
    service provider to respond/react). Truncating the right tail of the
    response window at some reasonable time period may be desirable.
    2d. Track individual fastflux IPs over time, including noting the time of
    ISP notification.
  • Are the statistics being collected now? How well -- is the data credible?
    3. I'm a big believer in data replication and validation. I'd encourage folks
    who feel likewise to participate in measuring this phenomenon. Replication
    brings validity and trust.
  • If they're being collected, is the person/organization willing to share them?
    4. In the "everyone a gardener/hunter, everyone a chef" model, that's up
    to each gardener/hunter chef. :-)
  • If they're not being collected now, what's the best place to get them and is
    it worth it to go after them?
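The following is an added example, not part of this draft or of any of the contributors' tooling. It shows how the facts asked for in 1a-1e can be derived from the candidate feed described in steps 2a-2b: each lookup of a candidate domain is recorded as an observation, a domain is treated as verified fluxing when it shows many distinct A records with a short TTL, and the verified set is then reduced to the counts of flux IPs, flux domains, supporting name servers (and the fraction of those sitting on flux IPs), and registrars. The feed, the name-server addresses, the domain names (RFC 5737 documentation addresses, `.example` names), the registrar labels and the two thresholds `MIN_DISTINCT_IPS` / `MAX_TTL` are all constructed assumptions; the page itself fixes no threshold.

```python
"""Added example: computing the scale/scope facts (1a-1e) from a candidate
feed as sketched in steps 2a-2b. Constructed data; not the project's code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Flux heuristic thresholds: assumptions for illustration, not defined on the page.
MIN_DISTINCT_IPS = 5   # distinct A records seen across the observation window
MAX_TTL = 600          # seconds; flux domains keep TTLs short so clients re-resolve often


@dataclass(frozen=True)
class Observation:
    """One resolution of a candidate domain (a constructed record format)."""
    domain: str
    ts: int                      # lookup time, seconds
    ttl: int                     # TTL on the returned A records
    a_records: Tuple[str, ...]   # addresses the domain resolved to at this lookup
    ns_names: Tuple[str, ...]    # name servers authoritative for the domain
    registrar: str               # registrar / registration service provider


# Constructed feed: hypothetical domains, RFC 5737 documentation addresses.
FEED: List[Observation] = [
    Observation("flux-a.example", 0, 180, ("192.0.2.10", "192.0.2.11", "198.51.100.5"),
                ("ns1.flux-a.example", "ns2.flux-a.example"), "RegistrarOne"),
    Observation("flux-a.example", 300, 180, ("192.0.2.12", "203.0.113.7", "198.51.100.6"),
                ("ns1.flux-a.example", "ns2.flux-a.example"), "RegistrarOne"),
    Observation("flux-a.example", 600, 180, ("192.0.2.13", "203.0.113.8", "198.51.100.7"),
                ("ns1.flux-a.example", "ns2.flux-a.example"), "RegistrarOne"),
    Observation("flux-b.example", 0, 120, ("203.0.113.20", "203.0.113.21"),
                ("ns1.flux-a.example", "ns.hosting.example"), "RegistrarTwo"),
    Observation("flux-b.example", 200, 120, ("192.0.2.30", "192.0.2.31"),
                ("ns1.flux-a.example", "ns.hosting.example"), "RegistrarTwo"),
    Observation("flux-b.example", 400, 120, ("198.51.100.40", "192.0.2.32"),
                ("ns1.flux-a.example", "ns.hosting.example"), "RegistrarTwo"),
    Observation("static.example", 0, 3600, ("198.51.100.100",),
                ("ns.hosting.example",), "RegistrarOne"),
    Observation("static.example", 3600, 3600, ("198.51.100.100",),
                ("ns.hosting.example",), "RegistrarOne"),
]

# Constructed A records of the name servers themselves (needed for question 1d).
NS_ADDRESSES: Dict[str, str] = {
    "ns1.flux-a.example": "192.0.2.12",      # sits on an address also used as a flux node
    "ns2.flux-a.example": "203.0.113.20",    # likewise
    "ns.hosting.example": "198.51.100.200",  # ordinary hosting, not a flux node
}


def per_domain(feed: Iterable[Observation]) -> Dict[str, dict]:
    """Collapse a feed into per-domain sets: IPs seen, shortest TTL, NS names, registrars."""
    grouped = defaultdict(list)
    for obs in feed:
        grouped[obs.domain].append(obs)
    stats = {}
    for domain, obs_list in grouped.items():
        stats[domain] = {
            "ips": {ip for o in obs_list for ip in o.a_records},
            "min_ttl": min(o.ttl for o in obs_list),
            "ns": {n for o in obs_list for n in o.ns_names},
            "registrars": {o.registrar for o in obs_list},
        }
    return stats


def is_fluxing(stats: dict) -> bool:
    """Step 2a verification: many distinct addresses combined with a short TTL."""
    return len(stats["ips"]) >= MIN_DISTINCT_IPS and stats["min_ttl"] <= MAX_TTL


def summarize(feed: Iterable[Observation], ns_addresses: Dict[str, str]) -> dict:
    """Answer 1a-1e for the domains that pass verification."""
    stats = per_domain(feed)
    flux = {d: s for d, s in stats.items() if is_fluxing(s)}
    flux_ips: Set[str] = set().union(*(s["ips"] for s in flux.values()))
    name_servers: Set[str] = set().union(*(s["ns"] for s in flux.values()))
    ns_on_flux_ips = {n for n in name_servers if ns_addresses.get(n) in flux_ips}
    registrars: Set[str] = set().union(*(s["registrars"] for s in flux.values()))
    return {
        "flux_domains": sorted(flux),                                   # 1b
        "flux_ip_count": len(flux_ips),                                 # 1a
        "name_servers": sorted(name_servers),                           # 1c
        "ns_on_flux_ip_fraction":                                       # 1d
            (len(ns_on_flux_ips) / len(name_servers)) if name_servers else 0.0,
        "registrars": sorted(registrars),                               # 1e
    }


if __name__ == "__main__":
    for key, value in summarize(FEED, NS_ADDRESSES).items():
        print(f"{key}: {value}")
```

On the constructed feed, `static.example` is excluded (one address, one-hour TTL), the two flux domains contribute 15 distinct node addresses, and two of the three supporting name servers resolve to addresses that are themselves flux nodes. Replacing the two thresholds with the number of distinct ASNs per response, or the rate of new addresses per TTL, gives the same pipeline a stricter verification step for 2a.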

Requests:

  • Does data exist which supports the general characterization that the addresses to which fast-flux domains momentarily resolve (perhaps many times, and perhaps for more than one domain) are dynamically assigned from provider-assigned blocks?

Current Data

  • Research report by Minaxi Gupta, featuring recent data and good suggestions for automated data collection in the future (full report linked)
    • From the report: top eight ASNs observed while monitoring 33 fast-flux domains over a period of seven weeks.
      1) 7132 (AT&T Internet Services, US) 2,677
      2) 9304 (Hutchison Global, HK) 1,797
      3) 4766 (Korea Telecom, KR) 590
      4) 3320 (Deutsche Telekom, DE) 500
      5) 8551 (Bezeqint Internet, IL) 445
      6) 12322 (Proxad/Free ISP, FR) 418
      7) 8402 (Corbina telecom, RU) 397
      8) 1680 (NetVision Ltd., US) 361
  • Data provided by Jose Nazario, arbor.net (a related presentation is also linked)
    - the scale and scope of fast-flux activities (ie, what percent of IP
      addresses, and what percent of domain-names are used for fast-flux?)
      ATLAS measures fast flux botnet membership via active polling of the domain names. that said, ATLAS sees ~3000 unique IPs for those addresses every 24 hours or so.
      ATLAS is currently tracking ~6400 fast flux domain names.
      both values are sub 1% for their entity class. even if we're off by a reasonable factor of 10 it's just not a "big" problem in terms of populations.
      active polling gives us between 1 and 5 % botnet visibility for botnets using fast flux (a small minority of all botnets) when we compare active botnet measurements vs DNS-based methods.
    - the impact of fast flux (how many networks, businesses, etc. suffer
      harm -- and what kind of harm)
      there are at least two sides to the "harm" question: infected machines participating in the fast flux network and victims who click the links to go there (ie folks lured in by the storm worm campaigns). the latter is well measured by various groups. the former is something we can estimate in ATLAS.
      here's top 20 ASNs by infected bot count in the past 24 hours:
      150 | AS7132 SBIS-AS - AT&T Internet Services
      121 | AS8708 RDSNET RCS & RDS S.A.
      117 | AS8402 CORBINA-AS Corbina Telecom
      88 | AS9121 TTNET TTnet Autonomous System
      72 | AS5617 TPNET Polish Telecom's commercial IP network
      57 | AS8997 ASN-SPBNIT OJSC North-West Telecom Autonomous System
      53 | AS13184 HANSENET HanseNet Telekommunikation GmbH
      50 | AS8615 CNT-AS CNT Autonomous System
      50 | AS8551 BEZEQ-INTERNATIONAL-AS Bezeqint Internet Backbone
      50 | AS4766 KIXS-AS-KR Korea Telecom
      47 | AS9304 HUTCHISON-AS-AP Hutchison Global Communications
      47 | AS12714 TI-AS NetByNet Holding
      43 | AS4837 CHINA169-BACKBONE CNCGROUP China169 Backbone
      43 | AS3209 Arcor IP-Network
      36 | AS9829 BSNL-NIB National Internet Backbone
      36 | AS6830 UPC UPC Broadband
      36 | AS1680 NetVision Ltd.
      32 | AS6746 ASTRAL ASTRAL Telecom SA, Romania
      32 | AS3320 DTAG Deutsche Telekom AG
    What are dates of these comments?
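Both tables above (the Gupta top-eight and the ATLAS top-20) rank origin ASNs by how many flux-node addresses fall into each. The block below is an added example of that attribution step, not ATLAS, Arbor or Gupta's code: each observed address is matched against a prefix table by longest prefix, counted once per window, and the per-ASN counts are ranked in the same `count | ASn name` layout as the ATLAS list. The prefix table (RFC 5737 documentation prefixes, RFC 5398 private-use AS numbers), the ASN labels and the list of sighted addresses are constructed; a real pipeline would load the table from a BGP routing-table dump or route-view lookup.

```python
"""Added example: attributing observed flux-node addresses to origin ASNs and
ranking them as the ATLAS and Gupta tables do. Constructed data throughout."""
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed prefix -> (origin ASN, name) table. The /25 is more specific than
# the surrounding /24 so that longest-prefix matching actually matters.
PREFIX_TABLE: Dict[str, Tuple[int, str]] = {
    "192.0.2.0/24":    (64496, "ASN-ALPHA (constructed)"),
    "192.0.2.128/25":  (64497, "ASN-BETA (constructed)"),
    "198.51.100.0/24": (64498, "ASN-GAMMA (constructed)"),
    "203.0.113.0/24":  (64499, "ASN-DELTA (constructed)"),
}

# Constructed "flux nodes seen in the last 24 hours". One address is seen twice
# and one (10.0.0.1) is outside the table, to exercise both edge cases.
SEEN_IPS: List[str] = [
    "192.0.2.5", "192.0.2.7", "192.0.2.200",
    "198.51.100.9", "198.51.100.10", "198.51.100.11", "198.51.100.9",
    "203.0.113.3", "10.0.0.1",
]


def build_rows(table: Dict[str, Tuple[int, str]]):
    """Parse the table and order it longest prefix first, so the first hit wins."""
    rows = [(ip_network(prefix), asn, name) for prefix, (asn, name) in table.items()]
    rows.sort(key=lambda row: row[0].prefixlen, reverse=True)
    return rows


def origin_asn(ip: str, rows) -> Optional[Tuple[int, str]]:
    """Longest-prefix match of one address; None when no covering prefix exists."""
    addr = ip_address(ip)
    for net, asn, name in rows:
        if addr in net:
            return asn, name
    return None


def top_asns(ips, table: Dict[str, Tuple[int, str]] = PREFIX_TABLE, n: int = 20):
    """Rank ASNs by distinct addresses attributed to them; also return unmatched IPs."""
    rows = build_rows(table)
    counts: Counter = Counter()
    unmatched: List[str] = []
    for ip in set(ips):              # each address counts once per window
        hit = origin_asn(ip, rows)
        if hit is None:
            unmatched.append(ip)
        else:
            counts[hit] += 1
    # Highest count first; ties broken by ascending AS number for a stable table.
    ranked = sorted(counts.items(), key=lambda item: (-item[1], item[0][0]))
    return [(count, asn, name) for (asn, name), count in ranked[:n]], sorted(unmatched)


if __name__ == "__main__":
    ranking, unknown = top_asns(SEEN_IPS)
    for count, asn, name in ranking:
        print(f"{count} | AS{asn} {name}")
    print("unattributed:", unknown)
```

The unmatched list is worth keeping rather than dropping: addresses with no covering prefix in the table usually mean a stale table or bogon space, and silently discarding them would understate the per-ASN counts the draft wants to compare across sources.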

contributed by Guest User on Oct 21 10:35am