Definition - Chronology
DRAFT - FOR DISCUSSION PURPOSES ONLY
Fast flux is not an attack, but a technique – one element – of an
attack. As we try to refine the terminology, we might want to be
careful when we use each term. These definitions seem to be emerging:
- Fast flux: a technique that rapidly changes the bindings between domain names and IP addresses, typically to prevent detection of hosts operating illegal or unauthorized services (DNS, mail, web)
- Fast flux hosting: employing fast flux as part of the hosting component of a criminal or other unauthorized activity (e.g., phishing)
- Fast flux attack: an attack that uses fast flux
- Short TTL: a value in the Time To Live parameter of a DNS resource record (or RRset) that is observably less than the values encountered in the DNS under typical operating conditions, e.g., less than 3600 seconds. Short TTLs may be used for both legitimate and abusive purposes; for example, a short TTL is one way to enable a fast flux attack, because it forces resolvers to re-query and so pick up the new bindings quickly.
Clarifications:
- Fastflux name servers may themselves be fluxed in turn (the NS records change as well as the A records), but in many cases expect to see very LONG TTLs on the name server records of fastflux domains, taking advantage of resolver caching and the "glue record problem."
- Fastflux domains also differ from normal domains in HOW MANY A records are returned for a single query. While most normal web hosts return only one or perhaps two IPs, fastflux domains may return half a dozen or a dozen dotted quads in response to a single query.
- Fastflux domains also usually will not change IPs merely for the sake of changing. Unlike some other services that effectively practice IP "frequency hopping" (routinely and continually changing IPs in an effort to avoid monitoring and censorship), fastflux nodes tend to be replaced only when they HAVE to be (e.g., because a formerly used node has become unresponsive, is performing poorly, or is believed to have become compromised).
- Fastflux domains will routinely have invalid domain WHOIS data, such as bogus or incomplete address information.
- Fastflux domains will routinely be associated with registrars or registration service providers that have, or are perceived to have, lax or limited terms of service or lax or limited abuse-handling procedures.
- Fastflux A records have been seen on multiple occasions in combination with attempts to return additional NS resource records for the root (".") pointing at the miscreants' own servers, targeting vulnerable name servers.
- Fastflux nodes are (a) created non-consensually (in most jurisdictions, criminally) by malware, and (b) operated clandestinely, without the informed consent of the owner of that system.
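The fingerprint sketched in the definitions and clarifications above (short TTL, many A records per answer, IPs spread across unrelated netblocks, and IPs that change only when they have to) can be computed mechanically from repeated lookups of one name. The following is an added example written for this page; it is not code from the Working Group, the GNSO or SSAC. The thresholds (3600 seconds, five A records, three /24 prefixes, 50% churn) are working assumptions, the DNS observations are constructed samples on RFC 5737 documentation addresses, and a /24 prefix stands in for the ASN lookup a real tool would perform.

```python
"""Heuristic fast-flux fingerprint computed from repeated DNS lookups of one name.

Each observation is one response: the A records returned and their TTL. The
features are those the clarifications above describe: a short TTL, many A
records per answer, IPs spread over unrelated netblocks, and how often the
IP set actually changes (churn). All inputs below are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SHORT_TTL = 3600       # the page's working threshold for a "short" TTL (assumed)
MANY_ANSWERS = 5       # "half a dozen or a dozen dotted quads" in one answer (assumed)
SPREAD_PREFIXES = 3    # distinct /24s; bots live in unrelated consumer netblocks (assumed)
FAST_CHURN = 0.5       # fraction of consecutive lookups whose IP set changed (assumed)


@dataclass(frozen=True)
class Observation:
    minute: int               # hypothetical time of the lookup, minutes from start
    ttl: int                  # TTL on the A RRset, in seconds
    ips: Tuple[str, ...]      # dotted quads in the answer section


def prefix24(ip: str) -> str:
    """Collapse an IPv4 address to its /24. A stand-in for an ASN lookup,
    which needs routing data this offline example does not carry."""
    return ".".join(ip.split(".")[:3])


def features(obs: List[Observation]) -> Dict[str, float]:
    """Per-name features: minimum TTL, largest answer, distinct IPs and /24s,
    and churn (fraction of consecutive observations whose IP set differs)."""
    if not obs:
        raise ValueError("need at least one observation")
    all_ips: Set[str] = set()
    for o in obs:
        all_ips.update(o.ips)
    changes = sum(1 for a, b in zip(obs, obs[1:]) if set(a.ips) != set(b.ips))
    pairs = max(len(obs) - 1, 1)
    return {
        "min_ttl": min(o.ttl for o in obs),
        "max_a_records": max(len(o.ips) for o in obs),
        "distinct_ips": len(all_ips),
        "distinct_prefixes": len({prefix24(ip) for ip in all_ips}),
        "churn": changes / pairs,
    }


def classify(obs: List[Observation]) -> str:
    """Label the DNS behaviour only; intent is not inferable from these features."""
    f = features(obs)
    if f["churn"] == 0:
        # Same IP set every time: plain round-robin, even if answer order rotates.
        return "stable"
    if f["distinct_prefixes"] < SPREAD_PREFIXES:
        # IPs change but stay inside one provider's netblocks: CDN or load balancer.
        return "rotating within few netblocks"
    if (f["min_ttl"] < SHORT_TTL and f["max_a_records"] >= MANY_ANSWERS
            and f["churn"] >= FAST_CHURN):
        return "fast-flux candidate"
    # Spread over unrelated netblocks but changing only occasionally (as when
    # a node dies): the slower kind of flux that is not "fast" by the clock.
    return "slow-flux candidate"


# Constructed samples using RFC 5737 documentation prefixes.
FLUX = [  # six answers per lookup, half of them swapped out every 10 minutes
    Observation(0, 300, ("192.0.2.10", "192.0.2.11", "198.51.100.20",
                         "198.51.100.21", "203.0.113.30", "203.0.113.31")),
    Observation(10, 300, ("192.0.2.12", "192.0.2.11", "198.51.100.22",
                          "198.51.100.21", "203.0.113.32", "203.0.113.31")),
    Observation(20, 300, ("192.0.2.12", "192.0.2.13", "198.51.100.22",
                          "198.51.100.23", "203.0.113.32", "203.0.113.33")),
    Observation(30, 300, ("192.0.2.14", "192.0.2.13", "198.51.100.24",
                          "198.51.100.23", "203.0.113.34", "203.0.113.33")),
]
RRDNS = [  # two fixed hosts, answer order rotates
    Observation(0, 300, ("192.0.2.10", "192.0.2.11")),
    Observation(10, 300, ("192.0.2.11", "192.0.2.10")),
    Observation(20, 300, ("192.0.2.10", "192.0.2.11")),
]
CDN = [  # very short TTL and changing IPs, but all inside one /24
    Observation(0, 60, ("198.51.100.5", "198.51.100.6")),
    Observation(10, 60, ("198.51.100.7", "198.51.100.8")),
    Observation(20, 60, ("198.51.100.5", "198.51.100.9")),
]
SLOW = [  # spread over netblocks, but one node replaced only once in five lookups
    Observation(0, 7200, ("192.0.2.50", "198.51.100.50", "203.0.113.50")),
    Observation(60, 7200, ("192.0.2.50", "198.51.100.50", "203.0.113.50")),
    Observation(120, 7200, ("192.0.2.50", "198.51.100.50", "203.0.113.50")),
    Observation(180, 7200, ("192.0.2.50", "198.51.100.51", "203.0.113.50")),
    Observation(240, 7200, ("192.0.2.50", "198.51.100.51", "203.0.113.50")),
]

if __name__ == "__main__":
    for name, series in [("flux", FLUX), ("rrdns", RRDNS), ("cdn", CDN), ("slow", SLOW)]:
        print(f"{name:6s} {classify(series):30s} {features(series)}")
```

The caveat a practitioner should keep in mind is the one the rest of this page argues about: a legitimate anycast or multi-provider CDN with a short TTL and addresses in many netblocks produces exactly the same feature vector as the fastflux sample, so this classifier fingerprints a DNS behaviour, not an intent. Anything built on it needs a second signal (the WHOIS and registrar indicators above, or evidence that the hosts are non-consensually operated) before it is treated as abuse.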
7/17/2008; notes by Greg Aaron:
The definitions in the GNSO Issues Report and the SSAC Advisory on Fast
Flux Hosting and DNS are generally consistent with each other.
The GNSO Issues Report on Fast Flux Hosting defines thusly:
- Fast Flux: In this context, the term “fast flux” refers to rapid and repeated changes to A and/or NS resource records in a DNS zone, which have the effect of rapidly changing the location (IP address) to which the domain name of an Internet host (A) or name server (NS) resolves.
- Fast Flux Hosting: The practice of using fast flux techniques to disguise the location of web sites or other Internet services that host illegal activities.
- Fast Flux Service Network: A network of compromised computer systems (a “botnet”) with public DNS records that are constantly changing.
The SSAC Advisory on Fast Flux Hosting and DNS defines thusly:
- Fast flux: This phrase is used to represent the ability to quickly move the location of a web, email, DNS or generally any Internet or distributed service from one or more computers connected to the Internet to a different set of computers to delay or evade detection.
- Fast Flux service network: In this paper, a service network refers to a subset of bots that the bot-herder assigns to a given Fast Flux service operator who in turn provides its customer with facilities for fast flux hosting or name service. Note that this service network is often times operated by a “middle man”, not by the customer themselves.
Note that neither paper defines "fast flux" as a necessarily criminal
usage of a technique, and neither assigns the term a social meaning or
value. The GNSO Issues Report has one term for the technique, and a
separate term for the criminal use of the technique.
However, many in the security arena use the term "fast flux" to mean the
DNS technique used with criminal purpose. This conflated definition is in
that community's general lexicon, and may have even been the original
meaning or first use of the term "fast flux."
It is generally accepted that the great majority of real-world
implementations of fast flux are indeed criminal. However, to use the
term “fast flux” as synonymous with criminal intent leaves us with no
terminology for non-criminal uses. One possible solution is to refer to
"non-criminal fast flux"; other suggestions welcome.
An analogy is that e-mail is a method, based on a protocol. The great
majority of e-mail messages are bulk unsolicited messages, the sending
of which is against the law in many countries. This use of the method
is therefore criminal, and is referred to as "spam." However, all
e-mail is not called spam, and the term "e-mail" is not freighted with
a negative social meaning or value. To employ the SSAC definition,
e-mail is to spam what fast flux is to fast-flux hosting.
The use of language in this situation is important, as some solutions
aimed at criminal activity could prohibit or constrain non-criminal
activity that uses similar techniques, or might not differentiate based
on the intent of the activity. Other solutions may require parties to
separate the criminal uses from the non-criminal, and may not be
entirely successful on the edges. Whether solutions to criminal
fast-flux may constrain non-criminal services and/or the creation of
new and legitimate services on the Internet are pertinent issues for
the Working Group to consider.
July 18 teleconference discussion (Mike's notes - feel free to improve/edit - the conversation starts around minute 25 of the MP3 of the call and ends around minute 48. These are not necessarily in call-sequence order, I sometimes clumped observations together)
- The question of intent
- Intent can be viewed as criminal or benign, depending on vantage point -- and, given how difficult this is to determine, we should be careful when thinking about building that distinction-making into the solutions that we propose.
- We may be missing a term for "non-criminal" use of the technique
- Start from a value-neutral perspective -- generic definition first, then can narrow in on a subset of that technique that addresses intent
- Could we use "residing on a criminally-obtained botnet" as a "fingerprint" to identify the narrower/undesired form of fastflux? Concern: this may limit our response to only those instances of fastflux that have been created through an illegal botnet. This fingerprint might be very good for law enforcement, but not such a great solution from the ICANN perspective.
- Is there such a thing as "universally criminal" that we could use as a baseline (eg bank-fraud, child pornography)? Considerable disagreement with this proposition.
- Could "non-consensual" use of one's computer be used as a substitute for the "criminal" fingerprint? Again, there are issues -- for example, there are consensual botnets. Again, making intent difficult to determine.
- Should the definition of fastflux include intent (eg "criminal" "evade detection" "illegal activities") or should it be limited to describing the method (eg email)?
- The connection between proposed-solutions and definition
- The value of our definition is inherently linked to whatever action we're going to take -- and we need to understand the impact on all activities that will fall within our definition.
- Perhaps the solution (informational vs restriction-based) will help us determine this definition. Related thought -- value of fixing the problem at the core or the edge of the network. One approach would be to evaluate the impact of proposed solutions on various classes of users and make a determination from there.
- The word "fast" in Fastflux
- Lots of criminal organizations are doing similar things, but they're not necessarily doing them quickly. They're doing them automatically, so if a bot is taken down they automatically change, but they don't rapidly rotate between them -- the most famous example being the Rock Phish group. They don't rotate IPs rapidly, but the other techniques are the same (bogus registrations, compromised servers). We should keep other kinds of flux in mind -- they're extremely related, and narrow recommendations will be less useful in solving the overall problem that we're looking at.
From Randy Vaughn
Definition
A Compromised Host is a computer which has had software functionality installed without the express consent of the host's owner.
Definition
A Compromised Host Service Network (CHSN) is a network whose infrastructure depends on the use of compromised hosts.
The above category would include my definition of FF and Rod's phishing networks.
Definition
A Volatile Network is one that is purposed to distribute logically identical
services over multiple (perhaps virtual) hosts at request time.
Both the traditional round robin DNS (RRDNS) and content delivery
network (CDN) fall into the definition of volatile networks. Anycast
DNS and CDNs also meet the definition of volatile networks.
Definition
A Volatile Compromised Host Service Network (VCHSN) is a volatile network which is also a CHSN.
The fastflux vernacular refers to a VCHSN.
Now consider two networks of intent:
a) Illegally Purposed Service Networks; and,
b) Politically Purposed Service Networks.
Definition
An Illegally Purposed Service Network (IPSN) is a network whose
infrastructure is built with the intent of conducting activities which
are considered to be of an illegal nature.
Definition
A Politically Purposed Service Network (PPSN) is a network whose
infrastructure is built with the intent of conducting activities which
are considered to be of a political nature.
The inclusion of a PPSN in the IPSN category would often be a matter of debate.
Observations
- An Illegally Purposed Service Network (IPSN) may not be a Compromised Host Service Network (CHSN). As a hypothetical example, pedophile networks might be entirely built with voluntarily contributed assets.
- A Politically Purposed Service Network (PPSN) may not be a Compromised Host Service Network (CHSN). For example, a network purposed for political dissent may be built entirely with voluntary assets.
- None of the various service networks described above (IPSN, PPSN, CHSN) are necessarily built using volatile (flux) networks.