Fast-flux

• Concept“The ability to quickly move the location of a web, email, DNS or generally any Internet or distributed service from one or more computers connected to the Internet to a different set of computers to delay or evade detection.”

• What it does: utilizes DNS to continually update valid domain names with A and NS records that resolve to an ever-changing set of of IP addresses of infected computers (a botnet).

• The motherships: command and control servers that issue commands to bots and add and remove IP addresses from DNS records. By cycling IP addresses of infected computers in and out of DNS records, the mothership is able to use active bots to host content and services.

• Action: To stop the constantly rotating IP addresses in the DNS server we need to take down the Fast-Flux domain. A domain Registrar needs to do so.

Previous slide

Next slide

Back to first slide

View graphic version