Black Hat Preview: New Trends in Fast-Flux Networks

Fast-flux networks. Do you know about the latest developments and trends with fast-flux techniques?

If not, you may be interested in attending a session presented by two of my colleagues at Black Hat next week. It will take place on July 31 at 10:15 am in Palace 2.


Below is a short preview of what they will cover.

But first, I’ll discuss what a fast-flux network is, in case anyone isn't familiar with the term.

Fast-flux is an important technique for someone running a botnet, or any sophisticated malicious operation on the Internet, who doesn't want to leave a direct trail of breadcrumbs back to their lair. The purpose of a fast-flux network is to obscure the true location of an attacker. Essentially, a fast-flux network provides a constantly changing proxy layer (or layers) in the Internet that sits between a victim and the true location of an attacker. So instead of the malware talking to the attacker's command and control server directly, the attacker proxies those connections through a network of other infected hosts whose mapping of IP address to domain is constantly changing.

At Black Hat, my colleagues Wei Xu and Xinran Wang will present research on more recent developments in how fast-flux networks are operated, developments that determine how we go about detecting them. It seems that as domains become cheaper, fast-flux networks actually flux more slowly, so looking for really high flux rates may not be the best approach to detecting them. Our research team at Palo Alto Networks did an analysis that mapped out the different domains that all share the same IP addresses, in order to see which domains are clustered together as part of the fast-flux network. This allowed them to build a better understanding of when a name server should be trusted or not, which can be a better technique for identifying a fast-flux network. Learn more at the Black Hat session on July 31 at 10:15 am in Palace 2.
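To make the shared-IP clustering idea concrete, here is an added example (not code from the researchers or from Palo Alto Networks) that groups domains linked through common IP addresses using union-find. The passive-DNS records, the function names and the `min_domains` threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed passive-DNS observations (domain, resolved IP), using only
# documentation address ranges and .example names.
RECORDS = [
    ("shop-a.example", "192.0.2.10"),
    ("shop-a.example", "192.0.2.11"),
    ("shop-b.example", "192.0.2.11"),
    ("shop-b.example", "198.51.100.7"),
    ("shop-c.example", "198.51.100.7"),
    ("blog.example", "203.0.113.5"),
    ("mail.example", "203.0.113.9"),
]


def cluster_domains(records):
    """Group domains linked, directly or transitively, by a shared IP."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps trees shallow
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_domain_for_ip = {}
    for domain, ip in records:
        find(domain)  # register the domain even if it shares no IP
        if ip in first_domain_for_ip:
            union(first_domain_for_ip[ip], domain)
        else:
            first_domain_for_ip[ip] = domain

    clusters = defaultdict(set)
    for domain in parent:
        clusters[find(domain)].add(domain)
    # Largest clusters first, then alphabetical, for stable output.
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c))


def suspicious_clusters(records, min_domains=3):
    """Clusters with at least min_domains members (threshold is an assumption)."""
    return [c for c in cluster_domains(records) if len(c) >= min_domains]
```

Note that `shop-a.example` and `shop-c.example` never share an IP directly; they end up in one cluster through `shop-b.example`. Shared hosting and CDNs also put unrelated domains on the same addresses, so cluster membership is a lead for further review, not a verdict.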

Hope to see you in Vegas this week!