Posted on Monday, November 2nd, 2009

Q3 2009 Fast Flux by the Numbers

by Jose Nazario

Spent some time lately reading various companies’ Q3 reports on their data to get the lay of the land. I’ve also spent some time thinking about responses to fast flux. The data below is the result of our tracking of fast flux activity in ATLAS. Our monitoring uses spam traps and other means to identify domains, which we actively qualify as fast flux; we then use passive means to discover possibly related domains (based on IP address overlap) before feeding those back into the system for active qualification. The system continuously monitors the active domains for membership in the botnet and expires “dead” domains.

The analysis here looks at the three-month quarter that ended a few weeks ago for trends in fast flux. This year has seen a huge uptick in Avalanche domains, and the release of notes from ICANN on the Fast Flux Working Group as well as a specific note around Avalanche. Arbor, like a few others, has been actively working with registries to address fast flux. So the question is: how are those efforts doing?

Comparing to Q2 (see below), the biggest gainers are .tk and .eu, with .uk coming in as a new top 10 player. We’ve been trying to work with .eu as they are being targeted, along with .uk, by the Avalanche guys. However, our efforts in .eu have been largely fruitless, while Nominet in the UK has defended .uk quite handily. We are still looking into the .tk numbers, as they could be a false positive caused by the way .tk hosts content.

2009 Q3 Fast Flux by TLD

Across all domain names, in Q3 we saw more TLDs hit, some 34 (against Q2’s 26 distinct TLDs). The attackers are striking at more TLDs in hopes of finding the soft spots, ones that just don’t respond. The average lifetime of a fast flux domain name: 418063 seconds, or about 9.7 days. CN domains are taken down within 7.8 days, EU domain names within 1.6 days, COM domains within 7.23 days, and TK domains within 1.44 days.
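To make the workflow above concrete (spam-trap seeds, active qualification, passive discovery by IP overlap, and lifetime by TLD), here is an added example that is not Arbor’s ATLAS code. The qualification thresholds, domain names, observation records and TEST-NET IP addresses are all constructed for illustration.

```python
from collections import defaultdict

# Constructed observations: (domain, unix_ts, dns_ttl_seconds, set of A records).
# Domain names are made up; IPs come from the TEST-NET documentation ranges.
OBS = [
    ("flux-a.cn", 1_246_000_000, 300, {"192.0.2.1", "192.0.2.2", "192.0.2.3"}),
    ("flux-a.cn", 1_246_100_000, 300, {"192.0.2.4", "192.0.2.5", "192.0.2.2"}),
    ("flux-a.cn", 1_246_673_920, 300, {"192.0.2.6", "192.0.2.7"}),
    ("flux-b.eu", 1_246_200_000, 180, {"192.0.2.4", "198.51.100.1", "198.51.100.2"}),
    ("flux-b.eu", 1_246_338_240, 180, {"198.51.100.3", "198.51.100.4"}),
    ("static.com", 1_246_000_000, 86400, {"203.0.113.9"}),
    ("static.com", 1_246_900_000, 86400, {"203.0.113.9"}),
]

def by_domain(obs):
    groups = defaultdict(list)
    for rec in obs:
        groups[rec[0]].append(rec)
    return groups

def is_fast_flux(records, min_ips=5, max_ttl=600):
    """Active qualification heuristic (assumed thresholds): many distinct
    A records served with short TTLs. A static site fails both tests."""
    ips = set().union(*(r[3] for r in records))
    return len(ips) >= min_ips and max(r[2] for r in records) <= max_ttl

def related_by_ip(seed_domains, groups):
    """Passive discovery: a domain that ever resolved to an IP used by a
    qualified domain becomes a candidate for active qualification."""
    seed_ips = set().union(*(r[3] for d in seed_domains for r in groups[d]))
    return {d for d, recs in groups.items()
            if d not in seed_domains and any(r[3] & seed_ips for r in recs)}

def lifetime_seconds(records):
    """First-seen to last-seen; last-seen stands in for the takedown time."""
    ts = [r[1] for r in records]
    return max(ts) - min(ts)

def avg_lifetime_days_by_tld(domains, groups):
    per_tld = defaultdict(list)
    for d in domains:
        per_tld[d.rsplit(".", 1)[-1]].append(lifetime_seconds(groups[d]))
    return {tld: round(sum(v) / len(v) / 86400, 2) for tld, v in per_tld.items()}

def track(obs, seeds):
    """One pass of the loop: qualify seeds, discover related domains, re-qualify."""
    groups = by_domain(obs)
    qualified = {d for d in seeds if is_fast_flux(groups[d])}
    for cand in related_by_ip(qualified, groups):
        if is_fast_flux(groups[cand]):
            qualified.add(cand)
    return qualified, avg_lifetime_days_by_tld(qualified, groups)
```

With `flux-a.cn` as the only spam-trap seed, `flux-b.eu` is picked up through the shared 192.0.2.4 address and then qualified on its own record, while `static.com` is neither related nor flux-like; the per-TLD lifetimes come out at 7.8 days for .cn and 1.6 days for .eu.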

For comparison: Q2 2009

Here are some numbers from the second quarter of this year to serve as a comparison to the Q3 numbers above. The TLD pie chart shows a dramatic uptick in .tk domains in Q3 (which we continue to investigate; they may be false positives that crept into our system).

2009 Q2 Fast Flux by TLD

Average lifetime of all domains in Q2: 21 days. Three weeks! That’s success now that we’re down to under 10 days.

A cursory examination of this data suggests that while numbers are up, response times are getting better. This may be something worth cheering.

Also, it appears that fast flux is still being used for the same old stuff: phishing, malware, malvertising, child porn, and the like.

2 Responses

Dustin — November 10th, 2009 @ 8:49 am EST

Would be interesting to hear the story behind .tk, whether it’s a false positive or there’s an underlying explanation for the growth. In your experience working with TLDs, has the issue of false positives been a problem?

more “cyberwar” nonsense « Alternate Seat of TYR — November 29th, 2009 @ 12:46 pm EST

[...] ChinaNet is still the eighth spammiest domain on the Internet. Arbor Networks has some interesting charts on fast-flux DNS abuse, which show .cn as being the biggest real TLD for this particular form of mischief. Tellingly, it [...]
