Paper: As the Net Churns: Fast-Flux Botnet Observations
Together with the esteemed Thorsten Holz, I have a paper at MALWARE 2008 on fast flux botnets. The paper uses the data from our ATLAS platform, specifically the fast flux tracking we added in Q1 of this year, to gather a global perspective on fast flux operations. What we found can be summarized as:
- most fast flux domains are dormant for more than 30 days before their use in a flux operation; domain name tasting is not an issue, it seems
- the gTLD distribution is now wider than originally reported by Holz et al. at NDSS; this issue affects more registrars
- we can identify clusters of IPs and associated hostnames, showing how many botnets use how many names. We find only a handful of distinct botnets using fast flux methods.
- fast flux supports a wide variety of online crime activity, such as phishing, malcode delivery, casino advertisements, illegal or questionable pharmacy sites, and other activities
- fast flux is smaller than is widely assumed, and only a few thousand hosts globally are involved at any one time
- involved hosts are extremely “promiscuous”, sometimes having hundreds of domain names associated with them
- active DNS probing does not appear to be an effective, reliable measure of a botnet’s size. We found only about 1% visibility into the Storm Worm botnet, and we have not been able to get size estimates of other botnets for comparison
This paper came out of a presentation I did for a conference this summer. We’ve shared this data with groups such as FIRST and ICANN, and now we’re sharing this work with the larger world with this publication. The analysis done in the paper is more or less ongoing in our ATLAS fast flux summary report. We have found far more fast flux domains since our original analysis, but it’s still a small problem (only a few thousand hosts and a few thousand domain names active at any one time).
Fast flux botnets are gathering a great deal of attention, and for good reason. Several groups have been working on similar research questions and have found similar results; ours is just the first study around these specific questions to get published. The paper abstract is below:
While botnets themselves provide a rich platform for financial gain for the botnet master, the use of the infected hosts as webservers can provide an additional botnet use. Botnet herders often use fast-flux DNS techniques to host unwanted or illegal content within a botnet. These techniques change the mapping of the domain name to different bots within the botnet with constant shifting, while the bots simply relay content back to a central server. This can give the attackers additional stepping stones to thwart takedown and can obscure their true origins.
Evidence suggests that more attackers are adopting fast-flux techniques, but very little data has been gathered to discover what these botnets are being used for. To address this gap in understanding, we have been mining live traffic to discover new fast-flux domains and then tracking those botnets with active measurements for several months. We have identified over 900 fast-flux domain names from early to mid 2008 and monitored their use across the Internet to discern fast-flux botnet behaviors. We found that the active lifetimes of fast-flux botnets vary from less than one day to months, that domains used in fast-flux operations are often registered but dormant for months prior to activation, that these botnets are associated with a broad range of online fraud and crime including pharmacy sites, phishing and malware distribution, and that we can identify distinct botnets across multiple domain names. We support our findings through an in-depth examination of Internet-scale data continuously collected for hundreds of domain names over several months.
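As an added illustration, not code from the paper or from the ATLAS platform, here is the shape of the passive-DNS analysis the findings above describe: flagging flux-like domains by IP and prefix diversity plus short TTLs, grouping domains that share IPs into candidate botnets (the IP/hostname clustering), and counting how many names each host serves (the "promiscuous" hosts). The domain names and addresses are constructed sample data, and the /16 prefix check stands in for the ASN diversity a real pipeline would use.

```python
from collections import defaultdict
# Constructed passive-DNS observations (domain, IP, TTL s); RFC 5737 addresses, hypothetical names.
OBSERVATIONS = [
    ("pharma-offer.example", "198.51.100.7", 300),
    ("pharma-offer.example", "203.0.113.22", 300),
    ("pharma-offer.example", "192.0.2.91", 180),
    ("casino-win.example", "192.0.2.91", 120),
    ("casino-win.example", "203.0.113.22", 120),
    ("casino-win.example", "198.51.100.200", 120),
    ("static-site.example", "198.51.100.1", 86400),
]

def flux_indicators(records, min_ips=3, min_prefixes=2, max_ttl=1800):
    """Flag a domain as flux-like: many IPs across several /16 prefixes with a short TTL."""
    per_domain = defaultdict(list)
    for domain, ip, ttl in records:
        per_domain[domain].append((ip, ttl))
    flagged = {}
    for domain, rrs in per_domain.items():
        ips = {ip for ip, _ in rrs}
        prefixes = {".".join(ip.split(".")[:2]) for ip in ips}  # /16 as a cheap ASN proxy
        ttl = min(t for _, t in rrs)
        flagged[domain] = len(ips) >= min_ips and len(prefixes) >= min_prefixes and ttl <= max_ttl
    return flagged

def cluster_by_shared_ips(records, flux_domains):
    """Union flux domains that share at least one IP into one candidate botnet."""
    parent = {d: d for d in flux_domains}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    first_seen = {}  # IP -> first flux domain observed on it
    for domain, ip, _ in records:
        if domain in parent:
            if ip in first_seen:
                parent[find(domain)] = find(first_seen[ip])
            else:
                first_seen[ip] = domain
    groups = defaultdict(set)
    for d in flux_domains:
        groups[find(d)].add(d)
    return sorted(sorted(g) for g in groups.values())

def promiscuity(records):
    """Distinct domains served per IP: the 'promiscuous' hosts carrying many names."""
    ip_domains = defaultdict(set)
    for domain, ip, _ in records:
        ip_domains[ip].add(domain)
    return {ip: len(ds) for ip, ds in ip_domains.items()}
```

With the sample data, the two short-TTL domains are flagged and collapse into a single cluster because they share two IPs, while the long-TTL single-IP site is not flagged.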
The full paper in PDF format is now available. I am unable to attend MALWARE 2008 myself as something came up, but we’re still releasing the paper.