NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0244 Fast-flux DNS makes BotNets Hard to Disable:
An increasingly popular technique, known as fast-flux domain name service (DNS), allows botnets to use a multitude of servers to hide a key host or to create a highly available control network. Traditional botnets have used Internet Relay Chat (IRC) servers to control each of the compromised PCs, or bots, but the central IRC server is also a weakness, giving defenders a single server to target and take down. To disable a botnet using the fast-flux DNS method, "...you have to take down thousands of hosts," said network security analyst Lawrence Baldwin.
Fast-flux botnets use the Internet's look-up system for domain names against defenders. With a typical domain, the IP address associated with the domain does not change often, if at all. Fast-flux DNS uses a large number of servers and a fast-changing domain record to elude attempts to disrupt the botnet operations.
A related technique, known as rock phishing, uses a large number of proxies to hide the location of a smaller number of critical servers. The computers typically protected by these methods include the command and control servers for botnets, phishing sites, caches of stolen data, and sites that push malicious code out to other compromised systems.
Bot programmers have borrowed the technique from spammers. Spam networks have used fast-flux DNS to hide mail servers for several years, and during the late 1990s, when many users still connected to the Internet via dial-up modems, spammers used a variant of fast-flux DNS to point compromised PCs to currently available download servers.
Top-level domain name registrars could help solve this problem by refusing to allow fast-changing domains or by making the takedown process for domains easier, but in the meantime defenders will have to resign themselves to increasingly difficult-to-disable botnets, said Johannes Ullrich of the SANS Internet Storm Center. In the past, only a third of botnets lasted more than 24 hours, "but once we see a botnet converted to fast flux, it's likely that the botnet will be around for a long while," Ullrich said.
(www.theregister.co.uk 11JUL07)
Last Modified: Tuesday, 31-Jul-2007 21:43:40 EDT