There are several kinds of flux networks, all of which bad actors can use to hide malware Command and Control traffic. Read on for a security expert's views.
Over the past few weeks, I've covered some of the techniques used to hide malware Command & Control (C&C) traffic. Recently, I went into some depth on how attackers use Tor, why that can be good for them (anonymity, yay!), and why it can be bad (easy to see, boo!). But that's only one approach. Another common technique used today is fluxing.
Flux networks (or fast flux networks) come in a variety of flavors. Single flux networks quickly change a domain name associated with a C&C endpoint. Usually, the IP addresses change too (otherwise, defenders can simply block the IP address itself). Double flux networks change domain names as well as name servers, giving attackers even more control over C&C endpoint addresses and infrastructure.
But what good are these fluxing domain names if I don't know what they are? Well, that's where domain generation algorithms (DGAs) come in. These can be implemented in a variety of ways, but, basically, they take some kind of common seed (a time, a date, perhaps a token from the last C&C connection) and generate a domain name (or group of domain names). The DGA ships with both the malware and the C&C system, so the domain names the malware tries correspond with the names the C&C system generates for its name servers and endpoints.
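The point of a shared seed is that both sides compute the same names without ever exchanging them, and the flip side for defenders is that anyone who recovers the algorithm and its seed can pre-compute the same names and sinkhole them ahead of time. The block below is an added example, not code from the original post or from any real malware family: a toy date-seeded DGA (the SHA-256 scheme, the five-names-per-day count and the `.example` TLD are all assumptions for illustration) together with the defender-side pre-generation of a sinkhole list for a window of days.

```python
import datetime
import hashlib

# Added example, not from the original post. The hashing scheme, the count and the
# TLD are assumptions chosen for illustration, not any real family's algorithm.

def dga_domains(seed_date: str, count: int = 5, tld: str = "example") -> list[str]:
    """Return the candidate domains for one day, given the date as an ISO string.

    Both the implant and the C&C operator run this same function with the same
    seed, so they agree on the names without exchanging them.
    """
    day = datetime.date.fromisoformat(seed_date)
    domains = []
    for i in range(count):
        seed = f"{day.isoformat()}:{i}".encode()
        digest = hashlib.sha256(seed).hexdigest()
        # 12 hex characters: opaque-looking, but fully determined by the seed
        domains.append(f"{digest[:12]}.{tld}")
    return domains


def sinkhole_list(start_date: str, days: int, **kwargs) -> set[str]:
    """Pre-generate every name the DGA will produce over a window of days.

    A defender who has recovered the algorithm and seed can load this set into
    a resolver or RPZ as a sinkhole list before the names are ever registered.
    """
    start = datetime.date.fromisoformat(start_date)
    names: set[str] = set()
    for offset in range(days):
        day = (start + datetime.timedelta(days=offset)).isoformat()
        names.update(dga_domains(day, **kwargs))
    return names


def is_dga_domain(name: str, start_date: str, days: int, **kwargs) -> bool:
    """True when a queried name falls inside the pre-computed window."""
    return name.lower().rstrip(".") in sinkhole_list(start_date, days, **kwargs)


if __name__ == "__main__":
    for name in dga_domains("2024-01-01"):
        print(name)
    print(len(sinkhole_list("2024-01-01", 7)), "names to sinkhole this week")
```

The detection side is deliberately the inverse of the generation side: because the seed is shared state, not a secret, the defender's cost is the same as the attacker's, which is why recovering the DGA from a sample is the first thing analysts go after.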
So single flux networks flux only the endpoint names and, potentially, the IP addresses used by the endpoints (though this makes things significantly more complex). To make this work, you need access to a name server that will let you set *very* short time-to-live (TTL) values on given records. Not many reputable domain name services will do this today, so there's a grey market of ISPs that will turn a blind eye to this kind of use. Now, there are real business drivers that lead engineers to fast-flux domain names, specifically round-robin DNS schemes for load balancing on the cheap. But that use generally fluxes the name between a few addresses in the same domain, so it's easily predictable. Flux networks may do this, but they don't need to (double flux networks specifically support this kind of use). Single flux networks are useful, but they can be easy to block (using DNS sinkholing), especially once the C&C IP ranges are known.
Double flux networks were designed to alleviate some of these shortcomings. If attackers control the name servers, they have much more flexibility in how they map IP addresses to the various domain names. Remember, in single flux networks, defenders can block IP ranges as a defensive technique, and ISPs can disallow name service for known malware campaigns. If attackers run their own name servers, this becomes less of a problem. And attackers can use DGAs to generate new name server names as well, fluxing both the endpoints and the name servers themselves. Those name servers can also map domain names to a much wider set of IP addresses, potentially spread across a much, much larger IP range.
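The two paragraphs above give a defender three observable signals to separate the cases: very short TTLs, the number and spread of A records behind a name, and whether the NS records themselves rotate. The block below is an added example, not code from the original post: a small passive-DNS classifier run over constructed resolver observations (all names, addresses and TTLs are made up, using RFC 5737 and RFC 6598 reserved ranges) that distinguishes a benign round-robin setup from single flux and double flux. The thresholds are assumptions for illustration; real deployments tune them per environment and usually add ASN or geolocation diversity on top of the /24 spread used here.

```python
import ipaddress
from collections import defaultdict

# Added example, not from the original post. Constructed observations of the form
# (domain, record type, value, ttl) as a passive-DNS sensor might log them.
OBSERVATIONS = [
    # Benign round-robin: short TTL, but a few addresses inside one /24.
    ("www.shop.example", "A", "203.0.113.10", 60),
    ("www.shop.example", "A", "203.0.113.11", 60),
    ("www.shop.example", "A", "203.0.113.12", 60),
    ("www.shop.example", "NS", "ns1.shop.example", 86400),
    # Ordinary stable host: one address, long TTL.
    ("docs.example", "A", "203.0.113.50", 3600),
    ("docs.example", "NS", "ns1.docs.example", 86400),
    # Single flux: very short TTL, many addresses across unrelated ranges,
    # but the name server itself stays put.
    ("a1b2c3d4e5f6.example", "A", "192.0.2.17", 30),
    ("a1b2c3d4e5f6.example", "A", "198.51.100.7", 30),
    ("a1b2c3d4e5f6.example", "A", "203.0.113.200", 30),
    ("a1b2c3d4e5f6.example", "A", "100.64.1.9", 30),
    ("a1b2c3d4e5f6.example", "A", "192.0.2.88", 30),
    ("a1b2c3d4e5f6.example", "NS", "ns1.a1b2c3d4e5f6.example", 86400),
    # Double flux: the same A-record pattern, and the NS records rotate too.
    ("f6e5d4c3b2a1.example", "A", "192.0.2.44", 30),
    ("f6e5d4c3b2a1.example", "A", "198.51.100.91", 30),
    ("f6e5d4c3b2a1.example", "A", "203.0.113.23", 30),
    ("f6e5d4c3b2a1.example", "A", "100.64.1.77", 30),
    ("f6e5d4c3b2a1.example", "NS", "ns-1a2b.dgahost.example", 60),
    ("f6e5d4c3b2a1.example", "NS", "ns-9z8y.dgahost.example", 60),
]

# Heuristic thresholds (assumptions for illustration; tune per environment).
MAX_FLUX_TTL = 300      # seconds; anything at or below this counts as "short"
MIN_FLUX_IPS = 4        # distinct A records seen for one name
MIN_FLUX_PREFIXES = 3   # distinct /24s those addresses fall in
MIN_FLUX_NS = 2         # distinct short-TTL name servers => double flux


def summarize(observations):
    """Aggregate per-domain A/NS facts: address set, /24 spread, minimum TTLs."""
    stats = defaultdict(lambda: {"ips": set(), "prefixes": set(), "a_ttl": None,
                                 "ns": set(), "ns_ttl": None})
    for domain, rtype, value, ttl in observations:
        s = stats[domain]
        if rtype == "A":
            ip = ipaddress.ip_address(value)
            s["ips"].add(ip)
            s["prefixes"].add(ipaddress.ip_network(f"{ip}/24", strict=False))
            s["a_ttl"] = ttl if s["a_ttl"] is None else min(s["a_ttl"], ttl)
        elif rtype == "NS":
            s["ns"].add(value)
            s["ns_ttl"] = ttl if s["ns_ttl"] is None else min(s["ns_ttl"], ttl)
    return stats


def classify(s):
    """Label one domain's summary as stable, round-robin, single-flux or double-flux."""
    short_a = s["a_ttl"] is not None and s["a_ttl"] <= MAX_FLUX_TTL
    if (short_a and len(s["ips"]) >= MIN_FLUX_IPS
            and len(s["prefixes"]) >= MIN_FLUX_PREFIXES):
        short_ns = s["ns_ttl"] is not None and s["ns_ttl"] <= MAX_FLUX_TTL
        if short_ns and len(s["ns"]) >= MIN_FLUX_NS:
            return "double-flux"
        return "single-flux"
    if short_a and len(s["ips"]) > 1:
        # Short TTL with a tight address set is what cheap load balancing looks like.
        return "round-robin"
    return "stable"


def classify_all(observations):
    return {domain: classify(s) for domain, s in summarize(observations).items()}


if __name__ == "__main__":
    for domain, label in classify_all(OBSERVATIONS).items():
        print(f"{domain:28} {label}")
```

Note what the classifier does not do: it never blocks on TTL alone, because the round-robin case in the text is legitimate and shares that signal. Only the combination of short TTL with addresses spread across unrelated ranges raises the label to flux, and only rotating name servers raise it to double flux, matching the escalation described in the two paragraphs.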
Flux networks are common today because they work. And I'll start to show you how you build them.
Opinions expressed by DZone contributors are their own.