

NSA Warns 'Fast Flux' Threatens National Security (arstechnica.com) 20
An anonymous reader quotes a report from Ars Technica: A technique that hostile nation-states and financially motivated ransomware groups are using to hide their operations poses a threat to critical infrastructure and national security, the National Security Agency has warned. The technique is known as fast flux. It allows decentralized networks operated by threat actors to hide their infrastructure and survive takedown attempts that would otherwise succeed. Fast flux works by cycling through a range of IP addresses and domain names that these botnets use to connect to the Internet. In some cases, IPs and domain names change every day or two; in other cases, they change almost hourly. The constant flux complicates the task of isolating the true origin of the infrastructure. It also provides redundancy. By the time defenders block one address or domain, new ones have already been assigned.
"This technique poses a significant threat to national security, enabling malicious cyber actors to consistently evade detection," the NSA, FBI, and their counterparts from Canada, Australia, and New Zealand warned Thursday. "Malicious cyber actors, including cybercriminals and nation-state actors, use fast flux to obfuscate the locations of malicious servers by rapidly changing Domain Name System (DNS) records. Additionally, they can create resilient, highly available command and control (C2) infrastructure, concealing their subsequent malicious operations." There are two variations of fast flux described in the advisory: single flux and double flux. Single flux involves mapping a single domain to a rotating pool of IP addresses using DNS A (IPv4) or AAAA (IPv6) records. This constant cycling makes it difficult for defenders to track or block the associated malicious servers since the addresses change frequently, yet the domain name remains consistent.
Double flux takes this a step further by also rotating the DNS name servers themselves. In addition to changing the IP addresses of the domain, it cycles through the name servers using NS (Name Server) and CNAME (Canonical Name) records. This adds an additional layer of obfuscation and resilience, complicating takedown efforts.
"A key means for achieving this is the use of Wildcard DNS records," notes Ars. "These records define zones within the Domain Name System, which map domains to IP addresses. The wildcards cause DNS lookups for subdomains that do not exist, specifically by tying MX (mail exchange) records used to designate mail servers. The result is the assignment of an attacker IP to a subdomain such as malicious.example.com, even though it doesn't exist." Both methods typically rely on large botnets of compromised devices acting as proxies, making it challenging for defenders to trace or disrupt the malicious activity.
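The single-flux and double-flux patterns above leave measurable traces in passive DNS or resolver query logs: one name answered with many different addresses spread across unrelated networks, with short TTLs, and (for double flux) a delegation whose name servers themselves keep changing. The following is an added example, not code from the advisory, from Ars, or from any vendor: it scores a constructed observation log on exactly those signals. The log lines, the domain names, the `/16`-prefix stand-in for an ASN lookup, and every threshold in `classify` are assumptions made for the example.

```python
from __future__ import annotations

import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed passive-DNS observations for this example, not captured traffic.
# One record per line: <timestamp> <queried name> <type> <answer> <TTL seconds>.
# Addresses are from the RFC 5737 documentation ranges, so nothing here points
# at a real host. flux.example is the flux domain; cdn.example is a legitimate
# round-robin pool in one network; static.example is a plain single-host site.
SAMPLE_LOG = """\
2025-04-03T10:00:00Z flux.example A 192.0.2.10 300
2025-04-03T10:05:00Z flux.example A 198.51.100.23 300
2025-04-03T10:10:00Z flux.example A 203.0.113.7 180
2025-04-03T10:15:00Z flux.example A 192.0.2.44 300
2025-04-03T10:20:00Z flux.example A 198.51.100.91 120
2025-04-03T10:25:00Z flux.example A 203.0.113.150 300
2025-04-03T10:00:00Z flux.example NS ns1.flux.example 300
2025-04-03T12:00:00Z flux.example NS ns2.flux.example 300
2025-04-03T14:00:00Z flux.example NS ns3.flux.example 300
2025-04-03T10:00:00Z ns1.flux.example A 192.0.2.200 300
2025-04-03T12:00:00Z ns2.flux.example A 198.51.100.200 300
2025-04-03T14:00:00Z ns3.flux.example A 203.0.113.200 300
2025-04-03T10:00:00Z cdn.example A 192.0.2.60 60
2025-04-03T10:01:00Z cdn.example A 192.0.2.61 60
2025-04-03T10:02:00Z cdn.example A 192.0.2.60 60
2025-04-03T10:03:00Z cdn.example A 192.0.2.62 60
2025-04-03T10:00:00Z cdn.example NS ns.cdn-provider.example 86400
2025-04-03T10:00:00Z static.example A 203.0.113.5 3600
2025-04-03T11:00:00Z static.example A 203.0.113.5 3600
2025-04-03T10:00:00Z static.example NS ns.hoster.example 86400
"""


@dataclass
class Observation:
    ts: str
    qname: str
    rtype: str
    rdata: str
    ttl: int


@dataclass
class DomainStats:
    ips: set[str] = field(default_factory=set)
    networks: set[str] = field(default_factory=set)      # /16 prefixes, an ASN stand-in
    ttls: list[int] = field(default_factory=list)
    ns_names: set[str] = field(default_factory=set)
    ns_networks: set[str] = field(default_factory=set)   # networks hosting the zone's name servers


def parse_log(text: str) -> list[Observation]:
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, qname, rtype, rdata, ttl = line.split()
        records.append(Observation(ts, qname.lower().rstrip("."), rtype.upper(),
                                   rdata.lower().rstrip("."), int(ttl)))
    return records


def network_of(ip: str) -> str:
    """/16 for IPv4, /32 for IPv6: a crude stand-in for the ASN lookup a real
    pipeline would do. Many distinct /16s is what a botnet of compromised home
    hosts looks like; a hoster's own round-robin pool usually sits in one or two."""
    addr = ipaddress.ip_address(ip)
    plen = 16 if addr.version == 4 else 32
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def summarize(records: list[Observation]) -> dict[str, DomainStats]:
    stats: dict[str, DomainStats] = defaultdict(DomainStats)
    ns_owner: dict[str, str] = {}   # name-server hostname -> zone that delegates to it
    for r in records:               # first pass: learn the delegations (double-flux signal)
        if r.rtype == "NS":
            stats[r.qname].ns_names.add(r.rdata)
            ns_owner[r.rdata] = r.qname
    for r in records:               # second pass: address records (single-flux signal)
        if r.rtype not in ("A", "AAAA"):
            continue
        net = network_of(r.rdata)
        if r.qname in ns_owner:     # address of a name server: credit it to the zone it serves
            stats[ns_owner[r.qname]].ns_networks.add(net)
        else:
            s = stats[r.qname]
            s.ips.add(r.rdata)
            s.networks.add(net)
            s.ttls.append(r.ttl)
    return dict(stats)


def classify(s: DomainStats, *, min_ips: int = 5, min_networks: int = 3,
             max_ttl: int = 300, min_ns: int = 3) -> str:
    """'double-flux', 'single-flux' or 'normal'. Thresholds are assumptions for
    this example, not values from the advisory; baseline them on your own logs.
    Single flux needs all three signals at once so that a CDN's short TTL or a
    large static pool on its own does not fire."""
    short_ttl = bool(s.ttls) and statistics.median(s.ttls) <= max_ttl
    single = len(s.ips) >= min_ips and len(s.networks) >= min_networks and short_ttl
    double = single and (len(s.ns_names) >= min_ns or len(s.ns_networks) >= min_networks)
    if double:
        return "double-flux"
    return "single-flux" if single else "normal"


def detect(text: str) -> dict[str, str]:
    return {name: classify(s) for name, s in sorted(summarize(parse_log(text)).items())}


if __name__ == "__main__":
    for name, verdict in detect(SAMPLE_LOG).items():
        print(f"{name:16} {verdict}")
```

Run against the constructed log, `flux.example` is reported as double flux (six addresses in three networks with a five-minute median TTL, delegated to three different name servers in three networks), while `cdn.example` stays "normal" despite its 60-second TTL because its pool lives in a single network. That is the caveat a practitioner should keep in mind: address count, network diversity and TTL are each produced by legitimate CDN and anycast deployments too, so a verdict like this is a triage signal to enrich with real ASN data, registration age and reputation, not a block decision on its own.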
It’s been ages (Score:1)
Re:It’s been ages (Score:5, Informative)
Yes. And there's a solution for this one too. Use DNS Pinning on your local DNS resolvers.
Web browsers themselves had to look at this a number of decades ago due to DNS Rebinding Attacks [wikipedia.org]. And the answer I'm pretty sure was to Pin DNS records whose TTL was less than 10 minutes or so to make sure DNS records will be cached for a minimum length of time, even if the TTL has been configured less.
You can handle this on your organization's DNS servers as well:
For example; if your DNS resolver is Unbound, then set the cache-min-ttl to 24 hours.
Then the "fast flux" attackers can't be so effective against your infrastructure. Because the DNS records are pinned upon the first lookup.
At least they won't be able to use DNS for their fast flux network in this case - if your DNS resolvers' policy prevents fast flux.
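The resolver-side floor the comment above describes can be tried out in a small model. The following is an added example, not code from the commenter, from Unbound or from the advisory: a toy caching resolver whose `min_ttl` plays the role of Unbound's `cache-min-ttl:` option (set under `server:` in `unbound.conf`; the Unbound manual itself cautions that values much beyond an hour leave the cache out of step with the zone's real data). Both zones, the rotation schedule and the failover time are constructed for the simulation.

```python
from dataclasses import dataclass

# Constructed zones for the simulation; RFC 5737 documentation addresses only.
FLUX_POOL = ("192.0.2.10", "192.0.2.11", "198.51.100.23",
             "198.51.100.24", "203.0.113.7", "203.0.113.8")
APP_PRIMARY, APP_BACKUP = "203.0.113.50", "203.0.113.51"
APP_FAILOVER_AT = 3600      # seconds: when the legitimate site moves to its backup host


def upstream(name: str, now: int) -> tuple[str, int]:
    """Authoritative answers as (rdata, ttl). flux.example rotates its A record
    every 300 s through a pool of proxies; app.example is an ordinary site that
    fails over once, publishing the new address with a 60 s TTL."""
    if name == "flux.example":
        return FLUX_POOL[(now // 300) % len(FLUX_POOL)], 300
    if name == "app.example":
        return (APP_PRIMARY if now < APP_FAILOVER_AT else APP_BACKUP), 60
    raise KeyError(name)


@dataclass
class CacheEntry:
    rdata: str
    expires_at: int


class Resolver:
    """Minimal caching resolver. min_ttl models cache-min-ttl: an answer is kept
    for max(ttl, min_ttl) seconds regardless of the TTL the zone published."""

    def __init__(self, min_ttl: int = 0):
        self.min_ttl = min_ttl
        self.cache: dict[str, CacheEntry] = {}
        self.upstream_queries = 0

    def resolve(self, name: str, now: int) -> str:
        entry = self.cache.get(name)
        if entry is not None and now < entry.expires_at:
            return entry.rdata                      # cache hit: the pinned answer
        rdata, ttl = upstream(name, now)
        self.upstream_queries += 1
        self.cache[name] = CacheEntry(rdata, now + max(ttl, self.min_ttl))
        return rdata


def simulate(min_ttl: int, duration: int = 7200, step: int = 300) -> dict:
    """Query both names every `step` seconds for `duration` seconds and report
    what a client behind the resolver actually saw."""
    resolver = Resolver(min_ttl)
    flux_seen: set[str] = set()
    app_ip = None
    for now in range(0, duration, step):
        flux_seen.add(resolver.resolve("flux.example", now))
        app_ip = resolver.resolve("app.example", now)
    return {"flux_ips_seen": len(flux_seen),
            "app_ip_at_end": app_ip,
            "upstream_queries": resolver.upstream_queries}


if __name__ == "__main__":
    for floor in (0, 86400):
        print(f"cache-min-ttl={floor:>5}: {simulate(floor)}")
```

With no floor the client walks through all six proxies in the flux pool in two hours and follows `app.example` to its backup host the moment it fails over. With a 24-hour floor the client sees exactly one flux address, but it is also still sending traffic to `app.example`'s dead primary an hour after the site moved, which is the trade-off to weigh before pinning: the floor applies to every zone the resolver serves, not only to the ones you are worried about.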
Re: (Score:2)
Why in the hell is the National Security Agency of the United States warning about this decades-old problem
I am not sure why they are warning about it in the first place.
Fast flux in itself is not a threat or security attack even though they are describing it as a "threat". Just about every major consumer website uses DNS configurations that allow rapid change in order for content delivery network load-distribution and fault-tolerance redundancy schemes to function. The internet works this way because it was d
AKA: Round robin DNS load balancing. (Score:4, Insightful)
Basically all major hosting providers even describe this technique as a cheap, easy way to add load balancing without a dedicated load balancer. This 'fast flux' method is just the way lots of people did it if they didn't control the DNS server either, by constantly pushing new DNS records instead to cycle between.
It's been used for decades, plural. Just suddenly it's a big security threat because it makes tracking more complicated somehow?
Don't worry - Trump's on it (Score:3, Informative)
Re: (Score:2)
What DEI hire will he pick next?
Re:Don't worry - Trump's on it (Score:5, Funny)
Re:Don't worry - Trump's on it (Score:4, Insightful)
The whole administration is DUI.
putin's I.
Re: (Score:2)
Yeah. It helped a lot with spam, as I recall.
There is literally no more of it.
/o\ | \o/ (Score:1)
It's making it difficult for us to have the level of control over others we are accustomed to. We need military-backed political action to get things back the way we like them.