NEW TRENDS IN FASTFLUX NETWORKS

Fast-flux networks have been adopted by attackers for many years. Existing work focuses only on characteristics such as the fast change rate of the IP addresses (e.g., A records) and the name server addresses (NS records), and the single-flux/double-flux structure. In this work, we track and analyze over 200 fast-flux domains and find that the features of fast-flux networks have shifted. More specifically, we discovered that the change rate of the IP addresses and name server addresses is slower than before, in some cases even slower than that of some benign applications that use fast-flux-like techniques. We also discovered that IP addresses and name servers are shared among different families of fast-flux domains, indicating that there is a well-established underground economic model for the use of fast-flux networks. Moreover, we noticed that instead of single or double flux, current fast-flux domains exhibit “n levels” of flux behavior, i.e., there appear to be “n” levels of name servers in the DNS system for fast-flux domains. Finally, we also studied benign applications that look like fast-flux domains but are not. In light of these new characteristics, we propose several new detection approaches that capture these new features of fast-flux domains.
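As an added illustration (not the authors' code or data), the three features the abstract reports can be computed over passive DNS snapshots: the A/NS change rate per hour, records shared across domain families, and the number of name-server levels. The domains, IP addresses, family labels and delegation map below are constructed placeholders, and the level count is a simplification that follows only the first NS name at each step.

```python
from collections import defaultdict
# Constructed DNS snapshots (not real data): domain -> list of (t_seconds, A record set, NS record set)
SNAPSHOTS = {
    "fluxdom-a.example": [
        (0,    {"198.51.100.10", "198.51.100.11"}, {"ns1.fluxns.example"}),
        (1800, {"198.51.100.11", "198.51.100.12"}, {"ns1.fluxns.example"}),
        (3600, {"198.51.100.12", "198.51.100.13"}, {"ns2.fluxns.example"}),
        (5400, {"198.51.100.13", "198.51.100.14"}, {"ns2.fluxns.example"}),
    ],
    "fluxdom-b.example": [  # a second family that reuses part of the first family's infrastructure
        (0,    {"198.51.100.12", "203.0.113.5"}, {"ns2.fluxns.example"}),
        (3600, {"198.51.100.14", "203.0.113.6"}, {"ns2.fluxns.example"}),
    ],
    "cdn-site.example": [  # benign CDN-like rotation: faster churn than the flux domains, but private infrastructure
        (0,    {"192.0.2.1", "192.0.2.2"}, {"ns.cdn.example"}),
        (600,  {"192.0.2.3", "192.0.2.4"}, {"ns.cdn.example"}),
    ],
}
FAMILY = {"fluxdom-a.example": "fam1", "fluxdom-b.example": "fam2", "cdn-site.example": "benign"}
A, NS = 1, 2  # tuple positions of the A and NS record sets

def churn_per_hour(snaps, field):
    """Changes of the A or NS set between consecutive snapshots, normalised per hour observed."""
    changes = sum(1 for prev, cur in zip(snaps, snaps[1:]) if prev[field] != cur[field])
    span_h = (snaps[-1][0] - snaps[0][0]) / 3600
    return changes / span_h if span_h else 0.0

def shared_infrastructure(snapshots, family, field):
    """Records (IPs or NS names) observed under more than one family: cross-family sharing."""
    seen = defaultdict(set)
    for domain, snaps in snapshots.items():
        for snap in snaps:
            for rec in snap[field]:
                seen[rec].add(family[domain])
    return {rec: fams for rec, fams in seen.items() if len(fams) > 1}

# Constructed delegation map: name -> its NS names; a name absent from the map is treated as a stable server.
DELEGATION = {
    "fluxdom-a.example": ["ns1.fluxns.example"],
    "ns1.fluxns.example": ["ns.level2.example"],
    "ns.level2.example": ["ns.level3.example"],
    "cdn-site.example": ["ns.cdn.example"],
}

def flux_levels(name, delegation, limit=16):
    """Number of name-server levels followed before reaching a server with no further fluxing NS set."""
    levels = 0
    while name in delegation and levels < limit:  # limit guards against delegation loops
        name = delegation[name][0]
        levels += 1
    return levels
```

On this constructed input the benign CDN domain churns its A records faster (6 changes/hour) than either flux domain (2 and 1 changes/hour), while only the flux domains share IP addresses and a name server across families and show more than one name-server level.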

Presented by