SSAC Fast Flux Activities


Summary of Fast Flux
Dave Piscitello
ICANN SSAC
ICANN SSAC, Cairo
Nov 2008
Page 1
What is Fast Flux Hosting?
• An evasion technique
• Using fast flux hosting, an attacker
– Hosts illegal content at a web site
– Sends phishing email containing URLs that point to compromised computers he commands
– Commands the compromised computers (proxies) to forward user requests to the attacker’s web site
– Rapidly changes the IP addresses of the proxies to avoid detection and takedown
• Several variants
– Double flux changes addresses of name servers as well as proxies
– Domain names are a key element of FF attacks
Who benefits from fast flux?
• Question misses the mark
– Dynamic authority spreading and other adaptive networking techniques may look like “fast flux” attacks
– Calls attention to need to distinguish beneficial from harmful uses of adaptive networking techniques
• Who benefits from adaptive networking?
– Organizations that require high availability, have highly targetable assets, or operate highly adaptive networks (Content Delivery Networks, military networks, …)
– Free speech and advocacy groups
• Who benefits from fast flux attacks?
– Criminals, anyone who uses the technique for harmful purposes
Who is harmed by fast flux attacks?
• Some debate as to the extent to which FF attacks contribute to the overall impact of e-crime
– Same set of victims whether fast flux is used or not
– “fast flux attacks have considerable influence in the duration and efficacy of harmful activities”
• Users
– Are victims of fraud or criminal activities
– Are unwitting accomplices: their PCs host FF malware
– Bear the cost to detect and remediate infected systems
• Registrants and registrars
– Are targets for phishing and attacks that result in unauthorized access to domain accounts and DNS exploitation
Are registrars involved?
• Varying opinions!
• “Involvement” has many interpretations:
– Reputable registrars are “uninvolved”
– Certain registrars are unwitting participants (ignorant of problematic registrations)
– Certain registrars appear to lack competence in managing abuse
– The actions of certain registrars (or lack thereof) create the appearance of facilitation or complicity
Fast Flux Poses Many Challenges
• Purview
– Does this matter fall within ICANN’s remit?
– What parties other than ICANN should be involved? Relationships?
– Is Fast Flux unique enough to merit policy development?
• Activities
– What kinds of monitoring are needed?
– How should monitored data be reported, published, shared?
– What actions (responses) are appropriate?
• Roles of players
– Who monitors Fast Flux activities today?
– Are parties who work to take down domains trustworthy?
– Are registrars and registries expected to monitor Fast Flux activity?
– Are FF data collected sufficient to justify a domain suspension?
– What is an acceptable “false positive” rate when identifying a domain as a maliciously fluxing domain results in suspension?
How can the ICANN community respond?
• Purview
– A very large set of players currently pursues fast flux attackers
– When flux hosting involves domain names, ICANN cannot avoid being involved at some level
– “Is policy needed?” remains an open question
• Activities
– Offer examples of monitoring, "data of value" to monitor
– Describe a range of existing and possible mitigation techniques
• Roles of players
– Multiple views on the kinds of roles ICANN, registries, registrars and the broader ICANN community can play
Let’s Characterize FF Attack Nets
• Some network nodes run on compromised hosts (“bots”)
– Bots run proxies, DNS and web servers, or botnet C&Cs
• Network nodes change to sustain the network’s lifetime, to spread network software, and to conduct attacks
– Member nodes are monitored to determine whether a host has been shut down
• Network node IP addresses changed (frequently) via DNS (low TTLs)
• Network nodes distributed across multiple ASNs
• Network nodes distributed across multiple IP allocation blocks
– in-addrs of IPs fall within consumer broadband allocation blocks
• WHOIS characteristics
– Domain registration is "recent"
– Contact information quality and accuracy is poor
– Registration was fraudulently altered or purchased
Not all characteristics must be present to positively identify a network as a fast flux attack network
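As an added illustration (not part of the SSAC deck) of how the characteristics above, together with the detection and false-positive questions the deck raises, could be turned into a scoring heuristic: the A-record observations, ASNs, thresholds and the 30-day "recent" cutoff are all constructed assumptions, and a low-TTL-only profile is routed to manual review rather than treated as malicious.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: successive A-record answers observed for one domain,
# each as (ttl_seconds, ip, asn). Hypothetical values, not real data.
FLUX_LIKE = [
    (300, "203.0.113.10", 64501), (300, "198.51.100.7", 64502),
    (180, "192.0.2.55", 64503), (300, "203.0.113.200", 64501),
    (120, "198.51.100.77", 64504), (300, "192.0.2.9", 64505),
]
# Constructed CDN-like sample: low TTLs too, but one ASN and one block.
CDN_LIKE = [(60, f"203.0.113.{i}", 64500) for i in range(1, 7)]

@dataclass
class FluxReport:
    indicators: Dict[str, bool]  # which SSAC characteristics were seen
    score: int                   # number of characteristics present

def characterize(observations: List[Tuple[int, str, int]],
                 registration_age_days: int, whois_quality_ok: bool,
                 ttl_threshold: int = 600, min_ips: int = 5,
                 min_asns: int = 3, min_blocks: int = 3) -> FluxReport:
    """Map the deck's characteristics onto DNS/WHOIS observations.
    All thresholds are assumptions for illustration, not SSAC values."""
    ttls = [ttl for ttl, _, _ in observations]
    ips = {ip for _, ip, _ in observations}
    asns = {asn for _, _, asn in observations}
    # Use the /24 as a cheap stand-in for an IP allocation block.
    blocks = {ip.rsplit(".", 1)[0] for ip in ips}
    indicators = {
        "low_ttl": all(t <= ttl_threshold for t in ttls),
        "many_ips": len(ips) >= min_ips,
        "many_asns": len(asns) >= min_asns,
        "many_blocks": len(blocks) >= min_blocks,
        "recent_registration": registration_age_days <= 30,
        "poor_whois": not whois_quality_ok,
    }
    return FluxReport(indicators, sum(indicators.values()))

def classify(report: FluxReport, threshold: int = 4) -> str:
    """Not every characteristic must be present to flag a domain, but a
    low-TTL-only profile goes to manual review, not to suspension."""
    return "likely-flux" if report.score >= threshold else "manual-review"
```

Running `classify(characterize(FLUX_LIKE, 5, False))` yields "likely-flux" with all six indicators set, while the CDN-like sample scores only on TTL and IP count and is sent to manual review.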
Technical Challenges
• Original characterizations of fluxing attacks are too narrow
– Not all flux attacks are "fast"
• Fluxing is not limited to short TTLs: attackers "flux" in response to loss of communication between bots and their command and control computers
– “Fluxing” alone is insufficient to conclude criminal activity
• Short TTLs for NS records or other adaptive techniques are found in production networks where high availability is paramount
• What additional characteristics distinguish beneficial from criminal fluxing behaviors?
Any best practices today?
• What are some of the best practices available with regard to protection from fast flux?
– Cited Anti-Phishing Best Practices Recommendations for Registrars from APWG
http://www.apwg.org/reports/APWG_RegistrarBestPractices.pdf
– Cited SAC 025
– Enumerated subset of recommendations from both that FF WG believes to be applicable
Where should ICANN and SSAC focus future studies?
• Improve data sharing and analysis among registry, registrar and anticrime/antiphishing communities
• Reduce fraudulent registrations and account theft
• Adopt an accelerated domain suspension plan
• Study algorithms and automated means of detecting domains used in fast flux attacks
– How effective are current detection algorithms?
– Can automation adapt to change as quickly as attackers?
– What is an acceptable false positive rate?
– Can we couple automation with manual inspection to further reduce probability of false positives?
• In parallel, consider evolution of attack strategies
– Srizbi and Conficker
Questions?