ICANN group ponders fixes to fast-flux abuse
"Fast flux" is a technique for rapidly rotating the IP addresses behind a domain name. Respectable service providers and content networks use the same mechanism to spread serious traffic loads and survive server failures. It has also become a favored tool of scammers and spammers.
ICANN this week released a report detailing its initial efforts to save this technique from being commandeered by the bad guys.
Fast flux allows a system administrator to quickly re-route a domain name to a new IP address: the DNS records are published with very short time-to-live values, so resolvers discard the old answer and fetch a new one within minutes. That's handy if the first IP address fails or is overwhelmed (for instance, by a DDoS attack). The problem is that various scamsters have embraced the technique, using it to make malware and phishing sites more resilient and harder to take down, since blocking one address, or even one hosting provider, does little when the domain points somewhere else a few minutes later. A 2007 study cited by ICANN says that phishing networks that use flux techniques stay online 2-6 times longer than those that do not.
There are two kinds of fast-flux operations. In a single-flux setup, the A records for a domain name -- the records that map the name to IP addresses -- are continuously swapped among hundreds or even thousands of compromised hosts, each registered and deregistered in turn. The double-flux technique, which is harder to combat, does the same register-and-deregister dance with the name-server (NS) records for the DNS zone as well, so that the servers answering queries for the domain are themselves a moving target, providing a second level of obfuscation. In both cases, the IP addresses change very rapidly, sometimes every 3-5 minutes or thereabouts.
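The traits described above -- many distinct A records, spread across unrelated networks, served with very short TTLs, and in the double-flux case a rotating NS record set -- are exactly what a defender looks for in passive-DNS data. The following is an added example written for this page, not code from the article, the ICANN report or the Honeynet Project; it runs a simple heuristic over a constructed log of DNS observations (the domain names, hostnames, addresses and thresholds are all invented for illustration). Note the caveat the article raises: a CDN also shows many addresses with short TTLs, so the network-diversity check is what separates it from a zombie-hosted flux network here.

```python
"""Heuristic fast-flux detector over passive-DNS observations.

Added example, not code from the article or the ICANN report. It scores a
domain on many distinct A records spread across many networks with short
TTLs, plus (for double flux) a rotating NS record set. Thresholds are
assumptions. A CDN also shows many addresses and short TTLs, so network
diversity is the check that separates it from a flux network here.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    ts: int       # observation time, epoch seconds
    qname: str    # queried name
    rtype: str    # "A" or "NS"
    rdata: str    # IPv4 address for A, name-server host for NS
    ttl: int


# Constructed sample log ("ts qname rtype rdata ttl"); addresses are
# documentation/placeholder ranges, not real hosts.
SAMPLE_LOG = """
1000 phish.example A  192.0.2.77     180
1000 phish.example A  198.51.100.22  180
1180 phish.example A  203.0.113.10   180
1360 phish.example A  198.18.4.9     180
1540 phish.example A  100.64.7.3     180
1000 phish.example NS ns-a.flux.example 180
1180 phish.example NS ns-b.flux.example 180
1360 phish.example NS ns-c.flux.example 180
1000 cdn.example   A  203.0.113.10   60
1060 cdn.example   A  203.0.113.11   60
1120 cdn.example   A  203.0.113.12   60
1180 cdn.example   A  203.0.113.13   60
1240 cdn.example   A  203.0.113.14   60
1000 cdn.example   NS ns1.cdn.example 86400
1000 drop.example  A  192.0.2.5      300
1300 drop.example  A  198.51.100.9   300
1600 drop.example  A  203.0.113.200  300
1900 drop.example  A  198.18.77.1    300
2200 drop.example  A  100.64.1.1     300
1000 drop.example  NS ns1.drop.example 86400
1000 drop.example  NS ns2.drop.example 86400
"""


def parse_log(text):
    """Parse whitespace-separated log lines into DnsAnswer records."""
    records = []
    for line in text.strip().splitlines():
        ts, qname, rtype, rdata, ttl = line.split()
        records.append(DnsAnswer(int(ts), qname.lower().rstrip("."),
                                 rtype.upper(), rdata.lower().rstrip("."), int(ttl)))
    return records


def flux_features(records, qname):
    """Per-domain counts the classifier needs."""
    a = [r for r in records if r.qname == qname and r.rtype == "A"]
    ns = [r for r in records if r.qname == qname and r.rtype == "NS"]
    ips = {r.rdata for r in a}
    # Group addresses by /16 as a cheap stand-in for "different networks";
    # a real deployment would map to ASNs instead.
    nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    return {
        "unique_ips": len(ips),
        "unique_nets": len(nets),
        "min_ttl": min((r.ttl for r in a), default=None),
        "unique_ns": len({r.rdata for r in ns}),
        "ns_min_ttl": min((r.ttl for r in ns), default=None),
    }


def classify(f, ip_threshold=5, net_threshold=3, ttl_threshold=300, ns_threshold=3):
    """Return 'double-flux', 'single-flux' or 'none' for one feature dict."""
    many_ips = f["unique_ips"] >= ip_threshold
    spread = f["unique_nets"] >= net_threshold
    short_ttl = f["min_ttl"] is not None and f["min_ttl"] <= ttl_threshold
    if not (many_ips and spread and short_ttl):
        return "none"
    ns_churn = (f["unique_ns"] >= ns_threshold
                and f["ns_min_ttl"] is not None and f["ns_min_ttl"] <= ttl_threshold)
    return "double-flux" if ns_churn else "single-flux"


def analyze(text):
    """Map every domain in the log to its verdict."""
    records = parse_log(text)
    return {q: classify(flux_features(records, q)) for q in sorted({r.qname for r in records})}


if __name__ == "__main__":
    for domain, verdict in analyze(SAMPLE_LOG).items():
        print(f"{domain:15} {verdict}")
```

On the constructed log, phish.example is flagged as double flux (five addresses in five different /16s, 180-second TTLs, and three different name servers also on short TTLs), drop.example as single flux (same address churn, but a stable NS set), and cdn.example as nothing (five addresses, but all in one network). The /16 grouping is a deliberate simplification; in practice you would key on ASN or hosting provider, and a legitimate multi-provider CDN can still trip the heuristic, which is why the article's point about legitimate users matters for anyone building automated takedowns on top of such a score.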
It's all done by zombies, of course -- except for those hosting services that do it deliberately, about which Spamhaus has various tart things to say. The Honeynet Project, which has published an excellent technical paper on the process, says that widespread use of fast-flux techniques by the bad guys dates from after March 2007.
ICANN's GNSO (Generic Names Supporting Organization) Fast Flux Hosting Working Group developed the 121-page report (PDF available here) in response to a previous report on the problem issued early last year.
This being ICANN, there's no easy or clear consensus on how fixing fast flux might be accomplished. There's not even consensus on who's using it or why. As mentioned, legitimate businesses often have cause to use the technique, and the report notes that some entities could also use it to circumvent censorship by restrictive governments, and that high-value targets (e.g., military networks) could use it to dodge attacks if needed.
Seven months, 33 members, weekly conference calls and 800-odd e-mails later, the report makes few concrete recommendations. (The report notes, with a hint of dismay, that "neither the GNSO Council nor the charter [of the working group] identified what the objective of a potential recommendation on fast flux should be.") Faster action by registrars to shut down domains exhibiting fast-flux activity could be part of the solution, and/or a reporting system to more swiftly draw attention to offenders.
Those with better ideas, or with specific interest in and understanding of the problem, are invited to read and comment on the GNSO report. After twenty days, the committee will redraft and resubmit the text.