[operational update] Fast-Flux (fast IP changing hosts)

Gadi Evron ge at linuxbox.org
Sun Feb 19 01:12:33 UTC 2006


I figure it's a good idea to update the ops community on a new term 
called Fast-Flux.. but for that you need a bit of background.

There have been three *main* new phishing tricks used over the past 
year.. which will bring us to what interests us...

POST information in the mail message
That means that the user fills his or her data in the HTML email message
itself, which then sends the information to a legit-looking site.

The problem with that, is how do you convince an ISP that a real
(compromised) site is indeed a phishing site, if there is no
phishy-looking page there, but rather a script hiding somewhere?

Trojan horses
This is an increasing problem. People get infected with these bots,
zombies or whatever else you'd like to call them and then start sending
out the phishing spam, while alternating the IP address of the phishing

Which brings us to...

Fast Flux is a term coined in the anti spam world to describe such
Trojan horses' activity.

The DNS RR leading to the phishing server keeps changing, with a new IP
address (or 10) every 10 minutes to a day.

Trying to keep up and eliminate these sites before they move again is
frustrating and problematic, making the bottle-neck the DNS RR which
needs to be nuked.

At times this is even on the domain level itself, making 
termination/suspension of the domain critical.

This has been seen before, but before this past year mostly in POC's. 
This is mostly known in closed communities, and needs some public light.

A lot more data and test cases out there, but I figure this is enough 
for now..



"Out of the box is where I live".
	-- Cara "Starbuck" Thrace, Battlestar Galactica.
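
Added example, not part of the original post: one way to spot the behaviour described above (a DNS RR that gets a new IP address, or several, every 10 minutes to a day) in passive-DNS observations. The observations are constructed, and the function name and thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Constructed passive-DNS observations: (unix_time, name, A-record IPs).
# Names use .example and addresses use RFC 5737 documentation ranges.
OBSERVATIONS = [
    (0,     "login.bank.example", {"192.0.2.10"}),
    (600,   "login.bank.example", {"198.51.100.7", "198.51.100.8"}),
    (1200,  "login.bank.example", {"203.0.113.5"}),
    (1800,  "login.bank.example", {"203.0.113.77", "192.0.2.44"}),
    (0,     "www.shop.example",   {"192.0.2.200"}),
    (43200, "www.shop.example",   {"192.0.2.200"}),
    (86400, "www.shop.example",   {"192.0.2.201"}),  # one ordinary renumbering
]

def flux_report(observations, max_interval=86400, min_changes=3, min_ips=4):
    """Summarise how often each name's A-record set changes.

    A name is flagged when its answer set changed at least min_changes times,
    every change came within max_interval seconds of the previous observation,
    and at least min_ips distinct addresses were seen. The thresholds are
    assumptions; tune them against your own resolver data.
    """
    by_name = defaultdict(list)
    for ts, name, ips in observations:
        by_name[name.lower().rstrip(".")].append((ts, frozenset(ips)))

    report = {}
    for name, rows in by_name.items():
        rows.sort(key=lambda r: r[0])
        seen = set(rows[0][1])
        gaps = []  # seconds between an observation and the changed answer after it
        for (prev_ts, prev_ips), (ts, ips) in zip(rows, rows[1:]):
            if ips != prev_ips:
                gaps.append(ts - prev_ts)
            seen |= ips
        flagged = (len(gaps) >= min_changes
                   and max(gaps, default=0) <= max_interval
                   and len(seen) >= min_ips)
        report[name] = {"changes": len(gaps), "distinct_ips": len(seen),
                        "fastest_change": min(gaps) if gaps else None,
                        "flagged": flagged}
    return report

if __name__ == "__main__":
    for name, row in sorted(flux_report(OBSERVATIONS).items()):
        print(name, row)
```

A flagged name is a candidate for review of the RR or the domain itself, not proof on its own: load-balanced and CDN-hosted names also rotate addresses.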
