The US govt's Cybersecurity and Infrastructure Security Agency, aka CISA, on Thursday urged organizations, internet service providers, and security firms to strengthen defenses against so-called fast flux attacks.
Fast flux refers to a technique for obscuring malicious servers by, rather simply, rapidly altering their Domain Name System (DNS) records.
CISA, the FBI, and cyber authorities in Australia, Canada, and New Zealand – evidently still on speaking terms with the US despite threats of annexation – consider such DNS deception a threat to national security. Fast flux may be less troubling than saber-rattling by a head of state but it is an active threat rather than a proposed one.
"Malicious cyber actors, including cybercriminals and nation-state actors, use fast flux to obfuscate the locations of malicious servers by rapidly changing Domain Name System (DNS) records," said CISA in its advisory [PDF]. "Additionally, they can create resilient, highly available command and control (C2) infrastructure, concealing their subsequent malicious operations."
DNS maps domain names, such as google.com, to numeric network IP addresses like 142.250.191.46. When a crook or government spy infects a victim's computer with malware, that software nasty can look up a domain name baked into its code, such as malware.example.com, to fetch that name's latest IP address from its DNS records. The malware then connects to the server at that IP address to receive instructions from its controllers and to send stolen data.
Every few minutes, typically three to five, the DNS for malware.example.com is automatically updated by the malware's masters so that it resolves to the IP address of another server controlled by those operators. That allows the malware to outrun any network filters that intercept connections to IP addresses of known bad systems. By constantly changing the DNS records from one IP address to another, it turns into a game of Whac-A-Mole.
One could employ DNS filtering to catch lookups of known bad domains, but the malware can generate and look up different domain names on the fly – malware.abc.example.com, malware.def.example.com, malware.jkl.example.com, and so on, as a trivial example – making that another game of Whac-A-Mole.
As described by MITRE, fast flux comes in two unpalatable flavors: single flux and double flux. Single flux involves rapidly changing the DNS A record (or AAAA record for IPv6) that binds the domain name to an IP address. Double flux changes both the DNS A record and the authoritative nameserver for that record – the DNS NS record for the DNS zone file (the full set of DNS records for the domain). It may also involve changing the DNS CNAME (Canonical Name) record.
CISA's illustrations of a single flux DNS attack and a double flux DNS attack (images not reproduced here).
Both techniques, CISA says, rely on botnets – a large number of compromised servers – that serve as relays that make it more difficult to block or take down malicious infrastructure. The malware looks up the latest IP address for a domain name, as described above, and connects to a relay to collect its latest instructions and send any pilfered information.
The cybersec org points to the Hive and Nefilim ransomware attacks, and the Gamaredon Group, as examples of fast flux usage.
CISA et al in their report recommend a combination of detection and defense techniques, such as using threat intelligence feeds in association with boundary firewalls, DNS resolvers, and SIEM (Security Information and Event Management) services.
The government threat orgs also note that some attention should be paid to TTL (time-to-live) values, a DNS record setting that tells a DNS resolver how long to cache an answer before asking the authoritative server again.
"Fast flux domains often have unusually low TTL values," the advisory says. "A typical fast flux domain may change its IP address every three to five minutes."
The issue with this, as noted by regional internet registry APNIC in 2019, is that "half the internet has a one-minute TTL or less, and three-quarters have a five-minute TTL or less." If 75 percent of domains deserve scrutiny because of low TTL values, that's going to result in a lot of false positives.
CISA and tariff-ied allies have other recommendations: implementing anomaly detection systems for DNS; reviewing DNS resolution for inconsistent geolocation; analyzing flow data to find large-scale communication with different IP addresses over a short period of time; developing fast flux detection algorithms; trying to correlate phishing and related malicious activity to fast flux; and helping customers share data about fast flux defense efforts.
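The detection heuristic the advisory sketches, scripted as an added example (not CISA's code) over constructed passive-DNS observations: a domain is flagged only when a low TTL coincides with many distinct A records inside a short window (single flux) and, on top of that, rotating NS records (double flux), so a low-TTL domain with a couple of stable addresses is not flagged on TTL alone. The thresholds, the window, and the example domains are assumptions.

```python
from collections import defaultdict

# Constructed passive-DNS observations: (timestamp_s, qname, rtype, rdata, ttl).
# cdn.example.net mimics a legitimate low-TTL service: TTL 60 but only two IPs.
SAMPLE = [(t, "cdn.example.net", "A", f"203.0.113.{10 + (t // 300) % 2}", 60)
          for t in range(0, 3600, 300)]
# mal.example.com: TTL 180, a new A record every four minutes, one fixed nameserver.
SAMPLE += [(t, "mal.example.com", "A", f"198.51.100.{1 + t // 240}", 180)
           for t in range(0, 1800, 240)]
SAMPLE += [(0, "mal.example.com", "NS", "ns1.example.com", 3600)]
# c2.example.org: TTL 120, rotating A records and rotating NS records.
SAMPLE += [(t, "c2.example.org", "A", f"192.0.2.{1 + t // 300}", 120)
           for t in range(0, 1800, 300)]
SAMPLE += [(t, "c2.example.org", "NS", f"ns{1 + t // 600}.example.org", 300)
           for t in range(0, 1800, 600)]


def max_distinct_in_window(events, window):
    """events: list of (ts, value). Largest number of distinct values seen in any window seconds."""
    events = sorted(events)
    counts, best, lo = defaultdict(int), 0, 0
    for ts, val in events:
        counts[val] += 1
        while ts - events[lo][0] > window:       # slide the left edge forward
            old = events[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def classify(observations, window=3600, ttl_max=300, min_ips=5, min_ns=2):
    """Return {qname: 'double flux' | 'single flux' | 'low ttl only' | 'benign'}."""
    per = defaultdict(lambda: {"A": [], "NS": [], "ttl": []})
    for ts, name, rtype, rdata, ttl in observations:
        per[name][rtype].append((ts, rdata))
        if rtype == "A":
            per[name]["ttl"].append(ttl)
    verdicts = {}
    for name, d in per.items():
        low_ttl = bool(d["ttl"]) and min(d["ttl"]) <= ttl_max
        ips = max_distinct_in_window(d["A"], window)
        nameservers = max_distinct_in_window(d["NS"], window)
        if low_ttl and ips >= min_ips and nameservers >= min_ns:
            verdicts[name] = "double flux"
        elif low_ttl and ips >= min_ips:
            verdicts[name] = "single flux"
        elif low_ttl:
            verdicts[name] = "low ttl only"   # APNIC's caveat: not evidence by itself
        else:
            verdicts[name] = "benign"
    return verdicts
```

Run `classify(SAMPLE)` to see the CDN-style domain land in "low ttl only" while the two churning domains are flagged.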
But in the end, the advisory becomes a promotion for PDNS (Protective DNS) providers – companies that sell security services that can help mitigate fast flux attacks.
Cybersecurity analyst Michael Taggart, via Mastodon, said his major takeaway from the CISA advisory is that organizations need to establish DNS authority by "forcing your assets to use DNS servers of your choosing."
"If you can see and stop DNS queries in your environment, [fast flux] is cut off at the knees," he said.
That is to say, you could filter DNS lookups for fast-flux domains to stop answers reaching infected clients and raise the alarm, provided you can keep on top of which domains are being used, or can detect when clients are making suspicious-looking queries. ®