[apops] [operational update] Fast-Flux (fast IP changing hosts)
- To: apops at apops dot net
- Subject: [apops] [operational update] Fast-Flux (fast IP changing hosts)
- From: Gadi Evron <ge at linuxbox dot org>
- Date: Sun, 19 Feb 2006 03:12:01 +0200
- List-archive: <http://www.apnic.net/mailing-lists/apops>
- List-help: <mailto:firstname.lastname@example.org?subject=help>
- List-id: Asia Pacific Operators Forum <apops.apops.net>
- List-post: <mailto:email@example.com>
- List-subscribe: <http://mailman.apnic.net/mailman/listinfo/apops>, <mailto:firstname.lastname@example.org?subject=subscribe>
- List-unsubscribe: <http://mailman.apnic.net/mailman/listinfo/apops>, <mailto:email@example.com?subject=unsubscribe>
- User-agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)
[X-posted] I figure it's a good idea to update the ops community on a new term called Fast-Flux, but for that you need a bit of background.
There have been three *main* new phishing tricks used over the past year.. which will bring us to what interests us...
POST information in the mail message
------------------------------------

That means that the user fills in his or her data in the HTML email message itself, which then sends the information to a legit-looking site. The problem with that is: how do you convince an ISP that a real (compromised) site is indeed a phishing site, if there is no phishy-looking page there, but rather a script hiding somewhere?

Trojan horses
-------------

This is an increasing problem. People get infected with these bots, zombies or whatever else you'd like to call them, and then start sending out the phishing spam, while alternating the IP address of the phishing server.

Now.. Which brings us to...

Fast-Flux
---------

Fast-Flux is a term coined in the anti-spam world to describe such Trojan horses' activity. The DNS RR leading to the phishing server keeps changing, with a new IP address (or 10) every 10 minutes to a day. Trying to keep up and eliminate these sites before they move again is frustrating and problematic, making the bottleneck the DNS RR, which needs to be nuked. At times this is even on the domain level itself, making termination/suspension of the domain critical.
This has been seen before, but before this past year mostly in POCs. This is mostly known in closed communities, and needs some public light.
There's a lot more data and test cases out there, but I figure this is enough for now..
Gadi. -- http://blogs.securiteam.com/ "Out of the box is where I live". -- Cara "Starbuck" Thrace, Battlestar Galactica.
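The detection side of what the post describes, as an added example that is not part of the original message or anyone's production tooling: a small script that takes passive-DNS style observations (who resolved which name to which IP, with what TTL, and when) and flags names whose A records churn across many unrelated networks with short TTLs. The observations, the hostnames and the thresholds (five distinct IPs, three distinct /24s, median TTL at or under 30 minutes) are all constructed assumptions for the example; the /24 prefix stands in for an ASN lookup so the script runs offline. The same summary applied to NS answers instead of A answers is how you would spot the domain-level case the post mentions.

```python
"""Fast-flux candidate detection over passive-DNS style observations.

Added example, not code from the original post. All observations below
are constructed, and the thresholds are assumptions chosen to separate
a single-IP host and a small CDN pool from a name whose A records
change on every lookup across unrelated networks.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Observation:
    ts: int    # observation time, seconds since epoch (constructed)
    name: str  # queried hostname
    ip: str    # A record returned for that lookup
    ttl: int   # TTL of that answer, in seconds


def _slash24(ip: str) -> str:
    """Network-spread proxy: the first three octets of a dotted-quad.
    Stands in for an ASN lookup so the example runs offline."""
    return ".".join(ip.split(".")[:3])


def _build_sample() -> list[Observation]:
    """Constructed log: one lookup of each name every 10 minutes for an hour."""
    start, step = 1_140_300_000, 600
    obs: list[Observation] = []
    # Ordinary host: one stable IP, long TTL.
    for i in range(7):
        obs.append(Observation(start + i * step, "www.legit.example", "192.0.2.10", 3600))
    # CDN-style pool: a few IPs in one /24, short TTL, rotating round-robin.
    pool = ["198.51.100.21", "198.51.100.22", "198.51.100.23"]
    for i in range(7):
        obs.append(Observation(start + i * step, "static.cdn.example", pool[i % 3], 300))
    # Fast-flux phishing host: a new IP on every lookup, each in a different /24.
    flux = ["10.14.2.7", "10.77.190.3", "10.3.45.200", "10.120.8.66",
            "10.201.77.5", "10.9.133.14", "10.58.20.250"]
    for i in range(7):
        obs.append(Observation(start + i * step, "secure-login.phish.example", flux[i], 600))
    return obs


SAMPLE = _build_sample()


def summarize(observations: list[Observation]) -> dict[str, dict]:
    """Per-name churn statistics: distinct IPs, distinct /24s, median TTL,
    and how many new IPs appeared per hour of observation."""
    by_name: dict[str, list[Observation]] = defaultdict(list)
    for o in observations:
        by_name[o.name].append(o)
    stats = {}
    for name, rows in by_name.items():
        rows.sort(key=lambda o: o.ts)
        ips = {o.ip for o in rows}
        span_s = max(rows[-1].ts - rows[0].ts, 1)  # guard a single observation
        stats[name] = {
            "lookups": len(rows),
            "distinct_ips": len(ips),
            "distinct_24s": len({_slash24(ip) for ip in ips}),
            "median_ttl": median(o.ttl for o in rows),
            "new_ips_per_hour": len(ips) / (span_s / 3600.0),
        }
    return stats


def is_fast_flux(s: dict, min_ips: int = 5, min_nets: int = 3, max_ttl: int = 1800) -> bool:
    """Assumed rule: many IPs, spread over several networks, with TTLs short
    enough that resolvers are forced to re-fetch the changing answer."""
    return (s["distinct_ips"] >= min_ips
            and s["distinct_24s"] >= min_nets
            and s["median_ttl"] <= max_ttl)


def flag_fast_flux(observations: list[Observation], **thresholds) -> list[str]:
    """Names that meet the fast-flux rule, sorted for stable output."""
    return sorted(name for name, s in summarize(observations).items()
                  if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for name, s in sorted(summarize(SAMPLE).items()):
        print(f"{name:30} ips={s['distinct_ips']} nets={s['distinct_24s']} "
              f"ttl={s['median_ttl']} new_ips/h={s['new_ips_per_hour']:.1f} "
              f"flux={is_fast_flux(s)}")
```

The CDN pool is the case to watch when tuning: it has a short TTL and several IPs, but they sit in one network, which is why the rule requires spread across /24s (or ASNs, with a real lookup) and not just a count of addresses. The thresholds are a starting point, not a standard; a real deployment would feed the per-name stats into whatever takedown workflow reaches the registrar, since, as the post says, the RR or the domain is the only stable thing to act on.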