The Akamai Blog

Digging Deeper - An In-Depth Analysis of a Fast Flux Network (Part Two)

Read Part One, an Introduction to Fast Flux Networks, here.

Fluxing - Deep Dive 

The defining characteristic of a Fast Flux network is that it constantly changes its IP addresses, domains, and nameservers. These changes obscure the true structure of the network, making it harder for researchers to map and for defenders to block.

IP Addresses 

Looking at the number of IP addresses associated with the Fast Flux network over time, we observed rapid turnover in the addresses involved. This behavior is known as "single-flux": multiple individual nodes within the network register and de-register their addresses as the A records of a single DNS name. Figure 3 shows the number of IP addresses involved with the observed network per day from May 24, 2017 until June 17, 2017.


Figure 3: Number of IP addresses associated with the Fast Flux network per day over time

Monitoring the rotation of the network's IP addresses across four snapshots, each covering one week of the network and its associated IP addresses, shows that on average 75% of the IP addresses changed between consecutive snapshots. Comparing the first snapshot with the fourth, only 19% of the associated IP addresses remained the same.


Figure 4: IP addresses rotation over time

Domains 

Examining the domains over time, we observed that some alternated between an active and an inactive state (a domain was considered inactive when queries for it received an NXDOMAIN response, meaning "non-existent domain"). The Fast Flux network activated a domain for a limited time frame, so that by the time malicious activity tied to that domain was spotted, a new domain could take its place and the network's services remained intact.

This behavior is known as "double-flux": the nodes' addresses are rotated not only for the malicious domain name but also for the nameservers authoritative for it, so the A records of the nameservers flux along with those of the domain. This provides an additional layer of redundancy and survivability. Following the DNS "trail" and shutting down the servers currently in use does not put an end to the larger botnet.
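The measurements described above (per-snapshot IP turnover as in Figure 4, the active/inactive windows of a domain, and the distinction between single-flux and double-flux) all reduce to set operations over DNS observations. The following is an added example, not Akamai's analysis code; it runs over constructed snapshots using made-up domain and nameserver names and reserved documentation address ranges, and the 0.5 churn threshold in `classify_flux` is an assumed cut-off rather than one taken from the research.

```python
"""Churn metrics for a suspected fast flux domain over constructed DNS
observations. Added example, not Akamai's analysis code; every name and
address below is made up (documentation ranges), and the churn threshold
is an assumed cut-off."""


def churn(prev, cur):
    """Fraction of addresses in `cur` that were not present in `prev`.
    An empty `cur` (e.g. the name returned NXDOMAIN) contributes no churn."""
    if not cur:
        return 0.0
    return len(set(cur) - set(prev)) / len(cur)


def rotation_summary(snapshots):
    """Average churn between consecutive snapshots, plus the share of the
    first snapshot's addresses still present in the last one (cf. Figure 4)."""
    steps = [churn(a, b) for a, b in zip(snapshots, snapshots[1:])]
    first, last = set(snapshots[0]), set(snapshots[-1])
    return {
        "avg_changed": sum(steps) / len(steps) if steps else 0.0,
        "retained_first_to_last": len(first & last) / len(first) if first else 0.0,
    }


def classify_flux(domain_a_snapshots, ns_a_snapshots, threshold=0.5):
    """Single-flux: the domain's own A records churn. Double-flux: the A
    records of the domain's authoritative nameservers churn as well.
    `threshold` is an assumed cut-off on average churn per snapshot."""
    domain_churn = rotation_summary(domain_a_snapshots)["avg_changed"]
    ns_churn = rotation_summary(ns_a_snapshots)["avg_changed"] if ns_a_snapshots else 0.0
    if domain_churn < threshold:
        return "stable"
    return "double-flux" if ns_churn >= threshold else "single-flux"


def active_windows(daily):
    """Collapse per-day observations into contiguous (first_day, last_day)
    ranges during which the name resolved. `daily` maps an ISO date string
    to the set of A records seen, or None when the query returned NXDOMAIN."""
    windows, start, prev = [], None, None
    for day in sorted(daily):           # ISO dates sort chronologically
        active = bool(daily[day])
        if active and start is None:
            start = day
        elif not active and start is not None:
            windows.append((start, prev))
            start = None
        prev = day
    if start is not None:
        windows.append((start, prev))
    return windows


# Constructed weekly snapshots of the A records for a hypothetical domain.
DOMAIN_SNAPSHOTS = [
    {"198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"},
    {"198.51.100.4", "198.51.100.5", "198.51.100.6", "198.51.100.7"},
    {"198.51.100.7", "198.51.100.8", "198.51.100.9", "198.51.100.1"},
    {"198.51.100.1", "198.51.100.10", "198.51.100.11", "198.51.100.12"},
]
# Constructed A records of that domain's authoritative nameserver over the
# same four weeks; they churn too, which is the double-flux signature.
NS_SNAPSHOTS = [
    {"203.0.113.10", "203.0.113.11"},
    {"203.0.113.11", "203.0.113.12"},
    {"203.0.113.13", "203.0.113.14"},
    {"203.0.113.14", "203.0.113.15"},
]
# Constructed daily resolutions; None marks days the name returned NXDOMAIN.
DAILY = {
    "2017-05-24": {"198.51.100.1"},
    "2017-05-25": {"198.51.100.2"},
    "2017-05-26": {"198.51.100.2", "198.51.100.3"},
    "2017-05-27": None,
    "2017-05-28": None,
    "2017-05-29": {"198.51.100.9"},
    "2017-05-30": {"198.51.100.9"},
}

if __name__ == "__main__":
    print(rotation_summary(DOMAIN_SNAPSHOTS))
    print(classify_flux(DOMAIN_SNAPSHOTS, NS_SNAPSHOTS))
    print(active_windows(DAILY))
```

On real data the snapshots would come from passive DNS or repeated resolver queries; the point of keeping the nameserver's own A records as a separate series is that a domain whose A records churn behind a stable nameserver is single-flux, while churn in both series is the double-flux pattern described above.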


Figure 5: Number of IP addresses associated with each Fast Flux network domain per day over time

Nameservers 

We observed more than 15 nameservers, most registered by different entities, associated with the Fast Flux network. Over time the nameserver in use changed as new servers were rotated in. We attribute this behavior to the network's need to resist detection: the nameserver is an entity that is constantly changing and therefore hard to track.


Figure 6: Example of registrant information for two of the Fast Flux network's nameservers

The analysis of the Fast Flux network begins with the assumption that the botnet is malicious. The nameservers' registrant information (see Figure 6) shows what are most likely fake identities for the alleged owners of the nameservers. When we compare those nameservers by their associated IP addresses later in this paper, we find evidence that they are strongly related. Someone took the time to register them under different fake names associated with different countries so that they would look unrelated; the correlation analysis below shows that they are not.

Another indicator is the registration history of the nameservers: most were registered recently, pointing to an emerging operation. The use of fake identities is a further technique Fast Flux operators use to make nameservers look legitimate.

Fast Flux Domains and Nameserver Correlation 

To visualize the strength of the relationships between the domains hosted on the Fast Flux network, we created a heat map of the correlations between domains. Similarity is computed from the overlap between the sets of IP addresses associated with each pair of domains.

Each pair of domains has a similarity value between 0 and 1. A value of 1 represents a perfect match (i.e., the set of IP addresses associated with the first domain contains the set associated with the second). Note that this measure is directional: a domain with a large address set can fully contain a smaller one without the reverse holding. In the heat map below, cells are shaded a darker blue as the similarity value approaches 1.
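The similarity behind the heat maps is a set-overlap measure over each entity's associated IP addresses, and the same computation serves both the domain heat map and the nameserver heat map (apply it to a nameserver-to-IP mapping instead of a domain-to-IP mapping). The following is an added example, not Akamai's code; the domain names and addresses are constructed, `containment` follows the page's definition (1 when the first set contains the second), and the Jaccard variant is an addition of mine as a symmetric alternative, not the measure the research used.

```python
"""Pairwise similarity of fast flux domains (or nameservers) by shared IP
addresses. Added example, not Akamai's code; the mapping below is constructed
from made-up names and documentation address ranges."""

# Constructed: entity -> set of IP addresses observed for it over the
# collection window. Use a nameserver -> IP mapping for the Figure 8 case.
DOMAIN_IPS = {
    "a.example": {"198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"},
    "b.example": {"198.51.100.1", "198.51.100.2", "198.51.100.3"},
    "c.example": {"198.51.100.3", "198.51.100.4", "198.51.100.5", "198.51.100.6"},
    "d.example": {"203.0.113.7", "203.0.113.8"},
}


def containment(a, b):
    """Share of b's addresses also seen for a. Returns 1.0 when a's set
    contains b's (the page's definition of a perfect match). Not symmetric."""
    if not b:
        return 0.0
    return len(a & b) / len(b)


def jaccard(a, b):
    """Symmetric alternative (my addition): |a & b| / |a | b|."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def similarity_matrix(entities, measure=containment):
    """Full matrix as nested dicts, matrix[x][y] = measure(ips(x), ips(y))."""
    names = sorted(entities)
    return {x: {y: measure(entities[x], entities[y]) for y in names} for x in names}


def strong_pairs(matrix, threshold=0.5):
    """Unordered pairs whose similarity, in either direction, reaches threshold.
    Taking the max of both directions compensates for a directional measure."""
    names = sorted(matrix)
    out = []
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            s = max(matrix[x][y], matrix[y][x])
            if s >= threshold:
                out.append((x, y, round(s, 2)))
    return out


def render(matrix):
    """Plain-text rendering of the heat map: one row per entity, 0.00 to 1.00."""
    names = sorted(matrix)
    width = max(len(n) for n in names)
    lines = [" " * width + "  " + " ".join(f"{n[:5]:>5}" for n in names)]
    for x in names:
        lines.append(f"{x:>{width}}  " + " ".join(f"{matrix[x][y]:5.2f}" for y in names))
    return "\n".join(lines)


if __name__ == "__main__":
    m = similarity_matrix(DOMAIN_IPS)
    print(render(m))
    print(strong_pairs(m))
```

With the constructed data, `a.example` fully contains `b.example` (similarity 1.0 in that direction, 0.75 in the other), shares half of its addresses with `c.example`, and shares nothing with `d.example`; `strong_pairs` is the step that turns the matrix into the list of related infrastructure a practitioner would actually block or pivot on.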


Figure 7: Similarity heat map between different domains

A similar heat map was also created for the nameservers hosting the domains in the Fast Flux network. For example, the nameservers "klyatiemoskali{.}at" and "cobby{.}at" show a strong correlation, with a similarity value of 0.75.

Figure 8: Similarity heat map between different nameservers

Looking at the heat maps, we can see that many pairs of domains and nameservers are strongly related. This strengthens our suspicion that fluxing is taking place: a network of compromised machines is being activated by rapidly reallocating resources (represented here by IP addresses) to new domains and nameservers.

Continue reading more about two different Fast Flux sub-networks in Part Three.