A
domain name server (DNS) helps the users to reach a particular
website hosted on a particular server. With the advance in
technology, the DNS service has been upgraded to dynamic DNS service.
The dynamic DNS service helps a domain name to point to Internet
resources hosted on changing public IP addresses. However, dynamic
DNS service has both advantages and disadvantages just like all other
technologies.
On the positive side, the dynamic DNS service helps
small scale businesses who need to provide consistent content or
services to their customers. These small scale businesses use the IP
assigned to them by their ISP, and every time their IP changes, they
notify their dynamic DNS provider to update its name servers so that
the customer’s domain points now to the new IP.
On the negative side, the dynamic DNS service,
especially the free dynamic DNS service, are being abused by cyber
criminals for various cyber crimes and cyber attacks. Some of the
nefarious activities of cyber criminals abusing dynamic DNS service
include malware implants in websites, targeted spear phishing,
establishing of C&C for botnet, spamming, etc.
Abusing dynamic DNS service helps the cyber
criminals escape the authorship
attribution for their cyber crimes. It provides a layer of
anonymity and anti
forensics to the criminal activities of those abusing dynamic DNS
service. This is more so when IP address cannot be solely relied upon
to secure a
conviction in a cyber crime case.
Further, using dynamic DNS services can also help in
bypassing the IP blacklisting deployed by various service providers
to prevent DNS abuses. The malware can be continued to be used to
infect the computers of end users by using constantly-changing
hosting IP addresses.
These IP addresses usually belong to law abiding and
innocent users whose computers are compromised and made part of the
botnet. These IP addresses may also belong to compromised public
websites where the malicious payloads may be installed.
There may be a situation where domains themselves
may be blacklisted. To circumvent domain blacklisting, cyber
criminals can also use randomly-generated disposable sub-domains
under the dynamic DNS domain to point to the next hop in a
redirection chain or to the final malware hosting IP.
This behaviour seems similar to fast flux method but
in practice dynamic DNS and fast flux are different concepts. Dynamic
DNS operates at a micro level whereas fast flux operates at a macro
level. Dynamic DNS operates at a regional level whereas fast flux
operates at international level. Further, the authoritative name
servers for a dynamic DNS domain physically belong to the dynamic DNS
provider, whereas with fast flux, double fluxing is possible where
the name servers can be made point to constantly changing IP address
of physical hosts located in different countries. In practice,
dynamic DNS domains map to a much smaller set of IP addresses than
fast flux.
So what is the purpose of using the fast flux
method? Fast flux is a DNS technique used by cyber criminals to
hide phishing and malware delivery sites behind an ever-changing
network of compromised hosts (botnets) acting as proxies. It can also
refer to the combination of peer-to-peer networking, distributed
command and control, web-based load balancing and proxy redirection
used to make malware networks more resistant to discovery and
counter-measures. Fast flux may be a single-flux or double-flux.
Some of these phishing and malware delivery websites
are hosted on bullet proof server with mirrored hosting facilities.
Mirrored hosting is a powerful mirrored web hosting management
platform that uses multiple specially designed virtual servers to
host website with 100% uptime. This is supported by powerful
automated control panels. No one is able to trace original IP of the
server or the place where the files are hosted so the
websites/domains hosted have a 100% Uptime.
The security vendors must have been working on this
issue and they may come up with state of the art and innovative
methods to deal with this situation.
Source: CECSRDI.