OpenDNS should develop a way to detect and block malware domains that use fast flux:

"Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies."

from: http://en.wikipedia.org/wiki/Fast_flux

Comments

written by Larry Gilbert 624 days ago (Rating: 1)

Since OpenDNS works with domain-name lookups, not IP filtering, I think it is already equipped to handle the "single-flux" case, but the "double-flux" case would remain a challenge.

written by bilcorry 612 days ago (Rating: 5)

ICANN released an advisory called "Advisory on Fast Flux Hosting and DNS":

http://www.icann.org/committees/security/sac025.pdf

And there's a new research paper out on "Measuring and Detecting Fast-Flux Service Networks":

http://honeyblog.org/archives/161-Measuring-and-Detecting-Fast-Flux-Service-Networks.html

written by sparko 584 days ago (Rating: 0)

bilcorry, I commend you for following up by posting the additional links. Really, I think it's outside the scope of OpenDNS' service to tackle FastFlux (monitor, identify and block, in real time).

As I understand it, the monitoring/identification technique involves watching for frequent NS changes and/or excessively short TTLs.

Once you open THAT can-o-worms, what do you do (how do you treat) DynDNS-hosted servers, etc.? Do you "give them a global whitelisting"? If so, the fluxxers will just flock to running from behind, or within, dyndns (if they're not doing so already). Personally, I believe many fluxxers *are* already abusing dyndns in this manner. Additionally, I believe that once they've paid their $4.95/mo, dyndns really isn't motivated to police them. As such, the scenario has shaded my opinion of "who uses dyndns? to host a SERVER?!?" to the point where I block dyndns and similar services (no-ip) carte blanche, at the domain level.

I do agree that the identification of, and end-user protection from, FastFlux-enabled monkeyshite is an important issue. I'm confident that Symantec and McAfee as well as Agnitum, Comodo, and various other vendors are working toward providing "branded" protection for us, based on their individual, proprietary "special sauce" algorithms each is developing in-house.

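The heuristic sparko sketches (watch for excessively short TTLs and frequent NS changes), together with Larry Gilbert's single-flux/double-flux distinction, can be turned into a small scoring script. The following is an added illustration written for this page; it is not OpenDNS's detection logic, and the thresholds, domain names, addresses (RFC 5737 documentation ranges) and the twelve constructed lookups in `build_sample()` are all assumptions. It also reproduces the false-positive sparko worries about: a dynamic-DNS host has a low TTL but only one stable address, so TTL alone must not be the trigger.

```python
"""Toy fast-flux heuristic: short TTLs plus churn in A (single flux) and NS (double flux) records."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    """One resource record seen in a DNS response."""
    t: int        # seconds since the start of the observation window
    name: str     # domain the record belongs to
    rtype: str    # "A" or "NS"
    rdata: str    # IPv4 address for A, nameserver host for NS
    ttl: int


# Thresholds are assumptions chosen for this illustration, not OpenDNS's values.
SHORT_TTL = 600         # anything at or below 10 minutes counts as "short"
MIN_DISTINCT_A = 5      # a rotating proxy pool shows many distinct front-end IPs
MIN_DISTINCT_NS = 3     # double flux also rotates the authoritative servers
WINDOW = 3600           # seconds of observations to consider


def summarize(answers, window=WINDOW):
    """Collect, per domain, the distinct A and NS rdata and the lowest TTL seen in the window."""
    stats = defaultdict(lambda: {"A": set(), "NS": set(), "min_ttl": None})
    for a in answers:
        if a.t > window or a.rtype not in ("A", "NS"):
            continue
        s = stats[a.name]
        s[a.rtype].add(a.rdata)
        s["min_ttl"] = a.ttl if s["min_ttl"] is None else min(s["min_ttl"], a.ttl)
    return stats


def classify(s):
    """Apply the TTL/churn heuristic to one domain's summary."""
    short = s["min_ttl"] is not None and s["min_ttl"] <= SHORT_TTL
    many_a = len(s["A"]) >= MIN_DISTINCT_A
    many_ns = len(s["NS"]) >= MIN_DISTINCT_NS
    if short and many_a and many_ns:
        return "double-flux"
    if short and many_a:
        return "single-flux"
    if short:
        # A dynamic-DNS host also uses a low TTL, but keeps pointing at one address.
        return "short-ttl-only"
    return "benign"


def verdicts(answers):
    """Map each observed domain to its verdict."""
    return {name: classify(s) for name, s in summarize(answers).items()}


def build_sample():
    """Constructed observations: twelve lookups, five minutes apart, of four domains."""
    a_pool = [f"192.0.2.{i}" for i in range(1, 21)]          # RFC 5737 documentation range
    ns_pool = [f"ns{i}.flux.example" for i in range(1, 7)]
    out = []
    for k in range(12):
        t = 300 * k
        # Double flux: three proxies from a rotating pool, and rotating nameservers.
        for j in range(3):
            out.append(Answer(t, "flux.example", "A", a_pool[(3 * k + j) % 20], 300))
        for j in range(2):
            out.append(Answer(t, "flux.example", "NS", ns_pool[(k + j) % 6], 300))
        # Single flux: rotating proxies behind two stable nameservers.
        out.append(Answer(t, "shop.flux2.example", "A", f"198.51.100.{k + 1}", 300))
        out.append(Answer(t, "shop.flux2.example", "NS", "ns1.flux2.example", 300))
        out.append(Answer(t, "shop.flux2.example", "NS", "ns2.flux2.example", 300))
        # Dynamic-DNS style host: low TTL but a single stable address.
        out.append(Answer(t, "home.dyn.example", "A", "203.0.113.5", 60))
        # Ordinary site: two addresses, long TTL.
        out.append(Answer(t, "www.static.example", "A", "203.0.113.10", 86400))
        out.append(Answer(t, "www.static.example", "A", "203.0.113.11", 86400))
    return out


if __name__ == "__main__":
    for name, v in sorted(verdicts(build_sample()).items()):
        print(f"{name:22} {v}")
```

Run it and the four constructed domains come out as double-flux, single-flux, short-ttl-only and benign respectively. A resolver would feed `summarize()` from its own query log rather than from `build_sample()`; the point of the three-way split in `classify()` is that the dynamic-DNS case is separated from flux by address churn, not by TTL, which is what a whitelist-free approach to sparko's objection would need.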
written by holmanwebb 512 days ago (Rating: 1)

This could be opt-in, i.e. if you / your users are not using DynDNS then block domains with suspicious activity, or alternatively allow a click-through from a warning page. This is a logical extension to the Block Suspicious Responses option, so very much an OpenDNS area of responsibility.
