Attackers are continuing to benefit from the use many different techniques to remain hidden. New research released Oct. 10 by Akamai reveals that a botnet with over 14,000 IP addresses has been using the fast flux DNS technique to evade detection while still causing damage to users and organizations.
Fast Flux is an attacker technique that uses the Domain Name System (DNS) to hide the source of an attack. DNS operates by referring a domain name to a specific IP address.
In a fast flux attack, multiple sets of IP addresses are rapidly swapped in and out of the DNS records in an attempt to evade detection. Akamai's research team was able to track one particular fast flux botnet with over 14,000 IP addresses, with most of the addresses coming from Eastern Europe.
"No attribution to a specific attacker, but the research shows that the majority of botnet IP addresses are from Ukraine, Romania and Russia," Or Katz, Principal Lead Security Researcher, Akamai, told eSecurityPlanet.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
Botnets have been using fast flux techniques before, including the zBot and Avalanche networks that were both publicly revealed in 2016. Despite its use of fast flux, the Avalance botnet was actually taken down by global law enforcement officials in December 2016.
Though fast flux is not a new attack technique, Katz noted that the focus of his research paper was to present different point of views on fast flux botnets by using data science approaches. Those approaches show different aspects of the botnet's behavior.
"According to the evidence we were able to collect, we assume that the botnet infrastructure is based on compromised machines and the machines that are associated with the botnet are constantly changing," Katz said. "The fast flux technique being used is abusing the features of DNS in a way that serve their objectives."
Akamai has not given the 14,000 IP strong fast flux botnet it detected a specific name and Katz noted that he didn't have any specific information on the precise impact of the botnet in terms of numbers of victims or financial loses.
"While tracking fast flux botnet is challenging, it is possible to do so by using algorithms that capture the fluxing behavior by looking on the relevant features, and this can lead to detecting such networks out-of-the-box," Katz said.
The key factor in detecting fast flux, according to Katz is having visibility into the threat landscape as well as DNS and web traffic.
"Fast flux botnets are using domain names as the way for communication with malware," Katz said. "Having algorithms that can track those domain names, once they start to become active, can reduce the effectiveness of such botnets."
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.