Word Notes 6.15.21
Ep 54 | 6.15.21

fast flux (noun)

Transcript

Rick Howard: The word is: fast flux.

Rick Howard: Spelled: fast as in rapid, and flux as in change.

Rick Howard: Definition: a network designed to obfuscate the location of a cyber adversary's command and control server by manipulating the domain name system, or DNS, in a way that rotates the associated IP address among large numbers of compromised hosts in a botnet.

Rick Howard: Example sentence: Fast flux agents within a botnet act as a relay between the "real" command and control server and the victim machine trying to download tools and instructions that will enable the attacker to complete the attack sequence.

Rick Howard: Origin and context: Hang onto your hats, this one is complicated. From the command and control section of the Lockheed Martin intrusion kill chain model, fast flux networks first appeared in 2007. When a real storm hit Europe, hackers released a malicious Trojan horse email with the sensational headline "230 dead as storm batters Europe." 

Rick Howard: According to Mikko Hypponen, head of research at the Finnish data security firm F-Secure, hundreds of thousands of people clicked the link and added their device to the Storm Worm Fast Flux network.

Rick Howard: According to the MITRE ATT&CK website, cyber adversaries use a fully qualified domain name, like BadGuy.biz for their command and control channel, but set the DNS, or domain name system, time-to-live parameter to be very short, like less than five minutes. Typically, DNS entries don't change that much, but with this configuration, cyber adversaries change the IP resolution address to their command and control server, www.commandandcontrol.badguy.biz, every five minutes to another botnet host.

Rick Howard: Botnet hosts relay the command and control traffic from the victim site to the actual command and control server. According to David Balaban at CyberNews, the Storm Worm Fast Flux network contained close to 2 million compromised hosts. The impact is that fast flux networks make it impractical for network defenders to block access to the relay botnet hosts because there are so many and make it difficult for law enforcement officials to use search warrants to track the hackers back to the source. This obfuscation technique is called the single-flux method. To add an additional layer of misdirection, hackers deploy the double-flux method. They still use the single-flux method of changing the command and control server IP addresses quickly in the domain name server, but then they also change the IP addresses registered in the DNS zone that the domain name server belongs to in the same round-robin manner. It's diabolical.

Rick Howard: Nerd reference: In the 2012 James Bond movie "Skyfall," Q describes defending against a terrorist hacking technique like trying to solve a Rubik's cube that's fighting back. Exactly. 

Rick Howard: But for a double bonus nerd reference, in the 2008 hacker movie "Untraceable," Academy Award nominee Diane Lane plays an FBI cyber cop. She and her boss, played by the perennial "That Guy" actor Peter Gray Lewis, and her colleague, played by Colin Hanks, whose dad by the way is Tom Hanks, are tracking down a serial killer who live-streams his next victims on the website www.killwithme.com.

Rick Howard: His promise to his audience is the more hits he gets on the site, the more gruesome the death will be. In this clip, Diane Lane explains a twist on the fast flux network idea. Each botnet host has a copy of the killwithme website, and that's why the FBI can't track the killer to his evil lair. Now remember, this movie came out just one year after the Storm Worm Fast Flux network emerged. 

Diane Lane: It's been doing that all night. The site's IP keeps changing constantly. Each new address is an exploited server. It's running a mirror of the site. The site's Russian name server uses a low TTL. So your computer constantly queries the name servers record and that's how it gives you a new address so consistently.

Diane Lane: I mean, look, there are thousands of exploited servers on the internet, so he's not going to run out of victims anytime soon, but he's accessing these machines so quickly. He's got to be running his own botnet. I mean, we are blackholing these IPs, but every time we shut one down, a new mirror pops up.

Rick Howard: Word Notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliot Peltzman. Thanks for listening.