[gnso-ff-pdp-may08] Interesting comment from major A/V vendor on fast vs. other flux
This is from a lead researcher at one of the largest A/V vendors out there - hopefully they can contribute some hard data eventually, but he's tied up at the moment. Again this is anecdotal, but this helps illustrate the challenge with "fast" in the problem statement: <quote>FF is only half the story though, most of the bp hosters are slow fluxing just enough to be ahead of the whackamole crowd. The tricky Phish and CP colocate these days on slow fluxers. I don't think I have a big enough cluestick to thump them with the evils of bpnameserver dot com and friends. But lets try: The last CP ring I investigated was slow flux - 150 changes in 3.5 days but interestingly only used 25 IP's in total, one site advertised 13 others- it was mixed with wells fargo phish campaigns that fluxed 10 nameservers a total of 107399 times. I know which one I world direct law enforcement at first. </quote>The key here is that we have the same basic thing going on - just at different rates. A fraudulently registered domain name being hosted on a network of compromised hosts with DNS served by criminally controlled nameservers (typically bots themselves). The key for them is to keep the hosting for their content live based on a permanent fixed identifier (they understand domain names really well!) over an unstable underlying physical infrastructure (their IP based bots) since those bots can fail at any time, be blocked via black lists, lead investigators to their activities, or some other "bad" thing for their goals. Their infrastructure is also constantly under attack from the real owners of the nodes (installing/using A/V), ISPs of the nodes (walled gardens and port blocking), Law Enforcement, and others trying to eliminate their malicious campaigns. Thus any single part of their physical IP infrastructure must be considered expendable, and their main concern is keeping their semi-permanent presence (a domain name) for their campaign active as long as possible. |