Fast Flux Service Networks: Dynamics and Roles in Hosting Online Scams

msra(2008)

Abstract
This paper studies the dynamics of fast flux service networks and their role in online scam hosting infrastructures. By monitoring changes in DNS records of over 350 distinct fast flux domains collected from URLs in 115,000 spam emails at a large spam sinkhole, we measure the rate of change of DNS records, accumulation of new distinct IPs in the hosting infrastructure, and location of change both for individual domains and across 21 different scam campaigns. We find that fast flux networks redirect clients at much different rates—and at different locations in the DNS hierarchy—than conventional load-balanced Web sites. We also find that the IP addresses in the fast flux infrastructure itself change rapidly, and that this infrastructure is shared extensively across scam campaigns, and some of these IP addresses are also used to send spam. Finally, we compared IP addresses in fast-flux infrastructure and flux domains with various blacklists (i.e., SBL, XBL/PBL, and URIBL) and found that nearly one-third of scam sites were not listed in the URL blacklist at the time they were hosting scams. We also observed many hosting sites and nameservers that were listed in both the SBL and XBL both before and after we observed fast-flux activity; these observations lend insight into both the responsiveness of existing blacklists and the life cycles of fast-flux nodes.

In this paper we show that attackers have developed a sophisticated infrastructure for directing victims to scam sites that move around frequently to evade detection and blocking. Attackers that mount scam campaigns appear to be making extensive use of fast-flux service networks (8), which can dynamically (and quickly) redirect clients to different sites for hosting scams. The machines that host content are typically ephemeral (i.e., they may simply be compromised machines) and distinct from the controllers that provide content and control redirections.

This paper studies the dynamics of fast-flux service networks as they are used to host point-of-sale sites for email scam campaigns. We study the scam sites that were hosted by more than 350 domains as part of 21 scam campaigns in over 115,000 emails collected over the course of a month at a large spam sinkhole. We study the characteristics of the dynamics of the infrastructure hosting fast-flux service networks, the roles that various machines play in hosting online scams, and the effectiveness of various blacklists at identifying IP addresses and URLs of scam sites.

Previous work has studied the rates at which fast-flux networks change DNS A-record mappings (i.e., name to IP address mappings) and the rate at which new IP addresses are accumulated (6); this paper expands on that study and presents many new classes of findings. First, we study fast-flux networks by campaign to determine whether dynamics differ across campaigns, and whether distinct spam campaigns share fast-flux service infrastructure. Second, we perform continual and iterative DNS monitoring to discover the locations in the DNS hierarchy where fast-flux networks dynamically redirect clients. Finally, we study the roles of fast-flux nodes in hosting different parts of the infrastructure (e.g., authoritative name server, Web server, or spammer) and how these roles evolve over time.

Table 1 summarizes the findings of our study and possible implications for these findings. We present findings regarding the following aspects of fast-flux networks:

Rate of change. We examine the rates at which fast-flux networks redirect clients to different authoritative name servers (either by changing the authoritative nameserver's name or IP address), or to different Web sites entirely. We find that, while the DNS TTL val-
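The measurement methodology above (iterative DNS monitoring, rate of change per level of the delegation chain, accumulation of distinct IPs, infrastructure sharing across campaigns, and the roles nodes play) can be reproduced on a small scale from a defender's DNS logs. The following is an added example, not code from the paper or its authors; it replays a handful of constructed lookup snapshots (all domain names, IP addresses and campaign labels are made up, using reserved .test and documentation address ranges) and computes those metrics.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """One iterative DNS lookup of a scam domain: the NS names, the A records
    of those nameservers, and the A records of the domain itself."""
    t: int                 # seconds since monitoring began
    domain: str
    campaign: str          # scam campaign the spam URL was grouped into
    ns: frozenset          # authoritative nameserver names
    ns_ips: frozenset      # A records of the nameservers
    a: frozenset           # A records of the scam site (web hosts)


def snap(t, domain, campaign, ns, ns_ips, a):
    return Snapshot(t, domain, campaign, frozenset(ns), frozenset(ns_ips), frozenset(a))


# Constructed lookups (not real measurements): a pharmacy-campaign domain that
# rotates web hosts every 5 minutes and later moves its nameserver, and a
# watch-campaign domain that reuses part of the same infrastructure.
SNAPSHOTS = [
    snap(0,   "pharma-flux.test", "campaign-P", ["ns1.flux.test"], ["198.51.100.10"], ["203.0.113.5", "203.0.113.6"]),
    snap(300, "pharma-flux.test", "campaign-P", ["ns1.flux.test"], ["198.51.100.10"], ["203.0.113.6", "203.0.113.7"]),
    snap(600, "pharma-flux.test", "campaign-P", ["ns1.flux.test"], ["198.51.100.11"], ["203.0.113.8"]),
    snap(900, "pharma-flux.test", "campaign-P", ["ns2.flux.test"], ["198.51.100.11"], ["203.0.113.8"]),
    snap(0,   "watch-flux.test",  "campaign-W", ["ns1.flux.test"], ["198.51.100.10"], ["203.0.113.5"]),
    snap(600, "watch-flux.test",  "campaign-W", ["ns1.flux.test"], ["198.51.100.10"], ["203.0.113.9", "198.51.100.11"]),
]


def changes_by_level(snaps):
    """Count, per domain, how often each level of the delegation chain changed
    between consecutive lookups: NS name, NS IP address, or the site's own A records."""
    counts = defaultdict(lambda: {"ns_name": 0, "ns_ip": 0, "web_a": 0, "lookups": 0})
    prev = {}
    for s in sorted(snaps, key=lambda s: (s.domain, s.t)):
        c = counts[s.domain]
        c["lookups"] += 1
        if s.domain in prev:
            p = prev[s.domain]
            c["ns_name"] += int(p.ns != s.ns)
            c["ns_ip"] += int(p.ns_ips != s.ns_ips)
            c["web_a"] += int(p.a != s.a)
        prev[s.domain] = s
    return dict(counts)


def change_rate(snaps, domain, level="web_a"):
    """Changes per hour at the given level over the domain's monitoring window
    (None when only one lookup exists, so no rate can be formed)."""
    mine = sorted((s for s in snaps if s.domain == domain), key=lambda s: s.t)
    span = mine[-1].t - mine[0].t if len(mine) > 1 else 0
    if span == 0:
        return None
    return changes_by_level(mine)[domain][level] / (span / 3600)


def ip_accumulation(snaps, domain):
    """Cumulative count of distinct IPs (web hosts plus nameservers) seen for a
    domain after each lookup; a steadily rising curve is the flux signature."""
    seen, curve = set(), []
    for s in sorted((s for s in snaps if s.domain == domain), key=lambda s: s.t):
        seen |= s.a | s.ns_ips
        curve.append((s.t, len(seen)))
    return curve


def shared_infrastructure(snaps):
    """IPs (web or NS) that appear in more than one scam campaign."""
    by_ip = defaultdict(set)
    for s in snaps:
        for ip in s.a | s.ns_ips:
            by_ip[ip].add(s.campaign)
    return {ip: sorted(c) for ip, c in by_ip.items() if len(c) > 1}


def node_roles(snaps):
    """Roles each IP played over the monitoring period: 'web', 'ns', or both."""
    roles = defaultdict(set)
    for s in snaps:
        for ip in s.a:
            roles[ip].add("web")
        for ip in s.ns_ips:
            roles[ip].add("ns")
    return dict(roles)


if __name__ == "__main__":
    for d, c in changes_by_level(SNAPSHOTS).items():
        print(d, c, "web A changes/hour:", change_rate(SNAPSHOTS, d))
    print("IP accumulation:", ip_accumulation(SNAPSHOTS, "pharma-flux.test"))
    print("shared across campaigns:", shared_infrastructure(SNAPSHOTS))
    print("dual-role nodes:", {ip: r for ip, r in node_roles(SNAPSHOTS).items() if len(r) > 1})
```

Feeding real resolver logs in requires only producing one `Snapshot` per iterative lookup; the level breakdown tells you whether a domain is moving its web hosts, its nameservers' addresses, or the delegation itself, and the shared-infrastructure and role views surface nodes worth blocking or reporting regardless of which campaign first exposed them.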
Keywords
load balancing