AT2k Design BBS Message Area
Casually read the BBS message area using an easy to use interface. Messages are categorized exactly like they are on the BBS. You may post new messages or reply to existing messages!

From: VRSS
To: All
Subject: NSA Warns 'Fast Flux' Threatens National Security
Date/Time: April 4, 2025 5:40 PM

Feed: Slashdot
Feed Link: https://slashdot.org/
---

Title: NSA Warns 'Fast Flux' Threatens National Security

Link: https://it.slashdot.org/story/25/04/04/205921...

An anonymous reader quotes a report from Ars Technica: A technique that
hostile nation-states and financially motivated ransomware groups are using
to hide their operations poses a threat to critical infrastructure and
national security, the National Security Agency has warned. The technique is
known as fast flux. It allows decentralized networks operated by threat
actors to hide their infrastructure and survive takedown attempts that would
otherwise succeed. Fast flux works by cycling through a range of IP addresses
and domain names that these botnets use to connect to the Internet. In some
cases, IPs and domain names change every day or two; in other cases, they
change almost hourly. The constant flux complicates the task of isolating the
true origin of the infrastructure. It also provides redundancy. By the time
defenders block one address or domain, new ones have already been assigned.

"This technique poses a significant threat to national security, enabling
malicious cyber actors to consistently evade detection," the NSA, FBI, and
their counterparts from Canada, Australia, and New Zealand warned Thursday.
"Malicious cyber actors, including cybercriminals and nation-state actors,
use fast flux to obfuscate the locations of malicious servers by rapidly
changing Domain Name System (DNS) records. Additionally, they can create
resilient, highly available command and control (C2) infrastructure,
concealing their subsequent malicious operations."

There are two variations of fast flux described in the advisory: single flux
and double flux. Single flux involves mapping a single domain to a rotating
pool of IP addresses using DNS A (IPv4) or AAAA (IPv6) records. This constant
cycling makes it difficult for defenders to track or block the associated
malicious servers since the addresses change frequently, yet the domain name
remains consistent. Double flux takes this a step further by also rotating
the DNS name servers themselves. In addition to changing the IP addresses of
the domain, it cycles through the name servers using NS (Name Server) and
CNAME (Canonical Name) records. This adds an additional layer of obfuscation
and resilience, complicating takedown efforts.

"A key means for achieving this is the use of Wildcard DNS records," notes
Ars. "These records define zones within the Domain Name System, which map
domains to IP addresses. The wildcards cause DNS lookups for subdomains that
do not exist, specifically by tying MX (mail exchange) records used to
designate mail servers. The result is the assignment of an attacker IP to a
subdomain such as malicious.example.com, even though it doesn't exist." Both
methods typically rely on large botnets of compromised devices acting as
proxies, making it challenging for defenders to trace or disrupt the
malicious activity.


---
VRSS v2.1.180528
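The single-flux and double-flux patterns described in the message above are something a resolver or passive-DNS log can be scored for directly. The script below is an added example for this thread, not code from the NSA/FBI advisory or from Ars: it walks constructed passive-DNS rows (time, qname, rtype, rdata, ttl) and flags a zone as single flux when its A/AAAA answers are numerous, spread over many coarse prefixes, and short-lived, and as double flux when the zone's NS hostnames and their own addresses rotate as well. The addresses (10.0.0.0/8 placeholders), the zone names and the thresholds are all assumptions for illustration; the /16 prefix count stands in for an IP-to-ASN lookup a real pipeline would use.

```python
"""Score passive-DNS observations for single-flux and double-flux behaviour.

Added example for this thread; it is not code from the NSA/FBI advisory or the
Ars article. Records, addresses and thresholds below are constructed for
illustration (10.0.0.0/8 placeholders, not real attacker infrastructure).
"""
from dataclasses import dataclass
from statistics import median
import ipaddress

# Assumed thresholds: tune against your own resolver data.
MIN_IPS = 8           # distinct A/AAAA answers seen in the window
MIN_PREFIXES = 5      # distinct /16 (v4) or /32 (v6) prefixes across those answers
MAX_MEDIAN_TTL = 300  # flux pools need short TTLs so stale answers expire quickly
MIN_NS = 4            # distinct NS hostnames seen for the zone
MIN_NS_IPS = 4        # distinct addresses those NS hostnames resolved to


@dataclass
class FluxMetrics:
    distinct_ips: int
    distinct_prefixes: int
    median_ttl: float
    distinct_ns: int
    distinct_ns_ips: int


def coarse_prefix(ip: str) -> str:
    """Map an address to a coarse prefix as a stand-in for ASN diversity.
    (Assumption: a real pipeline would use an IP-to-ASN lookup instead.)"""
    addr = ipaddress.ip_address(ip)
    plen = 16 if addr.version == 4 else 32
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def flux_metrics(records, domain: str) -> FluxMetrics:
    """records: iterable of (time, qname, rtype, rdata, ttl) passive-DNS rows."""
    ips, prefixes, ttls, ns_names, ns_ips = set(), set(), [], set(), set()
    for _t, qname, rtype, rdata, ttl in records:
        if qname == domain and rtype in ("A", "AAAA"):
            ips.add(rdata)
            prefixes.add(coarse_prefix(rdata))
            ttls.append(ttl)
        elif qname == domain and rtype == "NS":
            ns_names.add(rdata.rstrip("."))
    # Double flux: the name servers themselves are fronted by a rotating pool.
    for _t, qname, rtype, rdata, _ttl in records:
        if qname in ns_names and rtype in ("A", "AAAA"):
            ns_ips.add(rdata)
    return FluxMetrics(len(ips), len(prefixes),
                       median(ttls) if ttls else float("inf"),
                       len(ns_names), len(ns_ips))


def classify(m: FluxMetrics) -> str:
    """'none', 'single' (rotating A/AAAA pool) or 'double' (NS pool rotates too)."""
    if not (m.distinct_ips >= MIN_IPS and m.distinct_prefixes >= MIN_PREFIXES
            and m.median_ttl <= MAX_MEDIAN_TTL):
        return "none"
    if m.distinct_ns >= MIN_NS and m.distinct_ns_ips >= MIN_NS_IPS:
        return "double"
    return "single"


def scan(records) -> dict:
    """Verdict per zone, for every qname that had NS records observed."""
    zones = {r[1] for r in records if r[2] == "NS"}
    return {z: classify(flux_metrics(records, z)) for z in sorted(zones)}


def _pool(domain, hosts, ttl, start=0, step=600, per_snapshot=4):
    """Constructed A-record snapshots: per_snapshot fresh IPs every step seconds."""
    return [(start + step * (i // per_snapshot), domain, "A", ip, ttl)
            for i, ip in enumerate(hosts)]


# Constructed observations. benign.example looks CDN-like: several answers and a
# low TTL, but all inside one /16 and served by one stable name server.
PDNS = [
    (0, "benign.example", "NS", "ns1.benign.example.", 86400),
    (0, "ns1.benign.example", "A", "198.51.100.1", 86400),
]
PDNS += _pool("benign.example",
              ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.101.5"], 60)

# flux1.example: 12 answers in 12 different /16s, short TTL, one stable NS -> single
PDNS += [(0, "flux1.example", "NS", "ns1.flux1.example.", 86400),
         (0, "ns1.flux1.example", "A", "10.50.0.1", 86400)]
PDNS += _pool("flux1.example", [f"10.{n}.{n + 1}.{n + 2}" for n in range(1, 13)], 120)

# flux2.example: same A-record churn, and the NS set changes every snapshot -> double
PDNS += _pool("flux2.example", [f"10.{n}.{n + 1}.{n + 2}" for n in range(20, 32)], 120)
for i, ns in enumerate("abcdef"):
    t = 600 * (i // 2)
    PDNS.append((t, "flux2.example", "NS", f"ns-{ns}.flux2.example.", 300))
    PDNS.append((t, f"ns-{ns}.flux2.example", "A", f"10.{100 + i}.0.{i + 1}", 300))

if __name__ == "__main__":
    for zone, verdict in scan(PDNS).items():
        print(f"{zone:16} {verdict:7} {flux_metrics(PDNS, zone)}")
```

The caveat worth keeping in mind: a CDN or plain round-robin DNS also hands back many addresses with a low TTL, so answer count and TTL alone produce false positives. What separates a flux pool from a CDN in practice is address diversity across networks (here the coarse-prefix count, better an ASN count) and, for double flux, churn in the NS set itself; the thresholds above are starting points, not published values.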