
Cyber agencies urge organizations to collaborate to stop fast flux DNS attacks

IT leaders in governments, critical infrastructure providers, and businesses must work closely with their ISPs and cybersecurity providers to block a tactic increasingly being used by threat actors to hide the locations of malicious servers, says the Five Eyes intelligence partnership of countries.

In a joint warning issued this week, the cyber and intelligence agencies of the US, the UK, Canada, Australia, and New Zealand said the tactic, called fast flux, is “a national security threat.”

Fast flux allows attackers to obfuscate the locations of malicious command and control (C2) servers by rapidly changing Domain Name System (DNS) records.

It’s “a defensive gap in many networks,” the report says.

The agencies recommend that all stakeholders, both government and providers, collaborate on developing and implementing scalable solutions to close this gap.

However, the report admits, differentiating fast flux from legitimate activity “remains an ongoing challenge.” For example, some common content delivery network (CDN) behaviors may look like malicious fast flux activity. To avoid blocking or impeding legitimate content, Protective DNS services (PDNS), service providers, and network defenders should make “reasonable efforts,” such as allowlisting expected CDN services, the report says.

One problem: Fast flux domains frequently cycle through tens or hundreds of IP addresses a day.

Not a new tactic

Fast flux isn’t new. A criminal network called Avalanche, believed to have been active since at least 2009, used it to operate as many as a half million infected computers to distribute 20 malware families. Avalanche was taken down by law enforcement agencies in 2018 after a four-year effort. However, many organizations today are unaware of the tactic.

Ed Dubrovsky, COO and managing partner of Cypfer, an international incident response firm, says that more IT departments and providers need to know about the tactic. But he’s not sure if most ISPs and their customers, particularly firms that host their own DNS servers, are up to defending themselves.

For example, he said in an interview, defenders have to quickly detect abnormal DNS query patterns. But most firms, even large ones, can’t do that, he said. Defenders will also have to quickly integrate and digest DNS threat intelligence. But he also doubted that can be done with current firewalls and DNS servers.

This is why the report urges more collaboration among ISPs, cybersecurity device manufacturers, and their customers to develop scalable solutions.

“There’s going to be a need to revamp many technologies in small and medium-sized businesses,” he added. “The only organizations that might have the resources [to handle fast flux attacks] are really critical infrastructure organizations and larger businesses.”

How to mitigate DNS attacks

Fast flux is one of many types of DNS attack. But there are tactics organizations can use to mitigate them.

In the case of fast flux, the report recommends that:

  • defenders should use cybersecurity and PDNS services that detect and block fast flux. “By leveraging providers that detect fast flux and implement capabilities for DNS and IP blocking, sinkholing, reputational filtering, enhanced monitoring, logging, and collaborative defense of malicious fast flux domains and IP addresses, organizations can mitigate many risks associated with fast flux and maintain a more secure environment,” says the report;
  • ISPs and cybersecurity service providers, especially PDNS providers, should implement a multi-layered approach in co-ordination with customers for detection.
    Tactics include:
    • using threat intelligence feeds and reputation services to identify known fast flux domains and associated IP addresses;
    • implementing anomaly detection systems for DNS query logs to identify domains exhibiting high entropy or IP diversity in DNS responses and frequent IP address rotations;
    • analyzing the time-to-live (TTL) values in DNS records, because fast flux domains often have unusually low TTL values;
    • reviewing DNS resolution for inconsistent geolocation;
    • monitoring for signs of phishing activities, such as suspicious emails, websites, or links and correlating these with fast flux activity, and more.
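To make the IP-diversity, rotation and low-TTL heuristics in the list above concrete, here is an added example (not code from the advisory or the article) that scores constructed passive-DNS style log lines per domain and honours a hypothetical CDN allowlist, the “reasonable effort” the report suggests so that CDN-like rotation is not flagged. Thresholds, log format, domain names and the allowlist are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample in a passive-DNS style: "timestamp domain answer_ip ttl" (not real data)
SAMPLE_LOG = """\
1000 updates.example-cdn.net 203.0.113.10 60
1060 updates.example-cdn.net 203.0.113.11 60
1120 updates.example-cdn.net 203.0.113.12 60
1180 updates.example-cdn.net 203.0.113.13 60
1000 login.example-bank.com 198.51.100.5 3600
1900 login.example-bank.com 198.51.100.5 3600
1000 verify-acct.example.org 192.0.2.10 120
1120 verify-acct.example.org 192.0.2.44 120
1240 verify-acct.example.org 192.0.2.99 110
1360 verify-acct.example.org 192.0.2.130 120
1480 verify-acct.example.org 192.0.2.201 120
"""

# Hypothetical allowlist of expected CDN zones, per the advisory's "reasonable efforts" guidance
CDN_ALLOWLIST = {"example-cdn.net"}

def parse_log(text):
    """Group (timestamp, ip, ttl) observations by queried domain."""
    obs = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, domain, ip, ttl = line.split()
            obs[domain].append((int(ts), ip, int(ttl)))
    return obs

def is_allowlisted(domain):
    return any(domain == z or domain.endswith("." + z) for z in CDN_ALLOWLIST)

def score_domains(obs, min_ips=4, max_ttl=300):
    """Flag domains combining high IP diversity, frequent rotation and low TTL.
    Thresholds are illustrative; tune them against your own resolver baseline."""
    findings = {}
    for domain, rows in obs.items():
        ordered = sorted(rows)
        ips = {ip for _, ip, _ in rows}
        avg_ttl = mean(ttl for _, _, ttl in rows)
        # A rotation is a consecutive pair of answers whose IP changed
        rotations = sum(1 for a, b in zip(ordered, ordered[1:]) if a[1] != b[1])
        suspicious = (len(ips) >= min_ips and rotations >= min_ips - 1
                      and avg_ttl <= max_ttl and not is_allowlisted(domain))
        findings[domain] = {"unique_ips": len(ips), "rotations": rotations,
                            "avg_ttl": avg_ttl, "suspicious": suspicious}
    return findings
```

The CDN zone in the sample rotates just as fast and with just as low a TTL as the flagged domain, but is skipped because of the allowlist, which is exactly the legitimate-traffic case the report warns defenders not to block.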

As might be expected, since fast flux is used to hide C2 servers, it is linked to phishing attacks. So the advisory says all IT departments should watch for signs of phishing activity and correlate these with fast flux activity. One defensive tactic: phishing awareness training.
