

Thanks to libloc, the free & open source location database, IPFire comes with an accurate, trustworthy database for mapping IP addresses to countries and Autonomous Systems, and vice versa.

This allows us to introduce a new feature: proactive detection of Fast Flux setups, which are commonly used by ne'er-do-wells for hosting questionable and malicious content on compromised machines around the world, switching from one infected PC, IoT device, or router to another within minutes. To the best of our knowledge, this is a unique feature.

Unlike other security mechanisms such as AV scanners, which often lag behind, it detects malware, phishing, C&C servers and other nefarious things proactively - before any threat intelligence source in the world even knows about them. Even better, measurements done so far indicate that it comes with a near-zero false positive rate in production environments. If you are using IPFire's built-in web proxy, all you need to do is tick a checkbox, hit the "save and reload" button at the end of that page, and you're done. To make up for the rather plain-looking screenshot, this blog post explains what Fast Flux hosting looks like, how it is used by cyber criminals, and how IPFire detects it. If you are in need of some tea or coffee, now is the time to make it.

What is Fast Flux hosting?

Fast Flux is a way of hosting content on a highly volatile network of usually compromised machines across the globe. Instead of returning one or two relatively static IP addresses for an FQDN, as is common, an FQDN in use for Fast Flux hosting returns a bunch of IP addresses located in different countries and Autonomous Systems. Replies to a DNS query come with a Time to Live (TTL), telling a DNS resolver how long it should cache them. While legitimate services often have a TTL in the range of hours or a day, Fast Flux FQDNs come with a significantly smaller one: some of them propagate a TTL of half an hour, while others rotate the returned IP addresses every minute. Therefore, you'll end up talking to a different machine every time. In theory, there are a few legitimate use-cases for this. The author, however, has never observed a Fast Flux hosting setup that had even a patina of legitimacy. In fact, they are an important utility for cyber criminals, especially because they are very resilient against take-down attempts. With ten new IP addresses coming in every few minutes, even the most sophisticated and capable anti-abuse actors have to give up.
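To make the signals in the paragraphs above concrete (a short TTL, many addresses in one reply, and those addresses spread across many countries and Autonomous Systems), here is an added example of a simple Fast Flux heuristic. It is not IPFire's detection code and does not use libloc; the `LOCATION_DB` table, the `Answer`/`FluxVerdict` types, the `assess` and `new_addresses` functions, the thresholds, and all addresses and ASNs are constructed for illustration only. It also checks the edge case the post implies: a CDN that answers with many addresses and a low TTL but from a single network should not be flagged.

```python
"""Fast Flux heuristic over a DNS reply: short TTL, many addresses, many networks.

Added example, not IPFire's detection code. LOCATION_DB stands in for a
libloc lookup; every address, country and ASN below is invented.
"""
from dataclasses import dataclass
from typing import Iterable, Set


@dataclass(frozen=True)
class Answer:
    """One A record from a DNS reply: the address and its TTL in seconds."""
    address: str
    ttl: int


# Constructed IP -> (country, ASN) table standing in for a libloc query.
# Documentation ranges and private-use ASNs only; nothing here is real.
LOCATION_DB = {
    "192.0.2.10": ("DE", 64496),
    "192.0.2.11": ("DE", 64496),
    "198.51.100.5": ("US", 64497),
    "198.51.100.77": ("BR", 64498),
    "203.0.113.9": ("VN", 64499),
    "203.0.113.200": ("ID", 64500),
    "203.0.113.201": ("TR", 64501),
    # Six addresses of one (hypothetical) CDN, all in the same network.
    **{f"192.0.2.{n}": ("DE", 64496) for n in range(20, 26)},
}


def locate(address: str):
    """Return (country, asn) for an address; unknown addresses get a marker."""
    return LOCATION_DB.get(address, ("??", 0))


@dataclass(frozen=True)
class FluxVerdict:
    fast_flux: bool
    ttl: int
    addresses: int
    countries: int
    asns: int


def assess(answers: Iterable[Answer], max_ttl: int = 1800, min_addresses: int = 5,
           min_asns: int = 3, min_countries: int = 3) -> FluxVerdict:
    """Flag a reply only when ALL signals line up (assumed thresholds).

    A low TTL alone is not enough: CDNs and load balancers use short TTLs
    too, but their addresses sit in one or two networks. Requiring several
    distinct ASNs and countries is what separates the two.
    """
    answers = list(answers)
    if not answers:
        return FluxVerdict(False, 0, 0, 0, 0)
    ttl = min(a.ttl for a in answers)            # lowest TTL in the reply
    addrs = {a.address for a in answers}         # de-duplicated address set
    locs = [locate(a) for a in addrs]
    countries = {country for country, _ in locs}
    asns = {asn for _, asn in locs}
    fast_flux = (ttl <= max_ttl
                 and len(addrs) >= min_addresses
                 and len(asns) >= min_asns
                 and len(countries) >= min_countries)
    return FluxVerdict(fast_flux, ttl, len(addrs), len(countries), len(asns))


def new_addresses(previous: Iterable[Answer], current: Iterable[Answer]) -> Set[str]:
    """Addresses seen in the current reply but not in the previous one.

    A single reply is one data point; churn between successive replies for
    the same name is the second signal the post describes ("ten new IP
    addresses every few minutes").
    """
    return {a.address for a in current} - {a.address for a in previous}


# Constructed replies. A normal service: two addresses, one network, TTL 1h.
LEGIT_REPLY = [Answer("192.0.2.10", 3600), Answer("192.0.2.11", 3600)]

# A CDN-like reply: six addresses and a 60 s TTL, but all in one ASN/country.
CDN_REPLY = [Answer(f"192.0.2.{n}", 60) for n in range(20, 26)]

# A Fast Flux reply: six addresses, 60 s TTL, six countries, six ASNs.
FLUX_REPLY = [Answer(ip, 60) for ip in (
    "198.51.100.5", "198.51.100.77", "203.0.113.9",
    "203.0.113.200", "203.0.113.201", "192.0.2.10")]

# The same name one minute later: four of the six addresses are new.
FLUX_REPLY_LATER = [Answer(ip, 60) for ip in (
    "203.0.113.9", "203.0.113.201", "198.51.100.130",
    "198.51.100.131", "203.0.113.50", "192.0.2.99")]


if __name__ == "__main__":
    for name, reply in (("legit", LEGIT_REPLY), ("cdn", CDN_REPLY), ("flux", FLUX_REPLY)):
        print(name, assess(reply))
    print("new addresses after one minute:", sorted(new_addresses(FLUX_REPLY, FLUX_REPLY_LATER)))
```

The thresholds are deliberately conservative and conjunctive: the CDN reply fails on the ASN and country counts even though its TTL and address count look suspicious, which is the kind of check needed to keep the false positive rate near zero. In a real deployment the location lookup would come from the location database and the churn check would run against the resolver's history for the name, not against two hard-coded replies.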
