To give you a better feel of the scope of fast-flux service networks and how many systems are typically involved, below we provide statistics about one specific fast-flux service network. This example was involved in delivery of a PharmaShop scam. Key points include:
We collected data from 03 February 2007 to 11 February 2007. The domain itself greatfriedrice.info was created January 02, 2007 at 15:11 and was terminated February 13, 2007 at 04:26 EST. To gather our information we queried DNS every 2 minutes and then collected information on the IP addresses assigned to the domain name and how those IP addresses (A and NS records) changed over time. A total of 3,241 unique IP addresses were utilized in this fast-flux service net during the study. Of these unique IP addresses, 1,516 were advertised as Authoritative NS records. 2,844 were short lived TTL A record round robins used for HTTP proxy/redirect. 256 different Autonomous Systems (AS's) were represented in the infection base. 181 AS’s served fluxDNS, and 241 AS’s served fluxHTTP redirection. This may be an indicator of provider policies regarding inbound blocking policies of either UDP 53 or TCP 80 into subscriber populations. Below is a table highlighting the AS’s that had the most infected systems as part of the fast-flux service network. This example was chosen because it was monitored at the highest resolution (every 2 min). To date over 80,000 flux IPs have been logged so far with over 1.2 million unique mappings.
AS Breakdown for DNS Flux Networks
AS Breakdown for HTTP Flux Networks