Title: AntiPhishing Working Group
Anti-Phishing Working Group
- Fast-Flux Domain Attacks
- Rod Rasmussen
- Co-Chair IPC of the APWG
- APWG Industry Attache
- rod.rasmussen_at_internetidentity.com
Fast Flux Attacks
- Technique to keep malicious sites up longer
- Dozens to hundreds of bogus domain names
- Large-scale use of botnets with rapidly changing IP addresses for site resolution
- Systems are automated and resilient to node loss
- Domain shut-down is the only viable option
- Double flux being seen as well
  - Rotating nameserver IPs
How Fast Flux Works
- Fraud domain name hosted on criminal-controlled nameservers
- Nameservers configured to rapidly rotate DNS A records amongst dozens of IP addresses
- Most use a wildcard to allow any hostname to resolve to the same IP addresses
- Those IP addresses are compromised bots hosting the malicious content
  - Typically on high-speed residential/SMB connections
- Bots set to resolve any host under the domain, and often many domains
- As bots are killed, new ones are added to the rotation
Fast-Flux for Phishing Increasing
- More players?
  - Commercial systems from bot herders?
  - More kits seen on flux and fraud DNS networks
  - Volume of lures high for fast-flux incidents; personalized tracking
- More targets
  - Attacks against traditional targets continue relentlessly
  - "Little guys" hit hard with fast-flux on their first-ever phish
  - Overwhelming: infrastructure and personnel
  - Losses occurring quickly; major cash-outs in a short amount of time
- More sophistication!
  - Routine blocking of monitoring by security organizations
  - Better DNS set-ups (self-defined, and use of ccTLD nameservers)
  - Finding and using the worst registrars to handle mitigation
  - Exploiting cash-outs via holes in overseas ATM verification systems
  - "CrimeDNS": high-availability fraud DNS systems for hire
Fast Flux in Action
[Diagram: phishdomain.tld is delegated to NS1.phishdomain.tld and NS2.badguy-ns.tld; the wildcard entry (Wildcard.xxx123.phishdomain.tld) resolves to bot IPs such as 200.72.139.67 and 202.74.32.13.]
Fast Flux Example Components
- Bogus domain: phishdomain.tld
- Nameservers under criminal control
  - NS1.phishdomain.tld (self-defined)
  - NS2.badguys-NS.tld (independent network)
  - Typically those IPs are bots too!
- A record on wildcard resolution
  - Wildcard.xxx123.phishdomain.tld
  - Anything resolves to the same content page
- Bots for hosting the content pointed to by the DNS A record, spread over multiple netblocks
Fast Flux in Action
[Diagram: same delegation; the wildcard's A records point at bots 200.72.139.67 and 202.74.32.13.]
Fast Flux Example 10min
[Diagram: the same zone 10 minutes on, showing the rotated set of bot IPs behind the wildcard.]
Rotation of Bot A Records Under Flux
- Bad guys use short TTL (time-to-live) values on DNS A records to ensure all resolvers must re-query for updated A record entries
- Move to new IPs via default round-robin resolution
- Add new bots into the list to keep sites active if IPs get blocked or disabled
- Victims are always able to access the site via the domain name and its hosts
Fast Flux Example 20min
[Diagram: the same zone 20 minutes on; the wildcard's A records have rotated again among the bot pool.]
Fast Flux Example 30min
[Diagram: the same zone 30 minutes on; another rotation of bot IPs.]
Fast Flux Example 40min
[Diagram: the same zone 40 minutes on; another rotation of bot IPs.]
Kill Fast Flux via Hosting
- Traditional malicious site removal involves removing the actual content files
- Contact the provider of the IP address (ISP, web host)
  - Convince them they have a problem
  - Have a technician remove the files plus clean up the bot vulnerabilities to prevent re-infection
  - Potentially have to contact the end-user customer for removal
    - Privacy issues
    - Lack of technical capability
  - Leads to loss of Internet access in many cases for infected customers
  - Providers VERY reluctant to block customer net access
Killing Fast Flux - the WRONG way
[Diagram: the same zone with X marks over the individual bot IPs (200.72.139.67, 202.74.32.13, and others) that have been taken down; the domain, both nameservers and the wildcard remain in place.]
Killing Bots is Fruitless
- Killing a single bot or two brings the site down for a few minutes
- Automatic rotation of IPs in DNS re-enables the site within minutes
- New bots will be cycled in automatically to replace any the phisher detects as being off-line
- Killing bots does not kill the root (the domain)
Killing Fast Flux - the WRONG way
[Diagram: after the bots are taken down, the rotation brings other bot IPs into the wildcard's A records.]
Killing Fast Flux - the WRONG way
[Diagram: the site is back up on the replacement bots; the domain and nameservers were never touched.]
Kill Fast Flux via Domain Name
- If you remove the domain name from DNS, the entire phish disappears
- Cannot resolve any spammed URLs without domain resolution
- Short TTLs on the DNS records mean a domain suspension can lead to quick downing of the site
- Biggest challenge: registrars are often reluctant to intervene quickly
  - Not hosting the actual content
  - Not staffed 24/7
- Only effective means of permanent removal
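The takedown argument of this slide and of the earlier "Rotation of Bot A Records Under Flux" and "Killing Bots is Fruitless" slides, as an added worked example that is not code from the APWG deck: a toy single-flux zone that serves A records round-robin with a short TTL behind a wildcard, a caching resolver that honours the TTL, and two scenarios (bots removed one by one, domain suspended). The domain name, the bot and spare IPs, the TTL and the "alive" bookkeeping are constructed assumptions.

```python
"""Toy model of a single-flux zone and a caching resolver, showing why
removing bots does not take the site down but a domain suspension does.
Added illustration, not code from the APWG deck; IPs, TTLs and the
"alive" bookkeeping are constructed."""
from dataclasses import dataclass

DOMAIN = "phishdomain.tld"


@dataclass
class FluxZone:
    """Attacker-side authoritative zone: a pool of bot IPs served
    round-robin with a short TTL, and a wildcard so every label under
    the domain gets the same answer."""
    domain: str
    ttl: int                         # seconds; flux zones keep this very low
    pool: list                       # bot IPs currently in rotation
    rotate: int = 2                  # A records returned per answer
    suspended: bool = False          # True once the registrar pulls the name
    cursor: int = 0                  # round-robin position

    def answer(self, qname):
        """Return (ttl, [ips]) for qname, or None if the name cannot resolve."""
        if self.suspended or not self.pool:
            return None
        if qname != self.domain and not qname.endswith("." + self.domain):
            return None                      # not our zone
        n = min(self.rotate, len(self.pool))
        ips = [self.pool[(self.cursor + i) % len(self.pool)] for i in range(n)]
        self.cursor = (self.cursor + 1) % len(self.pool)   # rotate for the next query
        return self.ttl, ips

    def replace_bot(self, dead_ip, spare_ip=None):
        """Herder-side automation: drop a bot that went off-line, add a spare."""
        if dead_ip in self.pool:
            self.pool.remove(dead_ip)
        if spare_ip is not None:
            self.pool.append(spare_ip)


class CachingResolver:
    """Victim-side recursive resolver: serves from cache until the TTL runs out."""

    def __init__(self, zone):
        self.zone = zone
        self.cache = {}                      # qname -> (expires_at, ips)

    def resolve(self, qname, now):
        hit = self.cache.get(qname)
        if hit and hit[0] > now:
            return list(hit[1])
        ans = self.zone.answer(qname)
        if ans is None:
            self.cache.pop(qname, None)
            return []
        ttl, ips = ans
        self.cache[qname] = (now + ttl, ips)
        return list(ips)


def kill_bots_scenario(ttl=180):
    """Defender takes down every bot seen in one answer; the herder swaps in
    spares. Returns (first_answer, answer_one_ttl_later, site_still_up)."""
    pool = ["200.72.139.67", "202.74.32.13", "198.51.100.7", "203.0.113.9"]
    spares = ["192.0.2.44", "192.0.2.45"]     # constructed; RFC 5737 ranges
    alive = set(pool) | set(spares)           # hosts that actually serve content
    zone = FluxZone(DOMAIN, ttl, list(pool))
    resolver = CachingResolver(zone)
    first = resolver.resolve("www." + DOMAIN, now=0)
    for ip in first:                          # each observed host cleaned or blocked
        alive.discard(ip)
        zone.replace_bot(ip, spares.pop(0) if spares else None)
    later = resolver.resolve("www." + DOMAIN, now=ttl)   # cache expired: re-query
    return first, later, any(ip in alive for ip in later)


def suspend_domain_scenario(ttl=180, suspend_at=30):
    """Registrar suspends the domain at suspend_at seconds. Returns how many
    seconds after that a resolver holding a cached answer still reaches the site."""
    zone = FluxZone(DOMAIN, ttl, ["200.72.139.67", "202.74.32.13"])
    resolver = CachingResolver(zone)
    resolver.resolve("www." + DOMAIN, now=0)  # victim's resolver caches the answer
    zone.suspended = True
    for now in range(suspend_at, suspend_at + ttl + 1):
        if not resolver.resolve("www." + DOMAIN, now):
            return now - suspend_at
    return None


if __name__ == "__main__":
    print(kill_bots_scenario())
    print(suspend_domain_scenario(ttl=180), suspend_domain_scenario(ttl=86400))
```

The first scenario answers from fresh bots one TTL after the observed ones were removed, which is the "fruitless" case. The second shows that a cached answer outlives the suspension by at most one TTL: the same short TTL the attacker needs for rotation is what makes a registrar suspension bite within minutes rather than the day a conventional TTL would allow.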
Killing Fast Flux - Permanently
[Diagram: X marks over phishdomain.tld itself; with the domain gone, NS1.phishdomain.tld, NS2.badguy-ns.tld, the wildcard and the bot IPs (200.72.139.67, 202.74.32.13) are all unreachable.]
Double Fast Flux
- Same basic configuration as a standard fast flux attack
  - Bogus domain
  - Bots hosting content
- Nameservers are NOT fixed in position
  - Nameserver IPs are also on rotating bots
  - Makes it hard to kill the phish by taking out known bad nameservers
  - Makes it harder to black-list IPs of known bad DNS servers
- Requires involvement of the registrar account
  - Only way to update nameserver IPs is via the registrar interface to domain management
  - Phishers use automated systems to rotate NS IPs
Double Fast Flux
[Diagram: phishdomain.tld delegated to NS1.phishdomain.tld and NS2.badguy-ns.tld; both the nameserver IPs and the wildcard's A records (200.72.139.67, 202.74.32.13) sit on rotating bots.]
Double Fast Flux 10 min
[Diagram: the same zone 10 minutes on; the nameserver IPs have rotated along with the wildcard's A records.]
Double Fast Flux 20 min
[Diagram: the same zone 20 minutes on; another rotation of nameserver and content IPs.]
Only Dead via Domain Name
- Same as regular fast flux: remove the domain name from DNS and the entire phish disappears
- Bonus of killing the bad nameserver entries at the same time if on self-defined NS (NS1.phishdomain.tld goes down with the domain; a nameserver under another domain, such as NS2.badguy-ns.tld, needs separate action)
- Glue records can present issues if they are tied to other domains
Double Fast Flux Dead
[Diagram: X marks over phishdomain.tld; NS1.phishdomain.tld, NS2.badguy-ns.tld and the wildcard go with it.]
Review: Detecting, Killing, Preventing
- DNS is the key! Advice for hunters/registrars/registries
- Scrutinize nameservers
  - New nameservers on unusual domains/TLDs
  - DNS servers located on consumer netblocks
  - Multiple changes to nameserver IPs (double fast flux)
- Examine new domain A records in DNS
  - Rapid changes
  - Located on consumer netblocks
  - Move daily from one to another, around the globe
  - Multiple static entries, worldwide
  - Can compare to known bad actors
  - Wildcard: all hosts resolve
- The 3 Ps (policies, procedures, people) in place for quick kills
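The checklist above turned into a screening routine, as an added example that is not code from the APWG deck: it runs over passive-DNS style observations and scores a zone on short TTLs, the number of distinct A records and of distinct networks they fall in, wildcard behaviour (different labels answering with the same IP at the same time) and nameserver IP churn. The thresholds, the use of /16 prefixes in place of an ASN lookup, the "nameservers are named ns*" rule and the observation log are all constructed assumptions; the two deck IPs appear in it alongside RFC 5737 addresses.

```python
"""Fast-flux screening over passive-DNS style observations, following the
review slide's checklist: short TTL, many A records across many networks,
wildcard resolution, nameserver IP churn. Added illustration, not code
from the APWG deck; thresholds and the sample log are constructed."""
from collections import defaultdict
import ipaddress

# Heuristic thresholds (assumptions for this example; tune on real data)
SHORT_TTL = 300            # seconds
MIN_UNIQUE_IPS = 5
MIN_UNIQUE_PREFIXES = 3    # distinct /16s, a cheap stand-in for distinct networks/ASNs
MIN_NS_IP_CHANGES = 2      # nameserver IP changes over time -> double flux

# Constructed observation log: (seconds, qname, rtype, ttl, rdata)
OBS = [
    (0,    "www.phishdomain.tld",    "A", 180,  "200.72.139.67"),
    (0,    "www.phishdomain.tld",    "A", 180,  "202.74.32.13"),
    (600,  "www.phishdomain.tld",    "A", 180,  "198.51.100.7"),
    (600,  "www.phishdomain.tld",    "A", 180,  "203.0.113.9"),
    (1200, "www.phishdomain.tld",    "A", 180,  "192.0.2.44"),
    (1200, "xxx123.phishdomain.tld", "A", 180,  "192.0.2.44"),   # random label, same host
    (0,    "ns1.phishdomain.tld",    "A", 180,  "200.72.139.67"),
    (600,  "ns1.phishdomain.tld",    "A", 180,  "203.0.113.9"),
    (1200, "ns1.phishdomain.tld",    "A", 180,  "198.51.100.7"),
    (0,    "www.legit.example",      "A", 3600, "198.51.100.200"),
    (0,    "www.legit.example",      "A", 3600, "198.51.100.201"),
    (600,  "www.legit.example",      "A", 3600, "198.51.100.200"),
    (600,  "www.legit.example",      "A", 3600, "198.51.100.201"),
    (0,    "ns1.legit.example",      "A", 3600, "198.51.100.53"),
    (600,  "ns1.legit.example",      "A", 3600, "198.51.100.53"),
]


def prefix16(ip):
    """Coarse network bucket; a real deployment would map IP -> ASN instead."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def analyze(obs, zone):
    """Score one zone. Returns a dict of features, reasons and the verdict."""
    zone = zone.lower().rstrip(".")
    by_name = defaultdict(list)
    for t, qname, rtype, ttl, rdata in obs:
        qname = qname.lower().rstrip(".")
        if rtype == "A" and (qname == zone or qname.endswith("." + zone)):
            by_name[qname].append((t, ttl, rdata))
    if not by_name:
        return {"zone": zone, "flux": False, "double_flux": False,
                "reasons": ["no observations"]}
    # Assumption: nameserver hosts are named ns*; real data would use NS records.
    ns_names = {n for n in by_name if n.split(".")[0].startswith("ns")}
    content = {n: v for n, v in by_name.items() if n not in ns_names}
    ips = {r for v in content.values() for _, _, r in v}
    ttls = [ttl for v in content.values() for _, ttl, _ in v] or [0]
    # Wildcard signal: different labels resolving to the same IP at the same time
    labels_at = defaultdict(set)
    for n, v in content.items():
        for t, _, r in v:
            labels_at[(t, r)].add(n)
    wildcard = any(len(names) > 1 for names in labels_at.values())
    # Double-flux signal: how often a nameserver's IP changed between observations
    ns_changes = 0
    for n in ns_names:
        seen = [r for _, _, r in sorted(by_name[n])]
        ns_changes += sum(1 for a, b in zip(seen, seen[1:]) if a != b)
    feats = {
        "zone": zone,
        "unique_ips": len(ips),
        "unique_prefixes": len({prefix16(ip) for ip in ips}),
        "min_ttl": min(ttls),
        "wildcard": wildcard,
        "ns_ip_changes": ns_changes,
    }
    reasons = []
    if feats["min_ttl"] <= SHORT_TTL:
        reasons.append("short TTL")
    if feats["unique_ips"] >= MIN_UNIQUE_IPS:
        reasons.append("many A records")
    if feats["unique_prefixes"] >= MIN_UNIQUE_PREFIXES:
        reasons.append("A records spread across networks")
    if wildcard:
        reasons.append("wildcard resolution")
    if ns_changes >= MIN_NS_IP_CHANGES:
        reasons.append("nameserver IP churn")
    feats["reasons"] = reasons
    # Verdict: short TTL combined with spread across many hosts or networks
    feats["flux"] = "short TTL" in reasons and (
        feats["unique_ips"] >= MIN_UNIQUE_IPS
        or feats["unique_prefixes"] >= MIN_UNIQUE_PREFIXES)
    feats["double_flux"] = feats["flux"] and ns_changes >= MIN_NS_IP_CHANGES
    return feats


if __name__ == "__main__":
    for z in ("phishdomain.tld", "legit.example"):
        print(analyze(OBS, z))
```

A short TTL on its own is not evidence (CDNs use them too), which is why the verdict requires it together with spread across many hosts or networks; the wildcard and nameserver-churn signals are reported separately so a hunter can see which part of the checklist fired. With real passive-DNS data, replace the /16 bucket with an ASN lookup and the ns* naming rule with the zone's actual NS records.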
APWG Contacts
- Website: http://www.antiphishing.org
- E-mail: info_at_antiphishing.org
- Phish Site Reporting: reportphishing_at_antiphishing.org
- Membership: membership_at_antiphishing.org
Thank You!