Tutorial: Fast-Flux Service Networks (FFSN)
Fast Flux is a DNS technique in which the IP addresses associated with a fully qualified domain name (FQDN) are changed frequently and rapidly, using a network of compromised hosts (bots) that act as reverse proxy servers.
The basic concept of a Fast Flux network is to associate many IP addresses with one domain name and to constantly swap these IP addresses by rewriting the DNS A or AAAA records with a very low TTL value. These IP addresses belong to compromised hosts, known as bots or fast-flux agents. An attacker (botmaster) uses Fast Flux to evade detection of the C&C server and IP-based blacklisting by hiding the C&C server behind the network of compromised hosts acting as reverse proxies. The Fast-Flux network guarantees that the victim client only ever connects to fast-flux agents, never to the real C&C server.

There are two types of Fast-Flux service network:
1. Single-Flux Network.
2. Double-Flux Network.

Fast-Flux Service Network (FFSN) basics:
To build a fast-flux network, an attacker first needs a botnet. The botnet contains thousands of bots, all of which are linked to the attacker's C&C server. Bots that take part in the Fast-Flux network are also known as fast-flux agents. The main purpose of the botnet here is to use thousands of bot machines (fast-flux agents) as reverse proxies. In essence, a fast-flux agent works as a reverse proxy server: it forwards a client's request to the C&C server and relays the response received from the C&C server back to the client.
In a fast-flux network, the attacker repeatedly assigns new IP addresses, drawn from thousands of bots (fast-flux agents), to a domain name or to a name server within a very short period of time. The many IP addresses of a malicious domain name in the fast-flux network are thus the IP addresses of fast-flux agents.

In a single-flux network, only the malicious domain name resolves to fast-flux agent IP addresses, while the authoritative name server is hosted on a bulletproof hosting server. In a double-flux network, both the malicious domain name and the authoritative name server use IP addresses that belong to fast-flux agents.

Fast-Flux Mothership / C&C Server:
Fast-Flux C&C servers are the backbone of fast-flux service networks. The C&C server is a complex server used to control and manage both the botnet and the fast-flux network. It runs many services on the backend as needed: for example, a DNS server for resolving the malicious domain names, an HTTP server for delivering malicious files or hosting phishing sites, and so on. In the fast-flux network, the C&C server is also called the mothership. The Fast-Flux service network (FFSN) is not limited to HTTP; any application that uses DNS can be served through an FFSN.

Single-Flux Network:
Single-Flux is the frequent and rapid change of the IP addresses associated with a domain name. In single-flux networks, the DNS A or AAAA records for the domain are constantly updated with the addresses of fast-flux agents, which act as reverse proxy servers.
In single-flux networks, the attacker operates an authoritative name server that resolves the malicious domain names and dynamically updates the DNS A record with the IP addresses of fast-flux agents, using a very short TTL value. The authoritative name server is hosted on a bulletproof hosting server.
When the TTL expires, new IP addresses replace the old ones in the A records of the DNS zone file. Thousands of fast-flux agent IP addresses are cycled through in round-robin fashion to populate the A records. The A record changes every 3-10 minutes, which means that a victim client connecting to the malicious domain every 3 minutes will reach a different IP address each time.
When a victim client wants to resolve the malicious domain name, it sends a DNS query to its recursive DNS server. The recursive DNS server in turn resolves the requested domain name (FQDN) and returns a set of IP addresses to the client. These are actually the IP addresses of fast-flux agents acting as reverse proxies. The victim client then connects to one of the resolved IP addresses and sends its HTTP request there. The fast-flux agent at that address forwards the client's request to the C&C server and delivers the content received from the C&C server back to the client. Consequently, the victim client never communicates directly with the C&C server; it communicates with it only through fast-flux agents acting as reverse proxies.

[Image: dswzoWV.png]

Double-Flux Network:
Double-Flux means that the IP addresses of both the domain name and its authoritative name servers are changed dynamically and repeatedly, with a very low TTL value.
Double-Flux is implemented by frequently rewriting the DNS A records and the NS glue records in the DNS zone file with the IP addresses of fast-flux agents. Thousands of fast-flux agents take part in this process, repeatedly registering and unregistering their IP addresses in the A records of the domain name and in the NS glue records of the authoritative name server, respectively.
A glue record is the IP address of a name server, stored in the parent zone at the domain registry. Glue records are required when the name servers for a domain name are subdomains of the domain name itself.
In a double-flux network, the many IP addresses of both the malicious domain name and its authoritative name server are the IP addresses of fast-flux agents. The attacker uses thousands of fast-flux agents from their botnet and periodically registers and unregisters these IP addresses for the domain name and for the authoritative name server.

How the Double-Flux network works:
DNS name resolution and HTTP content retrieval in a double-flux network:
In a double-flux network, when a client wants to resolve a malicious domain name, it sends a DNS query to a recursive DNS server. The recursive DNS server asks a root server which name server is responsible for the malicious domain, and the root server refers it to the .COM server. The recursive DNS server then queries the .COM server. Because the attacker has configured an NS record in the .COM zone that points to a fast-flux agent's IP address, the .COM server answers with that fast-flux agent's IP address as the authoritative name server for the requested malicious domain name. The recursive DNS server now sends a DNS query to this authoritative name server (the fast-flux agent) to resolve the IP address of the malicious domain name.
Although the attacker has designated the fast-flux agent as the authoritative name server, the agent does not actually resolve the malicious domain name itself. When the fast-flux agent (acting as authoritative name server) receives a DNS query from any client, it forwards the query to the real malicious DNS server that the attacker runs on the C&C server. As soon as the malicious DNS server answers, the fast-flux agent relays the answer back to the querying client, in this case the recursive DNS server. The recursive DNS server then returns the resolved IP addresses of the malicious domain to the actual client.
The malicious DNS server deployed by the attacker does not resolve the domain to the IP address of the C&C server or of the real web server hosting the malicious content; instead, it resolves it to the IP address of yet another fast-flux agent.
The client then connects to the resolved IP address of the malicious domain, which is in fact the IP address of another fast-flux agent, and sends its HTTP request to it. Again, this fast-flux agent forwards the HTTP request to the real web server running on the attacker's C&C server. After receiving the content from the C&C server, the fast-flux agent delivers it to the client. The Fast-Flux network guarantees that the victim only ever connects to fast-flux agents, never to the real C&C server.

[Image: KCSAnfc.png]
[+] 1 user Likes 3TON's post
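The post describes two observable symptoms a defender can look for: a domain whose A records keep rotating across unrelated networks with a very low TTL (single-flux), and a domain whose name-server glue records do the same (double-flux). The script below is an added example, not code from the original post or from any named tool; it turns those two symptoms into a heuristic over a small set of constructed, repeated DNS lookups. The log format (`<unix_ts> <domain> <A|NS_GLUE> <ttl> <ipv4>`), the RFC 1918 addresses, and the thresholds (TTL of 300 s or less, at least three distinct /24 prefixes) are all assumptions chosen for illustration. Because CDNs also use low TTLs and many addresses, the heuristic keys on address-space diversity rather than on the raw number of addresses.

```python
"""Heuristic single-/double-flux detector over repeated DNS lookups (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed observations (not real data), one per line:
#   "<unix_ts> <domain> <A|NS_GLUE> <ttl> <ipv4>"
# Addresses are RFC 1918 space and do not refer to real hosts.
SAMPLE_LOG = """\
1700000000 flux-example.test A 180 10.11.0.5
1700000000 flux-example.test A 180 10.45.7.9
1700000000 flux-example.test NS_GLUE 300 10.33.1.1
1700000240 flux-example.test A 180 10.88.3.2
1700000240 flux-example.test A 180 10.120.9.1
1700000300 flux-example.test NS_GLUE 300 10.77.2.2
1700000480 flux-example.test A 180 10.200.4.4
1700000600 flux-example.test NS_GLUE 300 10.99.5.5
1700000000 single-flux.test A 300 10.5.5.5
1700000000 single-flux.test NS_GLUE 86400 10.250.1.1
1700000300 single-flux.test A 300 10.66.1.2
1700000600 single-flux.test A 300 10.140.8.8
1700000900 single-flux.test A 300 10.222.0.9
1700000900 single-flux.test NS_GLUE 86400 10.250.1.1
1700000000 cdn-like.test A 60 10.1.1.10
1700000000 cdn-like.test NS_GLUE 86400 10.1.2.1
1700000060 cdn-like.test A 60 10.1.1.11
1700000120 cdn-like.test A 60 10.1.1.12
1700000180 cdn-like.test A 60 10.1.1.13
"""

RTYPES = ("A", "NS_GLUE")
Observation = Tuple[int, str, str, int, str]  # (ts, domain, rtype, ttl, ip)


def parse_log(text: str) -> List[Observation]:
    """Parse the assumed log format; reject malformed lines instead of guessing."""
    out: List[Observation] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5 or parts[2] not in RTYPES:
            raise ValueError(f"line {lineno}: malformed observation: {raw!r}")
        ts, domain, rtype, ttl, ip = parts
        ipaddress.IPv4Address(ip)  # raises ValueError on garbage such as a hostname
        out.append((int(ts), domain.lower().rstrip("."), rtype, int(ttl), ip))
    return out


@dataclass
class RecordStats:
    """Everything seen for one (domain, record type) across all lookups."""
    ips: Set[str] = field(default_factory=set)
    prefixes: Set[str] = field(default_factory=set)
    min_ttl: Optional[int] = None

    def add(self, ttl: int, ip: str) -> None:
        self.ips.add(ip)
        # A /24 is a crude stand-in for "a different network"; an ASN lookup is better.
        self.prefixes.add(str(ipaddress.ip_network(f"{ip}/24", strict=False)))
        self.min_ttl = ttl if self.min_ttl is None else min(self.min_ttl, ttl)

    def is_fluxing(self, low_ttl: int, min_prefixes: int) -> bool:
        """Low TTL *and* answers spread over many networks: the post's two symptoms."""
        return (self.min_ttl is not None and self.min_ttl <= low_ttl
                and len(self.prefixes) >= min_prefixes)


def summarize(observations: List[Observation]) -> Dict[str, Dict[str, RecordStats]]:
    per_domain: Dict[str, Dict[str, RecordStats]] = {}
    for _ts, domain, rtype, ttl, ip in observations:
        stats = per_domain.setdefault(domain, {r: RecordStats() for r in RTYPES})
        stats[rtype].add(ttl, ip)
    return per_domain


def classify(stats: Dict[str, RecordStats], low_ttl: int = 300, min_prefixes: int = 3) -> str:
    """single-flux: only A records flux; double-flux: A records and NS glue both flux."""
    a_flux = stats["A"].is_fluxing(low_ttl, min_prefixes)
    ns_flux = stats["NS_GLUE"].is_fluxing(low_ttl, min_prefixes)
    if a_flux and ns_flux:
        return "double-flux"
    if a_flux:
        return "single-flux"
    return "no-flux"


def detect(text: str, **thresholds) -> Dict[str, str]:
    """Verdict per domain for a whole log; thresholds are passed through to classify()."""
    return {d: classify(s, **thresholds) for d, s in summarize(parse_log(text)).items()}


if __name__ == "__main__":
    for domain, verdict in detect(SAMPLE_LOG).items():
        print(f"{domain:20} {verdict}")
```

Run against the embedded sample, `flux-example.test` comes out as double-flux (five A prefixes and three glue prefixes, all with TTLs of 300 s or less), `single-flux.test` as single-flux (its glue record never changes and carries a day-long TTL), and `cdn-like.test` as no-flux despite its 60 s TTL, because all of its answers sit in one /24. In production the /24 grouping should be replaced by an ASN or prefix lookup, and the observations should come from passive DNS or resolver logs collected over hours, since a single lookup cannot show rotation.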