Fast Flux Service Networks: Dynamics and Roles in Hosting Online Scams
Author(s)
Feamster, Nick
Konte, Maria
Jung, Jaeyeon
Abstract
This paper studies the dynamics of fast flux service networks and their role in online scam hosting infrastructures. By monitoring changes in the DNS records of over 350 distinct fast flux domains collected from URLs in 115,000 spam emails at a large spam sinkhole, we measure the rate of change of DNS records, the accumulation of new distinct IPs in the hosting infrastructure, and the location of change, both for individual domains and across 21 different scam campaigns.

We find that fast flux networks redirect clients at very different rates—and at different locations in the DNS hierarchy—than conventional load-balanced Web sites. We also find that the IP addresses in the fast flux infrastructure itself change rapidly, that this infrastructure is shared extensively across scam campaigns, and that some of these IP addresses are also used to send spam. Finally, we compare the IP addresses in fast-flux infrastructure and flux domains with various blacklists (i.e., SBL, XBL/PBL, and URIBL) and find that nearly one-third of scam sites were not listed in the URL blacklist at the time they were hosting scams. We also observe many hosting sites and nameservers that were listed in both the SBL and XBL both before and after we observed fast-flux activity; these observations lend insight into both the responsiveness of existing blacklists and the life cycles of fast-flux nodes.
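The abstract's two headline metrics, the rate at which a domain's DNS records change and the accumulation of IPs never returned before, are what separate a flux domain from an ordinary round-robin Web site. The following added example (not code from the paper or its authors) computes both from a small constructed set of A-record lookups; the domains, addresses and thresholds are made up for illustration, and it looks only at A records, not at the nameserver-level changes the paper also measures.

```python
from collections import defaultdict

# Constructed DNS lookup samples (not measurements from the paper):
# (domain, seconds since first lookup, A records returned)
LOOKUPS = [
    ("flux.example", 0,   {"198.51.100.7", "203.0.113.9", "192.0.2.44"}),
    ("flux.example", 300, {"203.0.113.9", "192.0.2.61", "198.51.100.23"}),
    ("flux.example", 600, {"192.0.2.61", "203.0.113.140", "198.51.100.88"}),
    ("flux.example", 900, {"203.0.113.140", "192.0.2.5", "198.51.100.88"}),
    ("cdn.example",  0,   {"192.0.2.10", "192.0.2.11"}),
    ("cdn.example",  300, {"192.0.2.11", "192.0.2.10"}),
    ("cdn.example",  600, {"192.0.2.12", "192.0.2.10"}),
    ("cdn.example",  900, {"192.0.2.10", "192.0.2.12"}),
]


def flux_metrics(lookups):
    """Per domain: how often the A-record set changed between consecutive
    lookups, how many distinct IPs accumulated, how many of those were
    first seen after the initial lookup, and the change rate per hour."""
    by_domain = defaultdict(list)
    for domain, t, ips in lookups:
        by_domain[domain].append((t, frozenset(ips)))
    metrics = {}
    for domain, rows in by_domain.items():
        rows.sort()
        seen = set(rows[0][1])
        changes = new_after_first = 0
        prev = rows[0][1]
        for _, ips in rows[1:]:
            if ips != prev:          # record set differs from previous answer
                changes += 1
            new_after_first += len(ips - seen)  # IPs never returned before
            seen |= ips
            prev = ips
        span_hours = max(rows[-1][0] - rows[0][0], 1) / 3600
        metrics[domain] = {
            "changes": changes,
            "distinct_ips": len(seen),
            "new_after_first": new_after_first,
            "changes_per_hour": changes / span_hours,
        }
    return metrics


def looks_like_fast_flux(m, min_changes=2, min_new_ips=3):
    """Heuristic (assumed thresholds): a load-balanced site rotates within a
    fixed pool, while a flux domain keeps accumulating previously unseen IPs."""
    return m["changes"] >= min_changes and m["new_after_first"] >= min_new_ips


if __name__ == "__main__":
    for domain, m in flux_metrics(LOOKUPS).items():
        print(domain, m, "flux" if looks_like_fast_flux(m) else "stable")
```

In the sample, the round-robin site changes answers too but never leaves its three-address pool, whereas the flux domain returns five fresh addresses in fifteen minutes.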
Date
2008
Resource Type
Text
Resource Subtype
Technical Report