We studied the dynamics of fast-flux service networks and their role in online scam hosting infrastructures. By monitoring changes in the DNS records of over 350 distinct fast-flux domains, collected from URLs in 115,000 spam emails at a large spam sinkhole, we measured the rate of change of DNS records, the accumulation of new distinct IPs in the hosting infrastructure, and the location of change, both for individual domains and across 21 different scam campaigns.
We find that fast-flux networks redirect clients at very different rates---and at different locations in the DNS hierarchy---than conventional load-balanced Web sites. We also find that the IP addresses in the fast-flux infrastructure itself change rapidly, that this infrastructure is shared extensively across scam campaigns, and that some of these IP addresses are also used to send spam. Finally, we compared the IP addresses in the fast-flux infrastructure and the flux domains with various blacklists (SBL, XBL/PBL, and URIBL) and found that nearly one-third of scam sites were not listed in the URL blacklist at the time they were hosting scams. We also observed many hosting sites and nameservers that were listed in both the SBL and XBL, both before and after we observed fast-flux activity; these observations lend insight into both the responsiveness of existing blacklists and the life cycles of fast-flux nodes.
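The three measurements the abstract describes (rate of record change, accumulation of new distinct IPs, and where in the DNS hierarchy the change happens) can be computed from a log of repeated lookups. The following is an added illustration, not the authors' code: it runs those measurements over a constructed lookup log for one flux-style domain and one conventional round-robin domain; the domain names, IP addresses and the growth threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed lookups: (domain, record type, lookup time, answer set).
# "flux.example" keeps returning new IPs and also swaps its NS records;
# "balanced.example" round-robins a small fixed pool of A records.
T0 = datetime(2009, 6, 1)
LOOKUPS = [
    ("flux.example", "A", T0, {"198.51.100.1", "198.51.100.2"}),
    ("flux.example", "A", T0 + timedelta(minutes=30), {"198.51.100.3", "198.51.100.4"}),
    ("flux.example", "A", T0 + timedelta(minutes=60), {"198.51.100.5", "198.51.100.1"}),
    ("flux.example", "A", T0 + timedelta(minutes=90), {"198.51.100.6", "198.51.100.7"}),
    ("flux.example", "NS", T0, {"ns1.flux.example"}),
    ("flux.example", "NS", T0 + timedelta(minutes=60), {"ns2.flux.example"}),
    ("balanced.example", "A", T0, {"203.0.113.1", "203.0.113.2"}),
    ("balanced.example", "A", T0 + timedelta(minutes=30), {"203.0.113.1", "203.0.113.2"}),
    ("balanced.example", "A", T0 + timedelta(minutes=60), {"203.0.113.2", "203.0.113.3"}),
    ("balanced.example", "A", T0 + timedelta(minutes=90), {"203.0.113.2", "203.0.113.3"}),
]

def series(domain, rtype, lookups=LOOKUPS):
    """Time-ordered (time, answer set) pairs for one domain and record type."""
    return sorted(((t, a) for d, r, t, a in lookups if d == domain and r == rtype),
                  key=lambda p: p[0])

def changes_per_hour(domain, rtype, lookups=LOOKUPS):
    """How often consecutive lookups return a different answer set."""
    s = series(domain, rtype, lookups)
    if len(s) < 2:
        return 0.0
    changes = sum(1 for (_, a), (_, b) in zip(s, s[1:]) if a != b)
    hours = (s[-1][0] - s[0][0]).total_seconds() / 3600
    return changes / hours if hours else 0.0

def cumulative_distinct_ips(domain, lookups=LOOKUPS):
    """Distinct A-record IPs accumulated after each lookup (the accumulation curve)."""
    seen, curve = set(), []
    for _, a in series(domain, "A", lookups):
        seen |= a
        curve.append(len(seen))
    return curve

def change_location(domain, lookups=LOOKUPS):
    """Where changes happen in the hierarchy: A-level vs NS-level change rates."""
    return {rtype: changes_per_hour(domain, rtype, lookups) for rtype in ("A", "NS")}

def looks_fast_flux(domain, lookups=LOOKUPS, min_new_ips_per_lookup=0.5):
    """Flag domains whose IP pool keeps growing instead of recycling a fixed pool.
    The threshold is an assumption chosen for this constructed sample."""
    curve = cumulative_distinct_ips(domain, lookups)
    if len(curve) < 2:
        return False
    return (curve[-1] - curve[0]) / (len(curve) - 1) >= min_new_ips_per_lookup
```

On this sample both domains change their A records, but only the flux domain keeps accumulating new IPs and changes at the NS level, which is the distinction the abstract draws between flux networks and load balancers.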
Joint work with Nick Feamster (Georgia Tech) and Jaeyeon Jung (Intel Research).
Maria Konte is currently an MS student in the College of Computing at Georgia Tech and will start the PhD program this Fall. She received her diploma in Production Engineering and Management from the Technical University of Crete and an MS in Systems Engineering from Boston University, in 2003 and 2005 respectively. Her research interests are in the area of computer networks, with an emphasis on network security.