Fast Flux

From ICANNWiki
(Redirected from FF)
Jump to: navigation, search

Fast Flux (FF) is an evasion technique used by Internet miscreants and cyber-criminals to evade their identification, thwarting anti-crime efforts aimed at identifying and shutting down websites that are used for illegal purposes. Due to the tendency of the fast flux hosting to support fraudulent activities, it is considered to be one of the biggest threat in the online activities. Double flux, a variant of fast flux hosting even exploits the name resolution services and even the domain name registration.[1]


Fast flux service networks are basically used for the following two purposes:

  • To host referral web sites: Bots in the Fast Flux network service, in fact, do not host the content of the customer but it redirects the traffic of the web site to the server where the customer using fast flux hosts the illegal and unauthorized activities. As only a single network is operated for the sake of fast flux hosting, it is known as single flux.
  • To host name servers: Bots in the fast flux service network use the name server referrers for the sake of fast flux customers. These name servers in turn forward the DNS requests to a hidden name server which hosts the zones containing DNS. If this is used along with to host referral web sites then it is known as double flux. [1]

How it works

The main objective of fast flux is to assign plenty of IP addresses for a qualified domain name. With the help of a combination of round-robin IP addresses, these qualified IP addresses are swapped in and out of the flux at an extremely large frequency and that too at a very short Time-to-Live (TTL) for a specific DNS Resource Record (RR).

Furthermore, the attackers also see to it that the compromised systems which they sue to host these scams have a good amount of bandwidth and availability of service. They also make use of a load distribution system which helps to flux out the unresponsive nodes by taking into account the node health-check results so that the availability of content is always maintained. [2]

Measures taken by ICANN to regulate Fast Flux

ICANN’s Security and Stability Advisory Committee views Fast Flux hosting as serious and ever increasing problem, which might have negative effects on name services in all the Top Level Domains. The SSAC has encouraged all ICANN, registrars and registries to have in place the best practices that would help in mitigating fast flux hosting. [1]

It had also set up a Fast Flux working Group to answer a host of questions about fast flux hosting. The Group submitted its final report in 2009 to the GNSO Council. The Group had also come up with a definition of fast flux attacks to differentiate between the legitimate uses of fast flux. [3]