Pi1 - Lehrstuhl Praktische Informatik I
Laboratory for Dependable Distributed Systems
University of Mannheim
Fast-Flux


One of the projects at our lab focuses on fast-flux service networks (FFSNs), a technique attackers use to build an overlay network on top of compromised machines. A fast-flux domain resolves, with short TTLs, to a constantly changing set of infected hosts that act as proxies for a hidden back-end server, so that taking down any single host has no lasting effect. FFSNs are used, for example, to host scam pages or other malicious content. Our findings were published in a paper at NDSS'08.

Abstract:

We present the first empirical study of fast-flux service networks (FFSNs), a newly emerging and still not widely-known phenomenon in the Internet. FFSNs employ DNS to establish a proxy network on compromised machines through which illegal online services can be hosted with very high availability. Through our measurements we show that the threat which FFSNs pose is significant: FFSNs occur on a worldwide scale and already host a substantial percentage of online scams. Based on analysis of the principles of FFSNs, we develop a metric with which FFSNs can be effectively detected. Considering our detection technique we also discuss possible mitigation strategies.

Full paper

Data availability:
To foster research in this area, the data collected during our study and some other related information is available for research purposes.
We created a tarball that summarises the fast-flux data collected over a period of several weeks. It is 7.3 MB packed and about 220 MB unpacked, and consists mostly of about 55K raw dig lookup files from several kinds of measurement. The archive contains the following data:

  • storm-qavoter.com.log: dig lookups for a domain used by the Storm Worm botnet, which uses fast-flux techniques
  • asprox-damnec-hydra.log: dig lookups for a domain used by the Asprox/Damnec botnet, which also uses fast-flux techniques
  • lookups-ff: dig lookups for fast-flux domains, confirmed manually
  • lookups-spam: dig lookups for various domains found in spam e-mails
  • lookups-benign: dig lookups for probably benign domains, most of them collected via dmoz or Alexa
  • lookups-ndss: part of the domains used for the NDSS paper
  • lookups-ndss-ff: suspected fast-flux domains from the NDSS paper
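To give a concrete idea of what can be computed from the raw dig lookup files in the tarball, the following is an added example (it is not part of this page, the paper or the lab's tooling) that parses saved dig output, aggregates repeated lookups per domain and derives the quantities a fast-flux detection metric of the kind described in the abstract builds on: the number of distinct A records seen over all lookups, the number of distinct hosting ASNs, the smallest TTL, and the ratio of distinct addresses to addresses per single answer. The dig runs, the IP-to-ASN table (RFC 5737 documentation ranges mapped to reserved AS numbers) and the thresholds in `looks_fluxy` are all constructed assumptions; the paper's fitted weights and cutoff are not reproduced here.

```python
"""Parse saved `dig` output and derive per-domain fast-flux indicators.

Everything below is constructed for illustration: the dig runs use the
RFC 5737 documentation address ranges and an invented IP-to-ASN table
built from the RFC 5398 reserved AS numbers 64496-64511.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed dig runs, one lookup each. A real lookups-* file holds many
# such runs of the same domain taken minutes apart.
DIG_RUNS = [
    """; <<>> DiG 9.3.4 <<>> flux.example.test
;; ANSWER SECTION:
flux.example.test.   300  IN  A  192.0.2.10
flux.example.test.   300  IN  A  198.51.100.7
flux.example.test.   300  IN  A  203.0.113.99
flux.example.test.   300  IN  A  198.51.100.200
flux.example.test.   300  IN  A  192.0.2.77
;; AUTHORITY SECTION:
flux.example.test.   300  IN  NS  ns1.flux.example.test.
""",
    """; <<>> DiG 9.3.4 <<>> flux.example.test
;; ANSWER SECTION:
flux.example.test.   300  IN  A  203.0.113.5
flux.example.test.   300  IN  A  192.0.2.10
flux.example.test.   300  IN  A  198.51.100.31
flux.example.test.   300  IN  A  203.0.113.150
flux.example.test.   300  IN  A  192.0.2.201
""",
    """; <<>> DiG 9.3.4 <<>> static.example.test
;; ANSWER SECTION:
static.example.test. 86400 IN  A  192.0.2.1
static.example.test. 86400 IN  A  192.0.2.2
""",
    """; <<>> DiG 9.3.4 <<>> static.example.test
;; ANSWER SECTION:
static.example.test. 86400 IN  A  192.0.2.1
static.example.test. 86400 IN  A  192.0.2.2
""",
]

# Invented prefix-to-ASN table (assumption); in practice this comes from
# a BGP routing table or a whois/IP-to-ASN service.
ASN_TABLE = [
    (ipaddress.ip_network("192.0.2.0/25"), 64496),
    (ipaddress.ip_network("192.0.2.128/25"), 64497),
    (ipaddress.ip_network("198.51.100.0/25"), 64498),
    (ipaddress.ip_network("198.51.100.128/25"), 64499),
    (ipaddress.ip_network("203.0.113.0/25"), 64500),
    (ipaddress.ip_network("203.0.113.128/25"), 64501),
]

# Matches one A record line of dig's ANSWER SECTION: owner, TTL, class, type, rdata.
A_RECORD = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d+(?:\.\d+){3})\s*$")


def asn_for(ip):
    """Return the ASN announcing `ip` according to ASN_TABLE, or None."""
    addr = ipaddress.ip_address(ip)
    for net, asn in ASN_TABLE:
        if addr in net:
            return asn
    return None


def parse_a_records(dig_output):
    """Yield (owner, ttl, ip) for every A record in one dig run."""
    for line in dig_output.splitlines():
        m = A_RECORD.match(line)
        if m:
            yield m["name"].rstrip(".").lower(), int(m["ttl"]), m["ip"]


def summarise(dig_runs, asn_lookup=asn_for):
    """Aggregate repeated lookups per domain into fast-flux indicators."""
    acc = defaultdict(lambda: {"lookups": 0, "answers": 0, "ips": set(), "asns": set(), "ttls": []})
    for run in dig_runs:
        records = list(parse_a_records(run))
        if not records:
            continue  # NXDOMAIN / SERVFAIL runs carry no A records
        d = acc[records[0][0]]
        d["lookups"] += 1
        for _, ttl, ip in records:
            d["answers"] += 1
            d["ips"].add(ip)
            d["ttls"].append(ttl)
            asn = asn_lookup(ip)
            if asn is not None:
                d["asns"].add(asn)
    result = {}
    for domain, d in acc.items():
        per_answer = d["answers"] / d["lookups"]  # mean A records per single lookup
        result[domain] = {
            "lookups": d["lookups"],
            "n_a": len(d["ips"]),          # distinct A records over all lookups
            "n_asn": len(d["asns"]),       # distinct hosting ASNs
            "min_ttl": min(d["ttls"]),
            "fluxiness": len(d["ips"]) / per_answer,  # 1.0 means the answer set never changed
        }
    return result


def looks_fluxy(s, max_ttl=600, min_asn=2):
    """Assumed rule of thumb, NOT the paper's fitted decision function:
    the answer set changes between lookups, hosts are spread over
    several ASNs, and TTLs are short enough to make that churn visible."""
    return s["fluxiness"] > 1.0 and s["n_asn"] >= min_asn and s["min_ttl"] <= max_ttl


if __name__ == "__main__":
    for domain, s in summarise(DIG_RUNS).items():
        print(f"{domain:22} lookups={s['lookups']} nA={s['n_a']} nASN={s['n_asn']} "
              f"minTTL={s['min_ttl']} fluxiness={s['fluxiness']:.2f} fluxy={looks_fluxy(s)}")
```

Run against the real lookups-ff and lookups-benign files, the same aggregation gives the two populations that a detection threshold has to separate; note that content distribution networks also return many addresses across several ASNs, which is why a single count on its own is not enough and the paper combines several features.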

Please send an e-mail to thorsten.holz[at]informatik.uni-mannheim.de or christian.gorecki[at]informatik.uni-mannheim.de if you have questions.