The GNSO Fast Flux Hosting Working Group asks for the opinion of professionals

Jan 28, 2009 13:25 GMT

The Internet Corporation for Assigned Names and Numbers (ICANN) has set out to regulate a DNS technique known as fast flux hosting, which is constantly being abused by cyber-criminals to hinder the efforts of security groups and authorities. After releasing its initial report (PDF), ICANN's Generic Names Supporting Organization (GNSO) has called a public comment session, hoping to receive more input on the matter from industry professionals.

Fast flux is a technique that enables domain owners to keep changing where their domain names point, cycling them across multiple IP addresses. This is achieved by using a very low TTL (time-to-live) value for the NS record, which causes DNS servers to cut the time they cache a domain's IP from hours or days to just a few seconds. The technique is used by hackers to make their botnet control servers or malicious websites more resilient against take-down attempts.

Unfortunately, fast flux also has legitimate uses, and as the report explains, “It is not an attack itself – it is a way for an attacker to avoid detection and frustrate the response to the attack.” By comparison, content delivery networks use this technical quirk for load balancing or location adjustments in order to improve the performance of their service.
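The distinction drawn above between abusive fast flux and CDN-style low TTLs can be expressed as a detection heuristic over passive DNS data. The following is an added example, not taken from the ICANN report or this article; the observations, the thresholds and the use of /16 networks as a stand-in for network diversity are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed passive-DNS observations: (seconds, name, ttl, answer IP).
# Names and addresses are made up (reserved TLD, private/documentation ranges).
OBSERVATIONS = [
    (0,  "flux.example", 5, "10.1.4.20"),
    (0,  "flux.example", 5, "172.16.9.3"),
    (30, "flux.example", 5, "192.168.77.8"),
    (30, "flux.example", 5, "10.200.3.41"),
    (60, "flux.example", 5, "172.30.1.90"),
    (60, "flux.example", 5, "10.54.18.2"),
    (0,  "cdn.example", 20, "198.51.100.10"),
    (30, "cdn.example", 20, "198.51.100.11"),
    (60, "cdn.example", 20, "198.51.100.12"),
    (0,  "static.example", 86400, "203.0.113.5"),
    (60, "static.example", 86400, "203.0.113.5"),
]

# Illustrative thresholds (assumptions; tune against your own resolver logs).
MAX_TTL = 60    # seconds
MIN_IPS = 5     # distinct addresses seen in the window
MIN_NETS = 4    # distinct /16 networks, a rough stand-in for ASN spread

def summarize(observations):
    """Group answers per name: lowest TTL, distinct IPs, distinct /16s."""
    stats = defaultdict(lambda: {"ttl": None, "ips": set(), "nets": set()})
    for _ts, name, ttl, ip in observations:
        s = stats[name]
        s["ttl"] = ttl if s["ttl"] is None else min(s["ttl"], ttl)
        s["ips"].add(ip)
        s["nets"].add(ip_network(f"{ip}/16", strict=False))
    return stats

def classify(s):
    """Low TTL alone also matches CDNs; require wide network spread as well."""
    if s["ttl"] > MAX_TTL:
        return "stable"
    if len(s["ips"]) >= MIN_IPS and len(s["nets"]) >= MIN_NETS:
        return "fast-flux-like"
    return "low-ttl-only"

def report(observations):
    return {name: classify(s) for name, s in summarize(observations).items()}

if __name__ == "__main__":
    for name, verdict in report(OBSERVATIONS).items():
        print(f"{name:16} {verdict}")
```

A "low-ttl-only" verdict is where legitimate load balancing tends to land, which is why TTL by itself is a poor signal for suspension decisions.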

One of the tasks of the working group that drafted the report has been to determine whether fast flux has anything to do with domain registrars and can be regulated by ICANN. On this issue, the report notes that “Some members of the Working Group provided reasons as to why policy development to address fast flux is outside the scope of ICANN’s remit, while others disagreed. The Working Group’s fact-finding and work on definitions documented how fast-flux involves domain name use issues, rather than domain name registration issues.”

But even if it is still uncertain whether or not ICANN should intervene in this situation, the group has made several suggestions to be considered by the GNSO Council. Since this issue exceeds the scope of gTLDs, it recommends that other ICANN-related or external entities and regulatory organizations be involved in the process. It also suggests that the domain abuse policy be extended to address fast flux attacks, by allowing registrars to suspend domain names more easily.

The group also proposes a “Fast Flux Data Reporting System,” where members of the online community could submit reports that involve such abuse. In this respect, it gives Internic's Whois Data Problem Reporting Service or Phishtank's abuse reporting system as examples. The group expects feedback from the community regarding these suggestions for a period of 20 days, during which the report is open to public comment.

When this period is over, it will analyze the received feedback and will begin drafting the final version of the report, which will be submitted to the GNSO Council. The working group began to work on this preliminary version of the report on June 26, 2008. The fast flux technique is currently being abused by some of the largest spam-sending botnets in the world, such as Waledac, Storm's successor.