An insight into the Fast-Flux Attack Networks and the applied cyber defensive practices





Charisopoulos, Georgios

Baltatzis, Dimitrios
Serketzis, Nikolaos
Rantos, Konstantinos

Master's thesis

2024-04-15
2024-04-15T10:30:50Z
2023-05-28


Written as part of my MSc degree in Cybersecurity at International Hellenic University, this dissertation focuses on the operation and detection of a special category of malicious networks, closely related to botnets: Fast-Flux Attack Networks (FFANs). FFANs are used to carry out severe DNS-based attacks while applying effective hiding techniques to their most important component, the Fast-Flux mothership, a C&C server that controls the network's compromised agents and delivers malware or illegal web content to the connecting DNS clients. The distinguishing feature of an FFAN is its use of legitimate load-balancing techniques, such as Round-Robin algorithms and redirection processes, to connect the targeted host to an intermediate layer of DNS servers or compromised hosts (fast-flux agents). These agents act as proxies, forwarding a DNS request from one IP address destination to another, so that no direct communication channel is established between the victim and the Fast-Flux mothership until the client has been registered as an infected host (bot) of the malicious network. The similarity between the load-balancing methods of legitimate distributed web infrastructures such as Content Distribution Networks (CDNs) and those of FFANs makes the two hard to distinguish, since they share a common trait: the rapid, seemingly random rotation of the IP addresses resolved for a given domain name, combined with low Time-To-Live (TTL) values that force frequent refreshes of the DNS name resolution. Nevertheless, this basic fast-flux technique is not the only one: the hiding tools of FFSNs have been enriched by newer approaches and methods such as DGAs, Double-Flux, Hydra-Flux and N-Flux attacks, which are analyzed in detail in Chapter 3.
Given the two inherent features of an FFAN, the "fluxiness" of both IP addresses and domain names, traditional cyber defensive methods such as blacklists or whitelists seem to fail to detect this type of network because of its dynamic operation. However, progress in machine learning theory and data mining offers new capabilities for designing predictive models that embed algorithms and metrics based on fundamental assumptions about the intrinsic behavioral features of FFSNs.
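The behavioral features the abstract refers to can be illustrated with a small feature extractor. This is an added example, not code from the thesis: it derives per-domain "fluxiness" metrics from constructed DNS observations and applies an assumed threshold rule, using /16 prefix diversity as a stand-in for ASN diversity so that a CDN-like domain (many IPs, one network) is not flagged while a domain whose IPs rotate across unrelated networks is.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed DNS A-record observations: (domain, seconds_since_start, ip, ttl).
# Addresses come from reserved/private ranges and are not real indicators.
OBSERVATIONS = [
    # CDN-like: low TTL and many IPs, but all inside one /16 prefix
    ("cdn.example", 0, "192.0.2.10", 60), ("cdn.example", 0, "192.0.2.11", 60),
    ("cdn.example", 60, "192.0.2.12", 60), ("cdn.example", 60, "192.0.2.13", 60),
    ("cdn.example", 120, "192.0.2.14", 60), ("cdn.example", 120, "192.0.2.15", 60),
    # flux-like: low TTL, IPs rotating across unrelated networks (proxy agents)
    ("flux.test", 0, "10.3.4.5", 120), ("flux.test", 0, "10.77.8.9", 120),
    ("flux.test", 120, "172.16.20.4", 120), ("flux.test", 120, "172.31.9.9", 120),
    ("flux.test", 240, "10.200.1.2", 120), ("flux.test", 240, "10.3.4.5", 120),
    # ordinary host: a single IP with a long TTL
    ("static.example", 0, "203.0.113.7", 86400),
]

def flux_features(observations):
    """Per-domain behavioural features derived from the observed resolutions."""
    per_domain = defaultdict(list)
    for domain, t, ip, ttl in observations:
        per_domain[domain].append((t, ip, ttl))
    features = {}
    for domain, recs in per_domain.items():
        ips = {ip for _, ip, _ in recs}
        # /16 prefix diversity stands in for ASN diversity (assumption: no ASN data offline)
        prefixes = {str(ip_network(f"{ip}/16", strict=False)) for ip in ips}
        features[domain] = {
            "unique_ips": len(ips),
            "unique_prefixes": len(prefixes),
            "min_ttl": min(ttl for _, _, ttl in recs),
            "lookups": len({t for t, _, _ in recs}),
        }
    return features

def classify(feat, max_ttl=300, min_ips=5, min_prefixes=3):
    """Illustrative threshold rule (assumed values), not the thesis's model:
    flag only when low TTL, many IPs and network diversity occur together."""
    fluxy = (feat["min_ttl"] <= max_ttl and feat["unique_ips"] >= min_ips
             and feat["unique_prefixes"] >= min_prefixes)
    return "suspected-fast-flux" if fluxy else "benign-like"

def triage(observations=OBSERVATIONS):
    """Map each observed domain to its verdict."""
    return {d: classify(f) for d, f in flux_features(observations).items()}

if __name__ == "__main__":
    for domain, feat in flux_features(OBSERVATIONS).items():
        print(domain, feat, classify(feat))
```

A real deployment would replace the /16 proxy with ASN lookups and learn the thresholds from labelled data, which is the direction the abstract's machine-learning approach takes.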


Fast-Flux Attack Networks
Cybersecurity
FFAN

English

School of Science and Technology, MSc in Cybersecurity
IHU

Default License



