2008 H2 Fast Flux Data Analysis

ATLAS has spent a good portion of 2008 tracking fast flux botnets and recording the data it collects. We’ve been sharing the data with some folks and digging into it, but here’s some of the analysis you may not see in the everyday reports that ATLAS produces.

I took the past two quarters’ worth of data from ATLAS, specifically the domains discovered fluxing by date and the domain names, and analyzed them. By comparing these two quarters we can size up what’s happening in the malicious, fast flux hosting world.

Q3 2008

The first data set to review here is the TLD of the fast flux domains we saw in the 3 months of Q3 2008. These don’t differ too much from our paper that we released in October, which covered 1H 2008. The breakout of TLDs and counts is shown below, showing the top 10 specifically.

The maximum number of distinct domains per TLD was 10637 (for .COM, not surprising), while the average number of domains was 1350; the median was 99. The mean is heavily skewed by this disproportionate number for .COM. A total of 21 distinct TLDs were seen in this time frame, up from previous measures earlier in 2008.

Looking at new discoveries by date, we can see a major spike when we discovered a very large, active botnet using fast flux and captured all of its names (over 5500 in total in that one day).

We usually saw between 80 and 90 new fast flux domains per day over the quarter.

Q4 2008

The TLD data for Q4 shows that .CN is on the rise, proportionally, as a fast flux registration point (see below). It also reflects a greater number of TLDs in use, 39 in total for the quarter, nearly double from the previous quarter.

The median number of domains per TLD is 56, but .COM still takes the cake with over 6000 in the quarter alone. What’s interesting is that we saw a drop when McColo was taken offline. We’re nearly back at pre-McColo numbers almost two months later.

Again, looking at the quarter by day we can see a huge spike as we again discovered and dissected a huge fast flux botnet in a single day, adding over 3000 domains that day. On a typical day, however, we saw between 40 and 50 new domains fluxing.
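To make the per-TLD figures (max, mean, median, distinct TLD count) and the per-day discovery counts with their botnet-dump spikes concrete, here is an added example that is not ATLAS code or part of the original post; it runs the same analysis over a small constructed set of (date, domain) records, and the domain names, the spike factor and the record format are assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, median

# Constructed sample in the shape of the ATLAS feed the post describes:
# (discovery date, domain) pairs. These are made-up names, not real data.
SAMPLE = [
    ("2008-10-01", "ff-a.com"), ("2008-10-01", "ff-b.com"), ("2008-10-01", "ff-c.cn"),
    ("2008-10-02", "ff-d.com"), ("2008-10-02", "ff-e.net"), ("2008-10-02", "FF-B.COM"),
    ("2008-10-03", "ff-f.com"), ("2008-10-03", "ff-g.com"), ("2008-10-03", "ff-h.com"),
    ("2008-10-03", "ff-i.com"), ("2008-10-03", "ff-j.cn"), ("2008-10-03", "ff-k.cn"),
    ("2008-10-03", "ff-l.org"), ("2008-10-03", "ff-m.info"), ("2008-10-03", "ff-n.com"),
    ("2008-10-03", "ff-o.com"), ("2008-10-04", "ff-p.ru"), ("2008-10-04", "ff-c.cn"),
]

def tld_of(domain):
    """Rightmost label, upper-cased to match the post's .COM/.CN style."""
    return domain.rsplit(".", 1)[-1].upper()

def tld_stats(records):
    """Distinct domains per TLD plus the max / mean / median the post quotes."""
    per_tld = defaultdict(set)
    for _, dom in records:
        per_tld[tld_of(dom)].add(dom.lower())   # case-fold so FF-B.COM == ff-b.com
    counts = {tld: len(doms) for tld, doms in per_tld.items()}
    vals = list(counts.values())
    return {"per_tld": counts, "distinct_tlds": len(counts),
            "max": max(vals), "mean": mean(vals), "median": median(vals)}

def daily_discoveries(records):
    """New (first-seen) domains per day; a domain re-observed later is not counted again."""
    seen, per_day = set(), Counter()
    for day, dom in sorted(records):            # sort so 'first seen' is chronological
        if dom.lower() not in seen:
            seen.add(dom.lower())
            per_day[day] += 1
    return per_day

def spike_days(per_day, factor=3):
    """Days whose new-domain count exceeds factor x the median day, i.e. the
    'whole botnet dissected in one day' spikes the post describes (factor is assumed)."""
    typical = median(per_day.values())
    return sorted(day for day, n in per_day.items() if n > factor * typical)

if __name__ == "__main__":
    stats = tld_stats(SAMPLE)
    print("distinct TLDs:", stats["distinct_tlds"], "per-TLD:", stats["per_tld"])
    print("max/mean/median per TLD:", stats["max"], round(stats["mean"], 2), stats["median"])
    daily = daily_discoveries(SAMPLE)
    print("new domains per day:", dict(daily), "spike days:", spike_days(daily))
```

On the sample, .COM dominates the per-TLD counts and drags the mean well above the median, the same skew the post notes for the real data.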

Comparison and Trends

We’re seeing two trends of note with respect to 2008 with fast flux domain registrations and use. The first is the growth of .CN as a fast flux TLD. Most of the .CN domains we see registered and fluxing come through a registrar like BIZCN, which we now treat with some suspicion. This could be due to them being negligent or completely subverted, but either way we’re not surprised to see a BizCN registration of a fluxy .CN domain name. We also think that this rapid growth in .CN as a fluxing TLD may be due to a fire sale of .CN domain registrations that occurred late in 2008.

The second big trend over 2008 is the migration away from .COM and .CN to a lot more TLDs. As we noted in our paper earlier this year, by the middle of 2008 more TLDs were being used than had been seen in Thorsten’s previous paper. By the end of 2008 even more TLDs were in use. The long tail is getting longer, meaning more registrars have to be educated and empowered to respond to abuse notices with takedowns.

2008 was a very big year for fast flux service hosting, and we’ll continue to see it in 2009. We’re working with more people to analyze such botnets and track their activities, and we’ll be reporting it here.

One Response to “2008 H2 Fast Flux Data Analysis”

January 08, 2009 at 5:01 pm, Andrew Hay » Blog Archive » links for 2009-01-08 said:

[…] 2008 H2 Fast Flux Data Analysis | Security to the Core | Arbor Networks Security (tags: fast flux data analysis botnet) […]