Threat Management, Incident Response, TDR

ICANN proposals on fast-flux not tough enough: Experts

Security experts have expressed skepticism that recent recommendations from ICANN (Internet Corporation for Assigned Names and Numbers) for combatting fast-flux hosting will do much to stop the practice, which is utilized by criminal bot herders to mask their activities.

While generally lauding ICANN's effort, experts told that more is needed to address the use of fast-flux hosting by bot herders to rapidly shift their malicious web servers and domain-name servers (DNS) from machine to machine to evade detection.

“I believe the ICANN recommendations are a worthwhile effort and would make things harder for the bad guys,” Randy Abrams, ESET director of technical education, said. “In addition to ICANN's proposals, there have to be more stringent guidelines [regarding] how registrars react to complaints and the time it takes to resolve issues. Registrars need to be accountable.”

ICANN, a non-profit private sector group formed in 1998 to govern domain name registration, has proposed that registrars uniformly authenticate any requests for configuration changes to names servers; prevent automated changes to these configurations; and set a minimum “time-to-live” threshold of 30 minutes for a server so bot herders can't shift them repeatedly.

 also called for standard quarantining of suspected fast-flux DNS domain name servers in a honeypot, and blacklisting of domains that have been used for illegal purposes.

Mary Landesman, a senior security researcher at ScanSafe, said ICANN's recommendations represent an outmoded “Web 1.0” approach to the problem.

"People are being impacted because they are trying to shoehorn a solution that doesn't fit the problem. Where fast-flux causes a problem is when you are trying to police the internet through some outdated mode like honeypotting or blacklisting. That just doesn't work in this environment,” Landesman told

Landesman maintained that aggressive scanning is the most effective way to deal with a malicious botnet, regardless of whether the bot herders are deploying fast-flux hosting.

“Fast-flux is a means of masking the source of a malicious site. If you are doing real-time scanning on access, it doesn't matter what the source is. You will detect the maliciousness, and it's game over,” she said, adding that the scanning technology now deployed by large ISPs should be made available to end-users.

Landesman also indicated that the “time-to-live” threshold proposed by ICANN already was in general use before the new recommendations were issued.

"I have a hard time believing that anybody has their time-to-live set as low as 3 minutes,” Landesman told “ISP providers already were [at 30 minutes], if not higher. A lot of local caching that happens on the DNS servers is pretty tightly controlled by the ISPs, so I don't think that your big ISPs, like Time Warner, are going to have to make any kind of a change. This is not a problem that is effective or being launched through those large ISPs anyway.”

According to Abrams, the current domain registration process “is a pretty sick joke.”

“It would be surprising if there weren't several registrars actively participating in the groups controlling some of the botnets,” he added.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.