Wednesday, October 8, 2008

Fast flux Cloud Computing (elastic botnet)

For anyone looking to create their own global compute cloud, the botnet serves as the perfect blueprint for a resilient, fault-tolerant network. Lately botnets are proving to be more resilient and harder to shut down than any other form of cloud technology. So needless to say, we can learn a lot from our criminal counterparts.

One of the big reasons botnets are so hard to take down is how they obscure the domain by constantly mapping it to different bots within the network, according to a recently released study (PDF). This approach to fault tolerance may be the model for our work in the cloud.

The study's authors, Jose Nazario of Arbor Networks and Thorsten Holz of the University of Mannheim, tracked the traffic of 900 fast-flux domain names used by botnets within the first six months of 2008 and learned quite a bit about the inner workings of the most powerful botnets, and specifically about their use of fast-flux.

According to Wikipedia, "fast-flux" is a term that describes how botnets use constant changes in the mapping of a hard-coded domain name to different bots within the network. The fast-flux technique is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures, and it is ideally suited to the management of cloud-based infrastructures.

The simplest type of fast flux, referred to as "single-flux", is characterized by multiple individual nodes within the network registering and de-registering their addresses as part of the DNS A (address) record list for a single DNS name. This combines round-robin DNS with very short TTL (time to live) values to create a constantly changing list of destination addresses for that single DNS name. The list can be hundreds or thousands of entries long. (This is very similar to the way we distribute user access and load within our Enomaly Elastic Computing Platform.)

A more sophisticated type of fast flux, referred to as "double-flux", is characterized by multiple nodes within the network registering and de-registering their addresses as part of the DNS NS record list for the DNS zone. This provides an additional layer of redundancy and survivability within the malware network.
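The single-flux and double-flux patterns above are easiest to see from the defender's side: a resolver that records each answer it gets for a domain can tell a stable round-robin pool (same addresses, just reordered) from a fluxing one (the address set itself keeps changing), and can tell single-flux from double-flux by whether the zone's NS records rotate too. The following is an added example, not code from this post or from the Nazario/Holz study; the lookups, the TTL cut-off of 300 seconds and the 50% churn threshold are all constructed for illustration.

```python
# Heuristic fast-flux classifier run over a series of recorded DNS lookups.
# Added example, not code from the original post or the cited study;
# the thresholds and the sample lookups below are constructed.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass
class Lookup:
    """One resolution of a domain at time `ts` (seconds, constructed)."""
    domain: str
    ts: int
    ttl: int                   # TTL of the answer set in seconds
    a_records: List[str]       # A record list returned in this answer
    ns_records: List[str] = field(default_factory=list)


@dataclass
class FluxReport:
    domain: str
    lookups: int
    distinct_a: int            # distinct A addresses seen across all lookups
    distinct_ns: int           # distinct NS names seen across all lookups
    min_ttl: int
    a_churn: float             # fraction of consecutive lookups whose A set changed
    ns_churn: float            # same for the NS set
    single_flux: bool
    double_flux: bool


def _churn(answer_sets: List[FrozenSet[str]]) -> float:
    """Fraction of consecutive answer pairs whose record set differs.

    Plain round-robin reorders the same pool, so comparing sets (not lists)
    keeps a stable pool at churn 0.0 and a rotating pool near 1.0.
    """
    if len(answer_sets) < 2:
        return 0.0
    changed = sum(1 for a, b in zip(answer_sets, answer_sets[1:]) if a != b)
    return changed / (len(answer_sets) - 1)


def analyse(lookups: List[Lookup], ttl_threshold: int = 300,
            churn_threshold: float = 0.5) -> Dict[str, FluxReport]:
    """Classify each domain as single-flux, double-flux or neither.

    Single-flux: short TTLs and a rotating A record set.
    Double-flux: single-flux plus a rotating NS record set for the zone.
    Both thresholds are assumptions chosen for this example.
    """
    by_domain: Dict[str, List[Lookup]] = {}
    for lk in lookups:
        by_domain.setdefault(lk.domain, []).append(lk)

    reports: Dict[str, FluxReport] = {}
    for domain, lks in by_domain.items():
        lks = sorted(lks, key=lambda lk: lk.ts)
        a_sets = [frozenset(lk.a_records) for lk in lks]
        ns_sets = [frozenset(lk.ns_records) for lk in lks]
        min_ttl = min(lk.ttl for lk in lks)
        a_churn, ns_churn = _churn(a_sets), _churn(ns_sets)
        single = min_ttl <= ttl_threshold and a_churn >= churn_threshold
        double = single and ns_churn >= churn_threshold
        reports[domain] = FluxReport(
            domain=domain, lookups=len(lks),
            distinct_a=len(frozenset().union(*a_sets)),
            distinct_ns=len(frozenset().union(*ns_sets)),
            min_ttl=min_ttl, a_churn=a_churn, ns_churn=ns_churn,
            single_flux=single, double_flux=double)
    return reports


_NS_NET = ["ns1.example.net", "ns2.example.net"]
_NS_ORG = ["ns1.example.org", "ns2.example.org"]

# Constructed sample; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOOKUPS = [
    # Short TTL but the same three addresses every time: ordinary round-robin, not flux.
    Lookup("cdn.example.net", 0, 60, ["198.51.100.10", "198.51.100.11", "198.51.100.12"], _NS_NET),
    Lookup("cdn.example.net", 60, 60, ["198.51.100.11", "198.51.100.12", "198.51.100.10"], _NS_NET),
    Lookup("cdn.example.net", 120, 60, ["198.51.100.12", "198.51.100.10", "198.51.100.11"], _NS_NET),
    # Single-flux: the A list rotates through many hosts while the NS list stays fixed.
    Lookup("flux.example.org", 0, 180, ["203.0.113.5", "203.0.113.77", "192.0.2.9"], _NS_ORG),
    Lookup("flux.example.org", 180, 180, ["192.0.2.44", "203.0.113.5", "198.51.100.200"], _NS_ORG),
    Lookup("flux.example.org", 360, 180, ["192.0.2.130", "203.0.113.201", "198.51.100.7"], _NS_ORG),
    # Double-flux: both the A list and the zone's NS list rotate.
    Lookup("dflux.example.com", 0, 120, ["192.0.2.17", "203.0.113.66"], ["ns-a.example.com", "ns-b.example.com"]),
    Lookup("dflux.example.com", 120, 120, ["198.51.100.90", "192.0.2.17"], ["ns-c.example.com", "ns-a.example.com"]),
    Lookup("dflux.example.com", 240, 120, ["203.0.113.140", "198.51.100.31"], ["ns-d.example.com", "ns-e.example.com"]),
]

if __name__ == "__main__":
    for rep in analyse(SAMPLE_LOOKUPS).values():
        label = "double-flux" if rep.double_flux else "single-flux" if rep.single_flux else "stable"
        print(f"{rep.domain:18} min_ttl={rep.min_ttl:<4} A={rep.distinct_a:<2} NS={rep.distinct_ns:<2} "
              f"a_churn={rep.a_churn:.2f} ns_churn={rep.ns_churn:.2f} -> {label}")
```

The point of comparing answer sets rather than lists is the caveat from the single-flux description: a short TTL alone is not evidence of anything, since ordinary round-robin load balancing also uses short TTLs over a fixed pool. What distinguishes flux is that the pool itself keeps being replaced, and for double-flux the authoritative name servers are replaced as well. In practice a detector would also look at how many different networks (ASNs) the addresses fall in, which this simplified version leaves out.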

The study found that fast-flux botnets were often active for anywhere from a few hours to a few months. The domains that were used were registered, but sometimes lay dormant for several months. The online fraud and crime most associated with these botnets included phishing sites, pharmacy sites, and malware distribution sites.

I'll keep you posted as I learn more about this fast flux approach.
