1. Introduction
Networks of compromised PCs remotely controlled by attackers are the foundation of various cyber threats to cloud environments, including distributed denial-of-service (DDoS) attacks, identity theft, phishing and spam (Al-Fayoumi et al., 2019; Alauthaman et al., 2018; Alauthman et al., 2020; Almomani et al., 2018; Almomani et al., 2015; Almomani, Wan, et al., 2013; Alomari et al., 2016; Alomari et al., 2014; Barford et al., 2007; Dagon et al., 2008; Fabian et al., 2007; Grizzard et al., 2007; Gu et al., 2008; B. Gupta, 2011; Karasaridis et al., 2007; Levy et al., 2005; Rajab et al., 2006).
Fast flux networks (FFNs) are a unique form of botnet that criminals use to give their malicious websites high availability and flexibility, in the same way as round-robin domain names (RRDNS) and content delivery networks (CDNs) (Alieyan et al., 2015). Botnet writers disguise their malicious activities and design new tactics and mechanisms to hide their communications. One method is IP fast-flux, a mechanism that frequently changes the IP addresses corresponding to a unique domain name. Another method is domain flux, a mechanism that automatically and periodically generates domain names related to the URL of a C&C server (Alieyan et al., 2019; Zou et al., 2018). The key concept of FFNs is to use bot PCs as proxies (flux agents) that forward user queries to backend servers called “motherships”.
These rapid changes in proxy IP addresses are crucial to avoid detection and prospective shutdown and to guarantee high availability for those backend servers. FFNs are regarded as a recent development in the operation and leadership of spam campaigns. In these campaigns, spammers send thousands of emails containing interesting product or service advertisements (e.g., pharmaceutical, adult content, and phishing) to users’ email inboxes (Al-Duwairi et al., 2014). These advertisements generally contain hyperlinks to the malicious websites of the campaigns. Until recently, only a single static IP address was associated with a website for a certain period; this characteristic gave security defenders the chance to take down that website. With FFNs, the domain name of a malicious website points to more than one IP address (FF-agents), and this set of addresses changes frequently and rapidly.
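The contrast drawn above between a single static address, a round-robin pool and an IP fast-flux domain can be measured from repeated DNS answers. The following sketch is an added example, not code from the article: the observations, domain names and thresholds are constructed assumptions, and it only scores how much of each answer consists of addresses never seen before for that domain.

```python
from collections import defaultdict

# Constructed passive-DNS sample: (seconds since start, domain, A records returned).
OBSERVATIONS = [
    (0, "static.example", ["192.0.2.10"]),
    (600, "static.example", ["192.0.2.10"]),
    (1200, "static.example", ["192.0.2.10"]),
    (0, "rrdns.example", ["198.51.100.1", "198.51.100.2", "198.51.100.3"]),
    (600, "rrdns.example", ["198.51.100.2", "198.51.100.3", "198.51.100.1"]),
    (1200, "rrdns.example", ["198.51.100.3", "198.51.100.1", "198.51.100.2"]),
    (0, "flux.example", ["10.1.4.7", "10.88.2.9", "10.140.9.3"]),
    (600, "flux.example", ["10.23.6.1", "10.201.5.5", "10.88.2.9"]),
    (1200, "flux.example", ["10.9.9.9", "10.64.0.2", "10.177.3.8"]),
]

def flux_metrics(observations):
    """Per domain: distinct IPs seen, and the mean share of never-before-seen
    IPs in each answer after the first (the churn of the address set)."""
    answers = defaultdict(list)
    for _, domain, ips in sorted(observations, key=lambda o: o[0]):
        if ips:  # ignore empty answers so the ratio below is always defined
            answers[domain].append(ips)
    metrics = {}
    for domain, series in answers.items():
        seen, churn = set(series[0]), []
        for ips in series[1:]:
            fresh = [ip for ip in ips if ip not in seen]
            churn.append(len(fresh) / len(ips))
            seen.update(ips)
        metrics[domain] = {
            "distinct_ips": len(seen),
            "mean_churn": sum(churn) / len(churn) if churn else 0.0,
        }
    return metrics

def classify(m, min_ips=5, min_churn=0.5):
    """Thresholds are illustrative assumptions, not values from the article."""
    if m["distinct_ips"] == 1:
        return "single static address"
    if m["distinct_ips"] >= min_ips and m["mean_churn"] >= min_churn:
        return "fast-flux candidate"
    if m["mean_churn"] == 0.0:
        return "stable address pool"
    return "inconclusive"

if __name__ == "__main__":
    for domain, m in flux_metrics(OBSERVATIONS).items():
        print(f"{domain:16} {m} -> {classify(m)}")
```

A rotating but fixed pool scores zero churn however often its order changes, which is why churn rather than the raw number of A records is used here; a "candidate" result still needs further evidence, since CDNs can also return varying address sets.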
According to Kalige et al. (2012), HTTP botnets are considered dangerous because they attack and exploit systems. Current HTTP botnets use the strongest techniques to perform attacks. An example is the Asprox botnet, which has affected about 3.5 billion computers in the United States. The Asprox botnet uses an advanced double fast-flux, called the hydra fast-flux, as its main technique (Al-Bataineh et al., 2012). This technique renders efforts to take down C&C servers useless. Additional details are presented in Subsection 2.3.
The Cost of CyberCrime Study (Enterprise, 2015) notes that 252 benchmarked organisations have an average annualized cost of $7.7 million. The study also demonstrates that either a botnet or a web-based attack performs or supports these exploits, and that fast-flux is used as an avoidance method to provide accessibility and resilience.
The report mentions that the most dangerous cyber-crimes are those caused by denial-of-service (DoS) and web-based attacks. The fast-flux evasion technique has been widely used in botnets and web-based botnets to carry out DoS and other attacks (e.g., phishing and spam), with fast-flux serving as the backbone of C&C communication between the compromised computers and the mothership/malicious website.