The group also identifies methods for detecting flux and suggests that flux detection should be built into the domain name system itself. Since using the technique likely means a site is fraudulent, the system itself could help protect unsuspecting users from visiting these sites.
Shortening detection time by even a few hours can make a significant difference, says Alper Caglayan, president of Milcord, a company based in Waltham, MA, that collects real-time data about botnets. “If they can operate even a day, they’ve already made too much money,” he adds.
Caglayan notes that there are some legitimate ways to use flux–for example, to deliver multimedia content efficiently–but says that the way a botnet uses flux should look different. For example, a botnet’s machines are scattered around the world in a pattern that wouldn’t make sense for a legitimate business.
Some experts believe that a multipronged approach is needed to stop phishing sites. Caglayan’s company provides a service that helps Internet service providers and other large network administrators find and shut down infected machines within their networks.
Some Web browsers also use blacklists to warn users away from fraudulent sites. But tricks like flux make it almost impossible for those blacklists to stay current enough to be useful. Caglayan expects that, in the future, browsers will need to build in systems that can detect fraud on their own.
Detecting flux will only help people who are using blocking services of some kind, says Manoj Srivastava, chief technical officer of Cyveillance, a security company based in Arlington, VA. “To effectively deal with an attack involving fast flux, it is necessary to take the domain off the Internet, and that requires working with either the registrar or registry of that domain,” he says. This can be hard because some domains are located in countries with loose regulations for Internet fraud. Simpler obstacles such as a language barrier can also leave a fraudulent site in operation for a longer period of time.
Gupta says that, as with most Internet crime, flux is a just one component in a larger game of cat and mouse. “You can’t win this game,” she says. “You just have to continually detect their means and adjust to them.”