Infosecurity Adviser warns on fast-flux DNS link dangers
March 2009 by Emmanuelle Lamandé
Infosecurity Adviser, the online community for the information security industry, created by the organisers of Infosecurity Europe, has generated a discussion on one of the latest threats to the integrity of the Internet, fast-flux DNS linking.
In a discussion posting, Andrew Yeomans, an ISAF and Infosecurity Europe Advisory Board member, cross-references security guru Bruce Schneier’s blog on a Wikileaks article on how child porn is being distributed on the Internet.
"These include the use of fast-flux DNS links to proxy servers used to anonymise connections to the hosting servers which have hidden encrypted partitions," says Yeomans.
According to Yeomans, from a technical perspective, the process is quite ingenious, since the servers used to distribute the illegal images are effectively sealed from external access, except by IP calls from specific IP addresses and using specific protocols.
Using this approach means that the chances of detection by legal agencies - including those set up to prosecute child pornography offences - are vanishingly small.
Perhaps worse, even if a 'member' of an illegal ring accesses the data, they do so in an anonymous fashion, in both directions, which means that the member is unaware of the IP mechanisms, let alone the addresses and protocols, being used to download the images.
There is, however, one method by which this awful trade in illegal pictures can be blocked and, says Yeomans, he personally supports the blocking by major Internet service providers, at the DNS level, of host names used by illegal and criminal organisations.
This would also, Yeomans notes, include those host names used by botnets and phishers.
"I believe this would allow a much more rapid response than the current take-down system and would significantly reduce the risk to the UK public," he said.