ICANN ponders ways to stop scammy Web sites

The overseer of the Internet's addressing system is soliciting ideas for how to fix a problem that is enabling spammers and fraudulent Web sites to flourish.

The Internet Corporation for Assigned Names and Numbers (ICANN) has issued an initial report on fast flux, a technique that allows a Web site's domain name to resolve to multiple IP addresses.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

Fast flux allows an administrator to quickly point a domain name to a new IP address, for example if the server at the first address fails or comes under a denial-of-service attack. It is legitimately used by content distribution networks such as Akamai to balance loads, improving performance and lowering data transmission costs.

But the technique has also been embraced by hackers and cybercriminals, who use it to make it harder for ISPs and law enforcement officials to close down phishing Web sites and other sites illegally hawking goods such as pharmaceuticals.

"Those engaged in these activities can frustrate the efforts of investigators to locate and shut down their operations by using fast-flux service networks to rapidly and continuously change the topology of the network on which their content is hosted," according to the report.

The main aim of cybercriminals is to keep their fraudulent Web sites up and running longer. Fast flux "is not an attack itself -- it is a way for an attacker to avoid detection and frustrate the response to the attack," the report said.

That's done in part by modifying how long name servers around the Internet cache the IP address corresponding to the domain name. When a person visits a Web site, a local name server caches the IP address of the domain name. How long the local name server refers to its cached record for a Web site is controlled by the "time-to-live" setting in the official DNS record for a site, set by Web site's operator.

While "time-to-live" is typically set to hours or even days, a Web site's IP address can be change as often as every few minutes, redirecting to countless servers belonging to different ISPs, all of which would have to be taken down. In combination with the use of proxy servers and redirect commands, antiphishing efforts can turn into endless game of chase.

Consumers can be defrauded, as cybercriminals try to hack into Web hosting accounts in order to set up new nodes on their fast-flux networks, the report said.

The security community is faced with the challenge of trying to mitigate criminal use of fast flux but also not inadvertently restricting its legitimate uses.

One solution is quicker identification and shut down of domain names identified with abusive activity. Domain names could be revoked by a registrar, which in most cases would stop the site from working. Another solution would be to limit the ability of a registrant to repeatedly change name servers or eliminate automated name-server hopping, the report said.

The 121-page report, written by ICANN's Generic Names Supporting Organization (GNSO) lays out a series of other methods that could be used to mitigate the problem. GNSO will accept comments for 20 days and then do a final redraft of the report.