FAST FLUX: A CYBER SECURITY THREAT

CISA Advisory: “Fast Flux” poses a national security threat.
We sourced this information in its entirety from here. [PDF]
Summary
“This technique poses a significant threat to national security, enabling malicious cyber actors to consistently evade detection. Malicious cyber actors, including cybercriminals and nation-state actors, use fast flux to obfuscate the locations of malicious servers by rapidly changing Domain Name System (DNS) records. Additionally, they can create resilient, highly available command and control (C2) infrastructure, concealing their subsequent malicious operations. This resilient and fast-changing infrastructure makes tracking and blocking malicious activities that use fast flux more difficult.”
This technique abuses DNS: the attacker changes CNAME records to reflect alternate IP addresses, which makes it difficult for cyber defenders and law enforcement to block, detect, and prosecute malicious actors who distribute malware. Single Flux and Double Flux are the two sub-techniques of Fast Flux. Each allows an attacker to disguise and hide their activities using an intended feature of DNS. By redirecting and changing DNS records (in the case of single flux) or changing the DNS server altogether (in the case of double flux), attackers can effectively disguise themselves. Attackers may choose this method so that they do not have to hard-code their CNC server’s IP address, using a domain instead.

Technical Details
Single Flux
Single flux follows 8 steps.
Steps 1-3 follow the normal course of a DNS lookup, as shown in the graphic.
Steps 5-6 allow the adversary to send commands directly to the infected computer(s) in their botnet without additional lookups.
In step 7 the adversary changes the CNAME record of the domain to another IP address under their control.
The adversary then repeats steps 1-7 in step 8 every 5 minutes, changing the server address for the domain under their control.

Double Flux
Double flux follows 9 steps.
Steps 1-7 are the same as Single Flux.
In step 8, the adversary changes the IP address of the DNS server that the domain is using.
Step 9 is similar to step 8 of Single Flux: the attacker repeats steps 1-8 every five minutes.
Considerations
- Adversaries may use bulletproof hosting services that disregard or evade law enforcement requests and abuse notices.
- Fast Flux has been used in the Hive and Nefilim ransomware attacks.
- Adversaries gain an advantage by using fast flux because it allows them to change information quickly, which gives them increased resilience, resistance to IP blocking, and a layer of anonymity.
Detection and Mitigation
- Threat intelligence feeds allow for the identification of fast flux domains and IP addresses; blocking or sinkholing those addresses or domains is an effective mitigation.
- TTL values on fast flux DNS records are typically low, since the records change frequently.
- DNS query logs may show domains with high entropy or IP diversity in the server’s responses.
- Consider reputational filtering, blocking traffic to and from domains or IP addresses of low reputation.
- Implement enhanced monitoring and logging to allow for the detection of fast flux patterns.
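The low-TTL and IP-diversity indicators above can be turned into a simple triage rule over DNS query logs. The following is an added example, not part of the CISA advisory or this report; the log format and the sample lines are constructed, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample passive-DNS log lines (not from the advisory):
# timestamp domain TTL answer-IPs (comma-separated)
SAMPLE_LOG = """\
2025-04-02T10:00:00Z update.example-flux.test 300 198.51.100.7
2025-04-02T10:05:00Z update.example-flux.test 300 203.0.113.22
2025-04-02T10:10:00Z update.example-flux.test 180 192.0.2.15
2025-04-02T10:15:00Z update.example-flux.test 300 198.51.100.99
2025-04-02T10:20:00Z update.example-flux.test 120 203.0.113.200
2025-04-02T10:00:00Z www.example.test 86400 192.0.2.1
2025-04-02T10:05:00Z www.example.test 86400 192.0.2.1
2025-04-02T10:00:00Z cdn.example.test 60 198.51.100.10,198.51.100.11
2025-04-02T10:05:00Z cdn.example.test 60 198.51.100.10,198.51.100.11
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")

def parse_log(text):
    """Yield (domain, ttl, [ips]) tuples from log text; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _, domain, ttl, ips = m.groups()
        yield domain.lower(), int(ttl), ips.split(",")

def summarize(records):
    """Per domain: minimum TTL seen, distinct answer IPs, distinct /24 networks."""
    stats = defaultdict(lambda: {"min_ttl": None, "ips": set(), "nets": set()})
    for domain, ttl, ips in records:
        s = stats[domain]
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        for ip in ips:
            s["ips"].add(ip)
            s["nets"].add(ip.rsplit(".", 1)[0])  # /24 prefix
    return stats

def flag_fast_flux(stats, max_ttl=300, min_ips=4, min_nets=2):
    """Return domains whose low TTL and IP/network diversity resemble fast flux.
    Legitimate CDNs also use low TTLs, so spread across several /24s is required."""
    return sorted(
        d for d, s in stats.items()
        if s["min_ttl"] <= max_ttl and len(s["ips"]) >= min_ips and len(s["nets"]) >= min_nets
    )

if __name__ == "__main__":
    print(flag_fast_flux(summarize(parse_log(SAMPLE_LOG))))
```

Flagged domains are candidates for reputation lookup or sinkholing, not verdicts; the CDN-style entry in the sample is deliberately left unflagged to show why TTL alone is insufficient.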
Final Words From the Authors
We’re excited for this to be the first of hopefully many news reports and articles like this one.
Join us on Reddit and X to continue the discussion.
If you enjoyed this report consider signing up for an account for updates and access to our community.
If you have comments, questions, concerns, or want to see us write about a topic you’re interested in, you can visit us on Reddit or X or contact us privately by emailing [email protected].
Citations:
https://media.defense.gov/2025/Apr/02/2003681172/-1/-1/0/CSA-FAST-FLUX.PDF