
The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday is urging internet and cybersecurity service providers to secure their networks against an evasive threat technique known as "fast flux."
Fast flux is a domain-based, dynamic resolution technique that "rapidly changes the DNS (Domain Name System) records associated with a single domain," according to a joint advisory released by the CISA, FBI, and the National Security Agency (NSA) on Thursday.
Malicious actors have been observed using the technique, which CISA describes as a national security threat, against internet service providers (ISPs), cybersecurity service providers, and Protective Domain Name System (PDNS) providers, CISA said, leaving networks exposed to phishing attacks, botnet command and control, and data exfiltration.
CISA warns that cybercriminals and nation-state actors are using the highly evasive technique to "obfuscate the locations of malicious servers," making it more difficult for organizations to detect and prevent cybercriminal activities within their own infrastructure.
The technique has also been seen in ransomware attacks carried out by the HIVE and Nefilim groups, the Russian cyber espionage Gamaredon Group, and by Bulletproof Hosting (BPH) services, which are often utilized by threat actors because of their disregard for law enforcement requests and abuse notices.
And, because many provider networks have security gaps for detecting this type of technique, fast flux poses a significant threat to critical national security, it said.
🚨 Cyber actors are using a technique called #FastFlux to evade detection. Our joint guide with @NSACyber, @FBI & international partners offers #cybersecurity service providers and #ISPs with steps to develop detection analytics and blocking capabilities. https://t.co/TZAfKsoE44 pic.twitter.com/PZ5YJi2wKC
CISA Cyber (@CISACyber), April 3, 2025
How it works
"Threat actors leveraging fast flux techniques remain a threat to government and critical infrastructure organizations. Fast flux makes individual computers in a botnet harder to find and block. A useful solution is to find and block the behavior of fast flux itself,” said CISA Deputy Executive Assistant Director for Cybersecurity Matt Hartman.
Threat actors use two common variants of fast flux, categorized as “single” or “double” flux, to evade detection, build resilient and highly available command and control (C2) infrastructure, and carry out malicious operations.
In a single flux, threat actors link a single domain name to numerous IP addresses, which are then frequently rotated in DNS responses. “This setup ensures that if one IP address is blocked or taken down, the domain remains accessible through the other IP addresses.”

In double flux, threat actors add a second layer of redundancy and anonymity by having the DNS name servers (responsible for resolving the domain) also change frequently.
Carried out on top of single flux, the double-layered technique has been seen using both “Name Server (NS) and Canonical Name (CNAME) DNS records.”

"Both techniques leverage a large number of compromised hosts, usually as a botnet from across the Internet that acts as proxies or relay points, making it difficult for network defenders to identify the malicious traffic and block or perform legal enforcement takedowns of the malicious infrastructure," the advisory states.
How to defend and mitigate
Hartman said the agency “encourages organizations to implement the advisory recommendations to reduce risk and strengthen resilience."
To defend against fast flux, the CISA advisory urges government and critical infrastructure organizations to coordinate with their Internet service providers, cybersecurity service providers, and/or their Protective DNS services, and that providers should attempt to “block fast flux activities” for their customers.
Actions to take include monitoring threat intelligence feeds to keep track of known fast flux domains and associated IP addresses, implementing anomaly detection systems for DNS query logs to identify domains with high IP address rotations or IP diversity in DNS responses, and analyzing the time-to-live (TTL) values in DNS records.
Other suggestions are to review DNS resolution for inconsistent geolocation regularly, examine flow data to identify large-scale communications with numerous different IP addresses over short periods, and to develop fast flux detection algorithms to help identify anomalous traffic patterns.
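The detection signals above (many distinct IP addresses per domain, IP diversity across networks, short TTLs, and, for double flux, churn in the name servers themselves) can be checked against a resolver's query log. The script below is an added example, not code from the CISA advisory or from the article: it runs over a handful of constructed passive-DNS observations, aggregates them per domain, and labels each domain as single flux, double flux, or unremarkable. The record format, the thresholds, and the sample domains are all assumptions; a CDN-style domain with several addresses in one /24 and a normal TTL is included to show why IP diversity and TTL matter more than the raw IP count when separating fast flux from legitimate load balancing.

```python
"""Toy fast-flux scorer over constructed passive-DNS records.

Added example (not from the CISA/FBI/NSA advisory or the article); the
thresholds, record format and sample records are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_network

# Constructed passive-DNS observations: (domain, rrtype, rdata, ttl_seconds).
# Each tuple is one answer a resolver saw for that domain within one window.
SAMPLE_RECORDS = [
    # Single flux: one domain, many unrelated IPs, very short TTLs.
    ("login-update.example", "A", "203.0.113.10", 60),
    ("login-update.example", "A", "198.51.100.77", 60),
    ("login-update.example", "A", "192.0.2.201", 30),
    ("login-update.example", "A", "203.0.113.250", 60),
    ("login-update.example", "A", "198.51.100.5", 30),
    ("login-update.example", "NS", "ns1.hoster.example", 86400),
    # Double flux: the A records rotate AND the name servers rotate.
    ("invoice-portal.example", "A", "192.0.2.33", 60),
    ("invoice-portal.example", "A", "203.0.113.99", 60),
    ("invoice-portal.example", "A", "198.51.100.140", 60),
    ("invoice-portal.example", "A", "192.0.2.180", 30),
    ("invoice-portal.example", "NS", "ns.192-0-2-33.example", 120),
    ("invoice-portal.example", "NS", "ns.203-0-113-99.example", 120),
    ("invoice-portal.example", "NS", "ns.198-51-100-140.example", 120),
    # Legitimate CDN-style domain: several IPs, but one contiguous block and
    # a normal TTL; it should NOT be flagged.
    ("static.cdn.example", "A", "198.51.100.20", 300),
    ("static.cdn.example", "A", "198.51.100.21", 300),
    ("static.cdn.example", "A", "198.51.100.22", 300),
    ("static.cdn.example", "NS", "ns1.cdn.example", 86400),
    ("static.cdn.example", "NS", "ns2.cdn.example", 86400),
]

# Constructed thresholds; tune them against your own resolver baseline.
MIN_UNIQUE_IPS = 4      # distinct A records seen in the window
MIN_UNIQUE_BLOCKS = 3   # distinct /24 networks (IP diversity)
MAX_MEAN_TTL = 120      # seconds; fast flux relies on very short TTLs
MIN_UNIQUE_NS = 3       # distinct NS hosts -> name-server churn (double flux)


@dataclass
class DomainStats:
    """Per-domain aggregate of the A and NS answers observed."""
    a_records: set = field(default_factory=set)
    ttls: list = field(default_factory=list)
    ns_records: set = field(default_factory=set)

    def slash24s(self):
        """Distinct /24 prefixes across the observed IPv4 answers."""
        return {ip_network(f"{ip}/24", strict=False) for ip in self.a_records}

    def mean_ttl(self):
        return sum(self.ttls) / len(self.ttls) if self.ttls else 0.0


def aggregate(records):
    """Group raw observations by domain."""
    stats = defaultdict(DomainStats)
    for domain, rrtype, rdata, ttl in records:
        s = stats[domain]
        if rrtype == "A":
            s.a_records.add(rdata)
            s.ttls.append(ttl)
        elif rrtype == "NS":
            s.ns_records.add(rdata)
    return stats


def classify(s):
    """Return 'double', 'single' or 'none' for one domain's statistics.

    single: many IPs, spread across many /24s, answered with short TTLs.
    double: the same, plus churn in the authoritative name servers.
    """
    ip_churn = (
        len(s.a_records) >= MIN_UNIQUE_IPS
        and len(s.slash24s()) >= MIN_UNIQUE_BLOCKS
        and s.mean_ttl() <= MAX_MEAN_TTL
    )
    if not ip_churn:
        return "none"
    if len(s.ns_records) >= MIN_UNIQUE_NS:
        return "double"
    return "single"


def scan(records):
    """Map every domain in the records to its flux classification."""
    return {d: classify(s) for d, s in aggregate(records).items()}


if __name__ == "__main__":
    for domain, verdict in scan(SAMPLE_RECORDS).items():
        print(f"{domain:28s} {verdict}")
```

In practice the /24 grouping would be replaced by ASN or geolocation lookups from a local database, and the window of observations would come from the resolver or PDNS logs rather than an inline list; the thresholds should be set from a baseline of the organization's own traffic so that CDNs and large cloud providers do not trip the detector.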
Finally, CISA reminds organizations to actively monitor for signs of phishing activity and to implement customer transparency and information sharing.
Additionally, CISA recommends the following multi-layered approaches for all organizations to mitigate the threat if it is discovered in their networks:
- DNS and Internet Protocol (IP) blocking and sinkholing
- Enhanced monitoring and logging
- Collaborative defense and information sharing
- Phishing awareness and training for users
- Reputational filtering of fast flux enabled malicious activity
CISA further notes that detecting and differentiating "malicious fast flux activity from legitimate activity" can present an ongoing challenge for every organization and recommends the development of “accurate, reliable, and timely detection analytics.”