Longtime ‘Fast Flux’ Evasion Technique Now a National Security Threat
Threat actors ranging from ransomware gangs and state-sponsored groups to phishing operators are using a long-known tactic called “fast flux” to evade detection and hide the location of their infrastructure.
CISA, the FBI, and the National Security Agency, along with counterparts in other countries, are urging cybersecurity service providers, Domain Name System (DNS) companies, ISPs, and government agencies to collaborate to mitigate the capabilities of fast flux, calling the ongoing use of the technique a national security issue.
“Fast flux represents a persistent threat to network security, leveraging rapidly changing infrastructure to obfuscate malicious activity,” the agencies – including those in Canada, Australia, and New Zealand – wrote in a bulletin this week. “By implementing robust detection and mitigation strategies, organizations can significantly reduce their risk of compromise by fast flux-enabled threats.”
Fast flux has been used by cybercriminals for more than two decades, and threat intelligence researchers at Fortinet’s FortiGuard Labs and other cybersecurity firms have published details on the tactic. Aamir Lakhani, lead researcher and cybersecurity expert at FortiGuard Labs, said the company tracked botnets such as Zeus and Conficker as far back as 2007 that used fast flux to distribute malware and manage their command-and-control (C2) communications.
“While the technique is older, it can still be effective,” Lakhani said. “It’s not used as often as people think it is because it does require some work and knowledge from threat actors and there are much easier ways to conduct an attack. But if they have the infrastructure already set up, or they can rent fairly cheaply, it is still a viable tool in the toolkit.”
Ransomware Group, Russian Actors Using the Tactic
The security agencies noted more recent use of fast flux in attacks by the ransomware groups Hive and Nefilim and by the Russia-linked Gamaredon hackers, who used the technique to limit the effectiveness of IP blocking. It also can be used in phishing campaigns to make social engineering websites harder to block or take down; the agencies noted that phishing is often an attacker’s first step in a larger cybercriminal campaign.
Bulletproof hosting (BPH) services, which provide internet infrastructure with lenient abuse and security policies, pitch fast flux to buyers.
“Some BPH providers promote fast flux as a service differentiator that increases the effectiveness of their clients’ malicious activities,” the agencies wrote. “For example, one BPH provider posted on a dark web forum that it protects clients from being added to Spamhaus blocklists by easily enabling the fast flux capability through the service management panel.”
The same BPH provider noted that other malicious activities beyond C2 communications, such as botnet managers, fake shops, credential stealers, viruses, and spam mailers, also could use fast flux to evade detection and blocking.
Hiding and Evading Detection
Fast flux is one of the dynamic resolution techniques such threat groups use to hide the communications between their malware and C2 systems and the location of their infrastructure. The agencies outlined two variants of the tactic. The first is “single flux,” in which a single domain name is linked to a range of IP addresses that are rotated in DNS responses. The process “ensures that if one IP address is blocked or taken down, the domain remains accessible through the other IP addresses,” they wrote.
With “double flux,” the attackers not only use the single-flux technique of rapidly changing the IP addresses, but also frequently change the DNS name servers used to resolve the domain, adding another layer of protection for malicious domains.
To pull this off, threat actors build botnets of compromised hosts that act as proxies or relay points, which makes it difficult for network defenders to identify, block, or take down the malicious infrastructure.
A Shift in Use
“Fast flux is a technique that’s been around for quite a while, but its recent resurgence and the attention it’s getting now highlight a shift in how threat actors are leveraging it,” Bugcrowd founder Casey Ellis said. “What makes this advisory stand out is the scale and sophistication of its use by nation-state actors and cybercriminals. Fast flux isn’t just about hiding malicious infrastructure anymore – it’s about creating a resilient, almost bulletproof command-and-control system that’s harder to disrupt. That’s a big deal, especially for sectors like defense, where the stakes are incredibly high.”
The timing of the bulletin by the government agencies reflects not just a jump in the use of fast flux by advanced persistent threats (APTs), but also a recognition that traditional defenses aren’t keeping up, Ellis said, adding that “the NSA, CISA, and FBI are signaling that this isn’t just a technical nuisance, it’s a national security issue that demands immediate attention.”
Mitigation Steps
The agencies outlined fast flux detection techniques – identifying known fast flux domains and IP addresses, using anomaly detection systems on DNS query logs, and reviewing DNS resolutions for inconsistent geolocation – as well as mitigation strategies. Those include DNS and IP blocking and sinkholing of malicious fast flux domains and IP addresses, reputational filtering of fast flux-enabled malicious activity, and enhanced monitoring and logging.
Other mitigations are collaborative defense and information sharing with the security community and phishing awareness and training for employees.
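The single-flux and double-flux patterns described above, and the DNS-log anomaly detection the agencies recommend, can be illustrated with a small heuristic detector. This is an added example, not code from the advisory or from any vendor named here; the log records, domain names, IP addresses (from the documentation ranges) and the thresholds are all constructed assumptions, and /24 prefix diversity stands in for the geolocation or ASN diversity a real deployment would check.

```python
"""Heuristic fast-flux classifier over passive-DNS style observations.

Single flux : one domain, many rotating A records, short TTLs.
Double flux : the authoritative NS set rotates as well.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: (domain, ttl_seconds, answered_ips, name_servers),
# one tuple per resolution observed during the monitoring window.
OBSERVATIONS = [
    ("update.example-flux.test", 120, ["198.51.100.7", "203.0.113.44"], ["ns1.flux-ns.test"]),
    ("update.example-flux.test", 90, ["192.0.2.19", "198.51.100.120"], ["ns1.flux-ns.test"]),
    ("update.example-flux.test", 60, ["203.0.113.200", "192.0.2.250"], ["ns1.flux-ns.test"]),
    ("update.example-flux.test", 100, ["198.51.100.33", "203.0.113.9"], ["ns1.flux-ns.test"]),
    ("cdn.example-dflux.test", 60, ["192.0.2.5", "198.51.100.9"], ["ns1.a.test"]),
    ("cdn.example-dflux.test", 60, ["203.0.113.77", "192.0.2.140"], ["ns7.b.test"]),
    ("cdn.example-dflux.test", 30, ["198.51.100.210", "203.0.113.3"], ["ns3.c.test"]),
    ("www.legit-site.test", 3600, ["192.0.2.10", "192.0.2.11"], ["ns1.legit.test"]),
    ("www.legit-site.test", 3600, ["192.0.2.10", "192.0.2.11"], ["ns1.legit.test"]),
]


def classify(observations, min_ips=6, min_prefixes=3, max_ttl=300):
    """Return {domain: 'benign' | 'single-flux' | 'double-flux'}.

    Thresholds are illustrative assumptions: a domain is "fluxy" when it
    answers with many distinct IPs spread over several /24 networks while
    every observed TTL stays short; NS churn on top of that is double flux.
    """
    stats = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ns": set(), "ttl": 0})
    for domain, ttl, answers, name_servers in observations:
        s = stats[domain]
        s["ips"].update(answers)
        s["prefixes"].update(str(ip_network(f"{ip}/24", strict=False)) for ip in answers)
        s["ns"].update(name_servers)
        s["ttl"] = max(s["ttl"], ttl)          # longest TTL seen for the domain

    verdicts = {}
    for domain, s in stats.items():
        fluxy = (len(s["ips"]) >= min_ips and len(s["prefixes"]) >= min_prefixes
                 and s["ttl"] <= max_ttl)
        if not fluxy:
            verdicts[domain] = "benign"
        elif len(s["ns"]) >= 2:                # IP rotation plus NS rotation
            verdicts[domain] = "double-flux"
        else:
            verdicts[domain] = "single-flux"
    return verdicts


if __name__ == "__main__":
    for domain, verdict in classify(OBSERVATIONS).items():
        print(f"{domain:28s} {verdict}")
```

Flagged domains are candidates for the blocking, sinkholing and reputational filtering steps listed above, not automatic verdicts; CDNs and large load-balanced services also rotate many IPs, so prefix diversity and NS churn matter more than IP count alone.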
Deepwatch CEO John DiLullo said the agencies’ notice “will hit many organizations like a double espresso. Any enterprise relying on IP reputation as a credible means of securing their infrastructure or proprietary data is a soft target for this type of exploit.”
That said, while there are detection techniques that can defeat fast flux – including what he called “low and slow machine learning methods” – many companies’ infrastructure is not prepared to use some of those methods, DiLullo said, adding that “this is a significant wake-up call.”