A joint cybersecurity advisory was recently issued by the United States National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and their counterparts from Australia, Canada, and New Zealand. The advisory highlights the escalating threat of "fast flux" techniques employed by cyber adversaries to obscure malicious activities and evade detection.
Fast flux is a method used by cybercriminals to rapidly rotate the Domain Name System (DNS) records associated with a single domain, chiefly the IP addresses it resolves to. Because each lookup may return a different set of addresses, defenders struggle to pinpoint and block the servers behind the domain. There are two primary variants:
Single flux: A domain is linked to multiple IP addresses that are frequently rotated. If one IP is blocked, the domain remains accessible through others.
Double flux: In addition to rotating IP addresses, the DNS name servers resolving the domain also change frequently, adding layers of redundancy and anonymity.
These techniques often leverage compromised devices, forming botnets that act as proxies, complicating efforts to identify and mitigate malicious traffic.
"Fast flux DNS is not new. In fact, it has been used by various threat actors for well over a decade now," said Aamir Lakhani, Lead Researcher and Cyber Security Expert at Fortinet's FortiGuard Labs. "FortiGuard Labs saw some of the early botnets back between 2007-2010, like Zeus and Conficker, using fast flux to distribute malware and manage their Command and Control (C2) communications. While the technique is older, it can still be effective. It's not used as often as people think it is because it does require some work and knowledge from threat actors and there are much easier ways to conduct an attack. But if they have the infrastructure already set up, or they can rent fairly cheaply, it is still a viable tool in the toolkit."
Casey Ellis, Founder at Bugcrowd, had this to say:
"Fast flux is a technique that's been around for quite a while, but its recent resurgence and the attention it's getting now highlight a shift in how threat actors are leveraging it. What makes this advisory stand out is the scale and sophistication of its use by nation-state actors and cybercriminals. Fast flux isn't just about hiding malicious infrastructure anymore—it's about creating a resilient, almost bulletproof command-and-control system that's harder to disrupt. That's a big deal, especially for sectors like defense, where the stakes are incredibly high."
"The timing of this advisory likely reflects two things. First, we're seeing an uptick in fast flux being used in active campaigns, particularly by advanced persistent threats (APTs). Second, it's a recognition that traditional defenses aren't keeping up. The NSA, CISA, and FBI are signaling that this isn't just a technical nuisance—it's a national security issue that demands immediate attention."
Ellis continued: "The recommendation to adopt multi-layered detection and Protective DNS (PDNS) services is critical. PDNS, for example, can help organizations block malicious domains before they're even resolved, cutting off access to the infrastructure that fast flux relies on. But it's not just about tools—it's about mindset. Organizations need to assume that attackers will innovate and adapt, and they need to do the same. This isn't a routine warning. It's a call to action for organizations to step up their game and treat fast flux as the serious, evolving threat that it is."
The use of fast flux poses significant challenges:
Evasion of detection: Rapid changes in DNS records hinder traditional detection methods, allowing malicious infrastructure to persist.
Resilient Command and Control (C2): Fast flux enables robust C2 infrastructures, facilitating sustained malicious operations.
Compromised host utilization: By exploiting numerous compromised hosts, attackers create a network of relay points, making takedown efforts more complex.
The advisory emphasizes a multi-layered approach to counter fast flux:
DNS analysis: Monitor for unusual patterns in DNS queries and responses indicative of fast flux behavior.
Network monitoring: Implement continuous monitoring to detect anomalies associated with fast flux activities.
Threat intelligence sharing: Collaborate with industry peers and government agencies to stay informed about emerging threats and mitigation strategies.
Protective DNS (PDNS) providers are encouraged to develop and deploy analytics capable of detecting and blocking fast flux techniques, enhancing overall network defense.
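As an added illustration of the single- and double-flux variants described above and of the advisory's "DNS analysis" recommendation, here is a small detector (example code, not from the advisory or any vendor) that groups passive-DNS observations per domain and flags names that pair short TTLs with many distinct A records, and additionally with a churning set of NS records. The log lines, domain names, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed passive-DNS style observations (illustrative only; not real indicators).
# Columns: timestamp, domain, record type, value, TTL in seconds.
SAMPLE_LOG = """\
2025-04-01T10:00:00Z shop.example.test A 203.0.113.10 3600
2025-04-01T11:00:00Z shop.example.test A 203.0.113.10 3600
2025-04-01T10:00:00Z shop.example.test NS ns1.example.test 86400
2025-04-01T10:00:00Z sflux.example.test A 198.51.100.7 60
2025-04-01T10:02:00Z sflux.example.test A 198.51.100.8 60
2025-04-01T10:04:00Z sflux.example.test A 198.51.100.9 60
2025-04-01T10:06:00Z sflux.example.test A 198.51.100.10 60
2025-04-01T10:00:00Z sflux.example.test NS ns1.example.test 86400
2025-04-01T10:00:00Z dflux.example.test A 192.0.2.21 30
2025-04-01T10:01:00Z dflux.example.test A 192.0.2.22 30
2025-04-01T10:02:00Z dflux.example.test A 192.0.2.23 30
2025-04-01T10:03:00Z dflux.example.test A 192.0.2.24 30
2025-04-01T10:00:00Z dflux.example.test NS ns-a.flux.test 30
2025-04-01T10:02:00Z dflux.example.test NS ns-b.flux.test 30
2025-04-01T10:04:00Z dflux.example.test NS ns-c.flux.test 30
"""

def parse_records(text):
    """Parse whitespace-separated observations into dicts."""
    rows = []
    for line in text.strip().splitlines():
        ts, domain, rtype, value, ttl = line.split()
        rows.append({"ts": ts, "domain": domain, "type": rtype, "value": value, "ttl": int(ttl)})
    return rows

def classify_flux(rows, max_ttl=300, min_ips=4, min_ns=3):
    """Single flux: short TTL plus many distinct A records for one name.
    Double flux: single flux plus a churning NS set. Thresholds are assumptions;
    baseline them locally, since large CDNs also rotate IPs on short TTLs."""
    stats = defaultdict(lambda: {"a": set(), "ns": set(), "ttls": []})
    for r in rows:
        if r["type"] not in ("A", "NS"):
            continue  # other record types are not used by this heuristic
        d = stats[r["domain"]]
        (d["a"] if r["type"] == "A" else d["ns"]).add(r["value"])
        d["ttls"].append(r["ttl"])
    findings = {}
    for domain, d in stats.items():
        single = min(d["ttls"]) <= max_ttl and len(d["a"]) >= min_ips
        double = single and len(d["ns"]) >= min_ns
        verdict = "double-flux" if double else "single-flux" if single else "benign"
        findings[domain] = {"ips": len(d["a"]), "ns": len(d["ns"]), "verdict": verdict}
    return findings
```

Running `classify_flux(parse_records(SAMPLE_LOG))` reports the stable shop domain as benign, the name with four rotating addresses on a 60-second TTL as single flux, and the name that also cycles three name servers as double flux; in production the same logic would run over a resolver's query log or a passive-DNS feed, with known CDN names allowlisted.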
Addressing the fast flux threat necessitates cooperation among stakeholders, including government entities, ISPs, and cybersecurity service providers. By sharing intelligence and implementing coordinated defense mechanisms, the cybersecurity community can better detect, disrupt, and dismantle malicious infrastructures leveraging fast flux.
"This latest advisory will hit many organizations like a double espresso. Any enterprise relying on IP reputation as a credible means of securing their infrastructure or proprietary data is a soft target for this type of exploit," said John DiLullo, CEO at Deepwatch. "Fortunately, correlative detection techniques, especially those leveraging 'low and slow' Machine Learning methods, can defeat these intrusions handily. However, many companies' infrastructures simply aren't there yet. This is a significant wakeup call."
Here is a non-PDF version of the advisory.