Cyber Agencies Warn of Fast Flux Threat Bypassing Network Defenses


Organizations, Internet service providers (ISPs) and cybersecurity service providers have been warned by US and international cybersecurity agencies of the ongoing threat posed by Fast Flux-enabled malicious activity.

According to the joint cybersecurity advisory (CSA), issued on April 3, many networks have a gap in their defenses for detecting and blocking Fast Flux techniques, which poses a significant threat to national security.

Fast Flux is used by malicious actors to obfuscate the locations of malicious servers by rapidly changing Domain Name System (DNS) records, such as the IP addresses a domain resolves to. It also lets them build resilient, highly available command and control (C2) infrastructure that conceals their subsequent malicious operations.

This resilient and fast changing infrastructure makes tracking and blocking malicious activities that use fast flux more difficult, the advisory mentioned.

Service providers, especially Protective DNS (PDNS) providers, are being encouraged to help mitigate this threat by taking proactive steps to develop accurate, reliable and timely fast flux detection analytics and blocking capabilities for their customers. 

Meanwhile, government and critical infrastructure organizations are being urged to coordinate with their ISPs, cybersecurity service providers and/or their Protective DNS services to implement mitigation measures.

Organizations should use cybersecurity and PDNS services that detect and block fast flux. The advisory noted that some PDNS providers may not have the capability to do so and firms should confirm coverage of this threat with them.

“By implementing robust detection and mitigation strategies, organizations can significantly reduce their risk of compromise by fast flux-enabled threats,” said the CSA.

All mitigation strategies can be found on the Cybersecurity and Infrastructure Security Agency (CISA) advisory page.

Two Common Fast Flux Variants

The CSA noted that Fast Flux has been used in Hive and Nefilim ransomware attacks and has been used by Russian APT Gamaredon to limit the effectiveness of IP blocking.

There are two widely used variants of Fast Flux: single flux and double flux.

Single flux sees a single domain name linked to numerous IP addresses, which are frequently rotated in DNS responses. This setup ensures that if one IP address is blocked or taken down, the domain remains accessible through the other IP addresses.

Double Flux adds to this technique by rapidly changing the DNS name servers responsible for resolving the domain.

This provides an additional layer of redundancy and anonymity for malicious domains. Double flux techniques have been observed using both Name Server (NS) and Canonical Name (CNAME) DNS records.

Both techniques rely on a large number of compromised hosts, usually a botnet spread across the Internet, which act as proxies or relay points. This makes it difficult for network defenders to identify the malicious traffic and to block the malicious infrastructure or take it down through legal enforcement action.
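The single-flux and double-flux patterns described above can be spotted in passive DNS data by counting how many distinct A answers and NS/CNAME targets a domain cycles through, and how low its TTLs are. The following is an added illustration, not code from the advisory: the observations, domain names and thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed passive-DNS observations: (seconds since start, name, type, answer, TTL).
# All names are made up. flux.example imitates single flux (A answers churn through
# many hosts at a tiny TTL); ns-flux.example also rotates its NS records (double flux).
SAMPLE_OBSERVATIONS = [
    (0,   "flux.example", "A",  "198.51.100.10", 60),
    (60,  "flux.example", "A",  "203.0.113.25",  60),
    (120, "flux.example", "A",  "192.0.2.77",    60),
    (180, "flux.example", "A",  "198.51.100.34", 60),
    (240, "flux.example", "A",  "203.0.113.9",   60),
    (0,   "flux.example", "NS", "ns1.flux.example", 3600),
    (0,   "ns-flux.example", "A",  "198.51.100.50", 30),
    (30,  "ns-flux.example", "A",  "203.0.113.61",  30),
    (60,  "ns-flux.example", "A",  "192.0.2.8",     30),
    (90,  "ns-flux.example", "A",  "198.51.100.99", 30),
    (120, "ns-flux.example", "A",  "203.0.113.130", 30),
    (0,   "ns-flux.example", "NS", "ns7.attacker.example", 300),
    (300, "ns-flux.example", "NS", "ns12.other.example",   300),
    (600, "ns-flux.example", "NS", "ns3.third.example",    300),
    (0,   "static.example", "A",  "192.0.2.1", 86400),
    (0,   "static.example", "NS", "ns1.static.example", 86400),
]

def summarize(observations):
    """Per domain: distinct A answers, distinct NS/CNAME targets, lowest TTL seen."""
    stats = defaultdict(lambda: {"ips": set(), "ns": set(), "min_ttl": None})
    for _ts, qname, rtype, answer, ttl in observations:
        s = stats[qname]
        if rtype == "A":
            s["ips"].add(answer)
        elif rtype in ("NS", "CNAME"):  # name-server-layer churn used by double flux
            s["ns"].add(answer)
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return stats

def classify(stats, ip_threshold=5, ttl_threshold=300, ns_threshold=3):
    """Label each domain; thresholds are illustrative, not from the advisory."""
    labels = {}
    for domain, s in stats.items():
        ip_churn = len(s["ips"]) >= ip_threshold and s["min_ttl"] <= ttl_threshold
        ns_churn = len(s["ns"]) >= ns_threshold
        if ip_churn and ns_churn:
            labels[domain] = "double-flux candidate"
        elif ip_churn:
            labels[domain] = "single-flux candidate"
        else:
            labels[domain] = "no flux indicators"
    return labels
```

In practice the thresholds would be tuned against known-benign low-TTL domains (CDNs and load balancers also rotate A answers), so a candidate label is a trigger for further review rather than an automatic block.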

Fast flux is not only used to maintain C2 communications; it can also play a significant role in phishing campaigns, making social engineering websites harder to block or take down.

In addition, bulletproof hosting providers promote Fast Flux as a service differentiator that increases the effectiveness of their clients’ malicious activities.

The joint CSA was issued by the US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ).