The US National Security Agency has warned that fast flux, a technique used by hostile nation-states and financially motivated ransomware groups, poses a significant threat to critical infrastructure and national security. Fast flux allows decentralized networks operated by these actors to hide their infrastructure and evade detection.
Here’s how it works: the networks cycle through a range of IP addresses and domain names to connect to the internet. This constant change makes it difficult for defenders to isolate the true origin of the infrastructure. The technique also provides redundancy, as new IP addresses and domains are assigned before old ones are blocked.
The NSA, FBI, and their counterparts in Canada, Australia, and New Zealand have warned that fast flux enables malicious cyber actors to evade detection. One enabling mechanism is wildcard DNS records, which map every subdomain of a domain, including ones that were never explicitly created, to an IP address; this lets an attacker point a non-existent subdomain at attacker-controlled infrastructure. The technique conceals malicious operations and creates resilient command-and-control infrastructure.
Source: https://arstechnica.com/security/2025/04/nsa-warns-that-overlooked-botnet-technique-threatens-national-security