The US government’s cybersecurity agencies, including CISA, the FBI, and the NSA, are warning organizations and DNS providers about the “Fast Flux” cybercrime evasion technique used by state-sponsored threat actors and ransomware gangs. This technique involves rapidly changing DNS records to evade detection and maintain resilient infrastructure for command and control, phishing, and malware delivery.
Fast Flux is often powered by botnets formed from compromised systems that act as proxies or relays. There are two main types of the technique: Single Flux and Double Flux. In Single Flux, attackers rotate IP addresses associated with a domain name in DNS responses. In Double Flux, both the IP addresses and DNS name servers change rapidly, adding an extra layer of obfuscation.
CISA says Fast Flux is widely used by threat actors of all levels, from low-tier cybercriminals to highly sophisticated nation-state actors. The agency highlights cases where Gamaredon, Hive ransomware, Nefilim ransomware, and bulletproof hosting service providers have used Fast Flux to evade law enforcement and takedown efforts.
To detect and stop Fast Flux, CISA recommends analyzing DNS logs for frequent IP address rotations, integrating external threat feeds and DNS/IP reputation services, using network flow data and DNS traffic monitoring, identifying suspicious domains or emails, and implementing organization-specific detection algorithms. For mitigation, CISA suggests using DNS/IP blocklists and firewall rules to block access to Fast Flux infrastructure.
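The first detection step CISA lists, checking DNS logs for rapid IP rotation, as an added example that is not code from the advisory or the article: it scores each domain on distinct IPs, distinct /24 networks and minimum TTL seen within a time window over constructed resolver log lines. The log format, domain names, addresses and thresholds are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample resolver log lines (not real data): "timestamp domain ttl ip1,ip2,..."
SAMPLE_LOG = """\
1700000000 static-cdn.example.net 3600 203.0.113.10
1700000300 static-cdn.example.net 3600 203.0.113.10
1700000600 static-cdn.example.net 3600 203.0.113.11
1700000000 upd-check.example.org 60 198.51.100.7,192.0.2.40
1700000090 upd-check.example.org 60 203.0.113.55,198.51.100.200
1700000180 upd-check.example.org 30 192.0.2.9,203.0.113.99
1700000270 upd-check.example.org 60 198.51.100.44
"""

def parse_log(text):
    """Parse the assumed log format into (timestamp, domain, ttl, [ips]) tuples."""
    records = []
    for line in text.splitlines():
        ts, domain, ttl, ips = line.split()
        records.append((int(ts), domain, int(ttl), ips.split(",")))
    return records

def flux_scores(records, window=3600):
    """Per domain: distinct IPs, distinct /24 networks and minimum TTL within `window` seconds of its first answer."""
    by_domain = defaultdict(list)
    for ts, domain, ttl, ips in records:
        by_domain[domain].append((ts, ttl, ips))
    scores = {}
    for domain, rows in by_domain.items():
        rows.sort()
        start = rows[0][0]
        ips, nets, min_ttl = set(), set(), None
        for ts, ttl, addrs in rows:
            if ts - start > window:
                break
            min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
            for a in addrs:
                ips.add(a)
                # /24 diversity separates dispersed compromised hosts from one provider's address pool
                nets.add(ipaddress.ip_network(f"{a}/24", strict=False))
        scores[domain] = {"ips": len(ips), "nets": len(nets), "min_ttl": min_ttl}
    return scores

def flag_fast_flux(scores, min_ips=5, min_nets=3, max_ttl=300):
    """Heuristic thresholds (assumed); legitimate CDNs also rotate IPs, so tune against your own baseline."""
    return sorted(d for d, s in scores.items()
                  if s["ips"] >= min_ips and s["nets"] >= min_nets and s["min_ttl"] <= max_ttl)

if __name__ == "__main__":
    scores = flux_scores(parse_log(SAMPLE_LOG))
    print("fast-flux candidates:", flag_fast_flux(scores))
```

Flagged domains are candidates for the reputation-feed and blocklist steps the advisory describes, not verdicts on their own.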
The agencies emphasize the need for organizations to take action to mitigate this technique and protect themselves from cyber threats.
Source: https://www.bleepingcomputer.com/news/security/cisa-warns-of-fast-flux-dns-evasion-used-by-cybercrime-gangs