Fast Flux Alert: National Security Agencies Warn of Evasive Tactic

A newly released joint cybersecurity advisory from multiple national security agencies is raising alarms about a sophisticated technique that’s allowing malicious cyber actors to slip past network defenses: Fast Flux. The advisory, issued by agencies including the NSA, CISA, FBI, ASD’s ACSC, CCCS, and NCSC-NZ, warns organizations, ISPs, and cybersecurity providers about the significant threat posed by this method.

Fast flux is a domain-based technique used by malicious actors to hide the locations of their malicious servers. This is achieved by rapidly and continuously changing the Domain Name System (DNS) records associated with a single domain.

The advisory highlights that Fast Flux is not just a concern for individual networks; it’s a threat to national security. This is because it enables malicious actors to create resilient and highly available command and control (C2) infrastructure. By obscuring their C2 infrastructure, these actors can effectively conceal their malicious operations, making tracking and blocking their activities a formidable challenge.

The cybersecurity advisory details two common variants of the Fast Flux technique:

  • Single Flux: This involves linking a single domain name to numerous IP addresses that are frequently rotated in DNS responses. This ensures that even if one IP address is blocked, the domain remains accessible through others.
  • Double Flux: Taking evasion a step further, double flux involves not only rapidly changing IP addresses but also frequently changing the DNS name servers responsible for resolving the domain. This adds an extra layer of anonymity and redundancy to the malicious infrastructure.

The use of Fast Flux provides malicious cyber actors with several key advantages:

  • Increased Resilience: Fast flux networks are highly resilient because the rapid rotation of botnet devices makes it difficult to quickly disrupt their services.
  • Ineffective IP Blocking: Traditional IP blocking methods become largely ineffective due to the constantly changing IP addresses.
  • Anonymity: Tracing malicious content back to its source becomes a significant challenge for investigators as the C2 botnets continuously change associated IP addresses.

The advisory emphasizes that Fast Flux is not limited to just maintaining C2 communications. It also plays a significant role in:

  • Phishing Campaigns: Fast flux makes social engineering websites harder to block, aiding in phishing attacks that can steal sensitive information or distribute malware.
  • Cybercriminal Forums and Marketplaces: It helps maintain high availability for these platforms, making them more resilient against law enforcement takedowns.

The advisory also sheds light on the connection between Fast Flux and “bulletproof hosting” (BPH) services. BPH providers offer hosting services that disregard law enforcement requests and abuse notices, often providing anonymity for malicious cyber actors. Some of these BPH companies also offer Fast Flux services, further enhancing the resilience and reliability of malicious infrastructure.

The CISA advisory provides detailed guidance on detecting and mitigating Fast Flux activity. It emphasizes a multi-layered approach that combines:

  • DNS Analysis: Analyzing DNS query logs for anomalies such as high entropy in responses, high IP diversity (many distinct addresses answering for one domain), and frequent IP address rotation.
  • Network Monitoring: Using flow data to identify large-scale communications with numerous different IP addresses over short periods.
  • Threat Intelligence: Leveraging threat intelligence feeds and reputation services to identify known Fast Flux domains and associated IP addresses.
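As an added illustration of the DNS analysis step above (example code written for this post, not taken from the advisory), the following Python script scores domains from a constructed, passive-DNS style log: for each domain it counts distinct IPs and distinct /24 networks seen within a time window and computes the median TTL, flagging domains that combine many addresses across unrelated networks with short TTLs. The log format, thresholds and all addresses (documentation ranges) are assumptions made for the example.

```python
import ipaddress
import re
import statistics
from collections import defaultdict

# Constructed log format for this example: "<epoch> <domain> A <ip> ttl=<ttl>"
LINE_RE = re.compile(r"^(\d+) (\S+) A (\S+) ttl=(\d+)$")

# Constructed sample records (documentation IP ranges, not real indicators).
SAMPLE_LOG = """\
1700000000 update.example-cdn.net A 203.0.113.10 ttl=3600
1700000300 update.example-cdn.net A 203.0.113.10 ttl=3600
1700000600 update.example-cdn.net A 203.0.113.11 ttl=3600
1700000000 flux.example-bad.invalid A 198.51.100.7 ttl=120
1700000150 flux.example-bad.invalid A 192.0.2.44 ttl=90
1700000300 flux.example-bad.invalid A 203.0.113.200 ttl=60
1700000450 flux.example-bad.invalid A 198.51.100.9 ttl=120
1700000600 flux.example-bad.invalid A 192.0.2.130 ttl=60
1700000750 flux.example-bad.invalid A 203.0.113.77 ttl=90
"""

def parse_log(text):
    """Parse log lines into (timestamp, domain, ip, ttl); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, domain, ip, ttl = m.groups()
            records.append((int(ts), domain.lower(), ip, int(ttl)))
    return records

def score_domains(records, window=3600, min_ips=5, min_nets=3, max_ttl=300):
    """Per domain: distinct IPs and /24s within `window` seconds of its first record,
    plus median TTL. A domain is a fast-flux candidate when all three thresholds hit."""
    by_domain = defaultdict(list)
    for ts, domain, ip, ttl in records:
        by_domain[domain].append((ts, ip, ttl))
    results = {}
    for domain, hits in by_domain.items():
        hits.sort()
        first = hits[0][0]
        in_window = [h for h in hits if h[0] - first < window]
        ips = {ip for _, ip, _ in in_window}
        nets = {str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in ips}
        ttl_median = statistics.median(ttl for _, _, ttl in in_window)
        flagged = len(ips) >= min_ips and len(nets) >= min_nets and ttl_median <= max_ttl
        results[domain] = {"ips": len(ips), "nets": len(nets),
                           "ttl_median": ttl_median, "fast_flux_candidate": flagged}
    return results
```

Run as `score_domains(parse_log(SAMPLE_LOG))`; a legitimate CDN with a few stable addresses and long TTLs stays unflagged, while the rotating domain trips all three thresholds and should then be checked against threat intelligence before any blocking or sinkholing.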

The advisory also outlines mitigation strategies for organizations and network defenders, including:

  • DNS and IP Blocking and Sinkholing: Blocking access to malicious Fast Flux domains and IP addresses and redirecting traffic for analysis.
  • Reputational Filtering: Blocking traffic to and from domains or IP addresses with poor reputations, especially those involved in malicious Fast Flux activity.
  • Enhanced Monitoring and Logging: Increasing logging and monitoring of DNS traffic and network communications.
  • Collaborative Defense and Information Sharing: Sharing detected Fast Flux indicators with trusted partners and threat intelligence communities.
  • Phishing Awareness and Training: Implementing employee training programs to identify and respond to phishing attempts.
