Fast Flux
What is Fast Flux?
Fast Flux: A botnet DNS technique that rapidly rotates the IP addresses behind a malicious domain across many compromised hosts to resist takedown and blocking.
Fast flux is a resilience technique used by criminal networks to keep malicious content reachable even as individual hosts are cleaned up or blocked. The operator gives a domain a very short TTL (typically seconds to a few minutes) and keeps rotating its A records through a pool of compromised devices, historically infected home PCs and today often residential routers or IoT bots, which act as reverse proxies relaying traffic to a hidden back-end server (the "mothership"). Single-flux rotates only those front-end IP addresses; double-flux also rotates the NS records, so the authoritative name servers themselves run on the bot pool and there is no fixed point to seize. Storm Worm, Avalanche, and many phishing kits used fast flux to host command-and-control or credential-harvesting pages. Defences include passive DNS analysis (a fluxing FQDN resolves to an unusually large number of addresses spread across many unrelated networks and ASNs, many of them residential), RPZ feeds that block or sinkhole fluxing FQDNs, monitoring of abnormally low TTLs (on its own a low TTL is not a reliable signal, because CDNs and load balancers use them too; it is the low TTL combined with high IP and network diversity that matters), and coordinated takedowns involving registries, registrars, ISPs and law-enforcement agencies such as Europol and the FBI, with guidance from bodies such as CISA.
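The detection logic described above, as an added example that is not part of the original page or of any product it mentions: a small scorer that aggregates passive-DNS observations per FQDN, separates single-flux and double-flux from CDN-style low-TTL records by looking at address and netblock diversity, and emits RPZ entries for whatever it flags. The observations, domain names, address ranges and thresholds are all constructed for this example (the `.test` names and private/documentation ranges are placeholders, and the threshold values are assumptions, not figures from any published detector).

```python
"""Score passive-DNS observations for fast-flux behaviour and emit RPZ blocks.

Constructed example: the observations below are synthetic and the thresholds
are illustrative assumptions, not values from any published detector.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Observation:
    """One passive-DNS record: FQDN, record type, record data, TTL in seconds."""
    domain: str
    rrtype: str   # "A" or "NS"
    rdata: str
    ttl: int


# Illustrative thresholds (assumptions for this example).
MAX_FLUX_TTL = 300        # fluxing records usually carry TTLs well under five minutes
MIN_UNIQUE_IPS = 10       # one FQDN resolving to this many addresses is unusual outside CDNs
MIN_UNIQUE_PREFIXES = 5   # distinct /24s as a cheap stand-in for ASN diversity
MIN_UNIQUE_NS = 3         # rotating NS records indicate double-flux


def prefix24(ip: str) -> str:
    """Return the /24 containing an IPv4 address (used to measure network diversity)."""
    return str(IPv4Network(f"{IPv4Address(ip)}/24", strict=False))


def score_domains(observations):
    """Aggregate observations per FQDN and classify each as benign, single-flux or double-flux.

    What separates flux from a CDN is not the low TTL alone but the low TTL
    combined with many addresses spread over many unrelated networks.
    """
    per_domain = defaultdict(lambda: {"ips": set(), "ns": set(), "ttls": []})
    for o in observations:
        d = per_domain[o.domain]
        d["ttls"].append(o.ttl)
        if o.rrtype == "A":
            d["ips"].add(o.rdata)
        elif o.rrtype == "NS":
            d["ns"].add(o.rdata.lower().rstrip("."))

    results = {}
    for domain, d in per_domain.items():
        prefixes = {prefix24(ip) for ip in d["ips"]}
        min_ttl = min(d["ttls"])
        single = (min_ttl <= MAX_FLUX_TTL
                  and len(d["ips"]) >= MIN_UNIQUE_IPS
                  and len(prefixes) >= MIN_UNIQUE_PREFIXES)
        double = single and len(d["ns"]) >= MIN_UNIQUE_NS
        results[domain] = {
            "verdict": "double-flux" if double else "single-flux" if single else "benign",
            "unique_ips": len(d["ips"]),
            "unique_prefixes": len(prefixes),
            "unique_ns": len(d["ns"]),
            "min_ttl": min_ttl,
        }
    return results


def rpz_entries(results):
    """Emit BIND RPZ records returning NXDOMAIN for every flagged FQDN and its subdomains."""
    lines = []
    for domain, r in sorted(results.items()):
        if r["verdict"] != "benign":
            lines.append(f"{domain} CNAME .")
            lines.append(f"*.{domain} CNAME .")
    return lines


def sample_observations():
    """Constructed passive-DNS data; .test names and private/documentation ranges are placeholders."""
    obs = []
    # Double-flux: 12 front-end hosts in 12 different /24s plus 4 rotating name servers, TTL 120.
    for i in range(12):
        obs.append(Observation("update.example-flux.test", "A", f"10.{i}.{i}.{20 + i}", 120))
    for i in range(4):
        obs.append(Observation("update.example-flux.test", "NS", f"ns{i}.example-flux.test.", 120))
    # Single-flux: 10 front-end hosts across 10 /24s, one stable name server, TTL 180.
    for i in range(10):
        obs.append(Observation("phish.example-flux.test", "A", f"10.100.{i}.{50 + i}", 180))
    obs.append(Observation("phish.example-flux.test", "NS", "ns1.example-flux.test.", 3600))
    # CDN-style: low TTL and many addresses, but all inside two netblocks, so not flux.
    for i in range(12):
        net = "203.0.113" if i % 2 else "198.51.100"
        obs.append(Observation("cdn.example-legit.test", "A", f"{net}.{10 + i}", 60))
    obs.append(Observation("cdn.example-legit.test", "NS", "ns1.example-legit.test.", 3600))
    return obs


if __name__ == "__main__":
    scored = score_domains(sample_observations())
    for name, r in sorted(scored.items()):
        print(f"{name:28} {r['verdict']:12} ips={r['unique_ips']:2} /24s={r['unique_prefixes']:2} "
              f"ns={r['unique_ns']} min_ttl={r['min_ttl']}")
    print("\n".join(rpz_entries(scored)))
```

Run as a script it prints one line per domain plus the RPZ records. In production the /24 heuristic should be replaced by an ASN lookup, and the thresholds tuned against your own passive-DNS baseline, because a single cut-off that flags a 12-address flux pool will also flag some legitimate multi-region services unless network diversity is weighed in.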
● Examples
- 01
Storm Worm botnet rotated thousands of compromised home PCs to serve its malware download domain.
- 02
The Avalanche network used double-flux to shelter phishing and banking-trojan distribution before its 2016 takedown.
● Frequently asked questions
What is Fast Flux?
A botnet DNS technique that rapidly rotates the IP addresses behind a malicious domain across many compromised hosts to resist takedown and blocking. It belongs to the Attacks & Threats category of cybersecurity.
What does Fast Flux mean?
A botnet DNS technique that rapidly rotates the IP addresses behind a malicious domain across many compromised hosts to resist takedown and blocking.
How does Fast Flux work?
The operator sets a very short TTL on the malicious domain and continuously swaps its A records among hundreds or thousands of compromised hosts that proxy traffic to the real back-end server, so blocking any single IP address achieves nothing. In single-flux only the A records rotate; in double-flux the NS records rotate too, so the authoritative name servers themselves sit on infected hosts. Detection relies on passive DNS (many unique IPs across many unrelated networks for one FQDN, combined with a low TTL), and disruption relies on blocking or seizing the domain itself, via RPZ or registrar and registry takedown, rather than chasing the addresses.
How do you defend against Fast Flux?
Block the domain, not the addresses: feed fluxing FQDNs identified through passive-DNS analysis into a DNS RPZ or resolver blocklist; alert on FQDNs that combine a very low TTL with a high count of unique A records spread across many ASNs, especially residential ranges; treat outbound connections to unusual residential IPs on web ports as suspect; and pursue registrar or registry takedown with law enforcement, which is the measure that removes a double-flux domain rather than one of its constantly changing hosts.
What are other names for Fast Flux?
Single-flux and double-flux are the two variants of the technique rather than alternative names for it. The technique is also written fast-flux DNS, and the research literature calls the resulting infrastructure a fast-flux service network (FFSN).
● Related terms
- attacks
Domain Shadowing
An attack in which a criminal compromises a legitimate domain owner's registrar account and silently creates malicious subdomains beneath the trusted parent domain.
- attacks
Domain Generation Algorithm (DGA)
An algorithm used by malware to deterministically generate large numbers of candidate domain names so infected hosts can find their command-and-control server.
- malware
Botnet
A network of internet-connected devices infected with malware and remotely controlled by an attacker to perform coordinated activities.
- malware
Command and Control (C2)
The infrastructure and channels attackers use to maintain communication with compromised systems and send them instructions.
- network-security
DNS Tunneling
A covert channel that encodes arbitrary data inside DNS queries and responses on UDP/TCP port 53, frequently used for command-and-control and data exfiltration.