What Is a Fast Flux Network?
Cycling quickly through bots and DNS records is an effective way for cybercriminals to bypass detection. The technique, called fast flux, can wreak havoc on your enterprise. Find out what it is and why it’s hard to detect.
Fast flux is a popular technique cybercriminals use to make it more difficult for law enforcement to take down their servers. The technique is called “fast” because it cycles quickly through many bots and DNS records. Cybercriminals create fast flux networks for phishing, malware distribution, scams and botnet operations.
How Does Fast Flux Work?
The main idea behind fast flux is having multiple IP addresses per malicious domain name and changing them in quick succession. The malicious domain is often a typosquat: a variation of a popular domain name that will fool users into visiting it. One example is bankiamerica[.]com, a misspelling of the domain for Bank of America. Users who visit such a domain will usually be directed to a phishing site that resides on the cybercriminal’s server. The site can then start collecting credentials and sensitive information or deliver malware. Alternatively, in this example, the attacker may send a phishing email to customers of Bank of America that contains the URL of the phishing site.
Figure 1 shows an example of multiple IP addresses associated with a malicious domain. Each IP address may only “live” for as few as five minutes – long enough to lure unsuspecting users without the risk of being detected.
| Domain name | IP address |
| --- | --- |
| bankiamerica[.]com | 101.14.66.2 |
| bankiamerica[.]com | 222.14.10.4 |
| bankiamerica[.]com | 23.124.228.102 |
| bankiamerica[.]com | 101.14.66.22 |

Figure 1: One malicious domain with multiple IP addresses
A new set of IP addresses will subsequently get created automatically for the same domain name, often by botnets, and the old ones will be dropped (see figure 2).
| Domain name | IP address |
| --- | --- |
| bankiamerica[.]com | 181.214.153.22 |
| bankiamerica[.]com | 96.44.162.82 |
| bankiamerica[.]com | 106.253.253.5 |
| bankiamerica[.]com | 139.99.91.95 |

Figure 2: Additional IP addresses for the same domain
This example scenario is a simple fast flux network. More advanced techniques, such as double flux – in which a fast flux network is set up to replace the name server – are common and make detection a cat-and-mouse game between cybercriminals and law enforcement.
Fast Flux Detection
The multiple IP addresses and the frequency with which they change mislead law enforcement and make the malicious servers difficult to trace. Investigators have to spend significant time analyzing each connection created by the botnet. Often, the domains are hosted by internet service providers (ISPs) in countries that may not cooperate quickly with law enforcement requests. One example detected by Palo Alto Networks was the domain heygamersnort[.]at, which resolved through more than 200 IP addresses in fewer than two months. The IP addresses were hosted with different ISPs in Eastern Europe, the Middle East, and Central and South America, which made it complicated for law enforcement to trace and dismantle.
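The mechanism described above (many short-lived IP addresses per domain, and in double flux a churning name server as well) translates directly into something a defender can measure in resolver or passive-DNS logs. The following is an added example, not Palo Alto Networks code or a description of any product: it scores each domain by how many distinct IPs and distinct /16 prefixes appear within a sliding window and how low the advertised TTL is, then labels it fast flux, double flux or normal. The log format, the thresholds, and all domains except bankiamerica[.]com (whose addresses are taken from figures 1 and 2) are constructed for the example; the comparison with a CDN-style domain shows why address count alone is a poor signal.

```python
"""Fast flux scoring over a passive-DNS style log (added example, not vendor code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network


@dataclass(frozen=True)
class DnsObservation:
    """One resolution seen by a resolver or passive-DNS sensor (constructed format)."""
    seen: datetime
    domain: str
    rtype: str  # "A" for an address record, "NS" for a name-server record
    rdata: str  # the IPv4 address (A) or name-server host name (NS)
    ttl: int    # TTL the authoritative server returned, in seconds


def _prefix16(ip: str) -> str:
    """Collapse an IPv4 address to its /16 so hosting diversity can be measured."""
    return str(ip_network(f"{ip}/16", strict=False))


def fast_flux_scores(observations, window=timedelta(minutes=30)):
    """Per-domain flux metrics, each taken over the densest `window` of observations.

    distinct_ips  - most distinct A-record IPs seen inside any one window
    distinct_nets - distinct /16 prefixes among those IPs
    distinct_ns   - most distinct NS host names seen inside any one window
    min_ttl       - lowest TTL advertised for the domain
    """
    by_domain = defaultdict(list)
    for obs in observations:
        by_domain[obs.domain].append(obs)

    scores = {}
    for domain, obs in by_domain.items():
        obs.sort(key=lambda o: o.seen)
        best_ips, best_nets, best_ns = 0, 0, 0
        for start in obs:  # slide a window beginning at every observation
            end = start.seen + window
            in_window = [o for o in obs if start.seen <= o.seen <= end]
            ips = {o.rdata for o in in_window if o.rtype == "A"}
            nets = {_prefix16(ip) for ip in ips}
            ns_hosts = {o.rdata for o in in_window if o.rtype == "NS"}
            if (len(ips), len(nets)) > (best_ips, best_nets):
                best_ips, best_nets = len(ips), len(nets)
            best_ns = max(best_ns, len(ns_hosts))
        scores[domain] = {
            "distinct_ips": best_ips,
            "distinct_nets": best_nets,
            "distinct_ns": best_ns,
            "min_ttl": min(o.ttl for o in obs),
        }
    return scores


def classify(score, min_ips=5, min_nets=3, max_ttl=300):
    """Label a domain from its metrics (thresholds are illustrative assumptions).

    A CDN also answers with many IPs, but they normally sit in a few prefixes of
    one provider; fast flux spreads short-lived IPs across unrelated networks.
    """
    fluxing = (score["distinct_ips"] >= min_ips
               and score["distinct_nets"] >= min_nets
               and score["min_ttl"] <= max_ttl)
    if fluxing and score["distinct_ns"] >= 2:
        return "double-flux"   # address records and name servers both churn
    if fluxing:
        return "fast-flux"
    return "normal"


# ---- constructed sample log ------------------------------------------------
T0 = datetime(2024, 1, 1, 12, 0)


def _obs(minute, domain, rtype, rdata, ttl=300):
    return DnsObservation(T0 + timedelta(minutes=minute), domain, rtype, rdata, ttl)


SAMPLE_LOG = [
    # Addresses from figures 1 and 2 of the article, observed a few minutes apart.
    *[_obs(3 * i, "bankiamerica[.]com", "A", ip) for i, ip in enumerate([
        "101.14.66.2", "222.14.10.4", "23.124.228.102", "101.14.66.22",
        "181.214.153.22", "96.44.162.82", "106.253.253.5", "139.99.91.95"])],
    _obs(0, "bankiamerica[.]com", "NS", "ns1.flux-host[.]example"),
    # Constructed double-flux domain: addresses and name servers both churn.
    *[_obs(4 * i, "login-verify[.]example", "A", ip) for i, ip in enumerate([
        "198.18.7.9", "198.19.200.1", "203.0.113.40", "192.0.2.77", "198.51.100.5"])],
    _obs(0, "login-verify[.]example", "NS", "ns1.flux-host[.]example"),
    _obs(10, "login-verify[.]example", "NS", "ns4.other-host[.]example"),
    # Constructed CDN-style host: several IPs, but all inside one provider's /16.
    *[_obs(5 * i, "cdn-site[.]example", "A", f"203.0.113.{10 + i}", ttl=60) for i in range(6)],
    _obs(0, "cdn-site[.]example", "NS", "ns.cdn-site[.]example", ttl=3600),
    # Constructed ordinary host: one address, long TTL.
    _obs(0, "static-corp[.]example", "A", "192.0.2.10", ttl=3600),
]


def report(observations):
    """Map every domain in the log to its label."""
    return {d: classify(s) for d, s in fast_flux_scores(observations).items()}


if __name__ == "__main__":
    for domain, s in fast_flux_scores(SAMPLE_LOG).items():
        print(f"{domain:26} {classify(s):12} {s}")
```

The /16 grouping is a stand-in for the ASN or hosting-provider lookup a production pipeline would use; the point it makes is the one in the text above, that the figure-1 and figure-2 addresses sit in seven unrelated networks, which no single legitimate hosting arrangement for a bank login page would produce. Thresholds should be tuned against the organisation's own resolver data before any alerting is wired to them.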
Protection against fast flux networks is critical for any enterprise. Learn more about fast flux from Unit 42®.