What Is a Fast Flux Network?
Cycling quickly through bots and DNS records is an effective way for cybercriminals to bypass detection. The technique, called fast flux, can wreak havoc on your enterprise. Find out what it is and why it’s hard to detect.
Fast flux is a popular technique cybercriminals use to make it more difficult for law enforcement to take down their servers. The technique is called “fast” because it cycles quickly through many bots and DNS records. Cybercriminals create fast flux networks for phishing, malware distribution, scams and botnet operations.
Related Video
The Evolution of Modern Phishing Attacks
How Does Fast Flux Work?
The main idea behind fast flux is having multiple IP addresses per malicious domain name and changing them in quick succession. The malicious domain is often a typosquat: a variation of a popular domain name that will fool users into visiting it. One example is bankiamerica[.]com, a misspelling of the domain for Bank of America. Users who visit such a domain will usually be directed to a phishing site that resides on the cybercriminal’s server. The site can then start collecting credentials and sensitive information or deliver malware. Alternatively, in this example, the attacker may send a phishing email to customers of Bank of America that contains the URL of the phishing site.
Figure 1 shows an example of multiple IP addresses associated with a malicious domain. Each IP address may only “live” for as few as five minutes – long enough to lure unsuspecting users without the risk of being detected.
Domain name |
IP address |
bankiamerica[.]com |
101.14.66.2 |
bankiamerica[.]com |
222.14.10.4 |
bankiamerica[.]com |
23.124.228.102 |
bankiamerica[.]com |
101.14.66.22 |
Figure 1: One malicious domain with multiple IP addresses
A new set of IP addresses will subsequently get created automatically for the same domain name, often by botnets, and the old ones will be dropped (see figure 2).
Domain name |
IP address |
bankiamerica[.]com |
181.214.153.22 |
bankiamerica[.]com |
96.44.162.82 |
bankiamerica[.]com |
106.253.253.5 |
bankiamerica[.]com |
139.99.91.95 |
Figure 2: Additional IP addresses for the same domain
This example scenario is a simple fast flux network. More advanced techniques, such as double flux – in which a fast flux network is set up to replace the name server – are common and make detection a cat-and-mouse game between cybercriminals and law enforcement.
Fast Flux Detection
The multiple IP addresses and the frequency with which they change mislead law enforcement and make the malicious servers difficult to trace. Investigators have to spend significant time analyzing each connection created by the botnet. Often, the domains are hosted by internet service providers (ISPs) in countries that may not cooperate quickly with law enforcement requests. One example detected by Palo Alto networks was the domain heygamersnort[.]at, which resolved through more than 200 IP addresses in fewer than two months. The IP addresses were hosted with different ISPs in Eastern Europe, the Middle East, and Central and South America, which made it complicated for law enforcement to trace and dismantle.
Protection against fast flux networks is critical for any enterprise. Learn more about fast flux from Unit 42.
