
Fast Flux DNS tactics escalate cyber defence challenges
The tactic known as Fast Flux DNS has become a critical tool in the arsenal of modern cybercriminals, allowing them to conceal their activities and avoid detection far more effectively.
Fast Flux is a method used by cybercriminals to frequently change the IP addresses linked with a domain name. Typically driven by a network of compromised devices, the process allows threat actors to obscure the location of their servers, complicating any efforts to dismantle their operations.
The Australian Cyber Security Centre (ACSC) explains that "Fast flux is a domain name system technique that allows a domain name to resolve to a constantly changing set of IP addresses."
Cybercriminals use two primary forms of Fast Flux. The first, Single Flux, involves one domain that can resolve to numerous IP addresses, with these addresses rotating rapidly within the DNS records.
The second, Double Flux, not only sees the IP addresses rotate but also includes the movement of name servers, creating a highly dynamic and distributed system architecture.
Initially linked to phishing and spam activities, the use of Fast Flux has expanded significantly to underpin more severe threats. Recently, it has been adopted by ransomware groups and state-backed actors to enhance their operations' stealth and resilience.
Ransomware operations, including those linked to Hive and Nefilim groups, have utilized Fast Flux to conceal their command-and-control (C2) infrastructures. This makes it much more challenging for security defenders to track down and disrupt these networks. Entire data leak sites are occasionally hosted on Fast Flux networks, thus maintaining their availability despite law enforcement efforts or interventions by security researchers.
Nation-state affiliated groups have also leveraged Fast Flux in their cyber activities. The Gamaredon Group, frequently referenced in security reports for its intelligence gathering operations in Eastern Europe, has used Fast Flux to ensure their infrastructure remains adaptive and harder to trace over time.
The technique's constant churn of DNS records places additional strain on the DNS layer and makes its operation difficult to track.
Notably, thousands of IP addresses can now be associated with a single domain, and specific configurations include TTL values set to less than 300 seconds, necessitating constant DNS refreshes. This effectively nullifies many traditional DNS-based security measures.
Both the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have recognised how these tactics hinder mitigation efforts.
The ACSC has expressed concern over the growing prevalence of Fast Flux, particularly for Australian entities. The method's design fundamentally weakens conventional detection approaches, as it results in ongoing IP address rotations that complicate tracking efforts.
The ACSC advises that organisations heighten their defences by employing layered protections paired with thorough DNS monitoring.
Despite the difficulty in detecting Fast Flux, advancements in strategy present new detection opportunities.
Approaches including heightened DNS traffic monitoring, which focuses on identifying frequent IP changes and low TTL values; network behaviour analysis to detect unusual connection patterns; and AI-driven DNS services can counter these sophisticated threats. Collective threat intelligence sharing has also been recommended to accelerate response times.
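To make the DNS monitoring approach concrete, here is an added example (not from the article or from any organisation it cites) that scores constructed passive-DNS answers for single and double flux: a name is flagged when its records combine low TTLs with many distinct A addresses, and as double flux when its NS hosts rotate as well. The log format, the sample data and the thresholds are assumptions made for this example.

```python
from collections import defaultdict

# Thresholds are assumptions for this example; tune them to your own resolver traffic.
LOW_TTL_SECONDS = 300   # the article cites TTLs under 300 s
MIN_DISTINCT_IPS = 5    # distinct A records for one name within the window
MIN_DISTINCT_NS = 3     # distinct NS hosts for one zone (double flux)

# Constructed passive-DNS log, one answer per line: "<unix_ts> <name> <rtype> <rdata> <ttl>".
SAMPLE_LOG = """\
1700000000 bad.example A 198.51.100.10 60
1700000060 bad.example A 198.51.100.23 60
1700000120 bad.example A 203.0.113.5 60
1700000180 bad.example A 203.0.113.77 60
1700000240 bad.example A 198.51.100.200 60
1700000000 bad.example NS ns1.bad.example 60
1700000300 bad.example NS ns7.bad.example 60
1700000600 bad.example NS ns12.bad.example 60
1700000000 flux.example A 192.0.2.10 120
1700000120 flux.example A 192.0.2.11 120
1700000240 flux.example A 192.0.2.12 120
1700000360 flux.example A 192.0.2.13 120
1700000480 flux.example A 192.0.2.14 120
1700000000 cdn.example A 192.0.2.50 30
1700000030 cdn.example A 192.0.2.51 30
1700000000 static.example A 192.0.2.99 86400
"""

def parse_line(line):
    """Split one log line into (ts, name, rtype, rdata, ttl); names lower-cased, no trailing dot."""
    ts, name, rtype, rdata, ttl = line.split()
    return int(ts), name.lower().rstrip("."), rtype.upper(), rdata.lower().rstrip("."), int(ttl)

def analyse(log_text):
    """Return {name: 'double-flux' | 'single-flux' | 'ok'} for every name in the log."""
    a_records, ns_records, min_ttl = defaultdict(set), defaultdict(set), {}
    for line in filter(str.strip, log_text.splitlines()):
        _ts, name, rtype, rdata, ttl = parse_line(line)
        if rtype not in ("A", "NS"):
            continue
        # NS answers are assumed to be logged under the zone apex they belong to.
        (a_records if rtype == "A" else ns_records)[name].add(rdata)
        min_ttl[name] = min(min_ttl.get(name, ttl), ttl)
    verdicts = {}
    for name in set(a_records) | set(ns_records):
        # Low TTL alone is not a signal (CDNs use it too); it must combine with IP churn.
        fluxing = min_ttl[name] < LOW_TTL_SECONDS and len(a_records[name]) >= MIN_DISTINCT_IPS
        verdicts[name] = ("double-flux" if fluxing and len(ns_records[name]) >= MIN_DISTINCT_NS
                          else "single-flux" if fluxing else "ok")
    return verdicts
```

Running `analyse(SAMPLE_LOG)` flags bad.example as double flux and flux.example as single flux, while the low-TTL cdn.example and the static name stay clean, which is the distinction a DNS monitoring rule needs to draw.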
Australian entities across various sectors are now prioritising the enhancement of cyber defence capabilities, recognising the rising threat level posed by these techniques. Local consultancies such as Borderless CS are aiding organisations by strengthening cyber resilience through incident response planning, conducting security risk evaluations, and providing managed security services. These efforts are crucial in counteracting the challenges presented by evasion tactics like Fast Flux.
The increase in Fast Flux usage highlights the rapid evolution of cybercriminal strategies, standing as a reminder of the pivotal role DNS plays in the ongoing skirmish of cyber security. Understanding and devising countermeasures for such techniques is essential to safeguard infrastructure and maintain public confidence.