
CISA Warns of Fast Flux DNS Evasion Technique by Cybercriminals and State Actors Threatening National Security

The Cybersecurity and Infrastructure Security Agency (CISA) is warning about cybercriminals and state-sponsored threat actors using the Fast Flux DNS evasion technique to avoid detection.

The attackers use the tactic to obfuscate their locations and “create resilient, highly available command and control (C2) infrastructure” for subsequent malicious operations.

“This resilient and fast-changing infrastructure makes tracking and blocking malicious activities that use fast flux more difficult,” the agency warned.

It leverages a network of compromised devices (botnets) as proxies to rapidly change Domain Name System (DNS) records, such as name servers and IP addresses, to evade IP blacklisting and takedown efforts and maintain anonymity.

The United States’ CISA, FBI, and NSA, Australia’s ASD’s ACSC, Canada’s CCCS, and New Zealand’s NCSC-NZ issued the joint advisory, warning that the technique poses a serious national security threat.

How threat actors use Fast Flux DNS evasion technique to avoid detection

The DNS evasion technique exists in two flavors: Single Flux and Double Flux. With Single Flux, the attackers rapidly rotate the IP addresses associated with a domain, making them harder to trace and block. This ensures that the malicious domain remains reachable through other IP addresses if one is taken down or blocked.

In contrast, the Double Flux evasion technique involves changing both the IP addresses and DNS name servers, providing an additional “layer of redundancy and anonymity for malicious domains.” The method can involve altering both the Name Server (NS) and the Canonical Name (CNAME) records.

“Fast Flux is a tactic that thrives on poor visibility, disconnected tools, and delayed response,” noted Om Moolchandani, CISO and CPO at Tuskira. “Specifically, it’s a method attackers use to evade detection and persist within networks by manipulating Domain Name Systems (DNS) infrastructure. When defenses operate in silos, malicious infrastructure can stay hidden in plain sight.”

Numerous threat groups, ranging from entry-level cybercriminals to prolific ransomware gangs such as Gamaredon, Hive, and Nefilim, and nation-state actors, have leveraged the Fast Flux DNS evasion technique.

Bulletproof hosting (BPH) services, which ignore law enforcement notices and requests, also apply the DNS evasion technique to maintain anonymity and weather takedown attempts.

CISA also warned that Fast Flux plays a significant role in phishing and social engineering campaigns and maintaining cybercriminal forums. Fake shops, botnet managers, spam mailing services, and credential stealers could also leverage the Fast Flux DNS evasion technique to remain operational.

“Fast Flux DNS is not new. In fact, it has been used by various threat actors for well over a decade now,” said Aamir Lakhani, Lead Researcher and Cyber Security Expert, Fortinet’s FortiGuard Labs. “FortiGuard Labs saw some of the early botnets back between 2007-2010, like Zeus and Conficker, using fast flux to distribute malware and manage their command-and-control (C2) communications.”

Detecting and mitigating Fast Flux

The coalition of national agencies listed various detection techniques that organizations should implement to identify and mitigate the Fast Flux DNS evasion behavior.

“By implementing robust detection and mitigation strategies, organizations can significantly reduce their risk of compromise by fast flux-enabled threats,” they stated.

The detection techniques include leveraging threat intelligence and reputation services to identify Fast Flux domains and IP addresses. Organizations should also monitor DNS logs to identify domains with high-entropy names or frequent IP rotations, typically up to hundreds per day.

Network defenders should also check for domains with low time-to-live (TTL) values, typically 3 to 5 minutes, which is characteristic of Fast Flux domains. They should also check for DNS resolutions with inconsistent IP-geolocation information.

Other tell-tale signs of Fast Flux domains include large-scale communication with numerous IP addresses over short periods, and anomalous traffic deviating from usual network DNS behavior. Phishing activities such as suspicious emails, websites, or links also point to the presence of fast flux infrastructure.
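The detection signals listed above (low TTLs, rapid IP rotation, name-server churn for Double Flux, inconsistent geolocation, high-entropy names) can be combined into a simple scoring pass over resolver logs. The following is an added example, not tooling from CISA or the advisory: it assumes a simplified log format of `<unix_ts> <qname> <rtype> <ttl> <rdata>`, a constructed IP-prefix-to-country table, and threshold values chosen for illustration. The constructed log contains one CDN-style domain and one fast-flux-style domain.

```python
"""Heuristic fast-flux scoring over DNS resolver log lines (added example).

Log format assumed: <unix_ts> <qname> <rtype> <ttl> <rdata>
Thresholds, the geolocation table and the sample log are constructed for
illustration; tune them against real resolver data before use.
"""
import math
from collections import defaultdict

LOW_TTL_SECONDS = 300      # advisory: fast-flux TTLs are typically 3-5 minutes (assumed cutoff)
MIN_DISTINCT_IPS = 5       # assumed: this many distinct A records within one window
MIN_DISTINCT_NS = 3        # assumed: name-server churn characteristic of Double Flux
MIN_COUNTRIES = 3          # assumed: inconsistent geolocation across resolved IPs
ENTROPY_THRESHOLD = 3.0    # assumed: bits of Shannon entropy in the leftmost label

# Constructed geolocation lookup keyed by /24 prefix (documentation ranges only).
GEO_BY_PREFIX = {"192.0.2": "DE", "198.51.100": "US", "203.0.113": "BR"}

# Constructed sample log: a CDN-style domain (low TTL but stable IPs, one country)
# and a fast-flux-style domain (low TTL, IP churn, NS churn, mixed countries).
SAMPLE_LOG = """\
1700000000 cdn.example.net A 60 198.51.100.10
1700000600 cdn.example.net A 60 198.51.100.10
1700001200 cdn.example.net A 60 198.51.100.11
1700000000 cdn.example.net NS 86400 ns1.example.net
1700000000 q7zk2vx9pd.example.org A 180 203.0.113.5
1700000180 q7zk2vx9pd.example.org A 180 198.51.100.77
1700000360 q7zk2vx9pd.example.org A 180 192.0.2.9
1700000540 q7zk2vx9pd.example.org A 180 203.0.113.41
1700000720 q7zk2vx9pd.example.org A 180 192.0.2.200
1700000000 q7zk2vx9pd.example.org NS 180 ns1.flux-host.example
1700000360 q7zk2vx9pd.example.org NS 180 ns2.flux-host.example
1700000720 q7zk2vx9pd.example.org NS 180 ns3.flux-host.example
"""


def shannon_entropy(label):
    """Bits of entropy per character; random-looking labels score higher."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def geo_of(ip):
    """Country for an IPv4 address using the constructed /24 table."""
    return GEO_BY_PREFIX.get(ip.rsplit(".", 1)[0], "??")


def parse_log(text):
    records = []
    for line in text.strip().splitlines():
        ts, qname, rtype, ttl, rdata = line.split()
        records.append((int(ts), qname.lower(), rtype.upper(), int(ttl), rdata))
    return records


def score_domains(records, window_seconds=3600):
    """Return {qname: {"signals": {...}, "score": n}} for every queried name."""
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec[1]].append(rec)
    results = {}
    for qname, recs in by_name.items():
        a_recs = [r for r in recs if r[2] == "A"]
        ns_recs = [r for r in recs if r[2] == "NS"]
        # Distinct IPs per fixed time bucket captures "many IPs over a short period".
        ips_by_bucket = defaultdict(set)
        for ts, _, _, _, ip in a_recs:
            ips_by_bucket[ts // window_seconds].add(ip)
        max_ips_in_window = max((len(s) for s in ips_by_bucket.values()), default=0)
        all_ips = {r[4] for r in a_recs}
        signals = {
            "low_ttl": bool(a_recs) and min(r[3] for r in a_recs) <= LOW_TTL_SECONDS,
            "ip_churn": max_ips_in_window >= MIN_DISTINCT_IPS,
            "ns_churn": len({r[4] for r in ns_recs}) >= MIN_DISTINCT_NS,
            "geo_spread": len({geo_of(ip) for ip in all_ips}) >= MIN_COUNTRIES,
            "high_entropy": shannon_entropy(qname.split(".")[0]) >= ENTROPY_THRESHOLD,
        }
        results[qname] = {"signals": signals, "score": sum(signals.values())}
    return results


def flagged(results, min_score=3):
    """Names whose combined signal count reaches the (assumed) alert threshold."""
    return sorted(q for q, r in results.items() if r["score"] >= min_score)


if __name__ == "__main__":
    scored = score_domains(parse_log(SAMPLE_LOG))
    for name, info in sorted(scored.items()):
        print(f"{name}: score={info['score']} {info['signals']}")
    print("flagged:", flagged(scored))
```

The CDN-style name trips only the low-TTL signal, which is why a single indicator should not raise an alert on its own: legitimate content delivery networks also use short TTLs and rotate addresses. The fast-flux-style name scores on all five signals, and the NS churn in particular is what separates Double Flux from Single Flux in the log.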

The agencies urged organizations to implement various mitigations, including DNS and IP blocking, reputational filtering, enhanced monitoring and logging, collaborative defense and information sharing, and phishing awareness and training.