In a newly issued joint advisory, the U.S. Cybersecurity and Infrastructure Security Agency, alongside the NSA, FBI, and cybersecurity agencies from Australia, Canada, and New Zealand, identified the “fast flux” DNS technique as a growing national security threat. The method, used to obscure the location of malicious infrastructure, is gaining traction among ransomware groups and state-backed threat actors.
Fast flux allows attackers to rotate IP addresses linked to malicious domains so frequently that tracking or blocking them becomes extremely difficult. This tactic is now being used in data-extortion campaigns, phishing attacks, botnet operations, and the evasion of command-and-control takedowns.
While fast flux has been seen in the wild since the mid-2000s, its renewed use and refinement by a broader array of adversaries reflect how adaptable the technique has become.
Cybersecurity officials now warn that it undermines traditional defenses and complicates law enforcement efforts to dismantle malicious networks.
Why It Matters: Fast flux has become a method of strategic obfuscation used to undermine law enforcement and threaten national infrastructure. As both governments and private entities struggle to track malicious traffic, this aging technique is proving more potent than ever, requiring a multi-layered defense to mitigate growing risks.
- Multi-Agency Advisory Flags National Threat: CISA, NSA, and international cyber agencies have formally recognized fast flux as a national security issue. The joint advisory urges protective DNS (PDNS) providers, ISPs, and organizations managing critical infrastructure to prioritize detection and blocking of fast flux-enabled traffic.
- How Fast Flux Works: Fast flux involves continuously rotating DNS records for a domain, masking the IP addresses of malicious servers. Two forms exist: single flux, which rotates IPs, and double flux, which also rotates DNS name servers, adding an extra layer of complexity.
- Used by Ransomware and Nation-State Groups: The Hive and Nefilim ransomware groups, as well as Russia-backed Gamaredon, are actively using fast flux to obscure their infrastructure, making it harder for defenders to trace or take down malicious networks and increasing the longevity and impact of cyberattacks.
- Botnets Powering the Network: Fast flux networks often rely on large botnets of compromised devices that serve as proxies. These distributed setups make it nearly impossible for defenders to pinpoint a single origin, complicating both technical and legal takedown efforts.
- Commercialized on the Dark Web: Some bulletproof hosting services now advertise fast flux as a premium feature to attract cybercriminals. These services offer resilience against IP blocks and law enforcement action, marketing fast flux as a way to stay “untouchable.”
- Defense Recommendations: Agencies strongly urge a layered cybersecurity strategy, emphasizing behavioral DNS monitoring, trusted PDNS services, and real-time information sharing to detect and disrupt fast flux infrastructure.
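The "How Fast Flux Works" and "Defense Recommendations" points above describe a pattern that is visible in resolver or passive-DNS logs: a domain whose A records churn through many unrelated addresses with very short TTLs (single flux), and, in the double-flux case, whose NS records churn as well. The script below is an added example written for this article, not code from the advisory or from any of the agencies; it assumes a log of resolution observations shaped as (timestamp, domain, record type, value, TTL), uses constructed sample records in documentation address ranges, and the thresholds (`min_ips`, `min_prefixes`, `max_median_ttl`, `min_ns`) are illustrative starting points, not values from the advisory.

```python
"""Heuristic fast flux detector over DNS resolution observations.

Added example for this article (not the advisory's or any agency's code).
Assumed input: tuples of (timestamp_seconds, domain, rtype, value, ttl)
as a resolver or passive-DNS feed would record them.
"""
from collections import defaultdict
from statistics import median

# Constructed sample observations (not real data); addresses are from
# RFC 5737 documentation ranges and the names under .test are hypothetical.
SAMPLE_RECORDS = [
    # example.org: one stable address, long TTL -> benign
    (0,    "example.org", "A",  "93.184.216.34", 86400),
    (3600, "example.org", "A",  "93.184.216.34", 86400),
    (7200, "example.org", "A",  "93.184.216.34", 86400),
    (0,    "example.org", "NS", "a.iana-servers.net", 86400),
    # static.example.net: CDN-like, short TTL but all answers in one /24 -> benign
    (0,    "static.example.net", "A",  "203.0.113.5", 60),
    (60,   "static.example.net", "A",  "203.0.113.6", 60),
    (120,  "static.example.net", "A",  "203.0.113.7", 60),
    (180,  "static.example.net", "A",  "203.0.113.5", 60),
    (0,    "static.example.net", "NS", "ns1.example.net", 3600),
    # single-flux.test: many unrelated addresses, tiny TTL, fixed name servers
    (0,    "single-flux.test", "A",  "198.51.100.10", 60),
    (60,   "single-flux.test", "A",  "192.0.2.77", 60),
    (120,  "single-flux.test", "A",  "203.0.113.201", 60),
    (180,  "single-flux.test", "A",  "198.51.100.99", 60),
    (240,  "single-flux.test", "A",  "192.0.2.5", 60),
    (300,  "single-flux.test", "A",  "203.0.113.44", 60),
    (0,    "single-flux.test", "NS", "ns1.single-flux.test", 3600),
    # double-flux.test: addresses and name servers both rotate
    (0,    "double-flux.test", "A",  "198.51.100.20", 30),
    (30,   "double-flux.test", "A",  "192.0.2.120", 30),
    (60,   "double-flux.test", "A",  "203.0.113.9", 30),
    (90,   "double-flux.test", "A",  "198.51.100.150", 30),
    (120,  "double-flux.test", "A",  "192.0.2.33", 30),
    (0,    "double-flux.test", "NS", "ns1.double-flux.test", 60),
    (60,   "double-flux.test", "NS", "ns7.double-flux.test", 60),
    (120,  "double-flux.test", "NS", "ns3.double-flux.test", 60),
    (180,  "double-flux.test", "NS", "ns9.double-flux.test", 60),
]


def prefix24(ip):
    """Collapse an IPv4 address to its /24 so a CDN spread within one block is not over-counted."""
    return ".".join(ip.split(".")[:3])


def summarize(records):
    """Aggregate per-domain address, prefix, name-server and TTL observations."""
    per_domain = defaultdict(lambda: {"a_seq": [], "ips": set(), "prefixes": set(),
                                      "ns": set(), "ttls": []})
    for ts, domain, rtype, value, ttl in sorted(records):
        d = per_domain[domain]
        if rtype == "A":
            d["a_seq"].append((ts, value))
            d["ips"].add(value)
            d["prefixes"].add(prefix24(value))
            d["ttls"].append(ttl)
        elif rtype == "NS":
            d["ns"].add(value)
    return per_domain


def changes_per_hour(a_seq):
    """Rate at which the answered address differed from the previous answer."""
    if len(a_seq) < 2:
        return 0.0
    transitions = sum(1 for (_, prev), (_, cur) in zip(a_seq, a_seq[1:]) if prev != cur)
    window_hours = max(a_seq[-1][0] - a_seq[0][0], 1) / 3600.0
    return transitions / window_hours


def classify(stats, min_ips=5, min_prefixes=3, max_median_ttl=300, min_ns=3):
    """Return 'benign', 'single-flux' or 'double-flux' for one domain's summary.

    Thresholds are illustrative assumptions for this example, not advisory values.
    """
    if not stats["ttls"]:
        return "benign"
    churn = (len(stats["ips"]) >= min_ips
             and len(stats["prefixes"]) >= min_prefixes
             and median(stats["ttls"]) <= max_median_ttl)
    if not churn:
        return "benign"
    # Double flux: the authoritative name servers rotate as well as the A records.
    return "double-flux" if len(stats["ns"]) >= min_ns else "single-flux"


def detect_fast_flux(records, **thresholds):
    """Map each domain to a verdict plus the metrics that produced it."""
    report = {}
    for domain, stats in summarize(records).items():
        report[domain] = {
            "verdict": classify(stats, **thresholds),
            "distinct_ips": len(stats["ips"]),
            "distinct_prefixes": len(stats["prefixes"]),
            "distinct_ns": len(stats["ns"]),
            "median_ttl": median(stats["ttls"]) if stats["ttls"] else None,
            "changes_per_hour": round(changes_per_hour(stats["a_seq"]), 1),
        }
    return report


if __name__ == "__main__":
    for domain, row in detect_fast_flux(SAMPLE_RECORDS).items():
        print(f"{domain:22s} {row['verdict']:12s} {row}")
```

The /24 collapse is what keeps the CDN-style domain out of the alert: short TTLs alone are common for legitimate load balancing, and the distinguishing signal of fast flux is breadth across unrelated networks (ideally distinct ASNs, which a production version would look up) combined with low TTL. Verdicts from a heuristic like this are a triage signal for the behavioral DNS monitoring the advisory recommends, to be confirmed against a protective DNS feed or threat intelligence before blocking.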
US, Australia, Canada warn of ‘fast flux’ scheme used by ransomware gangs – The Record