Fast flux is a DNS-based evasion technique used by botnet operators to stay under the radar. With fast flux, threat actors can quickly switch between compromised hosts, making their infrastructure very hard for detection tools to pin down.
In this article, we will break down what fast flux is and explore how it works, what its security implications are, and how businesses can best deal with this constantly evolving threat.
What Is Fast Flux?
Fast flux is a domain name system (DNS) evasion technique used by cyber criminals to hide phishing and malware delivery sites behind a network of compromised hosts that act as reverse proxies for the backend botnet master.
But first, let’s clarify what a botnet is. Apart from being a mix between the words ‘robot’ and ‘network’, a botnet is a network of infected computers or other internet-connected devices that communicate with one another to carry out the same malicious acts, such as spam campaigns or distributed denial-of-service (DDoS) attacks.
Online criminals can manipulate the network remotely to serve their goals, allowing the hackers to escape detection or legal action by law enforcement. If you want to learn more about botnets, my colleague Cezarina wrote an extensive article that covers the topic of What Is a Botnet & How to Prevent Your PC From Being Enslaved.
Going back to fast flux, the idea behind this technique is to let a botnet rapidly switch the IP addresses behind a domain, spreading its traffic across many compromised hosts. When using a fast-flux network, botnets change their IP addresses every few minutes. Because the host a victim connects to keeps changing, and each host is only a proxy, a cybercriminal can conceal the origin of phishing, malware, and other attacks.
The History of Fast Flux
Fast flux is not a new or sophisticated technique; it has been around since 2007, when it was first identified by security researchers of the Honeynet Project, according to Wikipedia. It shows no sign of going away, and law enforcement and security researchers still struggle with it on a daily basis.
How Does It Work? The Process Behind Fast Flux
Attackers will associate several IP addresses with a single domain name by rapidly modifying the DNS records connected with that domain name. Every few minutes or seconds, an IP address is registered, deregistered, and replaced with a new IP address.
Threat actors can accomplish this by utilizing a load balancing technique known as round-robin DNS and setting an extremely short time to live (TTL) for each IP address. Typically, some or all of the IP addresses used will be web hosts that the attackers have compromised. The machines at these IP addresses will operate as proxies for the attacker’s origin server.
Using round-robin DNS, a domain can be pointed at numerous available web servers, each of which has a different IP address. Each time a query comes in, the domain’s authoritative nameserver answers with the next IP address in the rotation, ensuring that no single web server is overloaded. Although load balancing is the intended and proper usage of round-robin DNS, attackers can exploit the same feature to hide their malicious infrastructure.
Fast Flux Types: Single Flux Vs. Double Flux
In a single-flux network, a fast-fluxing domain name’s authoritative name server continuously permutes DNS resource records with short time to live (TTL) values, which are typically between 180 and 600 seconds. The permuted records in the zone file comprise A, AAAA, and CNAME records, and they are usually distributed round-robin from a registry containing the IP addresses and DDNS names of compromised hosts.
It is already hard to block a domain and trace the origin of harmful activity, but double flux adds another layer of DNS fluxing, making it even more complex. In double flux, the IP address of the authoritative nameserver is also swapped out regularly. In technical terms, this means that both the domain’s DNS A records and the zone’s DNS NS records are frequently updated.
Cybercriminals use a double-flux network to get into the computer systems of their victims in different ways, such as by defeating email and web security controls. A double-flux network relies on zombie computers, that is, computers that have been compromised by a virus or Trojan. Botnets use zombie computers to add an extra layer of separation between the changing IP addresses and the source of the attack, which is the cybercriminal’s host machine.
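The single-flux and double-flux behaviour described above can be spotted by watching how a domain's answers change over time. The following is an added example, not code from the original article: it scores a series of constructed DNS observations for one domain using three indicators (short TTL, many distinct IPs spread over several /16 networks, and rotating NS records). The thresholds and the sample data are assumptions chosen for illustration.

```python
"""Fast-flux indicator scoring over repeated DNS responses (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, IPv4Address

@dataclass(frozen=True)
class DnsObservation:
    seen_at: int        # seconds since start of capture (constructed)
    ttl: int            # TTL of the A records in this response
    a_records: tuple    # IPv4 addresses returned for the domain
    ns_records: tuple   # authoritative name servers returned for the zone

SHORT_TTL_SECONDS = 600   # article: single-flux TTLs are typically 180-600 s

def distinct_slash16(addrs):
    """Count distinct /16 prefixes; flux hosts are scattered across networks."""
    prefixes = set()
    for a in addrs:
        ip = ip_address(a)
        if isinstance(ip, IPv4Address):
            prefixes.add(ip.packed[:2])
    return len(prefixes)

def score_fast_flux(observations, min_ips=5, min_prefixes=3):
    """Return (verdict, indicators); verdict is 'none', 'single' or 'double'."""
    all_a = {a for o in observations for a in o.a_records}
    all_ns = {n for o in observations for n in o.ns_records}
    short_ttl = all(o.ttl <= SHORT_TTL_SECONDS for o in observations)
    ind = {"short_ttl": short_ttl, "unique_ips": len(all_a),
           "unique_prefixes": distinct_slash16(all_a), "unique_ns": len(all_ns)}
    if not (short_ttl and len(all_a) >= min_ips and ind["unique_prefixes"] >= min_prefixes):
        return "none", ind
    # Double flux: the NS set itself changes between responses, not just the A set.
    ns_sets = {frozenset(o.ns_records) for o in observations}
    return ("double" if len(ns_sets) > 1 else "single"), ind

def sample_series(kind):
    """Constructed captures for illustration: 'cdn', 'single' or 'double'."""
    if kind == "cdn":   # stable hosting: low TTL but few IPs, one network
        ns = ("ns1.cdn.example", "ns2.cdn.example")
        ips = ("192.0.2.10", "192.0.2.11", "192.0.2.12")
        return [DnsObservation(t * 300, 300, ips, ns) for t in range(4)]
    rotating = [("192.0.2.10", "198.51.100.5"), ("203.0.113.3", "192.0.2.77"),
                ("198.51.100.9", "203.0.113.44")]
    obs = []
    for t, ips in enumerate(rotating):
        ns = ("ns1.flux.example", "ns2.flux.example")
        if kind == "double":
            ns = (f"ns{t}.flux.example",)   # NS rotates along with the A records
        obs.append(DnsObservation(t * 180, 180, ips, ns))
    return obs
```

Real captures would come from passive DNS or resolver logs; a low TTL alone is not evidence, since CDNs use short TTLs legitimately, which is why the example requires IP and network diversity as well.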
The Security Implications of Fast Flux
Fast flux is used by botnets to perform DDoS attacks or to hide phishing campaigns and the distribution of malware, ransomware, or spyware. In short, the fast flux technique brings all the dangers that come with a botnet, one of the worst cybersecurity enemies of enterprises, governments, and individuals alike.
In order to deliver commands to infected devices and retrieve information stolen from targets, cybercriminals who run fast-flux networks frequently use a command-and-control (C2) server. Because the IP addresses and DNS records in front of that server keep changing, defenders struggle to block the channel, and the attacker keeps access to the compromised systems. A C2 server allows an attacker to keep in touch and continue relaying instructions and stealing data. And once in control, the possibilities to cause damage are limitless.
How to Prevent Fast Flux
The most reliable method of stopping fast fluxing would be to take down the domain name. But unfortunately, domain name registrars are not always ready or able to help with that for various reasons, including the lack of jurisdiction-independent terms of service agreements and the fact that fast-flux operators and cybersquatters are frequently an important source of revenue for the domain name registrars.
Another strategy would be to take additional measures to prevent fast flux from affecting your users in the first place. Administrators can mandate that all clients on their network use only trusted DNS servers and block queries for known malicious domains. This protects users from reaching harmful websites by preventing their domains from being resolved. This method is known as Domain Name System (DNS) filtering.
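One concrete way to implement the DNS filtering described above is a Response Policy Zone (RPZ), which BIND and Unbound resolvers can load so that listed domains and all their subdomains resolve to NXDOMAIN. The code below is an added example, not Heimdal's or the article's: it builds such a zone from a blocklist and simulates the resolver's policy lookup. The zone name "rpz.local" and the domains are constructed placeholders.

```python
"""Generate an RPZ blocklist zone and check names against it (added example)."""
import re

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(domain):
    """Lower-case, strip the trailing dot and reject malformed names."""
    d = domain.strip().lower().rstrip(".")
    labels = d.split(".")
    if len(labels) < 2 or not all(LABEL.match(l) for l in labels):
        raise ValueError(f"bad domain: {domain!r}")
    return d

def rpz_zone(blocked, zone="rpz.local", serial=1):
    """Return RPZ zone text: an NXDOMAIN rule per domain plus a wildcard rule.

    In RPZ, a CNAME to "." instructs the resolver to answer NXDOMAIN.
    """
    rules = sorted({normalize(d) for d in blocked})
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{zone}. {serial} 3600 600 86400 300",
        "@ IN NS localhost.",
    ]
    for d in rules:
        lines.append(f"{d} IN CNAME .")      # the domain itself
        lines.append(f"*.{d} IN CNAME .")    # any subdomain (wildcard does not cover the apex)
    return "\n".join(lines) + "\n"

def is_blocked(name, blocked):
    """Simulate the policy lookup: block on exact match or any parent domain match."""
    labels = normalize(name).split(".")
    rules = {normalize(d) for d in blocked}
    # Walk from the full name up to the registrable-looking parent, never the bare TLD.
    return any(".".join(labels[i:]) in rules for i in range(len(labels) - 1))
```

The generated text is loaded as an authoritative zone and referenced from the resolver's `response-policy` (BIND) or `rpz:` (Unbound) configuration; keeping the blocklist in one zone also lets you update it by serial like any other zone.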
How Can Heimdal® Help?
If you need a professional DNS filtering solution, we are more than happy to help you with a product specially designed to combat threats that target your DNS traffic. Heimdal® Threat Prevention filters DNS, HTTP and HTTPS traffic and scans it in real time, banning malicious domains and blocking communication with cybercriminal infrastructure.
With Threat Prevention you can spot malicious URLs, processes, and backtrack the attacker’s origins. Empower your team with the perfect tools and gain complete visibility and control over your endpoints and network.
Threat Prevention – Endpoint also allows you to do category-based web page filtering, ensuring the security of your private information regardless of where you or your employees (if you’re an enterprise) choose to work from. It works in conjunction with any existing antivirus product to block malicious domains and communications to and from C2 servers and other malicious infrastructure.
Wrapping Up
Fast flux enables botnet operators to associate multiple IP addresses with a single domain and change them rapidly. In some cases, hundreds or even thousands of IP addresses are used. With fast fluxing, hackers keep their web properties active, hide the true origin of their malicious activity, and prevent security teams from blocking their IP addresses during a botnet attack.
Don’t underestimate the power of this technique and make sure you take all the necessary measures to prevent the botnet operators from taking control over the infrastructure of your business. Stay one step ahead of their game by choosing a trustworthy DNS filtering solution!