Fast flux is a technique used by cybercriminals to increase their infrastructure’s resilience by making law enforcement takedown of their servers and blocklisting of their IP addresses harder. It is critical for these cybercriminals to maintain their networks’ uptime to avoid losses to their revenue streams, including phishing and scam campaigns, botnet rental and illegal gambling operations.
The motivation for cybercriminals to build fast flux networks is similar to that of benign service providers, who build redundancy in their systems to ensure uptime, for example, by utilizing Round Robin in the Domain Name System (RRDNS) or Content Delivery Networks (CDNs). The main difference is that fast flux networks are used to enable illegal and malicious activities. Therefore, operators need to rely on peculiar techniques such as frequently changing their IP addresses and using botnets or bulletproof hosting (hosting providers who tend not to respond to takedown requests). A fast flux network is “fast” because, using DNS, it quickly rotates through many bots, using each one for only a short time to make IP-based blocklisting and takedown efforts difficult.
In this blog, Palo Alto Unit 42 researchers provide a fictional scenario of a cat-and-mouse game between cybercriminals and law enforcement. We illustrate how cybercriminals use single fast flux networks and more advanced techniques such as double flux (when the domain name resolution becomes part of the fast flux network) and Domain Generation Algorithms (DGAs) to hamper domain blocklisting and takedown efforts.
Source: Palo Alto