[Nate Nelson, Contributing Writer](/author/nate-nelson)
April 4, 2025
3 Min Read

Phishers, ransomware groups, and state-sponsored actors are using a decades-old domain name system (DNS) abuse technique to supercharge their malicious infrastructure.

[‘Fast flux’ has been around for years](https://www.darkreading.com/perimeter/attackers-hide-in-fast-flux), and it doesn’t involve any kind of exotic technologies or tools. It’s all about abusing legitimate DNS features to make detecting and taking down malicious domains extra difficult. On April 3, the Cybersecurity and Infrastructure Security Agency (CISA) published an [advisory about fast flux](https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-093a).
The agency wrote that organizations have a ‘gap in their defenses’ for detecting and blocking it, and warned that a variety of threat actors are taking advantage, such as Russia’s Gamaredon advanced persistent threat (APT) group, the Hive ransomware collective, and [various phishing cybercriminals](https://www.darkreading.com/cyberattacks-data-breaches/phishing-in-fast-flux).

Not everyone agrees, though, that fast flux is a serious issue worth worrying about today. Renée Burton, vice president of threat intelligence at Infoblox, [called CISA’s warning ‘a head scratcher’](https://www.linkedin.com/posts/ren%C3%A9e-burton-b7161110b_dns-threatintel-malware-activity-7313703840619315200-29Uf/?rcm=ACoAACDAIr4B4f_vadFUvfjLNTC6TVOWuqGdhNY) in a LinkedIn post. The technique is rare and somewhat irrelevant for organizational cybersecurity decision making, she said, adding that ‘if this advisory were in a trade publication, I’d think it was sponsored content.’

How Fast Flux Works
-------------------

One of the simplest, most common ways to detect and defend against any cyberattack campaign is to identify and blacklist the attackers’ infrastructure, like the Internet Protocol (IP) addresses they use to carry out their attacks. Such indicators of compromise (IoCs) can be found at the foot of any relevant security advisory.

Persistent attackers won’t just sit idly by after they’re blocked. They might burn their old infrastructure and cycle in new stuff, though this requires time and effort. Or, they can design their infrastructure to be more robust using a technique like fast flux.

The first step in fast flux is to [enlist a botnet](https://www.darkreading.com/perimeter/on-the-trail-of-fast-flux-botnets) — swathes of infected computers, each with their own IP, that act as proxies.
With this in hand, an attacker can configure a malicious domain’s DNS address (A) record so that rather than resolving to just one IP, it resolves to many. Those many addresses are rotated frequently — in minutes, or even seconds — so that the domain they support won’t be taken down if one or even many of them get blocked.

If that’s not enough, attackers can layer on the obscurity with the ‘double flux’ technique. In double flux, threat actors also rotate the name servers (NS) responsible for connecting the domain and IP address together, providing additional vertigo for any potential cybersecurity defenders. Attackers can make this harder still to take down by, for example, hosting all of this rotating infrastructure with bulletproof services.

Should You Worry About Fast Flux?
---------------------------------

Fast flux might sound perfectly effective in theory. But it’s not as impenetrable as it once might have been.

‘This technique is very old and to run it independently requires significant skill,’ Burton tells Dark Reading. ‘It requires resources and thought from the actors and doesn’t provide that much advantage in an attack. Protective DNS (PDNS) providers can identify bad domain behavior in many ways and block at the domain level, so having numerous IPs actually works against them from a detection perspective.’

In other words, when one focuses not on the malicious endpoints but on the connections made to them, this carousel of IP addresses and name servers suddenly starts to look less like a stealth tactic than a raging red flag. ‘Identifying and blocking suspicious domains can be done in many ways, including [by analyzing] the variety of IP addresses. The goal with protective DNS is to block the domain resolution, regardless of the IP address and regardless of the technique,’ she explains.
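The detection angle Burton describes, written out as an added example that is not from the article, CISA or Infoblox: a small Python scorer over passive-DNS-style observations that flags a name whose A records scatter across many unrelated /24 networks with short TTLs (single flux), and reports double flux when the same name's NS set churns as well. The input line format, the thresholds, and every domain name and address in the sample are assumptions constructed for illustration.

```python
"""Heuristic fast-flux scorer over passive-DNS observations (added example).

Signals, from the defender's side of the technique described above:
  * many distinct A-record IPs for one queried name,
  * spread across many /24 networks (a botnet, not one hosting range),
  * very low TTLs, so resolvers re-query and see the rotation,
  * double flux: the NS set for the same name churns too.
Line format '<epoch> <qname> <rtype> <rdata> <ttl>' is an assumption.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Thresholds are assumed for illustration; tune against your own resolver data.
MIN_DISTINCT_IPS = 8     # single flux needs many endpoints...
MIN_DISTINCT_NETS = 5    # ...scattered across unrelated /24s
MAX_TTL_SECONDS = 300    # low TTL keeps resolvers re-querying
MIN_DISTINCT_NS = 4      # double flux also rotates the name servers


@dataclass
class NameStats:
    ips: Set[str] = field(default_factory=set)
    nets: Set[str] = field(default_factory=set)
    nameservers: Set[str] = field(default_factory=set)
    min_ttl: Optional[int] = None


def parse_line(line: str):
    """Split one observation; names are normalised to lowercase without a trailing dot."""
    ts, qname, rtype, rdata, ttl = line.split()
    return int(ts), qname.rstrip(".").lower(), rtype.upper(), rdata.rstrip(".").lower(), int(ttl)


def aggregate(lines: Iterable[str]) -> Dict[str, NameStats]:
    """Collapse observations into per-name IP, /24 and NS diversity plus the lowest TTL seen."""
    stats: Dict[str, NameStats] = defaultdict(NameStats)
    for line in lines:
        _, qname, rtype, rdata, ttl = parse_line(line)
        s = stats[qname]
        if rtype == "A":
            try:
                ip = ipaddress.IPv4Address(rdata)
            except ValueError:
                continue  # malformed rdata carries no signal
            s.ips.add(str(ip))
            s.nets.add(str(ipaddress.ip_network(f"{ip}/24", strict=False)))
        elif rtype == "NS":
            s.nameservers.add(rdata)
        else:
            continue  # other record types are not scored here
        s.min_ttl = ttl if s.min_ttl is None else min(s.min_ttl, ttl)
    return stats


def classify(s: NameStats) -> str:
    """Return 'double-flux', 'fast-flux' or 'benign' for one name's aggregated stats."""
    low_ttl = s.min_ttl is not None and s.min_ttl <= MAX_TTL_SECONDS
    single = low_ttl and len(s.ips) >= MIN_DISTINCT_IPS and len(s.nets) >= MIN_DISTINCT_NETS
    if single and len(s.nameservers) >= MIN_DISTINCT_NS:
        return "double-flux"
    if single:
        return "fast-flux"
    return "benign"


def scan(lines: Iterable[str]) -> Dict[str, str]:
    """Verdict per queried name: the block decision is made on the name, not on any one IP."""
    return {name: classify(s) for name, s in aggregate(lines).items()}


def sample_lines() -> List[str]:
    """Constructed observations (not real telemetry) covering the cases discussed."""
    lines: List[str] = []
    t = 1_700_000_000
    # 1) double flux: 12 IPs in 12 unrelated /24s, TTL 60, and five rotating name servers
    for i in range(1, 13):
        lines.append(f"{t + 60 * i} flux.example A 10.{i}.{(7 * i) % 256}.{(13 * i) % 256} 60")
    for i in range(1, 6):
        lines.append(f"{t + 60 * i} flux.example NS ns{i}.flux-zone.example. 60")
    # 2) single flux: the same IP scatter at TTL 120, but a stable two-server NS set
    for i in range(1, 11):
        lines.append(f"{t + 120 * i} singleflux.example A 10.{100 + i}.{i}.{2 * i} 120")
    lines.append(f"{t} singleflux.example NS ns1.stable.example. 3600")
    lines.append(f"{t} singleflux.example NS ns2.stable.example. 3600")
    # 3) CDN-like: many IPs and a tiny TTL, but all inside two hosting /24s -> benign
    for i in range(1, 11):
        net = "192.0.2" if i % 2 else "198.51.100"
        lines.append(f"{t + 20 * i} cdn-like.example A {net}.{i} 20")
    # 4) an ordinary static host
    lines.append(f"{t} static.example A 203.0.113.10 86400")
    return lines


if __name__ == "__main__":
    for name, verdict in sorted(scan(sample_lines()).items()):
        print(f"{name:22s} {verdict}")
```

The /24-diversity rule is what keeps a CDN or load-balanced service, which also answers with many addresses at short TTLs, out of the flux bucket; in practice an ASN or netblock lookup does the same job better than a fixed prefix length, and the verdict is an input to a protective-DNS block decision on the name, which is the point Burton makes about IP count working against the attacker.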
These days, Burton reports, fast flux is quite rare — particularly double flux schemes. From her vantage point, modern attackers seem to be hiding their infrastructure even more effectively with technologies commonly used by shady adtech services, like domain cloaking and [traffic distribution systems (TDS)](https://www.darkreading.com/threat-intelligence/vextrio-tds-biggest-cybercrime-operation-web). ‘This isn’t to say that fast flux isn’t happening. There may be some rise that the government sees but didn’t articulate. However, there are many ways to skin a cat,’ she says.

About the Author
----------------

[Nate Nelson, Contributing Writer](/author/nate-nelson)
Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote ‘Malicious Life,’ an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts ‘The Industrial Security Podcast.’