home

Fast flux

Fast flux

(also fast fluxing)

Fast flux definition

Fast flux is a technique used to rapidly change the IP addresses associated with domain names. Fast flux makes it difficult to track down malicious domains and block them. Fast flux is often used by hackers to frustrate law enforcement efforts to take down criminal servers.

While possible to execute manually, the rapid pace of IP turnover in fast flux is typically accomplished with the help of a botnet (a network of compromised devices directed by the hackers to act in concert). The bots act as reverse proxies between the victim and the server hosting the malicious content, preventing the latter’s discovery by law enforcement forces.

See also: IP address blocking, virtual IP address, bot herder, botnet, DNS record, DNS query, DNS TTL

Main types of fast flux networks

• Single flux: In a single flux network, each IP address is associated with a different node, with malicious activities shifting from node to node to evade cybersecurity responses. Each IP address only lives for a short period of time, typically between 3 and 10 minutes — once the time is up, the node deregisters the IP address from the Domain Name System (DNS) and the next node takes its place.
• Double flux: Double flux networks not only rotate the IP addresses associated with different nodes, but also change the IP addresses of their authoritative name servers. This adds an extra layer of obfuscation to the network, making it even more challenging for security systems to track down malicious activities.