Fast Flux Technique for Concealing Command and Control (C&C) and Evading Detection
Overview
In April 2025, the U.S. National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) jointly released a cybersecurity advisory (Fast Flux: A National Security Threat), in which the Fast-Flux Network was again designated as a key threat. Since the technique was first detected in the Storm botnet in 2007, it has been used as a key means to hide and evade the detection of Command and Control (C2) servers in numerous malware campaigns.
Fast-Flux takes advantage of how ordinary domain-based infrastructure operates to make the threat actors' C2 infrastructure difficult to detect, posing a significant challenge to security companies in Korea and abroad in detecting and blocking such threats. This post examines how Fast-Flux works and how threat actors configure it, along with actual cases of its exploitation.
What Is Fast-Flux?
In the typical domain-based communication structure, one domain is mapped to one or a few fixed IP addresses, and users are always connected to the same server when making requests. This way, users can communicate with the server using a meaningful domain name instead of having to remember a complex numerical IP address.

Figure 1. IP lookup and communication structure through the domain
In contrast, Fast-Flux is a technique in which threat actors manipulate DNS settings so that a domain they control resolves to many different IP addresses within a short period of time.
As a result, even if a security device blocks one IP, communication is maintained because a new IP is allocated shortly afterward. The DNS TTL value is reduced to between several seconds and several minutes, creating a structure in which the IP changes nearly every time the domain is queried.

Figure 2. Mapping between domain and IP
Threat actors operate a large number of proxy nodes, typically infected end-user PCs or dynamically created virtual container environments, to form a Fast Flux network. Multiple proxy nodes or zombie hosts controlled by the threat actors participate in DNS responses, so only the IP addresses of these nodes are exposed when the domain is queried. The actual C2 server remains hidden behind these nodes, achieving a C2 concealment effect. Each proxy node is configured as an A record for the domain and communicates with the actual C2 server to relay commands.
The Fast Flux technique is broadly divided into two methods. The first one is Single-Flux, a single structure that only rotates the A record of DNS. The second one is Double-Flux, which rotates not only the A record, but also the NS (Name Server) record. These two methods differ in implementation complexity and detection evasion performance, and can be selectively used according to the threat actor’s goals and infrastructure.
Single-Flux
Single-Flux refers to the technique of rapidly rotating the DNS A records, i.e. the domain's list of IP addresses. The domain continuously responds with a changing IP list, and each IP belongs to a proxy server or zombie host of the threat actor. This configuration allows clients to keep reaching the domain even if one IP address is blocked or goes down.
Figure 3 shows an example of configuring a Single-Flux environment from the threat actor's perspective.

Figure 3. Single-Flux structure(1)
The operating method of Single-Flux can also be used for legitimate purposes, such as improving performance in dynamic hosting environments like Content Delivery Networks (CDNs) and load balancers. From the defender's perspective, however, the same structure makes the network difficult to detect and block.
From a user's perspective, it is important to check how IP addresses are returned when querying a domain configured with Fast Flux. To do this, a Single Flux DNS server was configured in a virtual environment. As shown in Figure 4, each query for the IP address of the domain "attack.lab" returns a different list of IP addresses.

Figure 4. IP rotation when domain IP is looked up
Double-Flux
Double-Flux rapidly changes not only the A record but also the NS (Name Server) record. The name server that resolves the domain is itself a disguised proxy node, and this double layer of disguise further improves the ability to evade detection. Sophisticated botnets such as GameOver Zeus have used this method.
Figure 5 shows an example of configuring a Double-Flux environment from the threat actor's perspective.

Figure 5. Double-Flux configuration(2)
Cases of Exploitation
Storm botnet (2006~2007)
The Storm botnet is one of the early cases that actively used Fast-Flux technology. This botnet massively distributed malicious links via email and rapidly rotated through hundreds of IPs connected to its domains, making it difficult for law enforcement agencies and security systems to detect them. It was during this time that the Fast-Flux technique, which drastically reduces the TTL, began to be actively used. For more information on this case, please refer to Storm Botnet | Encyclopedia MDPI.
GameOver Zeus (2014)
GameOver Zeus is a sophisticated malware family that steals financial information. It not only uses a P2P communication structure, but also actively employs the Double-Flux technique, periodically rotating Fast Flux-based NS records. The number of infected systems reached several million, and it remained a global threat until the FBI and Europol carried out an international joint operation to dismantle it. For more information on the case of a GameOver Zeus variant that used both a domain generation algorithm (DGA) and Fast Flux, refer to the report "New Zeus Gameover Employs DGA and Fast Flux Techniques" by Trend Micro (US).
Gamaredon (2022~2024)
The Russia-based APT group Gamaredon launched a long-term reconnaissance and information collection operation against NATO member countries using a Fast-Flux Network from 2022 to 2024. They made detection difficult by not only changing IPs, but also using a variety of ASNs and IP address ranges, and built an infrastructure that could be operated for a long period of time. This is a case of a state-sponsored organization continuously operating Fast-Flux, not a simple cybercrime group. For a detailed analysis on the technical characteristics and operation methods of the infrastructure, please refer to Silent Push’s report, “From Russia with a 71: Uncovering Gamaredon’s fast flux infrastructure”.
BPH Service
Bulletproof Hosting (BPH) is an Internet hosting service that supports malicious activities and ignores requests from law enforcement and security agencies. BPH providers offer Fast Flux as a core service. Threat actors utilize these services as the infrastructure for various illegal activities, such as malicious marketplaces, phishing sites, and spam distribution.

Figure 6. Fast Flux service page(3)
To prevent their customers’ servers from being exposed, many BPH services use a “dummy interface.” This involves setting up a fake intermediate node that responds to DNS queries, so the actual attack infrastructure remains hidden and only the intermediate node is blacklisted.
In reality, many BPH services provide each user with their own IP pool and use a global domain registration system to distribute the infrastructure’s location worldwide. This means that even if a single node or domain is blocked, it does not affect the overall operation of the attack infrastructure. This approach further enhances the stealth and resilience of Fast Flux, enabling the continuous operation of malicious infrastructures.
Conclusion
The Fast Flux technique goes beyond disrupting the simple domain-IP mapping structure, serving as a sophisticated attack method designed to evade detection and conceal infrastructures. Threat actors employ this technique to bypass IP-based blocking and exploit the weaknesses of conventional security systems.
To effectively counter such threats, organizations need to enhance their technical capabilities in both detection and prevention, as well as review their internal DNS policies. For instance, detection techniques such as TTL-based analysis, anomaly detection of A/NS records, and IP distribution analysis can be employed. In addition, prevention strategies such as changing internal DNS resolver policies (strengthening caching), restricting the use of external DNS, and integrating threat intelligence should be implemented.
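The detection techniques named above (TTL-based analysis, anomaly detection of A/NS records, and IP distribution analysis) can be combined into a single scoring pass over successive DNS answers, which also reproduces the Figure 4 observation that each query of attack.lab returns a different IP list. The following Python is an added example, not code from the original post or from its author; the answer snapshots are constructed `dig +noall +answer`-style lines using documentation address ranges, attack.lab is the lab domain from the post, the host cdn.example is hypothetical, and the thresholds and the use of /16 prefixes as a rough stand-in for ASN diversity are illustrative assumptions.

```python
"""Fast-flux heuristics over successive DNS answers (added example).

Assumptions: thresholds are illustrative, /16 prefixes stand in for ASN
diversity (a real pipeline would map IPs to ASNs), and every sample below
is constructed for this example.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

LOW_TTL_SECONDS = 300      # TTL at or below this is "short" (assumption)
MIN_DISTINCT_IPS = 5       # distinct A-record IPs across snapshots (assumption)
MIN_DISTINCT_PREFIXES = 3  # distinct /16 prefixes across snapshots (assumption)

Record = Tuple[str, int, str, str]  # (owner, ttl, type, rdata)


def parse_answer(text: str) -> List[Record]:
    """Parse 'dig +noall +answer'-style lines: OWNER TTL IN TYPE RDATA."""
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # blank, comment or unexpected line
        owner = parts[0].rstrip(".").lower()
        rdata = " ".join(parts[4:]).rstrip(".").lower()
        records.append((owner, int(parts[1]), parts[3], rdata))
    return records


def analyze(domain: str, snapshots: List[str]) -> Dict[str, object]:
    """Score a sequence of answers for one domain; return metrics and a verdict."""
    domain = domain.rstrip(".").lower()
    a_sets: List[Set[str]] = []     # A records of the domain, per snapshot
    ns_sets: List[Set[str]] = []    # NS names of the domain, per snapshot
    glue_sets: List[Set[str]] = []  # A records of those NS hosts, per snapshot
    min_ttl = None
    for snap in snapshots:
        recs = parse_answer(snap)
        a = {r for o, _, ty, r in recs if o == domain and ty == "A"}
        ns = {r for o, _, ty, r in recs if o == domain and ty == "NS"}
        glue = {r for o, _, ty, r in recs if ty == "A" and o in ns}
        for o, ttl, ty, _ in recs:
            if o == domain and ty in ("A", "NS"):
                min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
        a_sets.append(a)
        ns_sets.append(ns)
        glue_sets.append(glue)

    all_ips: Set[str] = set().union(*a_sets)
    prefixes = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in all_ips}
    # Churn = number of consecutive snapshot pairs whose record set changed.
    # Sets ignore ordering, so plain round-robin reordering is not churn.
    a_churn = sum(a_sets[i] != a_sets[i - 1] for i in range(1, len(a_sets)))
    ns_churn = sum(ns_sets[i] != ns_sets[i - 1] or glue_sets[i] != glue_sets[i - 1]
                   for i in range(1, len(ns_sets)))

    low_ttl = min_ttl is not None and min_ttl <= LOW_TTL_SECONDS
    # A short TTL alone is not a signal (CDNs use them); require real rotation.
    a_flux = low_ttl and len(all_ips) >= MIN_DISTINCT_IPS and a_churn > 0
    ns_flux = ns_churn > 0
    if a_flux and ns_flux:
        verdict = "double-flux"
    elif a_flux:
        verdict = "single-flux"
    else:
        verdict = "stable"
    return {
        "verdict": verdict,
        "low_ttl": low_ttl,
        "min_ttl": min_ttl,
        "distinct_ips": len(all_ips),
        "distinct_prefixes": len(prefixes),
        "ip_spread": len(prefixes) >= MIN_DISTINCT_PREFIXES,
        "a_churn": a_churn,
        "ns_churn": ns_churn,
    }


# Constructed: three successive answers for the post's lab domain attack.lab,
# Single-Flux style (A records rotate, 30-second TTL, several /16 prefixes).
SINGLE_FLUX = [
    "\n".join(["attack.lab.  30  IN  A  192.0.2.11",
               "attack.lab.  30  IN  A  198.51.100.23",
               "attack.lab.  30  IN  A  203.0.113.7"]),
    "\n".join(["attack.lab.  30  IN  A  198.18.4.90",
               "attack.lab.  30  IN  A  192.0.2.45",
               "attack.lab.  30  IN  A  203.0.113.130"]),
    "\n".join(["attack.lab.  30  IN  A  198.19.77.2",
               "attack.lab.  30  IN  A  198.51.100.200",
               "attack.lab.  30  IN  A  192.0.2.99"]),
]

# Constructed: the same A-record rotation plus rotating NS records and glue
# (Double-Flux style): the name server itself moves between proxy nodes.
NS_ROTATION = [
    "attack.lab.  30  IN  NS  ns1.attack.lab.\nns1.attack.lab.  30  IN  A  192.0.2.11",
    "attack.lab.  30  IN  NS  ns2.attack.lab.\nns2.attack.lab.  30  IN  A  198.18.4.90",
    "attack.lab.  30  IN  NS  ns1.attack.lab.\nns1.attack.lab.  30  IN  A  198.19.77.2",
]
DOUBLE_FLUX = [a + "\n" + ns for a, ns in zip(SINGLE_FLUX, NS_ROTATION)]

# Constructed: a hypothetical CDN-like host with a low TTL but a stable,
# same-prefix address set (only the answer order changes between queries).
CDN_LIKE = [
    "cdn.example.  60  IN  A  203.0.113.20\ncdn.example.  60  IN  A  203.0.113.21",
    "cdn.example.  60  IN  A  203.0.113.21\ncdn.example.  60  IN  A  203.0.113.20",
    "cdn.example.  60  IN  A  203.0.113.20\ncdn.example.  60  IN  A  203.0.113.21",
]

if __name__ == "__main__":
    for name, snaps in [("attack.lab", SINGLE_FLUX), ("attack.lab", DOUBLE_FLUX),
                        ("cdn.example", CDN_LIKE)]:
        print(name, analyze(name, snaps))
```

The CDN-like sample is there to make the caveat from the Single-Flux section concrete: a short TTL by itself classifies nothing, and only rotation of the address set (and, for Double-Flux, of the NS names or their glue addresses) across snapshots pushes the verdict. In production the snapshots would come from a passive DNS feed or a resolver log rather than from constructed strings, and the /16 grouping would be replaced by a real IP-to-ASN lookup.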
To prevent damage from Fast Flux-based attacks, it is necessary to improve DNS-based attack detection capabilities within the overall security system and to trace the infrastructure in the long term. It is also essential to develop visibility and analysis capabilities to trace the entities within the rapidly rotating domain structure.
Source
(1) Created with reference to Figure 1 in the contents of CSA-FAST-FLUX.PDF
(2) Created with reference to Figure 2 in the contents of CSA-FAST-FLUX.PDF
(3) Fast Flux Bulletproof Hosting Accept Bitcoin – Host’s Book