Cyber agencies warn of fast flux threat tactics

April 8, 2025

Three U.S. cybersecurity-focused agencies, alongside similar agencies in Australia, Canada and New Zealand, recently issued a warning about fast flux, a type of tactic threat actors use to avoid detection and eviction from networks.

Fast flux provides threat actors with network redundancy and enables them to avoid drawing too much attention to any specific network resource — such as an IP address, a name server or a domain name. It is useful for hiding compromises in a network that institutions would typically detect by, for example, figuring out which IP addresses computers are connecting to most often.

“This resilient and fast changing infrastructure makes tracking and blocking malicious activities that use fast flux more difficult,” reads the report from the FBI, the National Security Agency and the other agencies that issued the warning.

Fast flux is a tactic threat actors most often use in command and control (C2) infrastructure. These are systems that threat actors use to control computers in the target’s network. Often, these computers have malware installed on them, but installing the malware is only part of the battle; the threat actor then has to have the computer “phone home” (i.e., connect to the threat actor’s own computer) while avoiding detection.

Botnets are one of the key malicious technologies that enable the fast flux tactic. A botnet consists of internet-connected devices that, often unbeknownst to the device's owner, are controlled by a threat actor. These devices might be laptops, IoT devices or anything else that connects to the internet.

Botnets arm threat actors with huge numbers of computers through which they can proxy web requests in order to obfuscate their behavior. This is most helpful when attacking institutions that have cybersecurity staff dedicated to detecting this kind of behavior.


At the most basic level, fast flux allows a threat actor to use a huge number of unconnected IP addresses, so that no single address looks too suspicious. If a computer consistently makes numerous requests to a single IP address, that address will likely get the attention of a network analyst, eventually leading to the intruder getting noticed.

For this and other reasons, threat actors often use pools of IP addresses. This allows them to spread activity over numerous addresses, so that no single address draws too much attention.

This is part of the fast flux approach. The threat actor changes the IP address they are using to connect to a compromised host, often every five minutes or so, to the next address in the pool.

The threat actor changes the IP address they are using to connect to the compromised host by changing the DNS records on the name server the host uses. Name servers take a domain name (such as americanbanker.com) and map it to the IP address (such as 15.197.254.45) to which the computer can actually connect. DNS records define these mappings.

The joint advisory includes a graphic illustrating single flux, the most basic form of fast flux, which involves only switching between IP addresses. In double flux, which also involves changing name servers, the cyber actor controls a pool of DNS name servers that frequently change as well.

More advanced fast flux schemes involve rotating not just IP addresses but the name server as well.

Rather than hitting the same name server with DNS requests every time the compromised host tries to connect to the malicious network, the threat actor rotates through a number of name servers. Just like rotating through IP addresses makes each IP address less suspicious, rotating through name servers prevents any one of the servers from getting too much attention.


Another technical advancement a malicious actor can make to fast flux is rotating through domain names. This ensures not only that no single domain name draws too much attention, but that if a domain name gets shut down or blacklisted, the threat actor can rely instead on a different one to connect to compromised hosts.

Few methods exist for directly disrupting fast flux behavior. Rather, the agencies that issued the warning recommended stakeholders develop and implement scalable solutions to close “this ongoing gap in network defenses” and issued a number of indirect countermeasures.

“Quickly detecting malicious fast flux activity and differentiating it from legitimate activity remains an ongoing challenge to developing accurate, reliable, and timely fast flux detection analytics,” reads the warning.

The warning specifically called out protective DNS, or PDNS, providers as needing to help mitigate the threat of fast flux. These providers support the DNS system that malicious actors exploit to avoid detection; the warning implored these providers to implement anomaly detection to identify domains that frequently switch between IP addresses, especially if those addresses have inconsistent geolocations.
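The anomaly detection the advisory asks PDNS providers for can be sketched as a simple analytic over passive-DNS observations. The code below is an added example, not part of the article or the advisory: it applies the heuristics the article describes (rapid churn through many IP addresses with short TTLs and inconsistent geolocations for single flux, a rotating pool of name servers on top of that for double flux) to a constructed set of observations, and shows why a legitimate CDN with consistent geolocation is not flagged. The thresholds and the record layout are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed passive-DNS observations for this example (not real indicators):
# (minute seen, domain, record type, value, TTL in seconds, country of the A-record IP)
OBSERVATIONS = [
    (0,  "flux.example.test",   "A",  "203.0.113.10",      180, "US"),
    (0,  "flux.example.test",   "NS", "ns1.rotating.test", 180, ""),
    (5,  "flux.example.test",   "A",  "198.51.100.7",      180, "BR"),
    (5,  "flux.example.test",   "NS", "ns2.rotating.test", 180, ""),
    (10, "flux.example.test",   "A",  "192.0.2.200",       180, "VN"),
    (10, "flux.example.test",   "NS", "ns3.rotating.test", 180, ""),
    (15, "flux.example.test",   "A",  "203.0.113.44",      180, "DE"),
    (0,  "single.example.test", "A",  "198.51.100.20",     120, "US"),
    (0,  "single.example.test", "NS", "ns1.fixed.test",    120, ""),
    (5,  "single.example.test", "A",  "203.0.113.99",      120, "TR"),
    (10, "single.example.test", "A",  "192.0.2.77",        120, "ID"),
    (15, "single.example.test", "A",  "198.51.100.140",    120, "PL"),
    (0,  "cdn.example.test",    "A",  "192.0.2.10",         60, "US"),  # legitimate CDN:
    (5,  "cdn.example.test",    "A",  "192.0.2.11",         60, "US"),  # many IPs and a low
    (10, "cdn.example.test",    "A",  "192.0.2.12",         60, "US"),  # TTL, but consistent
    (15, "cdn.example.test",    "A",  "192.0.2.13",         60, "US"),  # geolocation
]


def summarize(observations):
    """Per-domain view: distinct A-record IPs, distinct name servers, countries, lowest TTL."""
    stats = defaultdict(lambda: {"ips": set(), "ns": set(), "countries": set(), "min_ttl": None})
    for _minute, domain, rtype, value, ttl, country in observations:
        s = stats[domain]
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        if rtype == "A":
            s["ips"].add(value)
            s["countries"].add(country)
        elif rtype == "NS":
            s["ns"].add(value)
    return stats


def classify(s, min_ips=4, max_ttl=300, min_countries=3, min_ns=3):
    """IP churn with short TTLs across inconsistent geolocations suggests single flux;
    a rotating pool of name servers on top of that suggests double flux. Thresholds are assumed."""
    churning = len(s["ips"]) >= min_ips and s["min_ttl"] <= max_ttl
    scattered = len(s["countries"]) >= min_countries
    if not (churning and scattered):
        return "benign"
    return "double-flux" if len(s["ns"]) >= min_ns else "single-flux"


def flag_fast_flux(observations):
    """Return {domain: verdict} for every domain whose records look like fast flux."""
    verdicts = {d: classify(s) for d, s in summarize(observations).items()}
    return {d: v for d, v in verdicts.items() if v != "benign"}
```

In production the same logic would run over a sliding time window per domain and feed the flagged domains into blocking or sinkholing, as the later paragraphs describe.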

As for other organizations, the agencies encouraged the practice of sinkholing malicious activity once it is discovered. Sinkholing means redirecting traffic from malicious domains to a server that can capture and analyze the traffic — essentially intercepting messages meant for compromised hosts, to help identify other compromises.

While fast flux is meant to circumvent blacklists, the agencies nonetheless recommend blocking traffic to and from IP addresses with poor reputations, especially ones identified as participating in fast flux activity.


Sharing indicators of compromise, especially IP addresses that are involved in these schemes, can also help other institutions avoid them.
