Botnets employ fast flux techniques to obfuscate the specific host involved in their phishing schemes, malware delivery or other criminal enterprises. A fast-flux domain name service (DNS) enables bots to use a shifting number of compromised hosts. Fast flux hides many IP addresses behind a single, legitimate domain name. The IP addresses are then swapped in and out with great frequency (usually under 5 minutes) without changing DNS records.
In single-flux, multiple nodes within a network register and unregister their addresses as part of the DNS record list for a single DNS name. In double-flux, the same is done, except that the record list is not just for a single DNS name but for the entire DNS zone, which can involve multiple domains and sub-domains. Double-flux can provide extra secrecy to malware networks and make it hard to determine the source of the attack.
Fast flux effectively keeps the computer or server that is performing the malicious attacks from being detected, leaving defenders unable to find a single point of weakness on which to focus their efforts. Fast flux is used regularly to overwhelm corporate networks with denial-of-service attacks or to send large amounts of spam email.
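From the defender's side, the traits described above (many addresses behind one name, rotation in under 5 minutes, and for double-flux the same churn at the zone's name servers) can be checked in passive DNS data. The following Python is an added example, not code from the original page; the thresholds, the /24 spread test, the record layout and the `.example` sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

MAX_TTL = 300    # seconds, matching the "under 5 minutes" rotation above
MIN_ADDRS = 5    # assumed threshold: distinct addresses seen in one window
MIN_NETS = 3     # assumed threshold: distinct /24 networks they span

def _fluxing(records):
    """records: list of (address, ttl) seen for one name and record kind."""
    addrs = {a for a, _ in records}
    nets = {ip_network(f"{a}/24", strict=False) for a in addrs}
    short_ttl = all(ttl <= MAX_TTL for _, ttl in records)
    return short_ttl and len(addrs) >= MIN_ADDRS and len(nets) >= MIN_NETS

def classify(observations):
    """Map each domain to 'double-flux', 'single-flux' or 'stable'.

    observations: (domain, kind, address, ttl) tuples from one window; kind is
    'host' (A record of the name) or 'ns' (address of the zone's name server).
    """
    by_domain = defaultdict(lambda: {"host": [], "ns": []})
    for domain, kind, address, ttl in observations:
        by_domain[domain][kind].append((address, ttl))
    verdicts = {}
    for domain, recs in by_domain.items():
        host, ns = _fluxing(recs["host"]), _fluxing(recs["ns"])
        verdicts[domain] = ("double-flux" if host and ns else
                            "single-flux" if host else "stable")
    return verdicts

# Constructed sample data using documentation address ranges (RFC 5737).
_NETS = ("192.0.2", "198.51.100", "203.0.113")
def _spread(n, start):
    return [f"{_NETS[i % 3]}.{start + i}" for i in range(n)]

SAMPLE = (
    [("single.example", "host", a, 180) for a in _spread(6, 10)]
    + [("single.example", "ns", "192.0.2.53", 86400)]
    + [("double.example", "host", a, 120) for a in _spread(8, 40)]
    + [("double.example", "ns", a, 240) for a in _spread(5, 90)]
    # Low TTL, several addresses, but one network: looks like ordinary hosting.
    + [("cdn.example", "host", f"198.51.100.{i}", 60) for i in range(200, 206)]
    + [("cdn.example", "ns", "198.51.100.53", 3600)]
)

if __name__ == "__main__":
    for name, verdict in sorted(classify(SAMPLE).items()):
        print(f"{name:16} {verdict}")
```

Short TTLs and multiple addresses also describe legitimate load-balanced hosting, so the thresholds should be tuned against known-good traffic before alerting on them.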