DNS fast fluxing is a way of rapidly swapping out the IP addresses associated with a domain, so that malicious domains used for phishing attacks and other criminal activity are harder to block.
After reading this article you will be able to:
Related Content
Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!
Copy article link
DNS fast fluxing is a technique that involves associating multiple IP addresses with a single domain name and changing out these IP addresses rapidly. Sometimes, hundreds or even thousands of IP addresses are used. Attackers use DNS fast fluxing to keep their web properties up and running, hide the true origin of their malicious activity, and stop security teams from blocking their IP address. This technique is commonly used by botnets.
Attackers need their websites to stay up in order to carry out phishing attacks, host malware, sell stolen credit card information, and perform other illegal activities. With DNS fast flux, malicious domains have more uptime and are harder to block, enabling cyber criminals to carry out more attacks. Essentially, DNS fast fluxing turns malicious domains into a moving target.
Think of a bank robber making their getaway: if the police know what car the robber is driving, they can be on alert for cars with that license plate number and stop them before they leave town. Now imagine that bank robber has a trunkful of license plates, and they get out and switch plates every couple of miles. It becomes far more difficult for the police to identify the bank robber's car. DNS fast flux has a similar effect: with a website's IP address changing constantly, it is much harder to identify and block the website.
Attackers will associate multiple IP addresses with one domain name by rapidly changing the DNS records associated with that domain name. An IP address will be registered and then deregistered and replaced with a new IP address every few minutes or seconds. Attackers are able to do this by exploiting a load balancing technique called round robin DNS, and by setting a very short time to live (TTL) for each IP address. Often, some or all of the IP addresses used will be web hosts that the attackers have compromised. The machines at these IP addresses will act as proxies for the attacker's origin server.
Round robin DNS is a way of associating multiple redundant web servers, each with their own IP address, with a domain. When the authoritative nameserver for that domain receives a query, it hands out a different IP address each time, and as a result no one web server gets overwhelmed with traffic (theoretically). While load balancing is the legitimate, intended use of round robin DNS, attackers can use this feature to obfuscate their malicious activity.
Attackers using fast flux will also set a very short TTL for these IP addresses, sometimes as short as 60 seconds. Once the TTL expires, that IP address will no longer be associated with that domain name.
Double fast fluxing adds another layer of DNS fluxing, making it even more difficult to block a domain and track down the origin of malicious activity. With double fast fluxing, the IP address of the authoritative nameserver is also changed out rapidly. (A more technical way to say this is that both the DNS A records for the domain and the DNS NS records for the zone are changed constantly.)
This would be like if the bank robber described above not only changed their license plate continually but also switched cars continually.
The most effective way to stop DNS fast fluxing is to simply take down the domain name. For a variety of reasons, domain name registrars are not always willing or able to do so.
Network administrators can also require users within their network to use DNS servers they control, and to blackhole, or discard, queries for malicious domains. This way, malicious domains are not resolved, and users are unable to access them. This technique is called DNS filtering.