
Why Are Fast Flux Attacks Deemed a National Security Threat?

In April 2025, a joint cybersecurity advisory was issued about an ongoing threat known as fast flux attacks. Fast flux helps attackers in two main ways. First, it lets them maintain persistent, covert access to a victim's network for command and control (C2) operations. Second, it helps cybercriminal C2 infrastructure and malware hosting operations stay resilient against takedown efforts by law enforcement.

The advisory was produced by leading national security and cyber defense agencies—including the U.S. National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and New Zealand’s National Cyber Security Centre (NCSC-NZ). 

In this article, we explain what fast flux attacks are, how they are being used in cyber attacks, and how organizations have been advised to protect themselves against them.

What Are Fast Flux Attacks?

Fast flux is a cyberattack technique that leverages rapidly changing DNS records [T1568.001]. As discussed below, there are distinct single flux and double flux variants. For a refresher, the Domain Name System (DNS) functions like the internet's phone book: it translates human-readable domain names (like example.com) into IP addresses. When you enter a URL, your device sends a DNS query to find the IP address associated with the URL's domain. The TCP/IP stack then uses that IP address to route the request to the server hosting the content you were looking for.

DNS records are stored on authoritative name servers, and most systems query public DNS servers that are globally synchronized. Using fast flux, attackers rotate DNS records frequently, so when a client looks up the IP address for a domain name, the answer may be different from the previous lookup. This makes it harder to block malware from "calling home" to attacker-controlled C2 servers. It also reduces the effectiveness of law enforcement efforts to take down malicious servers hosting C2 or malware: by simply changing the DNS records, attackers can point the domain at a different server.

Firewalls and Intrusion Detection Systems (IDS) struggle to keep up, as newly assigned IPs may not yet be flagged as malicious. Combined with botnets that act as residential proxies, attackers have a virtually unlimited supply of IP addresses with which to evade defenders' security controls. Sharing cyber threat intelligence (CTI) also becomes less effective, because by the time indicators such as IP addresses are distributed and actioned across networks, the attacker has already moved on to a new set. Fast flux networking is even offered by bulletproof hosting providers as a service to attract cybercriminal customers.

How Do Fast Flux Networks Benefit Threat Actors?

Fast flux supports more resilient C2 operations, better uptime for Dark Web marketplaces, and other cybercrime infrastructure such as credential-stealing operations and spam distribution platforms.

The benefits of fast flux for attackers include:

  • High Resilience: The frequent rotation of IP addresses across a wide botnet makes it hard for defenders or authorities to block or disable malicious infrastructure.

  • Defeat IP Blocking: Traditional IP-based blocking used by many firewalls becomes ineffective, because each IP tied to a malicious domain is only active for a short period of time before DNS records are modified.

  • Operational Anonymity: Constant infrastructure changes hinder attribution efforts and allow attackers to hide the true origin of malicious traffic.

  • Phishing Campaign Resilience: Attackers use fast flux to keep phishing websites live longer, even after being flagged or blocked, which increases the success rate of social engineering attacks.

  • Dark Web Resilience: Cybercriminal forums and marketplaces use fast flux to resist takedowns, ensuring continued access to illicit services and goods.

  • Malware and Credential Theft Infrastructure: Services like botnet controllers, fake e-commerce sites, and information stealers remain online through fast flux techniques, making disruption much harder.

How Does Single Flux Work?

Single flux is a technique where one domain name is tied to many IP addresses that rotate frequently. When one address is blocked or taken down, others quickly take its place, keeping the domain online and reachable. This makes it hard for defenders to block access via IP filtering alone.

Figure 1: Illustration of the Single Flux Technique. In single flux, a domain resolves to a rotating set of IP addresses to avoid detection. Source: CISA Cybersecurity Advisory AA25-093A.

How Does Double Flux Work?

Double flux builds on single flux by also rotating the DNS name servers responsible for resolving the domain. This adds another layer of redundancy and obscurity, making the infrastructure even more difficult to block or shut down.

Figure 2: Diagram Showing Double Flux DNS Behavior. Both the domain’s IP addresses and name servers are rotated frequently. Source: Joint Cybersecurity Advisory AA25-093A.

How to Protect Yourself Against Fast Flux Attacks?

Defending against fast flux attacks requires a strategy that combines DNS monitoring, threat intelligence, and collaboration with security service providers. Since fast flux activity can resemble legitimate behavior (such as content delivery networks), detection must be both reliable and context-aware.

Key protection steps include:

  • Use Protective DNS (PDNS) Services: Use a PDNS provider that actively detects and blocks fast flux domains by name rather than by IP address. This relies on real-time analytics and on filtering traffic by domain reputation. Organizations should confirm whether their PDNS service provides fast flux detection. Organizations at high risk should conduct security testing, such as objective-based penetration testing campaigns, to proactively verify that their PDNS service is effective.

  • Monitor DNS Activity Closely: Look for domains with low TTL (Time To Live) values, frequent IP changes, or other anomalies such as inconsistent ASN (Autonomous System Number) or geolocation in DNS responses. Use network and DNS anomaly detection systems to identify patterns that deviate from normal behavior.

  • Implement Domain-Level Blocking and Sinkholing: Since IP-based blocking is not effective against fast flux, block access to known fast flux domains using DNS filtering, or sinkhole them to analyze the malicious traffic. Sinkholing redirects requests for a malicious domain to a server the defender controls, enabling defenders to observe attacker behavior and identify infected systems.

  • Participate in Threat Sharing: Share Indicators of Compromise (IOCs) with trusted partners and cyber threat intelligence (CTI) sharing communities to improve early detection across the ecosystem.

  • Educate Employees About Phishing: Since fast flux often supports phishing campaigns, regular training can help reduce the risk of initial compromise.
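The single flux and double flux sections above, and the monitoring and sinkholing steps in this list, describe indicators that can be computed from an ordinary resolver log: the TTL on the answers, how many distinct IP addresses and autonomous systems a domain resolves to over time, and whether the zone's name servers also rotate. The following Python script is an added example written for this article; it is not code from the advisory or from any PDNS product. It runs over a constructed resolver log (the domains, IP addresses and ASNs are all made up, and the thresholds are assumed starting points rather than vendor-recommended values), labels each domain as benign, single flux or double flux, and then emits a BIND Response Policy Zone that sinkholes the flagged domains to a monitoring address. The CDN-like sample is there to show the caveat from the text: a low TTL and changing answers alone are not enough, because that is exactly what a content delivery network looks like.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Lookup:
    """One resolver observation of a domain (constructed record layout)."""
    ts: int                      # seconds into the observation window
    qname: str                   # domain that was queried
    a_records: Tuple[str, ...]   # IPv4 answers returned
    ns_records: Tuple[str, ...]  # NS set the resolver saw for the zone
    ttl: int                     # TTL on the A answers


# Constructed IP -> ASN map with hypothetical private-range ASNs. A real
# deployment would consult a BGP/whois data source instead.
ASN_OF_IP = {
    "203.0.113.10": 64500, "203.0.113.11": 64500, "203.0.113.12": 64500,
    "198.51.100.5": 64501, "198.51.100.9": 64502, "192.0.2.33": 64503,
    "192.0.2.44": 64504, "198.51.100.71": 64505, "203.0.113.200": 64506,
    "192.0.2.7": 64507, "198.51.100.120": 64508, "203.0.113.77": 64509,
    "192.0.2.150": 64510, "198.51.100.201": 64511,
}

# Heuristic thresholds (assumed values; tune them against your own logs).
LOW_TTL = 300        # seconds; CDNs and flux networks both use low TTLs
MIN_UNIQUE_IPS = 5   # distinct A answers seen across the window
MIN_UNIQUE_ASNS = 3  # ASN spread separates botnet hosts from one CDN
MIN_UNIQUE_NS = 3    # rotating name servers is the double flux signature

NS_CDN = ("ns1.cdn.example", "ns2.cdn.example")
NS_A = ("ns1.flux-a.example", "ns2.flux-a.example")

# Constructed resolver log: three domains looked up repeatedly.
SAMPLE: List[Lookup] = [
    # CDN-like: low TTL, rotating answers, but few IPs in one ASN, stable NS
    Lookup(0, "static.cdn.example", ("203.0.113.10", "203.0.113.11"), NS_CDN, 60),
    Lookup(60, "static.cdn.example", ("203.0.113.11", "203.0.113.12"), NS_CDN, 60),
    Lookup(120, "static.cdn.example", ("203.0.113.12", "203.0.113.10"), NS_CDN, 60),
    # Single flux: A records rotate across many ASNs, name servers stay fixed
    Lookup(0, "update.flux-a.example", ("198.51.100.5", "192.0.2.33"), NS_A, 120),
    Lookup(120, "update.flux-a.example", ("198.51.100.9", "192.0.2.44"), NS_A, 120),
    Lookup(240, "update.flux-a.example", ("198.51.100.71", "203.0.113.200"), NS_A, 120),
    # Double flux: both the A records and the NS records rotate
    Lookup(0, "login.flux-b.example", ("192.0.2.7", "198.51.100.120"),
           ("ns-a.flux-b.example", "ns-b.flux-b.example"), 60),
    Lookup(60, "login.flux-b.example", ("203.0.113.77", "192.0.2.150"),
           ("ns-c.flux-b.example", "ns-d.flux-b.example"), 60),
    Lookup(120, "login.flux-b.example", ("198.51.100.201", "192.0.2.7"),
           ("ns-e.flux-b.example", "ns-a.flux-b.example"), 60),
]


def summarize(lookups: Iterable[Lookup]) -> Dict[str, dict]:
    """Aggregate the per-domain features the advisory's indicators map to."""
    by_name: Dict[str, List[Lookup]] = defaultdict(list)
    for lk in lookups:
        by_name[lk.qname].append(lk)
    summary = {}
    for qname, obs in by_name.items():
        obs = sorted(obs, key=lambda lk: lk.ts)
        ips = {ip for lk in obs for ip in lk.a_records}
        asns = {ASN_OF_IP.get(ip, -1) for ip in ips}  # -1 marks an unknown ASN
        nss = {ns for lk in obs for ns in lk.ns_records}
        # how often the answer set changed between consecutive lookups
        changes = sum(1 for a, b in zip(obs, obs[1:])
                      if set(a.a_records) != set(b.a_records))
        summary[qname] = {"min_ttl": min(lk.ttl for lk in obs),
                          "unique_ips": len(ips), "unique_asns": len(asns),
                          "unique_ns": len(nss), "answer_changes": changes}
    return summary


def classify(features: dict) -> str:
    """Label a domain as benign, single flux or double flux from its features."""
    low_ttl = features["min_ttl"] <= LOW_TTL
    spread = (features["unique_ips"] >= MIN_UNIQUE_IPS
              and features["unique_asns"] >= MIN_UNIQUE_ASNS)
    if low_ttl and spread and features["unique_ns"] >= MIN_UNIQUE_NS:
        return "double flux"
    if low_ttl and spread:
        return "single flux"
    return "benign"  # a low TTL on its own is what a CDN looks like too


def flag_domains(lookups: Iterable[Lookup]) -> Dict[str, str]:
    """Map every observed domain to its verdict."""
    return {q: classify(f) for q, f in summarize(lookups).items()}


def rpz_sinkhole_zone(domains: Iterable[str], sinkhole_ip: str, serial: int = 1) -> str:
    """Emit a BIND Response Policy Zone (RPZ) that answers each flagged domain
    and its subdomains with the sinkhole address, so infected hosts reach the
    monitoring server instead of whichever IP the attacker rotated to."""
    lines = ["$TTL 300",
             f"@ IN SOA localhost. root.localhost. ({serial} 3600 900 604800 300)",
             "@ IN NS localhost."]
    for d in sorted(domains):
        lines.append(f"{d} IN A {sinkhole_ip}")
        lines.append(f"*.{d} IN A {sinkhole_ip}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    verdicts = flag_domains(SAMPLE)
    for name, verdict in verdicts.items():
        print(f"{name:26} {verdict}")
    print(rpz_sinkhole_zone([n for n, v in verdicts.items() if v != "benign"], "192.0.2.1"))
```

The ASN check is what does the real work: the CDN sample churns through addresses just as fast as the flux samples, but all of its addresses sit in a single autonomous system, whereas a botnet of compromised residential hosts is scattered across many. The name-server set is the feature that separates double flux from single flux, which is why it is tracked separately from the A records. The generated RPZ file is one way to apply the domain-level blocking the advisory recommends: loaded into a resolver, it answers the flagged names with the sinkhole address regardless of what the attacker's authoritative servers currently return.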

What is Protective DNS (PDNS)?

Protective DNS (PDNS) is a cyber security service that blocks access to malicious domains by analyzing DNS queries in real time. By intercepting and blocking suspicious DNS requests early, PDNS reduces risk without needing to inspect the full content of network traffic—making it a lightweight yet powerful tool for protecting organizations. PDNS helps prevent a wide range of threats, including malware downloads, phishing sites, and C2 communications.

Conclusion

Fast flux attacks use rapidly changing DNS records to conceal malicious infrastructure and sustain cyber operations. Backed by multiple national cybersecurity agencies, the April 2025 advisory urges organizations to adopt multi-layered defenses, including Protective DNS (PDNS), anomaly detection, and threat intelligence sharing, to detect and mitigate this stealthy and persistent threat to national and organizational security.
