Transnational cybersecurity agencies published on Thursday a joint cybersecurity advisory warning organizations, internet service providers (ISPs), and cybersecurity service providers of the ongoing threat of fast flux-enabled malicious activity, and providing detection and mitigation guidance to safeguard critical infrastructure and national security. The technique obfuscates the locations of malicious servers by rapidly changing the Domain Name System (DNS) records associated with a single domain name; it exploits a gap commonly found in network defenses, making malicious fast flux activity difficult to track and block.
Government and critical infrastructure organizations should close this ongoing gap in many networks’ defenses by using cybersecurity and Protective DNS services that block malicious fast flux activity. Service providers, especially protective DNS providers (PDNS), should track, share information about, and block fast flux as part of their provided cybersecurity services.
Titled ‘Fast Flux: A National Security Threat,’ and published by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ), the advisory detailed that when malicious cyber actors compromise devices and networks, the malware they use needs to ‘call home’ to send status updates and receive further instructions. “To decrease the risk of detection by network defenders, malicious cyber actors use dynamic resolution techniques, such as fast flux, so their communications are less likely to be detected as malicious and blocked.”
Fast flux is a domain-based technique characterized by rapidly changing the DNS records (such as IP addresses) associated with a single domain. Attackers use two common variants. In single flux, a single domain name is linked to numerous IP addresses, which are frequently rotated in DNS responses; if one IP address is blocked or taken down, the domain remains reachable through the other IP addresses.
In double flux, the DNS name servers responsible for resolving the domain also change frequently, in addition to the rapidly rotating IP addresses of single flux. This provides an additional layer of redundancy and anonymity for malicious domains. Double flux techniques have been observed using Name Server (NS) and Canonical Name (CNAME) DNS records.
“Both techniques leverage a large number of compromised hosts, usually as a botnet from across the Internet that acts as proxies or relay points, making it difficult for network defenders to identify the malicious traffic and block or perform legal enforcement takedowns of the malicious infrastructure,” according to the advisory. “Numerous malicious cyber actors have been reported using the fast flux technique to hide C2 channels and remain operational.”
The key advantages of fast flux networks for malicious cyber actors include increased resilience: because a fast flux network rapidly rotates through botnet devices, law enforcement and abuse-notification processes struggle to keep up with the changes and disrupt the service. It also renders IP blocking ineffective, since each IP address is typically no longer in use by the time it is blocked, allowing criminals to maintain resilient operations. Lastly, the advisory listed anonymity: investigators face challenges tracing malicious content back to its source through fast flux networks, because the actors’ C2 botnets keep changing the associated IP addresses throughout the investigation.
Apart from maintaining C2 communications, the advisory said that fast flux can also play a significant role in phishing campaigns by making social engineering websites harder to block or take down. “Phishing is often the first step in a larger and more complex cyber compromise. Phishing is typically used to trick victims into revealing sensitive information (such as login passwords, credit card numbers, and personal data), but can also be used to distribute malware or exploit system vulnerabilities. Similarly, fast flux is used for maintaining high availability for cybercriminal forums and marketplaces, making them resilient against law enforcement takedown efforts.”
The authoring agencies recommend that ISPs and cybersecurity service providers, especially PDNS providers, implement a multi-layered approach in coordination with customers to aid in detecting fast flux activity. However, the advisory noted that quickly detecting malicious fast flux activity and differentiating it from legitimate activity remains an ongoing challenge to developing accurate, reliable, and timely fast flux detection analytics.
Organizations must leverage threat intelligence feeds and reputation services to identify known fast flux domains and associated IP addresses, for example in boundary firewalls, DNS resolvers, and/or SIEM solutions. They must implement anomaly detection for DNS query logs to identify domains exhibiting high entropy or IP diversity in DNS responses and frequent IP address rotations; fast flux domains will frequently cycle through tens or hundreds of IP addresses per day. They must also analyze the time-to-live (TTL) values in DNS records, since fast flux domains often have unusually low TTL values: a typical fast flux domain may change its IP address every two to five minutes.
They must also review DNS resolution for inconsistent geolocation, as malicious domains associated with fast flux typically generate high volumes of traffic with inconsistent IP geolocation information. They must use flow data to identify large-scale communications with numerous different IP addresses over short periods, and develop fast flux detection algorithms to identify anomalous traffic patterns that deviate from usual network DNS behavior.
Organizations must monitor for signs of phishing activity, such as suspicious emails, websites, or links, and correlate these with fast flux activity, since fast flux may be used both to spread phishing campaigns and to keep phishing websites online despite blocking attempts. They must also implement customer transparency, share information about detected fast flux activity, and alert customers promptly once malicious activity is confirmed.
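The following is an added example, not code from the advisory or the authoring agencies, showing how the single-flux and double-flux variants described earlier and the detection indicators listed above (low TTLs, IP and /24 diversity, inconsistent geolocation, and name-server churn) can be scored over passive-DNS observations. Every domain, IP address, timestamp, threshold and the GEO lookup table is a constructed assumption; a real deployment would read resolver logs and a GeoIP database instead. The /24 and country checks are what keep a CDN-like domain with a low TTL but a single address block from being flagged on TTL alone.

```python
"""Score passive-DNS observations for fast flux indicators (added example).

All sample data, thresholds and the GEO table are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional, Tuple

Record = Tuple[datetime, str, str, str, int]  # (seen_at, domain, rtype, rdata, ttl)

# Constructed thresholds; tune them against your own resolver telemetry.
MAX_TTL_SECONDS = 300          # advisory: flux domains often rotate every 2-5 minutes
MIN_DISTINCT_SUBNETS = 4       # /24 diversity separates flux from a CDN's single block
MIN_DISTINCT_COUNTRIES = 3     # "inconsistent geolocation" indicator
MIN_DISTINCT_NAMESERVERS = 3   # NS churn marks double flux

# Hypothetical IP -> country table standing in for a real GeoIP lookup.
GEO: Dict[str, str] = {
    "203.0.113.10": "US",
    "198.51.100.5": "US", "198.51.100.6": "US", "198.51.100.7": "US",
    "10.11.0.5": "DE", "10.22.0.9": "BR", "10.33.0.14": "IN",
    "10.44.0.2": "DE", "10.55.0.8": "VN", "10.66.0.21": "US",
    "10.77.0.3": "TR", "10.88.0.6": "ID", "10.99.0.1": "AR",
    "10.101.0.4": "PL", "10.102.0.7": "TR", "10.103.0.12": "MX",
}

BASE = datetime(2025, 4, 3, 0, 0, 0)  # constructed observation start


def _observe(domain: str, rtype: str, values: List[str], ttl: int, step_min: int) -> List[Record]:
    """Build a constructed time series of observations, one per answer value."""
    return [(BASE + timedelta(minutes=i * step_min), domain, rtype, v, ttl)
            for i, v in enumerate(values)]


# Constructed passive-DNS sample: a static host, a CDN-like host (low TTL but one
# /24 and one country), a single-flux domain and a double-flux domain.
SAMPLE_RECORDS: List[Record] = (
    _observe("static.example", "A", ["203.0.113.10"] * 3, 3600, 60)
    + _observe("static.example", "NS", ["ns1.static.example"] * 3, 3600, 60)
    + _observe("cdn.example", "A",
               ["198.51.100.5", "198.51.100.6", "198.51.100.7", "198.51.100.5"], 60, 3)
    + _observe("cdn.example", "NS", ["ns1.cdn.example"] * 2, 3600, 60)
    + _observe("single-flux.example", "A",
               ["10.11.0.5", "10.22.0.9", "10.33.0.14", "10.44.0.2", "10.55.0.8", "10.66.0.21"], 180, 3)
    + _observe("single-flux.example", "NS", ["ns1.flux-ns.example"] * 2, 3600, 60)
    + _observe("double-flux.example", "A",
               ["10.77.0.3", "10.88.0.6", "10.99.0.1", "10.101.0.4", "10.102.0.7", "10.103.0.12"], 180, 3)
    + _observe("double-flux.example", "NS",
               ["ns1.flux-a.example", "ns2.flux-b.example", "ns3.flux-c.example", "ns4.flux-d.example"], 180, 3)
)


@dataclass
class DomainStats:
    ips: List[str] = field(default_factory=list)   # A answers in observation order
    ttls: List[int] = field(default_factory=list)
    nameservers: set = field(default_factory=set)
    first_a: Optional[datetime] = None
    last_a: Optional[datetime] = None


def slash24(ip: str) -> str:
    """Collapse an IPv4 address to its /24 network."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def collect(records: List[Record]) -> Dict[str, DomainStats]:
    """Aggregate raw observations per domain, in time order."""
    stats: Dict[str, DomainStats] = defaultdict(DomainStats)
    for seen_at, domain, rtype, rdata, ttl in sorted(records):
        s = stats[domain]
        if rtype == "A":
            s.ips.append(rdata)
            s.ttls.append(ttl)
            s.first_a = seen_at if s.first_a is None else min(s.first_a, seen_at)
            s.last_a = seen_at if s.last_a is None else max(s.last_a, seen_at)
        elif rtype == "NS":
            s.nameservers.add(rdata)
    return dict(stats)


def indicators(s: DomainStats) -> Dict[str, object]:
    """Evaluate each indicator separately so an analyst can see why a domain scored."""
    changes = sum(1 for a, b in zip(s.ips, s.ips[1:]) if a != b)
    span_h = (s.last_a - s.first_a).total_seconds() / 3600 if s.first_a else 0.0
    return {
        "low_ttl": bool(s.ttls) and median(s.ttls) <= MAX_TTL_SECONDS,
        "subnet_diversity": len({slash24(ip) for ip in s.ips}) >= MIN_DISTINCT_SUBNETS,
        "geo_spread": len({GEO.get(ip, "??") for ip in s.ips}) >= MIN_DISTINCT_COUNTRIES,
        "ns_churn": len(s.nameservers) >= MIN_DISTINCT_NAMESERVERS,
        "rotations_per_hour": round(changes / max(span_h, 1 / 60), 1),
    }


def classify(records: List[Record]) -> Dict[str, str]:
    """Label each domain as double-flux, single-flux, or no-flux-indicators."""
    verdicts: Dict[str, str] = {}
    for domain, s in collect(records).items():
        ind = indicators(s)
        if ind["low_ttl"] and ind["subnet_diversity"] and ind["geo_spread"]:
            verdicts[domain] = "double-flux" if ind["ns_churn"] else "single-flux"
        else:
            verdicts[domain] = "no-flux-indicators"
    return verdicts


if __name__ == "__main__":
    stats = collect(SAMPLE_RECORDS)
    for domain, verdict in classify(SAMPLE_RECORDS).items():
        print(f"{domain:22} {verdict:19} {indicators(stats[domain])}")
```

Note that the rotation rate alone does not separate the CDN-like domain from the flux domains in this sample; it is the combination of low TTL with /24 and country diversity that does, which is why the classifier requires all three before it looks at name-server churn to distinguish double flux from single flux.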
“We have been informing FBI, CISA, NSA, GCHQ, NCSC for 5 years after discovering Chinese and Russian root certs in the Trident Submarine program – we were blackballed for our expertise,” Andrew Jenkinson, group chief executive officer at Cybersec Innovation Partners, wrote in a message. “Despite the fact CISA issued an Emergency Directive on DNS Tampering and Abuse in January 2019, CISA have failed miserably as have all others, to address DNS suitably and remain exposed as a result despite this new paper.”
He added, “Make no mistake, the Agencies have exploited DNS for over 2 decades and now are forced to identify DNS as a major issue.”
To defend against fast flux, government and critical infrastructure organizations should coordinate with their Internet service providers, cybersecurity service providers, and/or their protective DNS services to implement mitigation actions utilizing accurate, reliable, and timely fast flux detection analytics. These measures include DNS and IP blocking and sinkholing of malicious fast flux domains and IP addresses, reputational filtering of fast flux-enabled malicious activity, enhanced monitoring and logging, collaborative defense and information sharing, and phishing awareness and training.
The authoring agencies call upon organizations to use cybersecurity and PDNS services that detect and block fast flux. By leveraging providers that detect fast flux and implement capabilities for DNS and IP blocking, ‘sinkholing,’ reputational filtering, enhanced monitoring, logging, and collaborative defense of malicious fast flux domains and IP addresses, organizations can mitigate many risks associated with fast flux and maintain a more secure environment. However, some PDNS providers may not detect and block malicious fast flux activities.
Moreover, organizations should not assume that their PDNS providers block malicious fast flux activity automatically and should contact their PDNS providers to validate coverage of this specific cyber threat.
Last May, CISA released Encrypted Domain Name System (DNS) Implementation Guidance for federal civilian executive branch (FCEB) agencies to meet encryption requirements for DNS traffic and enhance the cybersecurity resilience of their IT networks.