Used by a threat actor to hide malicious activity behind compromised hosts on a botnet. This TTP was first introduced by Storm Worm in 2006 and is effective at making the connection between malware and its C2 harder to discover.
"To understand the boundaries and relations between the network entities, an undirected network graph was created (Figure 2). The graph represents the following entities and relations between them: domains (shown in red), IP addresses (purple), and nameservers (green). The inspected network is composed of two subnetworks sharing a strong relation. These subnetworks are connected based on the similarity between their shared IP addresses associated with different nameservers." - Akamai
A fast flux network hides the origin of its C2 by constantly changing its domains, IP addresses, and nameservers. This allows it to hide the true nature of the network by making it harder to study and defend against.
The number of IP addresses associated with a fast flux network changes rapidly.
This image shows the average number of times the IP addresses associated with a single domain name changed in one day (measured over two months) - Akamai
Threat actors cycle between activating and deactivating domains in the network. A domain is considered inactive when a DNS query for it returns NXDOMAIN.
When the threat actor activates a domain, it stays active for a limited time while malicious activity is taking place. Once the malicious activity associated with that domain ends, it is deactivated again and a new domain is activated to take its place. This ensures that the network's services remain intact. This is called "Double Flux".
Double Flux ensures redundancy and survivability within the network. Following the DNS trail and shutting down individual servers or domains used by the botnet does not end the activities of the larger botnet.
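The two observable traits described above (rapid churn of the IPs behind one domain, and domains flipping between resolving and NXDOMAIN) can be scored from passive-DNS data. The following is an added example, not Akamai's code or data: the observations are constructed tuples of (day, domain, rcode, answered IPs), and the flagging thresholds are illustrative assumptions rather than values from the research.

```python
"""Heuristic fast-flux scoring over passive-DNS observations.

Added example (not Akamai's code or data). Each observation is a constructed
(day, domain, rcode, answered_ips) tuple; the thresholds in flag_fast_flux
are illustrative assumptions, not values from the Akamai research.
"""
from collections import defaultdict

# Constructed passive-DNS observations, one per resolution, in time order.
# An NXDOMAIN rcode marks a day on which the domain had been deactivated.
OBSERVATIONS = [
    (1, "flux-a.example", "NOERROR", {"203.0.113.5", "198.51.100.7"}),
    (1, "flux-a.example", "NOERROR", {"203.0.113.9", "198.51.100.7"}),
    (1, "flux-a.example", "NOERROR", {"192.0.2.44", "203.0.113.9"}),
    (2, "flux-a.example", "NOERROR", {"192.0.2.81", "198.51.100.30"}),
    (2, "flux-a.example", "NOERROR", {"203.0.113.120"}),
    (3, "flux-a.example", "NXDOMAIN", set()),
    (1, "static.example", "NOERROR", {"192.0.2.10"}),
    (2, "static.example", "NOERROR", {"192.0.2.10"}),
    (3, "static.example", "NOERROR", {"192.0.2.10"}),
]


def active_days(observations):
    """Map each domain to the set of days on which it actually resolved.
    NXDOMAIN days are the deactivated phase of the double-flux cycle."""
    days = defaultdict(set)
    for day, domain, rcode, _ips in observations:
        if rcode != "NXDOMAIN":
            days[domain].add(day)
    return dict(days)


def ip_changes_per_day(observations):
    """Per domain, count how often the answered IP set changed between
    consecutive resolutions on the same day, averaged over active days."""
    by_domain_day = defaultdict(lambda: defaultdict(list))
    for day, domain, rcode, ips in observations:
        if rcode == "NXDOMAIN":
            continue
        by_domain_day[domain][day].append(frozenset(ips))
    result = {}
    for domain, days in by_domain_day.items():
        daily_changes = []
        for _day, answers in sorted(days.items()):
            changes = sum(1 for prev, cur in zip(answers, answers[1:]) if prev != cur)
            daily_changes.append(changes)
        result[domain] = sum(daily_changes) / len(daily_changes)
    return result


def unique_ips(observations):
    """Number of distinct IPs ever answered for each domain."""
    ips = defaultdict(set)
    for _day, domain, rcode, answered in observations:
        if rcode != "NXDOMAIN":
            ips[domain].update(answered)
    return {domain: len(s) for domain, s in ips.items()}


def flag_fast_flux(observations, min_changes_per_day=1.0, min_unique_ips=5):
    """Flag a domain when either churn metric exceeds its (assumed) threshold.
    A stable domain answers the same small set of IPs day after day."""
    changes = ip_changes_per_day(observations)
    counts = unique_ips(observations)
    return {
        domain: changes[domain] >= min_changes_per_day or counts[domain] >= min_unique_ips
        for domain in changes
    }


if __name__ == "__main__":
    for domain, flagged in flag_fast_flux(OBSERVATIONS).items():
        print(domain, "fast-flux candidate" if flagged else "stable")
```

In the constructed data the flux domain answers seven distinct IPs across two active days and then returns NXDOMAIN on day three, while the control domain answers one IP throughout; real thresholds should be tuned against a baseline of legitimate CDN and round-robin domains, which also rotate answers.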
Nameservers associated with the fast flux network are usually registered to different entities, rotated in and out of usage, and registered to owners with spoofed personal information (figure: Akamai).
Even though the faked personal information of the alleged owners of the different nameservers seems unrelated (different countries, etc.), analysis of their IP addresses shows that they are actually closely related nameservers.
"To further investigate the initial assumption of having two different subnetworks as observed in “Fast Flux network — overview”, we created a network graph, but this time without showing the relation to the name-server. Doing that showed us that we can see two distinct subnetworks segregated in terms of associated IP addresses." - Akamai
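The graph analysis quoted from Akamai (an undirected graph of domains, IPs and nameservers, then the same graph with the nameserver edges removed to reveal the two subnetworks) can be reproduced on any passive-DNS dataset with a small connected-components routine. The block below is an added example with constructed records, not Akamai's code or data; the domain, IP and nameserver names are placeholders.

```python
"""Domain / IP / nameserver graph with optional nameserver edges.

Added example (not Akamai's code or data). RECORDS are constructed
(domain, ips, nameservers) tuples using placeholder names.
"""
from collections import defaultdict, deque

# Constructed records. Subnetwork A and subnetwork B share no IPs, but
# ns1.example serves domains in both, so it bridges them in the full graph.
RECORDS = [
    ("a1.example", {"203.0.113.1", "203.0.113.2"}, {"ns1.example", "ns2.example"}),
    ("a2.example", {"203.0.113.2", "203.0.113.3"}, {"ns2.example"}),
    ("b1.example", {"198.51.100.1", "198.51.100.2"}, {"ns1.example"}),
    ("b2.example", {"198.51.100.2"}, {"ns3.example", "ns1.example"}),
]


def build_graph(records, include_nameservers=True):
    """Undirected adjacency map. Nodes are (kind, name) tuples so an IP and a
    domain with the same string can never collide."""
    adj = defaultdict(set)
    for domain, ips, nameservers in records:
        dnode = ("domain", domain)
        adj[dnode]  # register the domain even if it has no edges
        for ip in ips:
            inode = ("ip", ip)
            adj[dnode].add(inode)
            adj[inode].add(dnode)
        if include_nameservers:
            for ns in nameservers:
                nnode = ("ns", ns)
                adj[dnode].add(nnode)
                adj[nnode].add(dnode)
    return adj


def connected_components(adj):
    """Breadth-first search over the adjacency map; returns a list of node sets."""
    seen = set()
    components = []
    for start in adj:
        if start in seen:
            continue
        component = set()
        queue = deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            component.add(node)
            for neighbour in adj[node]:
                if neighbour not in seen:
                    seen.add(neighbour)
                    queue.append(neighbour)
        components.append(component)
    return components


def domain_clusters(records, include_nameservers=True):
    """Sorted list of domain groups, one per connected component."""
    components = connected_components(build_graph(records, include_nameservers))
    clusters = [sorted(name for kind, name in comp if kind == "domain") for comp in components]
    return sorted(cluster for cluster in clusters if cluster)


if __name__ == "__main__":
    print("with nameserver edges:   ", domain_clusters(RECORDS, True))
    print("without nameserver edges:", domain_clusters(RECORDS, False))
```

With the nameserver edges present all four constructed domains fall into one component because ns1.example serves both halves; dropping those edges leaves two components split purely by shared IP addresses, which is the segregation the Akamai quote describes.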