Joint Advisory Flags Fast Flux Infrastructure, Enables Resilient C2 Operations
A joint advisory issued by CISA, NSA, FBI, ACSC, CCCS, and NCSC-NZ warns of the ongoing use of fast flux techniques by cybercriminal and nation-state actors to evade detection and maintain resilient infrastructure. Fast flux is a domain-level obfuscation method that rapidly rotates DNS records—often every few minutes—to prevent effective IP blocking and takedown efforts. Two variants are commonly used: single flux, where multiple IPs are rotated for one domain, and double flux, which also rotates the domain’s name servers. This dynamic infrastructure provides an advantage to attackers, enabling persistent command and control (C2) communications while masking the origin of malicious activity.
The technique involves leveraging large botnets as proxies, which not only act as relays for C2 traffic but also obscure the attacker’s location and infrastructure. These botnets update DNS records frequently, with associated IPs often exhibiting inconsistent geolocation, low TTL values, and high entropy, making detection difficult. While fast flux can be used for legitimate purposes like load balancing, it has been widely adopted for malicious operations, including ransomware delivery, phishing campaigns, and infrastructure for criminal marketplaces. According to CISA and partners, threat actors such as those behind Hive and Nefilim ransomware, and the Gamaredon group, have used fast flux.
The advisory recommends the use of DNS analysis, threat intelligence feeds, anomaly detection, and flow data analysis to identify domains exhibiting fast flux characteristics. Organizations are encouraged to increase DNS logging, implement automated alerting for abnormal activity, and utilize sinkholing or IP blocking for identified malicious domains. Reputational filtering and proactive sharing of indicators with trusted partners further strengthen defenses. Protective DNS (PDNS) services, especially those able to differentiate malicious flux from legitimate CDN traffic, are a key mitigation layer but are not guaranteed to be implemented by default.
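The DNS-analysis step recommended above can be approximated from passive-DNS or resolver logs by scoring each name on the characteristics the advisory lists: many distinct answers, spread across unrelated networks, with short TTLs. The following is an added illustration, not code from the advisory or any vendor; the records are constructed, and /16 prefix diversity is used as an offline stand-in for geolocation or ASN spread.

```python
"""Heuristic single-flux scoring over passive-DNS A-record observations."""
from collections import defaultdict
from ipaddress import ip_network
from statistics import mean

# Constructed sample records (timestamp_seconds, qname, answer_ip, ttl); not real data.
SAMPLE_RECORDS = [
    # Flux-like: a new address from a different /16 every few minutes, short TTLs.
    (0,   "flux-example.test", "203.0.113.10",  120),
    (180, "flux-example.test", "198.51.100.7",   90),
    (360, "flux-example.test", "192.0.2.44",    150),
    (540, "flux-example.test", "203.0.113.200", 120),
    (720, "flux-example.test", "198.51.100.99",  60),
    (900, "flux-example.test", "192.0.2.9",     120),
    # CDN-like: short TTL and several addresses, but all inside one /16.
    (0,   "cdn-example.test", "192.0.2.1", 30),
    (300, "cdn-example.test", "192.0.2.2", 30),
    (600, "cdn-example.test", "192.0.2.3", 30),
    (900, "cdn-example.test", "192.0.2.1", 30),
    # Static host: one address, long TTL.
    (0,   "static-example.test", "203.0.113.5", 86400),
    (900, "static-example.test", "203.0.113.5", 86400),
]

def summarize(records):
    """Per-qname features: unique IPs, unique /16 prefixes, mean TTL, IP changes per hour."""
    by_name = defaultdict(list)
    for ts, qname, ip, ttl in records:
        by_name[qname].append((ts, ip, ttl))
    features = {}
    for qname, obs in by_name.items():
        obs.sort()
        ips = {ip for _, ip, _ in obs}
        prefixes = {str(ip_network(f"{ip}/16", strict=False)) for ip in ips}
        span_h = max((obs[-1][0] - obs[0][0]) / 3600.0, 1 / 3600.0)  # avoid division by zero
        features[qname] = {
            "unique_ips": len(ips),
            "unique_prefixes": len(prefixes),
            "mean_ttl": mean(ttl for _, _, ttl in obs),
            "changes_per_hour": sum(1 for a, b in zip(obs, obs[1:]) if a[1] != b[1]) / span_h,
        }
    return features

def is_fast_flux(f, min_ips=5, min_prefixes=3, max_ttl=300):
    """Flag names that combine many addresses, spread across networks, with short TTLs."""
    return f["unique_ips"] >= min_ips and f["unique_prefixes"] >= min_prefixes and f["mean_ttl"] <= max_ttl

def flagged_names(records=SAMPLE_RECORDS):
    """Names in the record set that meet the flux heuristic; the CDN-like name is not flagged."""
    return sorted(name for name, f in summarize(records).items() if is_fast_flux(f))
```

The thresholds are starting points for tuning against an organisation's own resolver data; the prefix-diversity test is what keeps a legitimate CDN with short TTLs from being flagged alongside true flux.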
Lastly, the advisory stresses that fast flux is not just a technical concern but a broader threat to national security, enabling long-term, resilient access to compromised environments. By exploiting the lack of DNS validation and the speed of infrastructure rotation, malicious actors gain stealth and durability. CISA and its counterparts advise continuous collaboration between government, ISPs, and cybersecurity service providers to reduce exposure. Organizations are urged to work closely with their PDNS vendors to ensure fast flux detection is part of their coverage and to adopt phishing awareness training and incident response policies to counter the broader ecosystem in which fast flux operates.