Fast Flux Networks
What Is a Fast Flux Network?
The concept of a fast-flux network revolves around enabling botnets to move from one Internet Protocol (IP) address to the next in rapid succession, taking advantage of a host that has been fully compromised.
What is fast flux in cybersecurity? With a fast-flux network, botnets will shift each IP address after just a few minutes. This shifting, using the host it has compromised, enables cybercriminals to make the hosts act as proxies to cause problems, as well as run phishing, malware, and other types of attacks without being detected.
Another term for a fast-flux network is "flux domain." With the flux-domain technique, cybercriminals can use botnets to rotate IP addresses with a legitimate domain name behind the scenes.
How Does Fast Flux Work?
A fast-flux network uses a variety of IP addresses and rotates them in rapid succession. All the IP addresses will point to one malicious domain name, but how users connect to that domain will vary.
The malicious domain the IP addresses rotate around is known as a typosquatting, which takes a popular domain name—such as from a big brand—and add a variation to it, such as a spelling variation. This way, attackers trick users into thinking they went to the site of a major bank or another retailer. But in reality, they landed on a phishing site located on the cybercriminals server, ready to steal their information.
Although the domain is consistent in terms of the site each user lands on, the IP address rotates constantly. Botnets will deploy a variety of IP addresses with a malicious domain. Each will be live for just a few minutes before cycling in new, with the domain stealing credentials and other sensitive information as soon as users connect. Because the IP address constantly rotates, it is extremely difficult to identify the source and shut it down.
Types of Fast-Flux Networks
There are two common types of fast-flux networks: single flux and double flux. With each type, the cybercriminal does much of the same process.
A single-flux network has many different individual nodes registering IP addresses as part of a Domain Name System (DNS). These nodes also act to deregister those same IP addresses. All of this is done for a single malicious domain name to which users connect. Most of the registered IP addresses only live for about 3–5 minutes. Then the botnets move on to the flow of new IP addresses to enable ongoing access and pillaging by the cybercriminal.
Numerous nodes work to register an IP address, which immediately takes the place of the prior IP address once it is out of commission. Because the domains themselves will likely live on a server with ultra protection—a bulletproof server, essentially—authorities will have little luck having it shut down.
Double-flux networks take the concept of a fast-flux network and put it into HyperSpeed in terms of advancement and complexity. They make it nearly impossible for authorities to locate the source computer driving forward the phishing attack, malware, or whatever else is running rampant on the domain.
Cybercriminals rely on a double-flux network to connect to their victim's system in unique ways, including breaking down email security and web security. A double-flux network puts to use a zombie computer, a system that has been compromised by a virus or Trojan. Botnets rely on zombie computers for an extra layer of protection between the rotating IP addresses and the source of the attack: the cybercriminals host machine.
How a Fast-Flux Network Can Be Used as a Platform for Malicious Activities
With fast flux, a cybercriminal can carry out various malicious attacks, including web proxying, malware delivery, and phishing. Fast flux is not a new concept. It has been around for over 15 years and continues to wreak havoc on the internet.
The fast-flux approach was first identified by researchers in 2007 as part of the Honeynet Project. Since then, a lot of research has gone into understanding its makeup, as well as how to detect and prevent the havoc it causes.
Hosting Malware: Dropper
With a fast-flux network, droppers can be used to assist cybercriminals with malware delivery and installation. Droppers help get around antivirus programs that quarantine malicious code. When users connect to a fast-flux domain, the dropper installs or "drops" malware onto their device.
Cybercriminals that launch fast-flux attacks typically use a command-and-control (C2) server, which is where they issue commands to compromised devices and receive stolen data from target systems. A cybercriminal can gain access to a user's machine via the rotating IP address and domain host. With a C2 server, they can maintain that communication, sending commands and pillaging sensitive information using malware.
Fast-Flux Detection and Monitoring Techniques
The best way to deal with a fast-flux network is to prevent accessing a compromised domain in the first place, but that is not always possible. Organizations should therefore do their best to detect and monitor for fast-flux networks.
Fast-flux networks are easy to set up but difficult to trace and are likely to mislead investigators trying to get to the root cause. With IP addresses and random domains constantly rotating, it is a wild goose chase for authorities.
- Using machine learning (ML): ML is one of the most prominent and current techniques being used to detect fast-flux networks. By analyzing networks' temporal and DNS-based features, machine learning can help predict whether or not fast flux is in use.
- Evaluating domain servers' geographic distribution: Another common technique is examining the geographic distribution of the domain servers. Rotating IP addresses and changing geographic location can be a clue that a fast-flux network is in use.
- Fast-flux monitors: These help detect fast-flux and double-flux behaviors in real time. They examine activity, footprint, and time-to-live indexes to detect whether or not a fast-flux or double-flux network is in use.
How to Stop Fast-Flux Attacks
Fast-flux networks have a high level of resiliency. They are hard to detect and even harder to take down once they are identified. The network, which is difficult to identify in the first place, will use a common domain name. Even though the domain name can be taken down, the network still exists. But without a domain, the network cannot do anything.
The best way for organizations to stop a fast-flux network is to identify its domain name and have it taken down. By doing this, it no longer matters how many IP addresses rotate in and out. There is no domain for a user to connect to that can result in them being taken advantage of. Identifying and taking down fast-flux domains as fast as possible are key to eliminating the effectiveness of fast-flux networks.
How Fortinet Can Help
The Fortinet Secure Web Gateway (SWG) solution has been helping organizations in the fight against fast-flux and double-flux networks. With the Fortinet SWG, you get multiple security capabilities in one solution. These include DNS security, inline cloud access security broker (CASB), antivirus, web filtering, and more. With multiple layers of protection and full-spectrum web security, Fortinet SWG can prevent users from stumbling onto a domain that is part of a fast-flux or double-flux scheme.
What is fast flux?
Fast flux is a technique used by cybercriminals to hide malware delivery and phishing websites by rapidly cycling through IP addresses tied to a malicious domain.
What are the types of fast-flux network?
The two types of fast-flux networks are single-flux and double-flux networks.
How to detect fast-flux networks?
A variety of methods, theories, and tools have been created to assist in the detection of fast-flux networks, such as machine learning and fast-flux monitors. There is no magic tool that everyone relies on.