Cybersecurity officials in the US, Australia, Canada, New Zealand, and the UK have collectively warned against a new cyber threat dubbed “fast flux.” This tactic is being used by hackers to hide malicious websites and avoid shutdown.
What is Fast Flux?
Fast flux is a method whereby malicious attackers quickly change the IP addresses that a domain name is linked to so that it becomes more difficult for defenders to block or track malicious sites because they’re always on the move.
There are two main types:
- Single Flux: One domain keeps changing IP addresses.
- Double Flux: Both the domain and its name servers keep changing, offering an added layer of protection.
Keeping Malicious Content Online
Fast flux is often used to keep phishing sites, malware downloads, and crime platforms available on the web even when law enforcement tries to take them down. It hides hackers from view and makes it much harder for defenders to retaliate.
How to Fight Fast Flux
Cybersecurity experts recommend monitoring DNS activity to identify quickly changing domains, search for unusual network traffic patterns, and employ defensive DNS services to block known attacks.
They further recommend that organizations, governments, and other stakeholders share threat information.
The collaborative advisory also urged companies, internet service providers, and government agencies to step up their detection and defense strategies as fast flux becomes more widespread and contagious.
Fast Flux CNS is Not New
Fast Flux DNS is not new, says Aamir Lakhani, Lead Researcher and Cyber Security Expert at Fortinet’s FortiGuard Labs. “In fact, it has been used by various threat actors for well over a decade now. FortiGuard Labe saw some of the early botnets back between 2007–2010, like Zeus and Conficker, using fast flux to distribute malware and manage their command-and-control (C2) communications.”
Lakhani says while the technique is older, it can still be effective. “It’s not used as often as people think it is because it does require some work and knowledge from threat actors and there are much easier ways to conduct an attack. But if they have the infrastructure already setup, or they can rent fairly cheaply, it is still a viable tool in the toolkit.”
Alarming Scale and Sophistication
Fast flux’s recent resurgence and the attention it’s getting now highlight a shift in how threat actors are leveraging it, adds Casey Ellis, Founder at Bugcrowd. “What makes this advisory stand out is the scale and sophistication of its use by nation-state actors and cybercriminals. Fast flux isn’t just about hiding malicious infrastructure anymore—it’s about creating a resilient, almost bulletproof command-and-control system that’s harder to disrupt. That’s a big deal, especially for sectors like defense, where the stakes are incredibly high.”
The timing of this advisory likely reflects two things, Ellis adds. “First, we’re seeing an uptick in fast flux being used in active campaigns, particularly by advanced persistent threats (APTs). Second, it’s a recognition that traditional defenses aren’t keeping up. The NSA, CISA, and FBI are signaling that this isn’t just a technical nuisance—it’s a national security issue that demands immediate attention.”
Ellis says the recommendation to adopt multi-layered detection and Protective DNS (PDNS) services is critical. PDNS, for example, can help organizations block malicious domains before they’re even resolved, cutting off access to the infrastructure that fast flux relies on. “But it’s not just about tools—it’s about mindset. Organizations need to assume that attackers will innovate and adapt, and they need to do the same. This isn’t a routine warning. It’s a call to action for organizations to step up their game and treat fast flux as the serious, evolving threat that it is.”
A Significant Wakeup Call
This latest advisory will hit many organizations like a double espresso, comments John DiLullo, CEO at Deepwatch. “Any enterprise relying on IP reputation as a credible means of securing their infrastructure or proprietary data is a soft target for this type of exploit. Fortunately, correlative detection techniques, especially those leveraging “low and slow” Machine Learning methods, can defeat these intrusions handily. However, many companies’ infrastructures simply aren’t there yet. This is a significant wakeup call.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.