Fast Flux is a DNS technique in which the IP addresses associated with a Fully Qualified Domain Name (FQDN) are changed frequently and rapidly, using a network of compromised hosts (bots) that act as reverse proxies.

The core concept of a fast-flux network is to associate multiple IP addresses with a domain name and then swap those IP addresses in quick succession by changing the DNS A or AAAA records, using a very low TTL value. These IP addresses belong to compromised hosts, known as bots or fast-flux agents. The fast-flux technique is employed by the adversary (the botmaster) to evade C&C server detection and IP-based blacklisting by hiding the C&C server behind a network of compromised hosts acting as reverse proxies. A fast-flux network ensures that a victim client only ever connects to fast-flux agents, never to the real C&C server.

There are two types of Fast-Flux Service Network (FFSN):

1. Single-Flux Network.
2. Double-Flux Network.

Basics of Fast-Flux Service Network (FFSN):
To implement a fast-flux network, the attacker first leverages a botnet. The botnet contains thousands of bots, all of which are connected to the attacker's C&C server. The bots that take part in a fast-flux network are also known as fast-flux agents. The main purpose of using a botnet is to employ thousands of bot machines (fast-flux agents) as reverse proxies: a fast-flux agent forwards the client's request to the C&C server and relays the C&C server's response back to the client.

In a fast-flux network, the attacker assigns new IP addresses to a domain name, or to a name server, within a very short period of time, drawing them from thousands of bots (fast-flux agents). The different IP addresses that a malicious domain name resolves to in a fast-flux network are therefore the IP addresses of fast-flux agents.

In a single-flux network, only the malicious Domain Name uses IP addresses from the fast-flux agents, and the Authoritative Nameserver is hosted on a bulletproof hosting server. In a double-flux network, the malicious Domain Name and the Authoritative Nameserver both use IP addresses that belong to the fast-flux agents.

Fast-Flux Mothership / C&C Server:
Fast-Flux C&C servers are the backbone of fast-flux service networks. The C&C server is a complex server used to control and manage the botnet and the fast-flux network. It runs many servers on the backend to deliver the various services needed, such as a DNS server for resolving the malicious domain name and an HTTP server for delivering malware files or hosting phishing sites. In a fast-flux network the C&C server is also referred to as the mothership server. A Fast-Flux Service Network (FFSN) is not limited to HTTP applications; any application that uses DNS can make use of it.

Single-Flux Network:

Single-flux refers to the frequent and rapid changing of the IP addresses associated with a domain name. In a single-flux network the DNS A or AAAA records for a domain are constantly updated with the addresses of fast-flux agents that act as reverse proxies.

In a single-flux network, the attacker manages an Authoritative Name Server for name resolution of the malicious domain name and dynamically updates the DNS A record with the IP addresses of fast-flux agents, using a very short TTL value. The Authoritative Name Server is hosted on a bulletproof hosting server.

When the TTL expires, new IP addresses replace the old ones in the DNS A records of the DNS zone file. Thousands of fast-flux agents' IP addresses are used in cyclic order for the DNS A record. The DNS A record changes as often as every 3-10 minutes, which means that a victim client connecting to the malicious domain every 3 minutes would actually be connecting to a different IP address each time.

When a victim client wants to resolve a malicious domain name, it sends the DNS query to the Recursive DNS Server. The Recursive DNS Server in turn resolves the queried domain name (FQDN) and returns a set of IP addresses to the client. These are actually the IP addresses of fast-flux agents, which act as reverse proxy servers. The victim client then initiates a connection to one of the resolved IP addresses and sends its HTTP request there. The fast-flux agent at that address forwards the client's request to the C&C server and delivers the content received from the C&C server back to the client. Hence, the victim client never communicates directly with the C&C server; it communicates with the C&C server via fast-flux agents acting as reverse proxies.

Figure: How a Single-Flux Network works

As depicted in the figure above, the attacker has registered the domain name flux.com and manages an Authoritative Name Server (ns.flux.com) for the name resolution of flux.com. The Authoritative Name Server is hosted on a bulletproof hosting server. The attacker leverages a botnet to implement the fast-flux network. The botnet contains thousands of bots, all of which are connected to the attacker's C&C server. In a fast-flux network, these bots are also called fast-flux agents. The attacker's C&C server address is c2.flux.com. The C&C server is used for malicious activity such as hosting phishing sites, delivering malware, and controlling the malware-infected hosts and the botnet.

A malware-infected client wants to connect to its C&C server at c2.flux.com. To resolve the c2.flux.com domain name, the malware-infected client sends a DNS query to the Recursive DNS Server. The Recursive DNS Server sends a DNS query to the Root Server asking for the IP address of c2.flux.com. The Root Server answers with a referral to the .COM Name Servers. The Recursive DNS Server then sends a DNS query to a .COM name server, which replies with a referral to the Authoritative Name Server for c2.flux.com. Finally, the Recursive DNS Server sends a DNS query to the Authoritative Name Server (ns.flux.com) and gets a list of IP addresses (36.10.85.230 and 215.126.9.18) for the domain name c2.flux.com. The Recursive DNS Server then returns those resolved IP addresses to the client.
Note that the attacker manages the Authoritative Name Server (ns.flux.com) himself and has dynamically updated its DNS A records with the IP addresses 36.10.85.230 and 215.126.9.18 of fast-flux agents. Hence the Authoritative Name Server replied with the fast-flux agents' IP addresses 36.10.85.230 and 215.126.9.18 as the resolved IPs of c2.flux.com.

The infected client then initiates a connection to one of the resolved IP addresses, 36.10.85.230, and sends an HTTP content request to that fast-flux agent.
The fast-flux agent at that address (36.10.85.230) forwards the client's request to the C&C server and delivers the content received from the C&C server back to the client. Hence, the client never communicates directly with the C&C server; the malware-infected client communicates with the C&C server via fast-flux agents acting as reverse proxies.

As we can see in the figure, the TTL (Time to Live) value is 300 seconds:

c2.flux.com.    300    IN    A    36.10.85.230
c2.flux.com.    300    IN    A    215.126.9.18

After the TTL value expires, the attacker dynamically updates the DNS A records with the IP addresses of new fast-flux agents from the botnet. That means a victim client connecting to c2.flux.com every 5 minutes would actually be connecting to a different fast-flux agent each time.

For example, 5 minutes later the DNS A records may look like this:

c2.flux.com.    300    IN    A    86.11.14.158
c2.flux.com.    300    IN    A    239.4.13.123

The infected client would then connect to a fast-flux agent with the IP address 86.11.14.158.

Double-Flux Network:

Double-flux refers to dynamically and repeatedly changing the IP addresses of both the Domain Name and its Authoritative Nameservers, with a very low TTL value.
Double flux is done by frequently changing the DNS A record and the DNS NS glue record in the DNS zone file to the IP addresses of fast-flux agents. Thousands of fast-flux agents are involved in the process, and they frequently register and deregister their IP addresses in the DNS A record and the DNS NS glue record, for the domain name and for the authoritative name server respectively.

A glue record is the IP address (A record) of a Nameserver, held at the domain name registry. Glue records are required when the Nameservers for a domain name are subdomains of that domain itself, since otherwise a resolver would have to query the nameserver in order to learn the nameserver's own address.

Suppose the attacker has registered the domain name flux.com and its Authoritative Nameserver is configured as ns.flux.com. The ns.flux.com Nameserver is assigned the IP address 215.126.9.18 of a fast-flux agent, and the flux.com domain is assigned the IP address 36.10.85.230 of another fast-flux agent.

flux.com.       300    IN    NS    ns.flux.com.
ns.flux.com.    300    IN    A     215.126.9.18    ; glue record

flux.com.       300    IN    A     36.10.85.230

In a double-flux network, the IP address (A record) of ns.flux.com (the Authoritative Nameserver) and the IP address (A record) of flux.com (the Domain) both change constantly.

In a double-flux network, the different IP addresses of both the malicious Domain Name and the Authoritative Nameserver are the IP addresses of fast-flux agents. The attacker uses thousands of fast-flux agents from his botnet and periodically registers and deregisters their IP addresses for the Domain Name and for the Authoritative Nameserver.

Figure: How a Double-Flux Network works

As depicted in the figure above, the attacker has registered the domain name flux.com and configured its Authoritative Nameserver as ns.flux.com. The attacker uses the c2.flux.com domain as the web address of his C&C server.

The attacker designates a fast-flux agent with the IP address 215.126.9.18 as the Authoritative Nameserver of flux.com by adding a DNS glue record to the .COM Nameserver's DNS zone file.

DNS records in the .COM Nameserver:
flux.com.       300    IN    NS    ns.flux.com.
ns.flux.com.    300    IN    A     215.126.9.18    ; glue record

The attacker also points the domain c2.flux.com at another fast-flux agent, with the IP address 36.10.85.230, by adding a DNS A record for c2.flux.com to the internal DNS server of his C&C server.

DNS record in the C&C server:
c2.flux.com.    300    IN    A     36.10.85.230

In a double-flux network, the attacker frequently updates the IP addresses of both the Nameservers and the Domain Name with the IP addresses of new fast-flux agents. The IP addresses are dynamically updated after the TTL (Time to Live) expires. In this figure the TTL value is set to 300 seconds, which is 5 minutes.

5 minutes later, the DNS glue record of the Nameserver is dynamically updated with the IP address of a new fast-flux agent:

flux.com.       300    IN    NS    ns.flux.com.
ns.flux.com.    300    IN    A     86.11.14.158    ; glue record

Also 5 minutes later, the DNS A record for the Domain Name is dynamically updated with the IP address of a new fast-flux agent:

c2.flux.com.    300    IN    A     239.4.13.123
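The following is an added example, not code from the original article: it scores a series of DNS observations for the indicators described in the single-flux and double-flux sections above (a low TTL, churn of the domain's A records across unrelated networks and, for double flux, churn of the nameserver's glue address as well). The snapshots are constructed from the records shown; the fixed nameserver address 198.51.100.5, the two control cases and all thresholds are assumptions.

```python
# Added example (not from the article): score a run of DNS lookups for fast-flux
# indicators. Snapshots are constructed from the records shown above; the fixed
# nameserver address, the control cases and all thresholds are assumptions.
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Snapshot:
    ttl: int                 # TTL seen in the answer
    a_records: frozenset     # A records returned for the domain
    ns_a_records: frozenset  # A (glue) records seen for its authoritative nameserver

def churn(snapshots, field):
    """Fraction of consecutive lookups in which the record set changed."""
    sets = [getattr(s, field) for s in snapshots]
    if len(sets) < 2:
        return 0.0
    return sum(a != b for a, b in zip(sets, sets[1:])) / (len(sets) - 1)

def prefixes(snapshots, field):
    """Distinct /16 prefixes over all addresses seen: compromised hosts are
    scattered across many networks, a hosting provider's servers are not."""
    addrs = set().union(*(getattr(s, field) for s in snapshots))
    return {str(ip_network(f"{a}/16", strict=False)) for a in addrs}

def classify(snapshots, max_ttl=600, min_churn=0.5, min_prefixes=2):
    """Return 'none', 'single-flux' or 'double-flux'. A low TTL alone is not
    enough (CDNs use them too); the addresses must also rotate and be spread out."""
    def fluxing(field):
        return (churn(snapshots, field) >= min_churn
                and len(prefixes(snapshots, field)) >= min_prefixes)
    low_ttl = bool(snapshots) and all(s.ttl <= max_ttl for s in snapshots)
    if not (low_ttl and fluxing("a_records")):
        return "none"
    return "double-flux" if fluxing("ns_a_records") else "single-flux"

# c2.flux.com looked up 300 s apart; the NS glue stays on one (constructed) host.
SINGLE_FLUX = [Snapshot(300, frozenset({"36.10.85.230", "215.126.9.18"}), frozenset({"198.51.100.5"})),
               Snapshot(300, frozenset({"86.11.14.158", "239.4.13.123"}), frozenset({"198.51.100.5"}))]
# Double flux: the nameserver's glue address rotates onto other agents as well.
DOUBLE_FLUX = [Snapshot(300, frozenset({"36.10.85.230"}), frozenset({"215.126.9.18"})),
               Snapshot(300, frozenset({"239.4.13.123"}), frozenset({"86.11.14.158"}))]
# Controls (constructed): a stable host, and a low-TTL CDN rotating inside one /16.
STABLE = [Snapshot(3600, frozenset({"203.0.113.10"}), frozenset({"203.0.113.53"}))] * 2
CDN_LIKE = [Snapshot(60, frozenset({"203.0.113.5"}), frozenset({"203.0.113.53"})),
            Snapshot(60, frozenset({"203.0.113.7"}), frozenset({"203.0.113.53"}))]
```

With a passive-DNS feed, a detector would build the snapshot lists from repeated answers for the same name and its nameserver instead of the constructed ones here.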

How does a Double-Flux Network work:

DNS name resolution and HTTP content retrieval in a double fast-flux network:

In a double fast-flux network, when a client wants to resolve a malicious domain name, it sends the DNS query to the Recursive DNS Server. The Recursive DNS Server asks the Root Server which name server is responsible for the malicious domain, and the Root Server refers it to the .COM server. The Recursive DNS Server then asks the .COM server. Because the attacker configured the DNS NS record in the .COM server's zone file to point at a fast-flux agent's IP address, the .COM server replies with the IP address of a fast-flux agent as the Authoritative Nameserver of the queried malicious domain name. The Recursive DNS Server now sends a DNS query to that Authoritative Nameserver (the fast-flux agent) to resolve the IP of the malicious domain name.

Although the attacker designated a fast-flux agent as the Authoritative Nameserver, the fast-flux agent does not perform any name resolution for the malicious domain itself. When the fast-flux agent (Authoritative Nameserver) receives a DNS query from any client, it forwards that DNS query to the actual malicious DNS server controlled by the attacker under his C&C server. Once the malicious DNS server answers the DNS query, the fast-flux agent sends that answer back to the client that issued the query, in this case the Recursive DNS Server. The Recursive DNS Server then sends the resolved IP addresses of the malicious domain to the actual client.

The malicious DNS server deployed by the attacker does not resolve the domain to the IP of the C&C server or of the actual web server hosting the malicious content; instead it resolves it to the IP address of yet another fast-flux agent.

The client then establishes a connection with the resolved IP of the malicious domain, which is actually the IP address of another fast-flux agent, and sends an HTTP request to that fast-flux agent. Again, that fast-flux agent forwards the HTTP request to the actual web server running under the attacker's C&C server. After retrieving the content from the attacker's C&C server, this fast-flux agent delivers the content to the client. The fast-flux network ensures that a victim only ever connects to fast-flux agents, never to the real C&C server.