Adversary uses malware to attack users’ computer in order to compromise them. The malware can take control of the compromised machines and turn compromised machines into remotely controlled bots. A bot is a machine that is compromised by a malware. The stealthy malware agent, running on the compromised machine, enables the bot to be remotely controlled by the adversary (Botmaster) via a Command and Control (C&C) Server. A botnet is a network of compromised machines (bots) under control of a Command and Control (C&C) Server. Each individual compromised machine in a botnet is referred to as a bot.
After successful malware infection the malware report back to the command-and-control (C&C) server to get new command and updates from the adversary.
Fast flux is a DNS technique which involves frequent and rapid changing of the IP addresses associated with a Fully Qualified Domain Name (FQDN) by using a network of compromised hosts (Bots) acting as proxies. Fast-flux technique is employed by the adversary to evade C&C server detection and IP based Blacklisting by constantly changing the IP addresses of the C&C server domain within very short period of time.
In a Fast flux network adversary configures a number of bots from his controlled botnet to serve as proxies to the C&C server. These bots are known as flux-agents and they work as the redirectors. Fast flux network provides a constantly changing proxy layer between the malware infected bots and the C&C server of a botnet.
Flux-agents act as a relay station between the client bots (malware infected host) and the C&C server. So the malware cannot communicate directly with the C&C server instead the malware communicates with C&C server via compromised hosts (Bots) acting as proxies. The different IP addresses in the fast flux network are IP addresses of the flux-agents (Bots).
The basic concept of a Fast Flux network is to have multiple IP addresses associated with a domain name, and then constantly swapping those IP addresses in quick succession by changing DNS A or AAAA Records with a very low TTL value.
Fast Flux is referred as repeated and rapid IP address changing in DNS A and/or DNS NS resource records. which result in rapidly changing the IP address to which the domain name of an Internet host or name server resolves.
The infected machines (Bots) are used as proxies that relay client requests to the C&C server.
The compromised machines (Bots) which are also known as fast-flux agents are used as proxies that act as a relay station between the client (Bots) and the C&C server.
Fast flux is a DNS technique used by the adversary to rapidly change the IP addresses of C&C server within very short period of time. This technique is accomplished to hide the C&C server behind a network of compromised hosts act as proxies.
Types of Fast Flux networks:
- Single Flux Networks
- Double Flux Networks