A recent cybersecurity advisory (1) from the Cybersecurity and Infrastructure Security Agency (CISA) discussed the use by threat actors of a DNS technique known as fast flux. CISA encouraged “service providers, especially Protective DNS (PDNS) providers, to help mitigate this threat by taking proactive steps to develop accurate, reliable, and timely fast flux detection analytics and blocking capabilities for their customers”.
Infoblox is aware of fast flux, a technique first described nearly two decades ago, and our protective DNS solutions protect customers from threat actors who use the technique. As the CISA advisory notes, distinguishing fast flux from legitimate network activity is extremely difficult. Infoblox incorporates dozens of algorithms, including ones that consider IP variation, into our detectors for suspicious domains.
This advisory has gained a great deal of coverage in the media and raised questions from our customers. We will address those concerns in this response blog.
What is fast flux?
- Fast flux is the rapid rotation of the DNS records behind a domain name, typically its A records (single flux) and, in the double-flux variant, the NS records of its name servers as well, with short TTLs so that successive lookups return different sets of addresses. The domain name stays constant while the IP addresses behind it change too quickly for IP-based blocking or takedown to keep up. It was first described by researchers in 2007 and has been used by various actors since then, but it is not considered common.
How hard is fast flux to detect?
- Fast flux is the malicious use of mechanisms that are legitimate and widespread: short TTLs, round-robin answers, and geographically distributed address pools are exactly how content delivery networks and other large services balance load and operate globally. As the advisory admits, distinguishing fast flux from that legitimate traffic is extremely difficult. A single detection method applied without a global perspective across many DNS networks, which Infoblox has, is likely to produce regrettable false positives. Infoblox began research into fast flux over a decade ago and is very familiar with the pitfalls a provider can encounter. We have included IP diversity, as suggested by the advisory, in our detection for years.
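To make the detection problem above concrete, here is an added example (not Infoblox code, and not the advisory's analytics) of scoring domains from passive-DNS style observations. It contrasts a static host, a CDN-style host that rotates many addresses inside one provider's networks, and a fast-flux host whose addresses are scattered across many small networks with changing name servers. The prefix-to-ASN table, the thresholds (`MIN_IPS`, `MIN_ASNS`, `MAX_TTL`) and the observations are all constructed for illustration; a real deployment would use a BGP-derived ASN lookup and thresholds tuned against a global view.

```python
"""Toy fast-flux scoring over passive-DNS style observations.

Added example, not Infoblox code. The ASN table, the thresholds and the
observations below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Observation:
    ts: int        # seconds into the observation window
    qname: str
    rrtype: str    # "A" or "NS"
    rdata: str     # address for A, name server name for NS
    ttl: int


# Constructed prefix -> ASN map, standing in for a real BGP/ASN lookup.
ASN_TABLE = {
    "203.0.113.0/24": 64500,   # hypothetical CDN provider, POP 1
    "198.51.100.0/24": 64501,  # hypothetical CDN provider, POP 2
}
# eight small "residential" networks, one hypothetical ASN each
ASN_TABLE.update({f"192.0.2.{32 * j}/27": 64510 + j for j in range(8)})

# Assumed thresholds: many addresses, spread over many ASNs, with short TTLs.
MIN_IPS, MIN_ASNS, MAX_TTL = 8, 4, 300


def asn_of(ip: str):
    """Longest-prefix style lookup against the constructed table (None if unknown)."""
    addr = ip_address(ip)
    for prefix, asn in ASN_TABLE.items():
        if addr in ip_network(prefix):
            return asn
    return None


def features(observations):
    """Per-domain IP count, ASN diversity, NS count and minimum TTL."""
    per = defaultdict(lambda: {"ips": set(), "asns": set(), "ns": set(), "min_ttl": 10**9})
    for o in observations:
        d = per[o.qname]
        d["min_ttl"] = min(d["min_ttl"], o.ttl)
        if o.rrtype == "A":
            d["ips"].add(o.rdata)
            asn = asn_of(o.rdata)
            if asn is not None:          # unknown prefixes are not counted as diversity
                d["asns"].add(asn)
        elif o.rrtype == "NS":
            d["ns"].add(o.rdata)
    return {q: {"n_ip": len(d["ips"]), "n_asn": len(d["asns"]),
                "n_ns": len(d["ns"]), "min_ttl": d["min_ttl"]} for q, d in per.items()}


def classify(f):
    """IP count alone is not a signal; ASN diversity separates flux from a CDN."""
    short_lived_pool = f["n_ip"] >= MIN_IPS and f["min_ttl"] <= MAX_TTL
    if short_lived_pool and f["n_asn"] >= MIN_ASNS:
        return "double-flux" if f["n_ns"] >= 3 else "single-flux"
    if short_lived_pool:
        return "load-balanced"   # many addresses, few networks: CDN-like, not a block signal by itself
    return "stable"


def run_detector(observations):
    return {q: classify(f) for q, f in features(observations).items()}


def constructed_observations():
    """Constructed sample: six lookups of each domain over one hour."""
    obs = []
    times = list(range(0, 3600, 600))
    # static corporate host: one address, long TTL
    for t in times:
        obs.append(Observation(t, "static-corp.example", "A", "203.0.113.200", 3600))
    # CDN-style host: 12 addresses rotated four at a time, all in two provider prefixes
    cdn_pool = [f"203.0.113.{10 + i}" for i in range(6)] + [f"198.51.100.{10 + i}" for i in range(6)]
    for k, t in enumerate(times):
        for i in range(4):
            obs.append(Observation(t, "cdn-site.example", "A", cdn_pool[(2 * k + i) % 12], 60))
    # flux host: 12 addresses spread over eight /27s, three per answer, plus rotating NS names
    flux_pool = [f"192.0.2.{32 * j + 5}" for j in range(8)] + [f"192.0.2.{32 * j + 9}" for j in range(4)]
    for k, t in enumerate(times):
        for i in range(3):
            obs.append(Observation(t, "flux-bad.example", "A", flux_pool[(3 * k + i) % 12], 180))
        obs.append(Observation(t, "flux-bad.example", "NS", f"ns{k % 4 + 1}.flux-bad.example", 180))
    return obs


if __name__ == "__main__":
    for qname, label in run_detector(constructed_observations()).items():
        print(f"{qname:24} {label}")
```

The point the text makes shows up in the output: the CDN-style host and the flux host both return a dozen addresses with short TTLs, and a detector that counted addresses or TTLs alone would block both. Only the spread across unrelated networks (the IP diversity the advisory recommends) separates them, and even that needs a broad view of the domain's answers over time, which a single organization's cached resolver rarely has.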
How can my network be protected against actors that use fast flux?
- This technique keeps malicious infrastructure reachable by spreading it across many IP addresses, but the domain names stay the same. A protective DNS solution should therefore block suspicious and malicious domains with a high degree of efficacy regardless of the technique the threat actor uses to keep that infrastructure online. A good measure of this ability is protection before impact: how often the protective DNS provider has already blocked a domain *before* your organization makes its first query for it.
Will I see fast flux in my network?
- Fast flux is not a common deliberate technique, although it has been reported in the last few years to be used by Russian APT actors. However, there are many legitimate uses of dynamic DNS, the fundamental mechanism behind fast flux. Because DNS responses are cached by your resolver for the lifetime of their TTL, a single organization only sees the answers returned at the moments it happens to query, so the chance of observing the rotation in your own network depends heavily on how the operation is run. In our experience it is rare, and it is mitigated by domain blocking.
What threat actor techniques should I worry about?
- The use of adtech to advance all manner of malicious activity, including the credential theft reported as initial access in major data breaches over the past year, is alarming and underreported. Threat actors are not only abusing legitimate adtech companies but also founding their own, creating an ecosystem in which the true nature of their activity is well hidden. Protective DNS providers should be aware of these trends and have strong mechanisms in place to identify and track these threat actors. While there is growing awareness of the role of adtech, specifically traffic distribution systems (TDS), in the attack chain, the domains used by these actors remain largely undetected by most major security vendors.
The recent CISA advisory on fast flux shines a light on the importance of blocking malicious activity at the DNS layer. By using protective DNS solutions, enterprises and individuals can be safeguarded from all manner of threats in a very cost-effective way. Over the past years, we blocked over 75% of all threat domains prior to the very first DNS query from our customers, with success rates exceeding 90% in most individual customer networks. Whether the actor uses fast flux, domain generation algorithms, CNAME obfuscation, or traffic distribution systems to hide their operations, we’ve got it covered.