{"id":2640,"date":"2025-04-04T19:24:50","date_gmt":"2025-04-04T19:24:50","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2640"},"modified":"2025-04-04T19:24:50","modified_gmt":"2025-04-04T19:24:50","slug":"cyber-agencies-urge-organizations-to-collaborate-to-stop-fast-flux-dns-attacks","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2640","title":{"rendered":"Cyber agencies urge organizations to collaborate to stop fast flux DNS attacks"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>IT leaders in governments, critical infrastructure providers, and businesses must work closely with their ISPs and cybersecurity providers to block a tactic increasingly being used by threat actors to hide the locations of malicious servers, says the Five Eyes intelligence partnership of countries.<\/p>\n<p>In a joint warning <a href=\"https:\/\/media.defense.gov\/2025\/Apr\/02\/2003681172\/-1\/-1\/0\/CSA-FAST-FLUX.PDF\">issued this week<\/a>, the cyber and intelligence agencies of the US, the UK, Canada, Australia, and New Zealand said the tactic, called fast flux, is \u201ca national security threat.\u201d<\/p>\n<p>Fast flux allows attackers to obfuscate the locations of malicious command and control (C2) servers by rapidly changing Domain Name System (DNS) records.<\/p>\n<p>It\u2019s \u201ca defensive gap in many networks,\u201d the report says.<\/p>\n<p>The agencies recommend that all stakeholders, both government and providers, collaborate on developing and implementing scalable solutions to close this gap.<\/p>\n<p>However, the report admits, differentiating fast flux from legitimate activity \u201cremains an ongoing challenge.\u201d For example, some common content delivery network (CDN) behaviors may look like malicious fast flux activity. 
To avoid blocking or impeding legitimate content, Protective DNS services (PDNS), service providers, and network defenders should make \u201creasonable efforts,\u201d such as allowlisting expected CDN services, the report says.<\/p>\n<p>One problem: Fast flux domains frequently cycle through tens or hundreds of IP addresses a day.<\/p>\n<h2 class=\"wp-block-heading\">Not a new tactic<\/h2>\n<p>Fast flux isn\u2019t new. A criminal network called Avalanche, believed to have been active since at least 2009, used it to operate as many as a half million infected computers to distribute 20 malware families. <a href=\"https:\/\/www.networkworld.com\/article\/958067\/major-cybercrime-network-avalanche-dismantled-in-global-takedown-2.html\">Avalanche was taken down by law enforcement agencies in 2018 after a four-year effort.<\/a> However, many organizations today are unaware of the tactic.<\/p>\n<p>Ed Dubrovsky, COO and managing partner of Cypfer, an international incident response firm, says that more IT departments and providers need to know about the tactic. But he\u2019s not sure if most ISPs and their customers, particularly firms that host their own DNS servers, are up to defending themselves.<\/p>\n<p>For example, he said in an interview, defenders have to quickly detect abnormal DNS query patterns. But most firms, even large ones, can\u2019t do that, he said. Defenders will also have to quickly integrate and digest DNS threat intelligence. 
But he also doubted that can be done with current firewalls and DNS servers.<\/p>\n<p>This is why the report urges more collaboration among ISPs, cybersecurity device manufacturers, and their customers to develop scalable solutions.<\/p>\n<p>\u201cThere\u2019s going to be a need to revamp many technologies in small and medium-sized businesses,\u201d he added. \u201cThe only organizations that might have the resources [to handle fast flux attacks] are really critical infrastructure organizations and larger businesses.\u201d<\/p>\n<h2 class=\"wp-block-heading\">How to mitigate DNS attacks<\/h2>\n<p>Fast flux is one of many types of DNS attack. But there are tactics organizations can use to <a href=\"https:\/\/www.networkworld.com\/article\/967645\/worst-dns-attacks-and-how-to-mitigate-them.html\">mitigate them<\/a>.<\/p>\n<p>In the case of fast flux, the report recommends that:<\/p>\n<p>defenders should use cybersecurity and PDNS services that detect and block fast flux. \u201cBy leveraging providers that detect fast flux and implement capabilities for DNS and IP blocking, sinkholing, reputational filtering, enhanced monitoring, logging, and collaborative defense of malicious fast flux domains and IP addresses, organizations can mitigate many risks associated with fast flux and maintain a more secure environment,\u201d says the report;<\/p>\n<p>ISPs and cybersecurity service providers, especially PDNS providers, should implement a multi-layered approach in co-ordination with customers for detection.<br \/>Tactics include: using threat intelligence feeds and reputation services to identify known fast flux domains and associated IP addresses; implementing anomaly detection systems for DNS query logs to identify domains exhibiting high entropy or IP diversity in DNS responses and frequent IP address rotations; analyzing the time-to-live (TTL) values in DNS records, because fast flux domains often have unusually low TTL values; reviewing DNS resolution for inconsistent 
geolocation;<\/p>\n<p>monitoring for signs of phishing activities, such as suspicious emails, websites, or links and correlating these with fast flux activity, and more.<\/p>\n<p>As might be expected because fast flux tries to hide C2 servers, it\u2019s linked to phishing attacks. So the advisory says all IT departments should watch for signs of phishing activity and correlate these with fast flux activity. One defensive tactic: phishing awareness training.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>IT leaders in governments, critical infrastructure providers, and businesses must work closely with their ISPs and cybersecurity providers to block a tactic increasingly being used by threat actors to hide the locations of malicious servers, says the Five Eyes intelligence partnership of countries. In a joint warning issued this week, the cyber and intelligence agencies [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2641,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2640","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2640"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2640"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2640\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2641"}],"wp:attachment":[{"href":"https:
\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2640"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2640"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2640"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}