Experts were able to track a botnet composed of more than 14,000 IP addresses, most of them originating from eastern Europe. The botnet was used both for hosting phishing websites and malware C&C servers and for carrying out automated attacks such as web scraping, SQL injection, and credential abuse using stolen credentials for popular e-commerce websites. The Fast Flux network works as a hosting provider for illegal websites.

“Fast Flux, a DNS technique first introduced in 2006 and widely associated with the Storm Worm malware variants, can be used by botnets to hide various types of malicious activities – including phishing, web proxying, malware delivery, and malware communication. The technique allows the botnet to “hide” behind an ever-changing network of compromised hosts, ultimately acting as proxies and making detection incredibly difficult.”

“The primary characteristic of the Fast Flux network is that the network constantly changes its domains, IP addresses, and nameservers.”

The Fast Flux technique was first implemented in 2016 by the Storm Worm malware variants. Threat actors implementing the Fast Flux technique host a domain using multiple IP addresses, switching the domain from one IP to another; the IP addresses are swapped in and out with extremely high frequency by changing DNS records.
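The behaviour described above (one domain cycling through many addresses via short-lived DNS records) is also what a defender can look for in resolver logs. The following is an added example, not code from the article or from the researchers it cites: it runs a simple fast-flux heuristic over a constructed sample of A-record answers. The domain names, addresses and thresholds (distinct IPs, distinct /24 networks, average TTL) are assumptions chosen for illustration, not values from the page.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass(frozen=True)
class DnsAnswer:
    """One A-record answer seen by a recursive resolver (constructed format)."""
    ts: int       # epoch seconds of the lookup
    qname: str    # queried domain
    ip: str       # address returned
    ttl: int      # TTL in seconds


@dataclass
class FluxStats:
    ips: set = field(default_factory=set)
    nets: set = field(default_factory=set)   # /24 networks the IPs fall into
    ttls: list = field(default_factory=list)

    @property
    def distinct_ips(self) -> int:
        return len(self.ips)

    @property
    def distinct_nets(self) -> int:
        return len(self.nets)

    @property
    def avg_ttl(self) -> float:
        return sum(self.ttls) / len(self.ttls)


# Constructed sample log (not from the article): "shop-login.example" answers
# with a fresh, scattered address set on every lookup and a tiny TTL, while
# "cdn.example" rotates between two stable addresses with a long TTL.
SAMPLE_LOG = [
    DnsAnswer(0,    "shop-login.example", "203.0.113.10",   120),
    DnsAnswer(0,    "shop-login.example", "198.51.100.7",   120),
    DnsAnswer(180,  "shop-login.example", "192.0.2.44",     120),
    DnsAnswer(180,  "shop-login.example", "203.0.113.99",   120),
    DnsAnswer(360,  "shop-login.example", "198.51.100.200", 120),
    DnsAnswer(360,  "shop-login.example", "192.0.2.201",    120),
    DnsAnswer(540,  "shop-login.example", "203.0.113.150",  120),
    DnsAnswer(540,  "shop-login.example", "198.51.100.33",  120),
    DnsAnswer(0,    "cdn.example",        "192.0.2.1",      3600),
    DnsAnswer(0,    "cdn.example",        "192.0.2.2",      3600),
    DnsAnswer(1800, "cdn.example",        "192.0.2.1",      3600),
    DnsAnswer(3600, "cdn.example",        "192.0.2.2",      3600),
]


def build_stats(log):
    """Aggregate answers per domain: address set, /24 spread, TTLs."""
    per = defaultdict(FluxStats)
    for a in log:
        s = per[a.qname]
        s.ips.add(a.ip)
        s.nets.add(str(ip_network(f"{a.ip}/24", strict=False)))
        s.ttls.append(a.ttl)
    return dict(per)


def is_fast_flux(stats: FluxStats, min_ips=5, min_nets=3, max_ttl=300) -> bool:
    """Heuristic (assumption, not the article's): many addresses, spread over
    several networks, each advertised only briefly. Ordinary CDNs usually trip
    at most one of these, fast-flux domains tend to trip all three."""
    return (stats.distinct_ips >= min_ips
            and stats.distinct_nets >= min_nets
            and stats.avg_ttl <= max_ttl)


def detect(log, **thresholds):
    """Return the sorted list of domains the heuristic flags."""
    return sorted(q for q, s in build_stats(log).items()
                  if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for qname, s in build_stats(SAMPLE_LOG).items():
        print(f"{qname}: ips={s.distinct_ips} nets={s.distinct_nets} "
              f"avg_ttl={s.avg_ttl:.0f}s flagged={is_fast_flux(s)}")
```

The same aggregation applies to NS answers for the "double flux" case the article alludes to (nameservers changing along with the A records); the thresholds should be tuned against a baseline of the organisation's own resolver traffic, since large CDNs also return many addresses.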