When law enforcement agencies take down a botnet or a major spam or phishing operation, the action usually consists of seizing or disabling the servers and hosting accounts behind it. To blunt such takedowns, criminals are turning to a technique called “fast flux”, which constantly changes the IP addresses that a domain name resolves to.
That is the finding of a new report from Unit 42, Palo Alto Networks' threat research team, which explains that fast flux makes criminal infrastructure more resilient: because the addresses behind a domain change every few minutes, seizing individual servers or blocklisting their IP addresses has little lasting effect.
Describing the practice, Unit 42 notes that fast flux is in principle not very different from the redundancy that legitimate service providers build in, and that the motivation is the same: keeping the service up. Legitimate operators achieve this with round-robin DNS (RRDNS), where a single name resolves to several servers in turn, or with content delivery networks (CDNs), the report said.
Cybercriminals apply the same mechanism to a pool of compromised machines. The malicious domain is published with a very short time-to-live (TTL), often a few minutes or less, and each lookup returns a different handful of bot IP addresses, so any single bot fronts the operation only briefly. By the time a defender has identified and blocked an address, the domain already points elsewhere, which is what makes blocking known IP addresses so ineffective against it.
“While more basic techniques can be easily countered, advanced techniques result in a cat-and-mouse game between cybercriminals and law enforcement,” said Unit 42.
“Double fluxing can make IP-based blocklists and host takedowns ineffective. Domain Generation Algorithm (DGA) domains make static domain blocklists and domain takeovers less effective.”
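The rotation described above, and the single- versus double-flux distinction Unit 42 draws, can be made concrete with a small scoring routine run over passive-DNS observations. The following is an added example, not code from the Unit 42 report: it measures how many distinct addresses and networks a domain's A records span, how short their TTL is, and whether the domain's own nameservers show the same churn (double flux). The log format, the sample domains and addresses (RFC 5737 documentation ranges), the use of a /24 as a stand-in for a hosting network, and the thresholds are all assumptions made for illustration.

```python
"""Heuristic fast-flux / double-flux scoring over passive-DNS observations.
Added example, not from the Unit 42 report; format, /24 proxy and thresholds
are assumptions for illustration."""
from ipaddress import ip_network

# Constructed passive-DNS observations, one per line: "ts name type ttl value".
# RFC 5737 documentation ranges stand in for three unrelated hosting networks.
PDNS_LOG = """\
# cdn.example: short TTL and several addresses, but all in one network (CDN-like)
1000 cdn.example A 60 203.0.113.1
1000 cdn.example A 60 203.0.113.2
1060 cdn.example A 60 203.0.113.3
1060 cdn.example A 60 203.0.113.4
1120 cdn.example A 60 203.0.113.5
1000 cdn.example NS 86400 ns1.cdn.example
1000 ns1.cdn.example A 86400 203.0.113.250
# pharma.example: A records rotate across unrelated networks, nameserver is stable
1000 pharma.example A 60 203.0.113.10
1000 pharma.example A 60 198.51.100.7
1060 pharma.example A 60 192.0.2.200
1060 pharma.example A 60 203.0.113.44
1120 pharma.example A 60 198.51.100.99
1000 pharma.example NS 3600 ns1.pharma.example
1000 ns1.pharma.example A 3600 192.0.2.100
# login.example: A records and nameserver addresses both rotate (double flux)
1000 login.example A 30 203.0.113.77
1000 login.example A 30 198.51.100.130
1030 login.example A 30 192.0.2.5
1030 login.example A 30 203.0.113.150
1060 login.example A 30 198.51.100.21
1000 login.example NS 60 ns1.login.example
1000 login.example NS 60 ns2.login.example
1000 ns1.login.example A 60 203.0.113.90
1060 ns1.login.example A 60 198.51.100.90
1000 ns2.login.example A 60 192.0.2.90
"""

def parse_pdns(text):
    """Parse 'ts name type ttl value' lines into (ts, name, type, ttl, value) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, name, rtype, ttl, value = line.split()
        records.append((int(ts), name.lower(), rtype.upper(), int(ttl), value.lower()))
    return records

def network_of(ip):
    """/24 stands in for the hosting network; production code would map IP -> ASN."""
    return str(ip_network(f"{ip}/24", strict=False))

def a_records(records, name):
    """All (ttl, ip) pairs observed for the A records of name."""
    return [(ttl, v) for _, n, rt, ttl, v in records if n == name and rt == "A"]

def flux_metrics(records, name):
    """Address diversity and shortest TTL of name's own A records."""
    a = a_records(records, name)
    ips = {ip for _, ip in a}
    return {"ips": len(ips),
            "networks": len({network_of(ip) for ip in ips}),
            "min_ttl": min((ttl for ttl, _ in a), default=None)}

def nameserver_metrics(records, name):
    """Same measurements for the addresses of name's NS hosts (double-flux signal)."""
    ns_hosts = {v for _, n, rt, _, v in records if n == name and rt == "NS"}
    ns_a = [rec for host in ns_hosts for rec in a_records(records, host)]
    ns_ips = {ip for _, ip in ns_a}
    return {"ns_hosts": len(ns_hosts),
            "ns_ips": len(ns_ips),
            "ns_networks": len({network_of(ip) for ip in ns_ips}),
            "ns_min_ttl": min((ttl for ttl, _ in ns_a), default=None)}

# Assumed thresholds; tune against a baseline of your own legitimate CDN traffic.
MAX_FLUX_TTL = 300       # seconds; flux records must expire quickly to rotate
MIN_FLUX_IPS = 5         # distinct addresses seen for the name
MIN_FLUX_NETWORKS = 3    # spread across unrelated networks (CDNs tend to cluster)
MIN_NS_NETWORKS = 2      # nameserver addresses spread across networks as well

def classify(records, name):
    """Return (verdict, metrics); verdict is not-flux, single-flux or double-flux."""
    a, ns = flux_metrics(records, name), nameserver_metrics(records, name)
    a_flux = (a["min_ttl"] is not None and a["min_ttl"] <= MAX_FLUX_TTL
              and a["ips"] >= MIN_FLUX_IPS and a["networks"] >= MIN_FLUX_NETWORKS)
    ns_flux = (ns["ns_min_ttl"] is not None and ns["ns_min_ttl"] <= MAX_FLUX_TTL
               and ns["ns_networks"] >= MIN_NS_NETWORKS)
    verdict = "double-flux" if a_flux and ns_flux else "single-flux" if a_flux else "not-flux"
    return verdict, {**a, **ns}

def report(records):
    """Classify every zone apex, i.e. every name that has NS records."""
    apexes = sorted({n for _, n, rt, _, _ in records if rt == "NS"})
    return {name: classify(records, name)[0] for name in apexes}

if __name__ == "__main__":
    for name, verdict in report(parse_pdns(PDNS_LOG)).items():
        print(f"{name:16} {verdict}")
```

The point of the `networks` measurement is the caveat Unit 42 itself raises: a legitimate CDN or round-robin setup also hands out short TTLs and many addresses, so TTL and address count alone produce false positives. What separates a flux pool from a CDN is that its addresses are scattered across unrelated hosting networks (compromised residential and small-business hosts), so diversity of networks, ideally of autonomous systems rather than the /24 proxy used here, is what should drive the verdict. Checking the same property on the nameservers' addresses is what distinguishes double flux, where even the authoritative servers move, from single flux.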