Glossary
What Is Fast Flux DNS?
Fast flux is a DNS technique that rapidly rotates the IP addresses associated with a hostname — sometimes every few minutes — across a large pool of compromised hosts. The hostname stays alive while the IPs underneath churn, which makes IP-based blocking ineffective and helps malicious infrastructure stay reachable.
How Fast Flux Works
An attacker controls a botnet of compromised end-user machines, each with a residential IP. The C2 domain's authoritative DNS publishes very short TTLs (often 60–300 seconds) and a rotating set of A records pointing at those bots. As soon as one bot is taken offline, the next resolution returns a different live IP. The hostname stays usable; the IPs underneath are disposable.
Single vs. Double Flux
- Single flux — only the A records rotate. The nameservers stay fixed.
- Double flux — the nameservers rotate as well. The NS records, and the A records of the nameserver hostnames, point at bots that churn just like the C2 address pool, so there is no fixed authoritative server to take down and the operation is much harder to disrupt at the DNS level.
Signs of a Fast-Flux Hostname
- Very low TTL (often 60–300 seconds).
- Many distinct A records over a short window.
- IPs spread across many ASNs, often residential. This is the key discriminator: a CDN or round-robin load balancer also publishes low TTLs and many A records, but its addresses sit in a handful of hosting ASNs.
- Passive DNS history shows each IP answering for only a short time before it is replaced by another.
- Whois on the domain often shows recent registration through abuse-tolerant registrars.
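As an added example (not part of the original glossary and not Whisper's own code), the following Python turns those signs into a check over passive-DNS observations. It counts distinct A records and ASNs per hostname inside a 24-hour window, applies illustrative thresholds (assumed here, not a published standard), and goes one step further than the list above by marking a hostname as double flux when its nameserver is itself a fluxing host. The record format, hostnames, addresses (documentation ranges) and ASNs (private-use range) are all constructed; a CDN-like host with many addresses in a single ASN is included to show why ASN spread, not address count alone, separates fast flux from legitimate round-robin.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Thresholds are illustrative assumptions for this example, not a standard.
FLUX_MAX_TTL = 300      # seconds: fast-flux zones publish very short TTLs
FLUX_MIN_ADDRS = 10     # distinct A records seen in the window
FLUX_MIN_ASNS = 5       # distinct ASNs among those addresses
WINDOW = 24 * 3600      # look-back window in seconds


@dataclass(frozen=True)
class PdnsRecord:
    """One passive-DNS observation (constructed format for this example)."""
    name: str
    rrtype: str            # "A" or "NS"
    rdata: str             # IPv4 address for A, nameserver hostname for NS
    ttl: int
    asn: Optional[int]     # ASN of the address for A records, None for NS
    ts: int                # observation time, unix seconds


def a_record_stats(records, window_end, window=WINDOW):
    """Per hostname: distinct IPs, distinct ASNs and lowest TTL for in-window A records."""
    stats = defaultdict(lambda: {"ips": set(), "asns": set(), "min_ttl": None})
    for r in records:
        if r.rrtype != "A" or not (window_end - window <= r.ts <= window_end):
            continue
        s = stats[r.name]
        s["ips"].add(r.rdata)
        s["asns"].add(r.asn)
        s["min_ttl"] = r.ttl if s["min_ttl"] is None else min(s["min_ttl"], r.ttl)
    return stats


def looks_fluxing(s):
    """All three signs together: short TTL, many addresses, many ASNs."""
    return (s["min_ttl"] is not None and s["min_ttl"] <= FLUX_MAX_TTL
            and len(s["ips"]) >= FLUX_MIN_ADDRS
            and len(s["asns"]) >= FLUX_MIN_ASNS)


def classify(records, window_end):
    """Return {hostname: summary} for names that look fast-flux in the window.

    double_flux is set when a nameserver of the hostname (NS record observed
    on the same name, a simplification) is itself a fluxing hostname.
    """
    stats = a_record_stats(records, window_end)
    ns_targets = defaultdict(set)
    for r in records:
        if r.rrtype == "NS" and window_end - WINDOW <= r.ts <= window_end:
            ns_targets[r.name].add(r.rdata)
    flagged = {}
    for name, s in stats.items():
        if not looks_fluxing(s):
            continue
        flagged[name] = {
            "addrs": len(s["ips"]),
            "asns": len(s["asns"]),
            "min_ttl": s["min_ttl"],
            "double_flux": any(ns in stats and looks_fluxing(stats[ns])
                               for ns in ns_targets.get(name, ())),
        }
    return flagged


# --- constructed sample data: documentation IP ranges, private-use ASNs ---
NOW = 1_700_000_000


def observations(name, ip_asn_pairs, ttl, start, step=200):
    """One A-record observation per (ip, asn) pair, spaced `step` seconds apart."""
    return [PdnsRecord(name, "A", ip, ttl, asn, start + i * step)
            for i, (ip, asn) in enumerate(ip_asn_pairs)]


SAMPLE = []
# C2 host: 12 addresses in 6 ASNs, TTL 120 s, seen in the last two hours
SAMPLE += observations("c2.example-flux.test",
                       [(f"203.0.113.{i}", 64512 + i % 6) for i in range(12)], 120, NOW - 7200)
# its nameserver is also a fluxing host: double flux
SAMPLE.append(PdnsRecord("c2.example-flux.test", "NS", "ns1.example-flux.test", 120, None, NOW - 7000))
SAMPLE += observations("ns1.example-flux.test",
                       [(f"198.51.100.{i}", 64520 + i % 5) for i in range(10)], 120, NOW - 7000)
# single flux: addresses churn, but the nameserver is a stable host
SAMPLE += observations("dl.example-single.test",
                       [(f"192.0.2.{i}", 64530 + i % 7) for i in range(15)], 60, NOW - 3600)
SAMPLE.append(PdnsRecord("dl.example-single.test", "NS", "ns.example-static.test", 3600, None, NOW - 3600))
SAMPLE += observations("ns.example-static.test", [("192.0.2.200", 64540)], 3600, NOW - 3600)
# CDN-like: low TTL and many addresses, but all in one hosting ASN
SAMPLE += observations("cdn.example-static.test",
                       [(f"203.0.113.{100 + i}", 64550) for i in range(12)], 60, NOW - 3600)
# a flux pool that went quiet a week ago: outside the 24 h window
SAMPLE += observations("old.example-flux.test",
                       [(f"192.0.2.{50 + i}", 64560 + i) for i in range(12)], 60, NOW - 8 * 86400)

if __name__ == "__main__":
    for host, summary in sorted(classify(SAMPLE, NOW).items()):
        print(host, summary)
```

Running it flags the C2 host as double flux, its nameserver and the single-flux host as fluxing, and leaves the CDN-like host, the stable nameserver and the week-old pool unflagged. In real passive-DNS data NS records live at the zone apex rather than on every hostname, so a production version would map each hostname to its zone before looking up its nameservers, and the thresholds should be tuned against your own baseline of legitimate low-TTL names.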
Why Fast Flux Is Hard to Stop
Blocking individual IPs does not work because the pool rotates faster than blocklists are updated, and each address is a compromised machine with no lasting tie to the operation. Blocking the hostname helps, but operators rotate hostnames too. The durable defense is to take down the domain itself, and that requires the registrar or registry to act, which is much slower than blocking IPs.
Fast Flux in Whisper
Whisper sees the rotation directly: every IP a hostname has ever resolved to, with timestamps, alongside the ASN and reputation of each IP. Analysts can ask "show me hostnames in the last 24 hours with more than 30 distinct A records across more than 5 ASNs" and surface the fast-flux operations active right now.