
Fast Flux DNS

A technique in which a fully qualified domain name has multiple IP addresses assigned to it, which are swapped with extreme frequency using a combination of round-robin IP addressing and a short Time-To-Live (TTL) for a DNS resource record. [1] [2] [3] [4]

ID: T1325
Tactic: Adversary Opsec
Version: 1.0
Created: 14 December 2017
Last Modified: 17 October 2018


Detectable by Common Defenses (Yes/No/Partial): Partial

Explanation: In general, detecting usage of fast flux DNS is difficult due to web traffic load balancing that services client requests quickly. In single-flux cases, only IP addresses change for static domain names. In double-flux cases, nothing is static. Defenders such as IPS, domain registrars, and service providers are likely in the best position for detection.
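The following is an added example, not part of the original entry: a minimal heuristic over passive-DNS A-record observations that flags names combining a short TTL with many answer addresses spread across networks, and shows why a short TTL alone (as seen with load balancing) is not enough. The sample records, the thresholds, and the use of /24 prefixes as a stand-in for network ownership are all assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed passive-DNS A-record observations: (epoch seconds, fqdn, answer IP, TTL).
# All names and addresses are documentation/test values, not real indicators.
SAMPLE = [
    (0,    "flux.example", "192.0.2.10",    120),
    (0,    "flux.example", "198.51.100.7",  120),
    (150,  "flux.example", "203.0.113.44",  120),
    (150,  "flux.example", "192.0.2.99",    120),
    (300,  "flux.example", "198.51.100.23", 120),
    (300,  "flux.example", "203.0.113.5",   120),
    (0,    "www.example",  "192.0.2.80",    3600),
    (3600, "www.example",  "192.0.2.80",    3600),
    (0,    "cdn.example",  "198.51.100.1",  60),
    (60,   "cdn.example",  "198.51.100.2",  60),
    (120,  "cdn.example",  "198.51.100.1",  60),
]

def prefix24(ip):
    """Coarse stand-in for network ownership: the IPv4 /24 prefix (assumption)."""
    return ip.rsplit(".", 1)[0]

def flux_candidates(observations, window=600, max_ttl=300, min_ips=5, min_nets=3):
    """Return {fqdn: stats} for names whose answers rotate like single flux.

    Only the first `window` seconds after a name is first seen are considered.
    Thresholds are illustrative defaults, not values from the original entry.
    """
    per_name = defaultdict(list)
    for ts, fqdn, ip, ttl in observations:
        per_name[fqdn.lower().rstrip(".")].append((ts, ip, ttl))
    flagged = {}
    for fqdn, rows in per_name.items():
        start = min(ts for ts, _, _ in rows)
        recent = [r for r in rows if r[0] - start <= window]
        ips = {ip for _, ip, _ in recent}
        nets = {prefix24(ip) for ip in ips}
        ttl = median(t for _, _, t in recent)
        # Short TTL alone also matches load balancers; require many addresses
        # spread over several networks before listing a name as a candidate.
        if ttl <= max_ttl and len(ips) >= min_ips and len(nets) >= min_nets:
            flagged[fqdn] = {"ips": len(ips), "nets": len(nets), "median_ttl": ttl}
    return flagged

if __name__ == "__main__":
    for name, stats in flux_candidates(SAMPLE).items():
        print(name, stats)
```

Names returned are candidates for review rather than confirmed fast flux, since large legitimate services can show the same pattern.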

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: Fast flux is generally simple for an adversary to set up and offers several advantages. Such advantages include limited audit trails for defenders to find, ease of operation for an adversary to maintain, and support for main nodes.


  1. Jamie Riden. (2008, August 16). HOW FAST-FLUX SERVICE NETWORKS WORK. Retrieved March 6, 2017.
  2. Misnomer. (2012, May 4). RESEARCH TO DETECTION – IDENTIFY FAST FLUX IN YOUR ENVIRONMENT. Retrieved March 6, 2017.
  3. Lohit Mehta. (2014, December 17). Fast Flux Networks Working and Detection, Part 1. Retrieved March 6, 2017.
  4. Lohit Mehta. (2014, December 23). Fast Flux Networks Working and Detection, Part 2. Retrieved March 6, 2017.