Dynamic Resolution: Fast Flux DNS

Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.[1][2][3]

The simplest, "single-flux" method, involves registering and de-registering an addresses as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.[3]

In contrast, the "double-flux" method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.

ID: T1568.001
Sub-technique of:  T1568
Platforms: Linux, Windows, macOS
Version: 1.0
Created: 11 March 2020
Last Modified: 27 March 2020

Procedure Examples

ID Name Description
S1025 Amadey

Amadey has used fast flux DNS for its C2.[4]

S0032 gh0st RAT

gh0st RAT operators have used dynamic DNS to mask the true location of their C2 behind rapidly changing IP addresses.[5]

G0045 menuPass

menuPass has used dynamic DNS service providers to host malicious domains.[6]

S0385 njRAT

njRAT has used a fast flux DNS for C2 IP resolution.[7]

G0092 TA505

TA505 has used fast flux to mask botnets by distributing payloads across multiple IPs.[8]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution.

Network Traffic Flow

In general, detecting usage of fast flux DNS is difficult due to web traffic load balancing that services client requests quickly. In single flux cases only IP addresses change for static domain names. In double flux cases, nothing is static. Defenders such as domain registrars and service providers are likely in the best position for detection.

References