Fast Flux: The Evasive DNS Tactic Now Considered a National Security Threat
In April 2025, a joint advisory from the NSA, CISA, FBI, and allied international agencies elevated a longstanding cyber evasion technique, fast flux, to the status of a national security threat. While fast flux isn’t new, its persistent use in high-impact attacks and the defensive blind spots it exposes have prompted this global call to action.

What is Fast Flux?

At its core, fast flux is a method attackers use to stay one step ahead of defenders. It works by rapidly rotating the IP addresses associated with a single domain, often every few minutes. This dynamic resolution makes malicious infrastructure, such as phishing sites or command-and-control (C2) servers, extremely hard to locate and shut down. There are two variants: single flux, which changes the IPs behind a domain, and double flux, which also rotates the DNS name servers. Both approaches rely on networks of compromised devices, often forming large botnets that serve as proxies for malicious activity.

Why Fast Flux is Back in the Spotlight

Fast flux has been part of the cybercriminal toolkit for years, but its resurgence is driven by its use in sophisticated operations. Ransomware groups like Hive and Nefilim, as well as the Gamaredon APT group, have employed fast flux to maintain operational resilience. It’s also being actively promoted by bulletproof hosting providers as a “feature” for customers looking to evade takedown efforts. The concern today is not just the technique’s persistence, but its ability to render traditional defenses ineffective. IP-based blocking, once a standard containment tactic, simply doesn’t work when the destination IP is constantly changing.

What Security Teams Should Know

The joint advisory outlines the challenges and calls on service providers and enterprises to step up detection and mitigation efforts. Key takeaways include the importance of DNS visibility, monitoring for unusual resolution patterns (such as low TTLs or high IP churn), and correlating fast flux activity with phishing and malware campaigns. Crucially, the guidance recommends using Protective DNS (PDNS) solutions to block fast flux domains before a connection is ever made. The advisory also stresses the need for better collaboration across the public and private sectors to share threat intelligence and response strategies.

A DNS-Layer Approach to Resilience

Fast flux exemplifies how attackers adapt and exploit weak points in infrastructure. The good news? Defenders can adapt too. At OpenText Cybersecurity, our DNS protection technology helps detect and block fast flux-enabled domains in real time, preventing malicious activity at the earliest possible stage. To learn more, read or download the full advisory from NSA, CISA, and international partners.
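The detection signals the advisory points to (low TTLs, high IP churn, and rotating name servers for double flux) can be checked directly against DNS resolution logs. The following Python script is an added example written for this page; it is not code from OpenText or from the advisory. It parses a small set of constructed passive-DNS style records (RFC 5737 test addresses), summarizes per-domain TTLs, distinct A-record IPs, distinct /24 networks and distinct NS names, and labels each domain as single flux, double flux, or none. The thresholds and the /24-diversity check are assumptions chosen for illustration: legitimate CDNs also use low TTLs and many IPs, so requiring address spread across several networks reduces false positives, and a production detector would tune these values and add ASN or geolocation diversity.

```python
"""Heuristic fast-flux triage over DNS resolution records (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample log: "<unix_ts> <name> <rrtype> <rdata> <ttl>" per line.
# fluxy.example rotates A records across three /24s and rotates its NS set;
# cdn-like.example has a low TTL but all IPs in one /24 (CDN-style);
# static.example has a single long-lived A record.
SAMPLE_LOG = """
1714000000 fluxy.example A 203.0.113.10 60
1714000000 fluxy.example NS ns1.fluxy.example 60
1714000120 fluxy.example A 198.51.100.7 60
1714000240 fluxy.example A 192.0.2.44 60
1714000240 fluxy.example NS ns7.fluxy.example 60
1714000360 fluxy.example A 203.0.113.200 60
1714000480 fluxy.example A 198.51.100.99 60
1714000480 fluxy.example NS ns3.fluxy.example 60
1714000600 fluxy.example A 192.0.2.9 60
1714000000 cdn-like.example A 198.51.100.20 30
1714000060 cdn-like.example A 198.51.100.21 30
1714000120 cdn-like.example A 198.51.100.22 30
1714000180 cdn-like.example A 198.51.100.23 30
1714000240 cdn-like.example A 198.51.100.24 30
1714000000 static.example A 192.0.2.1 3600
1714003600 static.example A 192.0.2.1 3600
"""


@dataclass
class Record:
    ts: int
    name: str
    rrtype: str
    rdata: str
    ttl: int


@dataclass
class DomainStats:
    a_ips: set = field(default_factory=set)     # distinct A-record addresses
    a_nets: set = field(default_factory=set)    # distinct /24 networks
    ns_names: set = field(default_factory=set)  # distinct NS targets
    min_ttl: int = 2**31 - 1
    first_seen: int = 0
    last_seen: int = 0


def parse_records(text: str) -> list:
    """Parse whitespace-separated records, skipping malformed lines."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, name, rrtype, rdata, ttl = parts
        records.append(Record(int(ts), name.lower().rstrip("."),
                              rrtype.upper(), rdata.lower().rstrip("."), int(ttl)))
    return records


def summarize(records: list) -> dict:
    """Aggregate per-domain churn and TTL statistics."""
    stats = defaultdict(DomainStats)
    for r in records:
        s = stats[r.name]
        if r.rrtype == "A":
            ip = ip_address(r.rdata)  # raises on garbage, which we want to notice
            s.a_ips.add(str(ip))
            s.a_nets.add(str(ip_network(f"{ip}/24", strict=False)))
        elif r.rrtype == "NS":
            s.ns_names.add(r.rdata)
        s.min_ttl = min(s.min_ttl, r.ttl)
        s.first_seen = r.ts if s.first_seen == 0 else min(s.first_seen, r.ts)
        s.last_seen = max(s.last_seen, r.ts)
    return dict(stats)


def classify(s: DomainStats, max_ttl=300, min_ips=5, min_nets=3, min_ns=3) -> str:
    """Assumed thresholds: low TTL plus IP spread across several networks
    marks single flux; a rotating NS set on top of that marks double flux."""
    if s.min_ttl > max_ttl:
        return "none"
    if len(s.a_ips) < min_ips or len(s.a_nets) < min_nets:
        return "none"
    if len(s.ns_names) >= min_ns:
        return "double flux"
    return "single flux"


def detect(text: str) -> dict:
    """Map each domain in the log to its fast-flux verdict."""
    return {name: classify(s) for name, s in summarize(parse_records(text)).items()}


if __name__ == "__main__":
    for domain, verdict in sorted(detect(SAMPLE_LOG).items()):
        print(f"{domain:20s} {verdict}")
```

Run against a real resolver or passive-DNS export, the same summary feeds a PDNS blocklist or a SIEM correlation rule; the useful follow-up is to join flagged domains against phishing and malware indicators, as the advisory recommends, rather than acting on churn alone.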