
Fast Flux

A DNS evasion technique used by botnets and phishing kits that rapidly rotates the A records for a hostname through hundreds of compromised IPs, often every few minutes.

Fast flux is the practice of binding a hostname to a constantly rotating set of IP addresses, usually compromised residential or small-business hosts acting as reverse proxies in front of the real C2 server. Single-flux changes only the A records (TTLs of 60-300 seconds, dozens of IPs per response). Double-flux also rotates the authoritative nameservers themselves, making takedown harder. The pattern is a strong indicator of malicious infrastructure: legitimate services almost never need to rotate IPs that aggressively. Passive DNS feeds surface fast-flux clusters by tracking IPs per name and names per IP over time.
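
The per-name and per-IP tracking described above, as an added example that is not part of the original page: a small heuristic over passive DNS observations that separates single-flux, double-flux and stable names. The tuple layout, the thresholds, and the `.example` names with documentation-range IPs are constructed assumptions.

```python
from collections import defaultdict

# Assumed thresholds for illustration; tune against your own passive DNS baseline.
MAX_TTL = 300      # upper end of the 60-300 s TTL range cited for single-flux
MIN_A_IPS = 10     # distinct A-record IPs for one name within the window
MIN_NS_HOSTS = 4   # distinct NS targets suggesting the nameserver set rotates too

def classify(observations):
    """observations: iterable of (epoch, qname, rtype, rdata, ttl) tuples."""
    a_ips, ns_hosts = defaultdict(set), defaultdict(set)
    ttls, names_per_ip = defaultdict(list), defaultdict(set)
    for _ts, name, rtype, rdata, ttl in observations:
        name = name.lower().rstrip(".")
        if rtype == "A":
            a_ips[name].add(rdata)
            ttls[name].append(ttl)
            names_per_ip[rdata].add(name)
        elif rtype == "NS":
            ns_hosts[name].add(rdata.lower().rstrip("."))
    verdicts = {}
    for name, ips in a_ips.items():
        if len(ips) >= MIN_A_IPS and max(ttls[name]) <= MAX_TTL:
            rotating_ns = len(ns_hosts[name]) >= MIN_NS_HOSTS
            verdicts[name] = "double-flux" if rotating_ns else "single-flux"
        else:
            verdicts[name] = "stable"
    # IPs serving more than one name: the "names per IP" pivot
    shared = {ip: sorted(n) for ip, n in names_per_ip.items() if len(n) > 1}
    return verdicts, shared

def sample_observations():
    """Constructed data: 12 polls, 5 minutes apart, documentation IP ranges."""
    obs = []
    for i in range(12):
        t = 1700000000 + i * 300
        obs.append((t, "flux.example.", "A", f"198.51.100.{i + 1}", 120))
        obs.append((t, "flux.example.", "NS", f"ns{i % 6}.flux.example.", 120))
        kit_ip = "198.51.100.1" if i == 0 else f"203.0.113.{i}"
        obs.append((t, "kit.example.", "A", kit_ip, 60))
        obs.append((t, "kit.example.", "NS", "ns1.kit.example.", 3600))
        obs.append((t, "www.example.", "A", "192.0.2.10", 3600))
    return obs

if __name__ == "__main__":
    verdicts, shared = classify(sample_observations())
    print(verdicts, shared)
```

The `shared` map is the pivot for clustering: an IP that fronts several flagged names links them to the same proxy pool.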
