Description
Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)
The simplest method, "single-flux", involves registering and de-registering addresses as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.(Citation: Fast Flux - Welivesecurity)
In contrast, the "double-flux" method registers and de-registers addresses as part of the DNS Name Server (NS) record list for the DNS zone, providing additional resilience for the connection. With double-flux, additional hosts can act as proxies to the C2 host, further insulating the true source of the C2 channel.
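As an added example (not from the ATT&CK page or its cited references), the single-flux and double-flux patterns described above can be scored from resolver logs: count distinct A records per name and distinct NS records per zone, and flag the ones whose records also carry short TTLs. The log format, thresholds and sample records below are constructed assumptions.

```python
"""Flag fast-flux candidates in DNS answer logs (added example, constructed data)."""
from collections import defaultdict

# Constructed resolver log, one answer per line: "name rrtype rdata ttl_seconds".
SAMPLE_LOG = """\
cdn.example.net A 203.0.113.10 86400
cdn.example.net A 203.0.113.11 86400
flux.example.org A 198.51.100.5 300
flux.example.org A 198.51.100.77 300
flux.example.org A 192.0.2.14 300
flux.example.org A 203.0.113.200 180
flux.example.org A 192.0.2.99 240
example.org NS ns1.flux.example.org 300
example.org NS ns2.flux.example.org 300
example.org NS ns3.flux.example.org 300
example.org NS ns4.flux.example.org 180
"""

def parse_log(text):
    """Parse log lines into (name, rrtype, rdata, ttl) tuples, skipping blanks."""
    records = []
    for line in text.splitlines():
        if line.strip():
            name, rrtype, rdata, ttl = line.split()
            records.append((name.lower(), rrtype.upper(), rdata.lower(), int(ttl)))
    return records

def flux_scores(records, ttl_threshold=600, min_unique=4):
    """Per name: distinct A/NS rdata counts, lowest TTL seen, and a verdict.
    Thresholds are assumed starting points: single-flux when >= min_unique distinct
    A records sit under a TTL <= ttl_threshold; double-flux when the NS set of a
    zone rotates the same way (this is a heuristic, not an ATT&CK detection rule)."""
    by_name = defaultdict(lambda: {"A": set(), "NS": set(), "ttls": []})
    for name, rrtype, rdata, ttl in records:
        if rrtype in ("A", "NS"):
            by_name[name][rrtype].add(rdata)
            by_name[name]["ttls"].append(ttl)
    results = {}
    for name, seen in by_name.items():
        min_ttl = min(seen["ttls"])
        verdict = "benign"
        if min_ttl <= ttl_threshold and len(seen["NS"]) >= min_unique:
            verdict = "double-flux candidate"
        elif min_ttl <= ttl_threshold and len(seen["A"]) >= min_unique:
            verdict = "single-flux candidate"
        results[name] = {"a_unique": len(seen["A"]), "ns_unique": len(seen["NS"]),
                         "min_ttl": min_ttl, "verdict": verdict}
    return results
```

Legitimate CDNs and load balancers also pair short TTLs with many addresses, so treat a hit as a lead for enrichment (ASN and geographic spread of the addresses, domain age) rather than a verdict.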
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used dynamic DNS service providers to host malicious domains.(Citation: District Court of NY APT... |
| G0092 | TA505 | [TA505](https://attack.mitre.org/groups/G0092) has used fast flux to mask botnets by distributing payloads across multiple IPs.(Citation: Trend Micro ... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used fast flux DNS to mask their command and control channel behind rotating IP addresses... |
Associated Software (3)
| ID | Name | Type | Context |
|---|---|---|---|
| S1025 | Amadey | Malware | [Amadey](https://attack.mitre.org/software/S1025) has used fast flux DNS for its C2.(Citation: Korean FSI TA505 2020) |
| S0032 | gh0st RAT | Malware | [gh0st RAT](https://attack.mitre.org/software/S0032) operators have used dynamic DNS to mask the true location of their C2 behind rapidly changing IP ... |
| S0385 | njRAT | Malware | [njRAT](https://attack.mitre.org/software/S0385) has used a fast flux DNS for C2 IP resolution.(Citation: Trend Micro njRAT 2018) |
References
- Mehta, L. (2014, December 17). Fast Flux Networks Working and Detection, Part 1. Retrieved March 6, 2017.
- Mehta, L. (2014, December 23). Fast Flux Networks Working and Detection, Part 2. Retrieved March 6, 2017.
- Albors, Josep. (2017, January 12). Fast Flux networks: What are they and how do they work? Retrieved March 11, 2020.
Frequently Asked Questions
What is T1568.001 (Fast Flux DNS)?
T1568.001 is a MITRE ATT&CK technique named 'Fast Flux DNS'. It belongs to the Command and Control tactic(s). Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified dom...
How can T1568.001 be detected?
Detection of T1568.001 (Fast Flux DNS) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1568.001?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1568.001?
Known threat groups using T1568.001 include: menuPass, TA505, Gamaredon Group.