What is fast flux DNS?


Fast flux DNS is a technique that a cybercriminal can use to prevent identification of his key host server's IP address. By abusing the way the domain name system works, the criminal can create a botnet with nodes that join and drop off the network faster than law enforcement officials can trace them.

Fast flux DNS takes advantage of the way load balancing is built into the domain name system. DNS allows an administrator to register a number of IP addresses with a single host name. The alternate addresses are legitimately used to distribute Internet traffic among multiple servers. Typically, the IP addresses associated with a host domain do not change very often, if at all. 

However, criminals have discovered that they can hide key servers by using a sixty-second time-to-live (TTL) setting for their DNS resource records and swapping the records' associated IP addresses in and out with extreme frequency. Because abuse of the system requires the cooperation of a domain name registrar, most fast flux DNS botnets are believed to originate in emerging countries or other countries without laws for cybercrime. 
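The two signals described above, a sixty-second TTL and an address set that keeps being swapped out, can be checked from repeated lookups of the same host name. The following is an added example, not part of the original definition; the host names, observations, `CHURN_THRESHOLD` value and function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample lookups: (unix_time, hostname, ttl_seconds, A-record IPs).
# Host names are made up; addresses come from documentation ranges (RFC 5737).
OBSERVATIONS = [
    (0,   "www.shop.example",   3600, {"192.0.2.10", "192.0.2.11"}),
    (300, "www.shop.example",   3600, {"192.0.2.11", "192.0.2.10"}),
    (600, "www.shop.example",   3600, {"192.0.2.10", "192.0.2.11"}),
    (0,   "api.lb.example",     30,   {"198.51.100.1", "198.51.100.2"}),
    (300, "api.lb.example",     30,   {"198.51.100.1", "198.51.100.2"}),
    (600, "api.lb.example",     30,   {"198.51.100.2", "198.51.100.1"}),
    (0,   "login.flux.example", 60,   {"198.51.100.7", "203.0.113.40", "192.0.2.200"}),
    (300, "login.flux.example", 60,   {"203.0.113.91", "198.51.100.23", "192.0.2.77"}),
    (600, "login.flux.example", 60,   {"198.51.100.150", "203.0.113.5", "192.0.2.131"}),
]

TTL_THRESHOLD = 60     # the sixty-second TTL the text describes
CHURN_THRESHOLD = 0.5  # assumed cut-off: more than half the records replaced per lookup

def churn(prev, curr):
    """Jaccard distance between two answer sets: 0.0 = identical, 1.0 = fully replaced."""
    union = prev | curr
    return 1 - len(prev & curr) / len(union) if union else 0.0

def score_hosts(observations):
    """Group lookups per host and flag low-TTL hosts whose address set keeps changing."""
    by_host = defaultdict(list)
    for ts, host, ttl, ips in sorted(observations, key=lambda o: (o[1], o[0])):
        by_host[host].append((ttl, set(ips)))
    report = {}
    for host, lookups in by_host.items():
        ttls = [ttl for ttl, _ in lookups]
        sets = [ips for _, ips in lookups]
        churns = [churn(a, b) for a, b in zip(sets, sets[1:])]
        mean_churn = sum(churns) / len(churns) if churns else 0.0
        report[host] = {
            "max_ttl": max(ttls),
            "distinct_ips": len(set().union(*sets)),
            "mean_churn": round(mean_churn, 2),
            "suspect": max(ttls) <= TTL_THRESHOLD and mean_churn >= CHURN_THRESHOLD,
        }
    return report

if __name__ == "__main__":
    for host, row in score_hosts(OBSERVATIONS).items():
        print(host, row)
```

The low-TTL but stable `api.lb.example` is not flagged, which is why TTL alone is a poor indicator. Content delivery networks also use short TTLs and rotating addresses, so a flagged host is a lead for further checks rather than a verdict.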

According to a white paper from the Honeypot Project, fast-flux botnets are responsible for many illegal practices, including money mule recruitment sites, phishing websites, illicit online pharmacies, extreme or illegal adult content sites, malicious browser exploit sites and Web traps for distributing malware.

Learn More:

Security expert Ed Skoudis explains how fast flux DNS can be used to create a phishing botnet.

This paper from the Honeypot Project explains how criminals have abused the domain name system to create fast flux botnet systems.

This was last updated in November 2008
Posted by: Margaret Rouse
