Home/ATT&CK Technique/Fast Flux DNS
ATT&CK Technique

Fast Flux DNS

T1568.001 · command-and-control

Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record. The simplest, "single-flux" method, involves registering and de-registering an addresses as part of the DNS A (address) record list for a single DNS name.

These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution. In contrast, the "double-flux" method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.

LinuxmacOSWindowsESXi

Actors Using This

3
russiaGamaredon Group
us_israel_joint_offensive_cyber_speculationGauss
financially_motivated_cybercrime_cloud_native_cryptojacking_specialist_german_speaking_indicatorsTeamTNT (Cloud Cryptojacking Operator)

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
execution earlier
T1559 · Inter-Process Communication ×2.14T1574.001 · DLL ×1.84T1129 · Shared Modules ×1.55T1203 · Exploitation for Client Execution ×1.43T1106 · Native API ×1.42T1574 · Hijack Execution Flow ×1.29
persistence earlier
T1133 · External Remote Services ×1.36
privilege-escalation earlier
T1068 · Exploitation for Privilege Escalation ×1.49
credential-access earlier
T1003.001 · LSASS Memory ×1.28
discovery earlier
T1010 · Application Window Discovery ×1.98
lateral-movement earlier
T1021 · Remote Services ×1.56
collection earlier
T1056 · Input Capture ×1.34
command-and-control same
T1090.001 · Internal Proxy ×1.71T1102 · Web Service ×1.66T1568 · Dynamic Resolution ×1.30

Detection Coverage

0/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) none
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin