Fast Flux Helping Hackers Hide Online
A technique called “fast flux” is making it easier for hackers to hide online and harder for defenders to stop them. US and international cybersecurity agencies have put out a warning to let organizations know this trick is a real and growing threat.
Fast flux is when cybercriminals quickly change the IP addresses connected to a website or server. They use it to hide the real location of their command-and-control (C2) servers, the systems that control malware or launch attacks. If one IP gets blocked, another one takes its place in seconds. This makes it hard to track or shut anything down.
There are two main types. Single flux changes the IP addresses tied to one domain. Double flux takes it even further by also changing the DNS servers that translate web addresses into IPs. Both methods use large networks of hacked devices, or botnets, to stay hidden and online.
Because of fast flux, blocking bad traffic with simple IP filters no longer works well. It also helps hackers run phishing sites, ransomware attacks, and online crime marketplaces without getting caught.
“The BPH provider further explained that numerous malicious activities beyond C2, including botnet managers, fake shops, credential stealers, viruses, spam mailers, and others, could use fast flux to avoid identification and blocking,” the report stated.
To fight back, agencies like the NSA, FBI, and others suggest using better tools to spot and block fast flux activity. They’re urging internet providers, cybersecurity teams, and DNS services to work together. This includes using DNS monitoring, threat intelligence, and sharing information when fast flux is detected.
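The DNS monitoring the agencies recommend comes down to watching how a domain's records behave over time: a single-flux domain rotates through many IP addresses across unrelated networks on very short TTLs, and a double-flux domain rotates its name servers too. The following is an added example, not code from the advisory or any of the agencies named above: a small heuristic detector over passive-DNS style records. The records, domain names, IPs and the thresholds are all constructed assumptions for illustration.

```python
"""Heuristic single/double fast-flux detector over passive-DNS style records."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample records: (domain, rtype, rdata, ttl). Domains and IPs are
# placeholders invented for this example, not indicators from the advisory.
RECORDS = [
    ("flux1.example", "A", "198.51.100.10", 60), ("flux1.example", "A", "203.0.113.7", 60),
    ("flux1.example", "A", "192.0.2.44", 60), ("flux1.example", "A", "198.51.100.200", 60),
    ("flux1.example", "A", "203.0.113.99", 60), ("flux1.example", "A", "192.0.2.9", 60),
    ("flux1.example", "NS", "ns1.flux1.example", 3600),
    ("flux2.example", "A", "198.51.100.11", 60), ("flux2.example", "A", "203.0.113.8", 60),
    ("flux2.example", "A", "192.0.2.45", 60), ("flux2.example", "A", "198.51.100.201", 60),
    ("flux2.example", "A", "203.0.113.100", 60),
    ("flux2.example", "NS", "ns1.flux2.example", 60), ("flux2.example", "NS", "ns2.flux2.example", 60),
    ("flux2.example", "NS", "ns3.flux2.example", 60), ("flux2.example", "NS", "ns4.flux2.example", 60),
    ("cdn.example", "A", "203.0.113.20", 30), ("cdn.example", "A", "203.0.113.21", 30),
    ("cdn.example", "A", "203.0.113.22", 30), ("cdn.example", "NS", "ns.cdn.example", 86400),
]

# Assumed thresholds (heuristic; tune against your own resolver logs).
MIN_IPS, MIN_PREFIXES, MAX_TTL, MIN_NS = 5, 3, 300, 3

def summarize(records):
    """Per domain: distinct A rdata, distinct /24 prefixes, min A TTL, distinct NS rdata, min NS TTL."""
    stats = defaultdict(lambda: {"ips": set(), "prefixes": set(), "a_ttl": None,
                                 "ns": set(), "ns_ttl": None})
    for domain, rtype, rdata, ttl in records:
        s = stats[domain]
        if rtype == "A":
            s["ips"].add(rdata)
            s["prefixes"].add(ip_network(f"{rdata}/24", strict=False))
            s["a_ttl"] = ttl if s["a_ttl"] is None else min(s["a_ttl"], ttl)
        elif rtype == "NS":
            s["ns"].add(rdata)
            s["ns_ttl"] = ttl if s["ns_ttl"] is None else min(s["ns_ttl"], ttl)
    return stats

def classify(s):
    """Single flux: many IPs spread over several prefixes on short TTLs; double flux: NS rotates too."""
    a_flux = (len(s["ips"]) >= MIN_IPS and len(s["prefixes"]) >= MIN_PREFIXES
              and s["a_ttl"] is not None and s["a_ttl"] <= MAX_TTL)
    if not a_flux:
        return "normal"
    ns_flux = len(s["ns"]) >= MIN_NS and s["ns_ttl"] is not None and s["ns_ttl"] <= MAX_TTL
    return "double-flux" if ns_flux else "single-flux"

def detect(records):
    return {domain: classify(s) for domain, s in summarize(records).items()}

if __name__ == "__main__":
    for domain, verdict in detect(RECORDS).items():
        print(f"{domain:15} {verdict}")
```

Legitimate CDNs and round-robin load balancers also use short TTLs and many IPs, which is why the check requires address spread across several prefixes rather than TTL alone; in practice you would add ASN diversity and hosting reputation before blocking anything.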
They also remind organizations not to assume their DNS providers are catching this stuff. It’s important to ask and make sure.
“[We] encourage organizations to use cybersecurity and PDNS services that detect and block fast flux,” CISA said in its advisory report.
“By leveraging providers that detect fast flux and implement capabilities for DNS and IP blocking, sinkholing, reputational filtering, enhanced monitoring, logging, and collaborative defense of malicious fast flux domains and IP addresses, organizations can mitigate many risks associated with fast flux and maintain a more secure environment.”
Fast flux isn’t new, but it’s becoming more common. If defenders don’t catch up, attackers will keep slipping through the cracks. By working together and using smarter tools, organizations can close this gap and keep their networks safer.