Skip to content

T1568.001 Fast Flux DNS

Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.123

The simplest, “single-flux” method, involves registering and de-registering an addresses as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.3

In contrast, the “double-flux” method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.

Item Value
ID T1568.001
Sub-techniques T1568.001, T1568.002, T1568.003
Tactics TA0011
Platforms Linux, Windows, macOS
Version 1.0
Created 11 March 2020
Last Modified 27 March 2020

Procedure Examples

ID Name Description
S1025 Amadey Amadey has used fast flux DNS for its C2.5
S0032 gh0st RAT gh0st RAT operators have used dynamic DNS to mask the true location of their C2 behind rapidly changing IP addresses.6
G0045 menuPass menuPass has used dynamic DNS service providers to host malicious domains.8
S0385 njRAT njRAT has used a fast flux DNS for C2 IP resolution.4
G0092 TA505 TA505 has used fast flux to mask botnets by distributing payloads across multiple IPs.7


ID Data Source Data Component
DS0029 Network Traffic Network Connection Creation