T1568.001 Fast Flux DNS
Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.123
The simplest, “single-flux” method, involves registering and de-registering an addresses as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.3
In contrast, the “double-flux” method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.
| Item | Value |
|---|---|
| ID | T1568.001 |
| Sub-techniques | T1568.001, T1568.002, T1568.003 |
| Tactics | TA0011 |
| Platforms | Linux, Windows, macOS |
| Version | 1.0 |
| Created | 11 March 2020 |
| Last Modified | 27 March 2020 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1025 | Amadey | Amadey has used fast flux DNS for its C2.5 |
| S0032 | gh0st RAT | gh0st RAT operators have used dynamic DNS to mask the true location of their C2 behind rapidly changing IP addresses.6 |
| G0045 | menuPass | menuPass has used dynamic DNS service providers to host malicious domains.8 |
| S0385 | njRAT | njRAT has used a fast flux DNS for C2 IP resolution.4 |
| G0092 | TA505 | TA505 has used fast flux to mask botnets by distributing payloads across multiple IPs.7 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0029 | Network Traffic | Network Connection Creation |
References
-
Mehta, L. (2014, December 17). Fast Flux Networks Working and Detection, Part 1. Retrieved March 6, 2017. ↩
-
Mehta, L. (2014, December 23). Fast Flux Networks Working and Detection, Part 2. Retrieved March 6, 2017. ↩
-
Albors, Josep. (2017, January 12). Fast Flux networks: What are they and how do they work?. Retrieved March 11, 2020. ↩↩
-
Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019. ↩
-
Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. ↩
-
Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020. ↩
-
Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020. ↩
-
US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020. ↩