MITRE ATT&CK Technique
Command and Control T1568.001
Description

Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name with multiple IP addresses assigned to it, which are swapped with high frequency using a combination of round robin IP addressing and a short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)

The simplest, "single-flux" method involves registering and de-registering an address as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.(Citation: Fast Flux - Welivesecurity)

In contrast, the "double-flux" method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux, additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.
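A defender-side heuristic for the pattern described above, as an added example that is not part of the ATT&CK entry: it flags names whose A record set (single-flux) or both A and NS record sets (double-flux) churn with short TTLs. The record tuple format, the `classify` function and its thresholds (a 300-second TTL ceiling matching the five-minute lifespan, five distinct values per hour) are assumptions, and the sample observations are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed passive-DNS observations: (epoch_seconds, qname, rtype, rdata, ttl).
# Addresses are from documentation ranges (RFC 5737); names use reserved domains.
def _sample():
    rows = []
    # flux.example: a new A record every 5 minutes, TTL 120 s, one stable NS
    for i in range(12):
        rows.append((i * 300, "flux.example", "A", f"198.51.100.{10 + i}", 120))
    rows.append((0, "flux.example", "NS", "ns1.stable.example", 86400))
    # dflux.example: both the A records and the NS records rotate
    for i in range(12):
        rows.append((i * 300, "dflux.example", "A", f"203.0.113.{10 + i}", 120))
        rows.append((i * 300, "dflux.example", "NS", f"ns{i}.dflux.example", 180))
    # www.example: two long-lived addresses, the ordinary round-robin case
    for i in range(12):
        rows.append((i * 300, "www.example", "A", f"192.0.2.{1 + i % 2}", 3600))
    return rows

SAMPLE = _sample()

def classify(records, window=3600, max_ttl=300, min_distinct=5):
    """Return {qname: 'single-flux' | 'double-flux'} for names whose record
    sets churn within `window` seconds. Thresholds are illustrative."""
    if not records:
        return {}
    seen = defaultdict(lambda: {"A": (set(), []), "NS": (set(), [])})
    start = min(r[0] for r in records)
    for ts, qname, rtype, rdata, ttl in records:
        if rtype in ("A", "NS") and ts - start < window:
            values, ttls = seen[qname.lower().rstrip(".")][rtype]
            values.add(rdata)
            ttls.append(ttl)

    def churns(values, ttls):
        # Many distinct values AND short TTLs; either alone is common and benign.
        return len(values) >= min_distinct and median(ttls) <= max_ttl

    verdicts = {}
    for qname, by_type in seen.items():
        if churns(*by_type["A"]):
            verdicts[qname] = "double-flux" if churns(*by_type["NS"]) else "single-flux"
    return verdicts

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Content delivery networks also combine short TTLs with many addresses, so a hit from this heuristic is a lead for triage (for example, checking how many unrelated networks the addresses fall in) rather than a verdict.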

Supported Platforms
Linux, macOS, Windows, ESXi
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2020-03-11T14:11:16.560Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may use Fast Flux DNS to hide a command and '
                'control channel behind an array of rapidly changing IP '
                'addresses linked to a single domain resolution. This '
                'technique uses a fully qualified domain name, with multiple '
                'IP addresses assigned to it which are swapped with high '
                'frequency, using a combination of round robin IP addressing '
                'and short Time-To-Live (TTL) for a DNS resource '
                'record.(Citation: MehtaFastFluxPt1)(Citation: '
                'MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)\n'
                '\n'
                'The simplest, "single-flux" method, involves registering and '
                'de-registering an addresses as part of the DNS A (address) '
                'record list for a single DNS name. These registrations have a '
                'five-minute average lifespan, resulting in a constant shuffle '
                'of IP address resolution.(Citation: Fast Flux - '
                'Welivesecurity)\n'
                '\n'
                'In contrast, the "double-flux" method registers and '
                'de-registers an address as part of the DNS Name Server record '
                'list for the DNS zone, providing additional resilience for '
                'the connection. With double-flux additional hosts can act as '
                'a proxy to the C2 host, further insulating the true source of '
                'the C2 channel.',
 'external_references': [{'external_id': 'T1568.001',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1568/001'},
                         {'description': 'Mehta, L. (2014, December 17). Fast '
                                         'Flux Networks Working and Detection, '
                                         'Part 1. Retrieved March 6, 2017.',
                          'source_name': 'MehtaFastFluxPt1',
                          'url': 'https://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-1/#gref'},
                         {'description': 'Mehta, L. (2014, December 23). Fast '
                                         'Flux Networks Working and Detection, '
                                         'Part 2. Retrieved March 6, 2017.',
                          'source_name': 'MehtaFastFluxPt2',
                          'url': 'https://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-2/#gref'},
                         {'description': 'Albors, Josep. (2017, January 12). '
                                         'Fast Flux networks: What are they '
                                         'and how do they work?. Retrieved '
                                         'March 11, 2020.',
                          'source_name': 'Fast Flux - Welivesecurity',
                          'url': 'https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/'}],
 'id': 'attack-pattern--29ba5a15-3b7b-4732-b817-65ea8f6468e6',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'command-and-control'}],
 'modified': '2025-10-24T17:48:33.501Z',
 'name': 'Fast Flux DNS',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Windows', 'ESXi'],
 'x_mitre_version': '1.1'}
Related Threat Actors (3)
TA505
High

menuPass
High

Gamaredon Group
High