Fast flux: a national security threat

The intent of this guidance is to help organisations understand and mitigate fast flux — a malicious cyber technique that enables persistent, evasive infrastructure often used by state and criminal actors.

4 April 2025

The National Cyber Security Centre (NCSC) and international partners are warning against a malicious cyber technique known as fast flux, which presents an ongoing and serious threat to network security. Many organisations have gaps in their defences when it comes to detecting and blocking this activity.

Fast flux enables cyber actors to consistently evade detection and is used by nation-state actors and cyber criminals to hide the locations of malicious servers by rapidly changing Domain Name System (DNS) records.

This technique also allows malicious actors to create resilient, highly available command and control (C2) infrastructure, which conceals their subsequent malicious operations. This resilient and fast-changing infrastructure makes tracking and blocking malicious activities that use fast flux more difficult.

This advisory warns organisations, internet service providers (ISPs), and cyber security service providers (CSPs) of the ongoing threat posed by fast flux-enabled malicious activity, and highlights a common gap in network defences against it.

We encourage ISPs and CSPs — especially Protective DNS (PDNS) providers — to help mitigate this threat by developing accurate and reliable fast flux detection analytics and blocking these activities for their customers.

This advisory also provides guidance on detecting and mitigating fast flux by using a multi-layered approach that combines DNS analysis, network monitoring, and threat intelligence to protect networks from fast flux operations.
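To make the DNS analysis layer concrete, the following Python example is an addition to this page and is not taken from the advisory. It flags names whose answers rotate across many unrelated networks within a short window. The record layout, the thresholds, the use of TTL as a signal, and the use of /16 prefixes as a stand-in for network ownership are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median
import ipaddress

# Assumed thresholds for illustration; tune against your own DNS baseline.
WINDOW_S = 3600        # look-back window in seconds
MIN_IPS = 5            # distinct A-record IPs seen within the window
MIN_NETS = 4           # distinct /16 networks (rough stand-in for ASN diversity)
MAX_MEDIAN_TTL = 300   # seconds

def flux_candidates(records, now):
    """records: iterable of (epoch_seconds, qname, ipv4, ttl) from resolver logs."""
    by_name = defaultdict(list)
    for ts, qname, ip, ttl in records:
        if 0 <= now - ts <= WINDOW_S:
            by_name[qname.lower().rstrip(".")].append((ip, ttl))
    flagged = {}
    for qname, answers in by_name.items():
        ips = {ip for ip, _ in answers}
        nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
        med_ttl = median(ttl for _, ttl in answers)
        # Requiring network diversity keeps a single-provider CDN pool from matching.
        if len(ips) >= MIN_IPS and len(nets) >= MIN_NETS and med_ttl <= MAX_MEDIAN_TTL:
            flagged[qname] = {"ips": len(ips), "nets": len(nets), "median_ttl": med_ttl}
    return flagged

# Constructed sample data using reserved/documentation ranges, not real indicators.
NOW = 1_700_003_600
SAMPLE = (
    # Rotating answers spread over unrelated networks with short TTLs.
    [(NOW - 600 * i, "flux.example.", ip, 60) for i, ip in enumerate(
        ["192.0.2.10", "198.51.100.7", "203.0.113.9", "100.64.3.4", "198.18.5.6", "10.9.8.7"])]
    # CDN-like name: many addresses and short TTLs, but a single network.
    + [(NOW - 300 * i, "cdn.example.", f"203.0.113.{i + 1}", 30) for i in range(8)]
    # Stable name: one address, long TTL.
    + [(NOW - 900 * i, "www.example.", "192.0.2.80", 86400) for i in range(4)]
    # Flux-like answers older than the window are ignored.
    + [(NOW - 7200 - i, "old.example.", f"198.{i}.0.1", 60) for i in range(6)]
)

if __name__ == "__main__":
    for name, stats in flux_candidates(SAMPLE, NOW).items():
        print(name, stats)
```

A match is a candidate for review, not a verdict: legitimate multi-provider load balancing can also trip these thresholds, so pair the result with threat intelligence and an allowlist of known services.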

The authoring agencies recommend that government and critical infrastructure organisations address this ongoing gap by using cyber security and PDNS services that block malicious fast flux activity.

By implementing robust detection and mitigation strategies, organisations can significantly reduce their risk of compromise from fast flux-enabled threats.

Fast Flux: A National Security Threat | Cybersecurity and Infrastructure Security Agency