{
	"id": "2eb18f6d-2530-4787-8fdb-56dfc9ce6dac",
	"created_at": "2026-04-06T00:06:50.818316Z",
	"updated_at": "2026-04-10T03:35:59.541512Z",
	"deleted_at": null,
	"sha1_hash": "02102d1ac7e0d67b5e8ffbc13e0605b363ea2cc5",
	"title": "Fast Flux networks: What are they and how do they work?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49330,
	"plain_text": "Fast Flux networks: What are they and how do they work?\r\nBy Josep Albors\r\nArchived: 2026-04-05 21:36:38 UTC\r\nThe term Fast Flux can refer to networks used by several botnets to hide the domains used to download malware or host phishing websites, says Josep Albors.\r\n12 Jan 2017, 4 min. read\r\nAfter the Avalanche network was dismantled, we found that it had been using a Fast Flux network, and this is not the first time we have seen this kind of scenario. This type of network has been around for several years now and is a real headache when it comes to dismantling a botnet built on this structure.\r\nLet’s start at the beginning.\r\nWhat is a Fast Flux network and how does it work?\r\nThe term Fast Flux can refer to networks used by several botnets to hide the domains used to download malware or host phishing websites. It can also refer to a P2P-like network used to host the command and control (C\u0026C) servers, or the proxies in front of them, that these botnets rely on, making them difficult to find and even more difficult to dismantle.\r\nThe basic concept of a Fast Flux network is having multiple IP addresses associated with a domain name and constantly changing them in quick succession. In the case of Avalanche, for example, more than 800,000 malicious domains used by the criminals have been discovered since it appeared in 2009, with the IP addresses behind them changing in periods as short as five minutes, so that repeated requests for the same attacker-controlled website were answered by different machines.\r\nMost of the machines that make up this type of network do not actually host the malicious content served to victims. That task is reserved for a few machines that act as the real content servers; the rest simply act as redirectors that mask the addresses of those criminal-controlled systems.\r\nTo complicate matters further, criminals ensure that the critical systems in their network have the highest possible availability and bandwidth, and even deploy load balancing to handle all of the download requests generated by their victims’ systems. Another common practice is to check the status of the network at regular intervals in order to discard nodes that have become unreachable and to confirm that the malicious content is still online and being downloaded.\r\nhttps://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/\r\nTypes of Fast Flux networks\r\nThere are two main types of Fast Flux networks:\r\n1. Single Flux networks\r\nA Single Flux network is characterized by many individual nodes registering and deregistering their IP addresses as the DNS A (address) records of a single domain name. These records have a very short time to live (TTL), around five minutes on average, so successive lookups of the same domain return a constantly changing set of IP addresses.\r\nThe large number of nodes ready to register their IP addresses ensures that when one or more of them drop out, others quickly take their place. Moreover, the domains are usually registered or hosted with so-called “bulletproof” providers, which ensures that takedown orders from law enforcement agencies for those domains are ignored.\r\n2. 
Double Flux networks\r\nThis type of network uses components and methods for establishing connections between the victim’s system and the criminals’ systems that are similar to the previous one, but it is more sophisticated in that it adds a further layer that makes it harder to locate the machine actually serving the malware: not only the A records but also the domain’s authoritative name servers (its NS records) are fluxed, so the name servers themselves change as rapidly as the addresses they hand out.\r\nIn this case, zombie computers that are part of the botnet are used as proxies, so the victim never interacts directly with the servers hosting and serving the malware, which makes those servers difficult to locate. Essentially, it is an additional concealment measure that criminals use to keep their infrastructure running for longer.\r\nDetecting Fast Flux networks\r\nWhen news of the Avalanche takedown first broke, it may have surprised some users to learn that this botnet had actually been active since 2009. And while more than six years is clearly a long time for a botnet of this nature to be active, it must be understood that its very design made investigating it difficult.\r\nIt is relatively easy for a criminal to set up infrastructure using Fast Flux networks, which are difficult to trace and use many nodes to mislead investigators. Differences in national laws hinder these investigations even further: the legal regulations of several countries usually apply, so the law enforcement agencies of those countries have to reach an agreement before action can be taken.\r\nThe constant change of the IP addresses used and the continuous generation of thousands of domain names by domain generation algorithms (DGAs) do not help investigators either. They have to spend a lot of time analyzing the lifespans of each connection established with the botnet.
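The lifespan analysis described above is in practice carried out over passive-DNS observations: for each domain, how many addresses it resolved to, how many unrelated networks those addresses sit in, how short the TTL was, how often the answer set changed between lookups, and whether the NS records changed as well (the Double Flux marker). The Python block below is an added example written for this page; it is not code from the original article, from ESET or from the Avalanche investigation. The observations, domain names and addresses are constructed, the /16 prefix is used as a rough stand-in for an IP-to-ASN lookup, and the thresholds are illustrative values chosen for the example, not figures from the article or any published study.

```python
from collections import defaultdict
from ipaddress import ip_network


def snapshots(qname, rrtype, ttl, series):
    # Expand [(ts, [rdata, ...]), ...] into (ts, qname, rrtype, rdata, ttl) tuples.
    return [(ts, qname, rrtype, rdata, ttl) for ts, answers in series for rdata in answers]


# Constructed passive-DNS observations (not real data): the answers seen for each
# domain at successive lookups, with the TTL the authoritative server returned.
OBSERVATIONS = (
    # one stable address and a long TTL
    snapshots('benign.example', 'A', 86400,
              [(0, ['203.0.113.10']), (300, ['203.0.113.10']), (600, ['203.0.113.10'])])
    + snapshots('benign.example', 'NS', 86400,
                [(0, ['ns1.hoster.example']), (600, ['ns1.hoster.example'])])
    # short TTL and changing addresses, but all inside one provider's prefix
    + snapshots('cdn.example', 'A', 60,
                [(0, ['198.51.100.1', '198.51.100.2']), (60, ['198.51.100.3', '198.51.100.4'])])
    + snapshots('cdn.example', 'NS', 86400,
                [(0, ['ns1.cdn.example']), (60, ['ns1.cdn.example'])])
    # A records rotate every five minutes across unrelated networks, NS records stable
    + snapshots('single-flux.example', 'A', 300, [
        (0, ['192.0.2.11', '198.18.4.7']), (300, ['203.0.113.40', '100.64.9.2']),
        (600, ['198.51.100.77', '192.0.2.200']), (900, ['198.19.1.1', '100.65.3.3']),
        (1200, ['203.0.113.99', '198.18.77.5'])])
    + snapshots('single-flux.example', 'NS', 86400,
                [(0, ['ns1.bulletproof.example']), (1200, ['ns1.bulletproof.example'])])
    # both the A records and the name servers rotate
    + snapshots('double-flux.example', 'A', 180, [
        (0, ['192.0.2.5', '198.51.100.5']), (300, ['203.0.113.5', '198.18.0.5']),
        (600, ['100.64.0.5', '192.0.2.6'])])
    + snapshots('double-flux.example', 'NS', 180, [
        (0, ['ns-a.double-flux.example', 'ns-b.double-flux.example']),
        (300, ['ns-c.double-flux.example', 'ns-d.double-flux.example']),
        (600, ['ns-e.double-flux.example', 'ns-f.double-flux.example'])])
)

# Illustrative thresholds chosen for this example; tune them on labelled data.
MAX_FLUX_TTL = 300      # seconds; flux domains keep the TTL short so changes take effect fast
MIN_FLUX_IPS = 5        # distinct addresses seen in the observation window
MIN_FLUX_PREFIXES = 3   # distinct /16 prefixes, a rough stand-in for distinct networks
MIN_CHURN = 0.5         # fraction of lookups whose answer set differed from the previous one


def group_by_domain(observations):
    # qname -> rrtype -> time-ordered list of (ts, rdata, ttl)
    grouped = defaultdict(lambda: defaultdict(list))
    for ts, qname, rrtype, rdata, ttl in sorted(observations):
        grouped[qname][rrtype].append((ts, rdata, ttl))
    return grouped


def churn(records):
    # Fraction of consecutive lookups at which the set of answers changed.
    by_ts = defaultdict(set)
    for ts, rdata, _ttl in records:
        by_ts[ts].add(rdata)
    series = [by_ts[ts] for ts in sorted(by_ts)]
    if len(series) < 2:
        return 0.0
    changes = sum(1 for prev, cur in zip(series, series[1:]) if prev != cur)
    return changes / (len(series) - 1)


def domain_features(records_by_type):
    a_records = records_by_type.get('A', [])
    ns_records = records_by_type.get('NS', [])
    ips = {rdata for _ts, rdata, _ttl in a_records}
    # IPv4 only here; a real pipeline would map each address to its ASN instead of a /16.
    prefixes = {str(ip_network(ip + '/16', strict=False)) for ip in ips}
    return {
        'n_ips': len(ips),
        'n_prefixes': len(prefixes),
        'min_ttl': min((ttl for _ts, _rdata, ttl in a_records), default=None),
        'a_churn': churn(a_records),
        'n_ns': len({rdata for _ts, rdata, _ttl in ns_records}),
        'ns_churn': churn(ns_records),
    }


def classify(features):
    single = (features['n_ips'] >= MIN_FLUX_IPS
              and features['n_prefixes'] >= MIN_FLUX_PREFIXES
              and features['min_ttl'] is not None
              and features['min_ttl'] <= MAX_FLUX_TTL
              and features['a_churn'] >= MIN_CHURN)
    if not single:
        return 'not flux'
    # Double Flux: the authoritative name servers rotate too, not just the A records.
    if features['n_ns'] >= 2 and features['ns_churn'] >= MIN_CHURN:
        return 'double flux'
    return 'single flux'


def classify_all(observations):
    return {qname: classify(domain_features(types))
            for qname, types in group_by_domain(observations).items()}


if __name__ == '__main__':
    for qname, verdict in sorted(classify_all(OBSERVATIONS).items()):
        print(qname, verdict)
```

Running the block prints one verdict per domain. The cdn.example entry shows why IP churn alone is not enough: a content delivery network also rotates addresses behind a short TTL, but within one provider's address space, whereas a Single Flux domain spreads its addresses across unrelated networks and a Double Flux domain rotates its NS records as well. In a real pipeline the /16 heuristic should be replaced by an IP-to-ASN lookup and the thresholds tuned against known-good and known-bad domains, since hosting providers and legitimate load balancers can otherwise trip the same rules.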
Investigators also have to obtain information from ISPs that are not always willing to collaborate, and analyze innumerable domain registrar logs to find and filter any malicious activity that could give them a valid trail to the botnet’s command and control centers.\r\nThat is why these types of investigations tend to drag on for years. Even a simple bureaucratic oversight could cause a whole operation to fail and give those responsible for these criminal activities a chance to escape.\r\nAs users, the main thing we must ensure is that our systems are not part of one of these networks managed by cybercriminals, acting as redirectors or proxies for their content. Therefore, it is crucial to keep our systems and applications updated, to always keep antivirus software up to date, and to check cyber security blogs regularly to be aware of threats like this and how to detect them.\r\nSource: https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/"
	],
	"report_names": [
		"fast-flux-networks-work"
	],
	"threat_actors": [
		{
			"id": "bc289ba8-bc61-474c-8462-a3f7179d97bb",
			"created_at": "2022-10-25T16:07:24.450609Z",
			"updated_at": "2026-04-10T02:00:04.996582Z",
			"deleted_at": null,
			"main_name": "Avalanche",
			"aliases": [],
			"source_name": "ETDA:Avalanche",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434010,
	"ts_updated_at": 1775792159,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/02102d1ac7e0d67b5e8ffbc13e0605b363ea2cc5.pdf",
		"text": "https://archive.orkl.eu/02102d1ac7e0d67b5e8ffbc13e0605b363ea2cc5.txt",
		"img": "https://archive.orkl.eu/02102d1ac7e0d67b5e8ffbc13e0605b363ea2cc5.jpg"
	}
}