Fast Flux

From DNSSeal Wiki
Recommendation: Caution
Summary: Changing DNS resource records frequently
Outcome: Enables illegal activity but also used in normal transactions
Addressed by ICANN Policy: N
Addressed by Legislation: N
Related to: Botnet Attacks, Malware, Phishing, Spam, DNS

Fast Flux, or Fast Flux Hosting, is a "technical practice"[1] that involves changing DNS resource records by setting short time to live parameters and then frequently updating these records. Using round-robin techniques, the user is also able to use multiple IP addresses for the same site.[2] If used for unsavory purposes, the IP addresses are usually associated with a bot network or botnet of compromised computers that are used as web hosts or to redirect unsuspecting people to other corrupted sites or servers.[3] This technique can allow criminals to stay one step ahead of law enforcement, but variations on fast flux behavior can also be used for legal purposes by high traffic sites to manage the higher server load or for mobile servers.[4]

There are multiple types of fast flux hosting, including single-flux and double-flux hosting.[5] Double-flux hosting occurs when "both the NS records (authoritative name server for the domain) and A records (web serving host or hosts for the target) are regularly changed."[5]
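The distinction above can be checked from a monitoring point of view. The following is an added example, not part of the original article or any cited report: it compares successive DNS observations of a domain and labels it by whether the A record set, the name server addresses, or both keep changing. The thresholds, the Snapshot type, the function names and the sample observations (documentation address ranges) are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Thresholds are assumptions for illustration, not values from the article.
SHORT_TTL = 300      # seconds; upper bound for a "short" time to live
MIN_DISTINCT = 5     # distinct addresses seen across the observation window

@dataclass(frozen=True)
class Snapshot:
    """One resolution of a domain at a point in time."""
    ttl: int
    a_records: frozenset   # addresses returned for the A query
    ns_addrs: frozenset    # addresses of the authoritative name servers

def churn(sets):
    """Return (distinct members overall, snapshot-to-snapshot changes)."""
    distinct = set().union(*sets)
    changes = sum(1 for prev, cur in zip(sets, sets[1:]) if prev != cur)
    return len(distinct), changes

def classify(snapshots):
    """Label observed behaviour; the result is a triage hint, not a verdict."""
    if len(snapshots) < 2:
        return "insufficient-data"
    short_ttl = max(s.ttl for s in snapshots) <= SHORT_TTL
    a_distinct, a_changes = churn([s.a_records for s in snapshots])
    ns_distinct, ns_changes = churn([s.ns_addrs for s in snapshots])
    # Round-robin over a fixed pool reorders answers but keeps the same set,
    # so it produces no changes here and is not counted as flux.
    a_flux = short_ttl and a_changes > 0 and a_distinct >= MIN_DISTINCT
    ns_flux = ns_changes > 0 and ns_distinct >= MIN_DISTINCT
    if a_flux and ns_flux:
        return "double-flux-candidate"
    if a_flux:
        return "single-flux-candidate"
    return "stable"

def _ips(prefix, start, n):
    return frozenset(f"{prefix}.{i}" for i in range(start, start + n))

# Constructed observations using documentation address ranges (RFC 5737).
ROUND_ROBIN = [Snapshot(60, _ips("192.0.2", 1, 4), _ips("198.51.100", 1, 2))] * 4
SINGLE_FLUX = [Snapshot(180, _ips("203.0.113", 10 * i, 3), _ips("198.51.100", 1, 2))
               for i in range(1, 5)]
DOUBLE_FLUX = [Snapshot(180, _ips("203.0.113", 10 * i, 3), _ips("198.51.100", 10 * i, 2))
               for i in range(1, 5)]
```

Because high traffic sites also use short TTLs and changing addresses for legitimate reasons, a "candidate" label from this kind of check only marks a domain for closer review.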

Public Perception

While the public perception of fast flux hosting often borders on the negative, due to its association with such practices as phishing, spamming, spreading malware, or pirating illegal content,[4][6] the technical elements involved in fast flux, such as short time to live (TTL) for DNS records or changing IP addresses, can have legitimate purposes.[4]


The outcome of fast flux hosting remains ambiguous for many users. However, because it makes many illegal practices more difficult to shut down, it can contribute to users' feelings of insecurity on the web.

Historical Use

  • Fast flux or double flux networks have been associated with malware and illegal practices such as spamming, phishing, and creating botnets.[4] They can be incredibly hard to shut down, especially double-flux networks.[5]
  • .hk and .info domain registrations are more commonly involved in fast-flux networks, though other TLDs have also been used.[2]
  • According to an SSAC report on fast flux behavior, "A considerable number of compromised hosts used in such attacks are PCs connected to residential broadband services," possibly due to the relative lack of sophisticated security.[7]

ICANN Policy

  • The GNSO's Fast Flux Working Group (FFWG) was assigned to look into fast flux behaviors in addition to the Registration Abuse Policies Working Group (RAPWG). The FFWG concluded that fast flux is a "technical practice with both benign and malicious applications, and that most criminal fast-flux hosting did not involve any changes of registration records."[1][4]
  • Additionally, there was disagreement as to whether fast flux falls under ICANN's authority or should be addressed by different agencies or means.[1]
  • The FFWG draft report found "that key components to better understanding of fast flux include data collection, DNS monitoring, and data sharing among various parties (e.g., registries, registrars, ISPs, and security service providers)."[4] Other recommendations included creating best policy practices, creating a fast flux data reporting system, and giving registrars the authority to suspend suspected fast-flux hosts.[4]
  • ICANN has not developed any subsequent policies regarding fast flux hosting.


At this time, there is no U.S. legislation addressing fast flux hosting. However, fast flux hosting is often associated with activities which are addressed by legislation, like phishing, spamming, illegitimate pharmacies, or illegal adult content.[6]

DNS Award

Awardees do not use fast flux to perpetrate or conceal illegal or abusive activity.

Additional Resources

Related Articles


  1. Working Group Final Report; Submitted on: 29 May 2010 (PDF), Generic Names Supporting Organization
  2. HOW FAST-FLUX SERVICE NETWORKS WORK (August 16, 2008), The Honeynet Project
  3. Thinking fast-flux: New bait for advanced phishing tactics by Ed Skoudis, SearchSecurity (TechTarget)
  4. Final Report of the GNSO Fast Flux Hosting Working Group (PDF), August 6, 2009, ICANN
  5. REAL WORLD FAST-FLUX EXAMPLES (August 16, 2008), The Honeynet Project
  6. Definition: Fast Flux DNS by Margaret Rouse (November 2008),
  7. SAC 025: SSAC Advisory on Fast Flux Hosting and DNS (PDF), ICANN Security and Stability Advisory Committee