Fast Flux

Fast Flux, or Fast Flux Hosting, is a "technical practice" that involves changing DNS resource records by setting short time to live parameters and then frequently updating these records. Using round-robin techniques, the user is also able use multiple IP addresses for the same site. If used for unsavory purposes, the IP addresses are usually associated with a bot network or botnet of compromised computers that are used as web hosts or to redirect unsuspecting people to other corrupted sites or servers. This technique can allow criminals to stay one step ahead of law enforcement, but variations on fast flux behavior can also be used for legal purposes by high traffic sites to manage the higher server load or for mobile servers.

There are multiple types of fast flux hosting, including single-flux and double-flux hosting. Double-flux hosting occurs when "both the NS records (authoritative name server for the domain) and A records (web serving host or hosts for the target) are regularly changed."

Public Perception
While the public perception of fast flux hosting often boarders on the negative, due to its association with such practices as phishing, spamming, spreading malware, or pirating illegal content, the technical elements involved in fast flux, such as short time to live (TTL) for DNS records or changing IP addresses can have legitimate purposes.

Outcome
The outcome of fast flux hosting remains ambiguous for many users. However, because it makes many illegal practices more difficult to shut down, it can contribute to users' feelings of insecurity on the web.

Historical Use

 * Fast flux or double flux networks have been associated with malware and illegal practices such as spamming, phishing, and creating botnets. They can be incredibly hard to shut down, especially double-flux networks.
 * .hk and .info domain registrations are more commonly involved in fast-flux networks though other TLDs have also been used.
 * According to an SSAC report on fast flux behavior, "A considerable number of compromised hosts used in such attacks are PCs connected to residential broadband services," possibly due to the relative lack of sophisticated security.

ICANN Policy

 * The GNSO's Fast Flux Working Group (FFWG) was assigned to look into fast flux behaviors in addition to the Registration Abuse Policies Working Group (RAPWG). The FFWG concluded that fast flux is a "technical practice with both benign and malicious applications, and that most criminal fast-flux hosting did not involve any changes of registration records."
 * Additionally, there was disagreement as to whether fast flux falls under ICANN's authority or should be addressed by different agencies or means.
 * According to the FFWG draft report, they found "that key components to better understanding of fast flux include data collection, DNS monitoring, and data sharing among various parties (e.g., registries, registrars, ISPs, and security service providers)." Other recommendations included creating best policy practices, creating a fast flux data reporting system, and giving registrars the authority to suspend suspected fast-flux hosts.
 * ICANN has not developed any subsequent policies regarding fast flux hosting.

Legislation
At this time, there is no U.S. legislation addressing fast flux hosing. However, fast flux hosting is often associated with activities which are addressed by legislation, like phishing, spamming, illegitimate pharmacies, or illegal adult content.

DNS Award
Awardees do not use fast flux to perpetrate or conceal illegal or abusive activity.

Additional Resources

 * Read the SSAC Report on Fast Flux
 * View the FFWG's Final Draft Report on Fast Flux, including its recommendations regarding further steps
 * Read the 2010 RAPWG Report, which partially addresses fast flux
 * See Real World Examples of Fast Flux Changes to A Records and NS Records

Related Articles

 * Botnet Attacks
 * DNS
 * Malware
 * Phishing
 * Spam
 * SSAC