title: Fast Flux DNS (T1568.001)
id: df00tech-t1568-001
status: experimental
description: "Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name with multiple IP addresses assigned to it, swapped with high frequency using a combination of round-robin IP addressing and short Time-To-Live (TTL) DNS records. The simplest 'single-flux' method involves registering and de-registering addresses as part of the DNS A record list, with an average lifespan of five minutes per IP. The 'double-flux' method additionally rotates the DNS Name Server (NS) records for the zone, providing additional resilience by allowing additional hosts to act as proxies to the true C2 host. Real-world users of this technique include Amadey malware, TA505, gh0st RAT operators, njRAT, menuPass (APT10), and Gamaredon Group."
references:
  - https://attack.mitre.org/techniques/T1568/001/
  - https://df00tech.com/detections/T1568.001
author: df00tech
date: 2026/03/13
tags:
  - attack.t1568.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Content Delivery Networks (Cloudflare, Akamai, AWS CloudFront, Fastly, Azure CDN) legitimately return many different IPs via anycast geo-routing — filter by known CDN domain suffixes or IP ranges"
  - "Global load-balanced SaaS services (Microsoft 365, Google Workspace, Zoom, Salesforce) return different IPs per geographic region — allowlist by domain suffix"
  - "Active/passive DNS failover configurations tested during disaster recovery drills — coordinate with network operations for change window exclusions"
  - "Internal DNS round-robin for on-premises load-balanced applications with multiple backend nodes — document and allowlist by internal domain name"
  - "Security research sinkholes — multiple decommissioned botnet C2 domains may resolve to sinkhole IPs operated by different vendors, appearing as high IP diversity"
level: high
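One way to implement the detection logic the placeholder above leaves open, as an added Python example that is not part of the df00tech rule or any vendor query: it scores passive-DNS resolution records for the single-flux signal (many distinct A answers, all under a short TTL) and the double-flux signal (the enclosing zone's NS set rotating as well), and skips the CDN and internal names listed under falsepositives. The log line shape, the allowlist suffixes, the thresholds and the sample records are all assumptions.

```python
# Fast-flux heuristic over passive-DNS records. Added example, not df00tech's code or rule logic.
# Assumed log shape: "<qname> <rtype> <rdata> <ttl_seconds>" per line; thresholds are illustrative.
from collections import defaultdict

# Allowlist from the rule's falsepositives: CDN suffixes plus an assumed internal zone name.
ALLOWLIST_SUFFIXES = ("cloudfront.net", "akamaiedge.net", "fastly.net", "azureedge.net", "corp.example")

# Constructed sample records using documentation IP ranges, not real telemetry.
SAMPLE_LOG = """\
update.flux-example.test A 198.51.100.10 60
update.flux-example.test A 203.0.113.22 60
update.flux-example.test A 192.0.2.45 120
flux-example.test NS ns1.flux-example.test 60
flux-example.test NS ns7.flux-example.test 60
d1.cloudfront.net A 198.51.100.1 60
d1.cloudfront.net A 198.51.100.2 60
d1.cloudfront.net A 198.51.100.3 60
www.stable-example.test A 192.0.2.200 86400
www.stable-example.test A 192.0.2.201 86400
www.stable-example.test A 192.0.2.202 86400
"""

def is_allowlisted(qname):
    return any(qname == s or qname.endswith("." + s) for s in ALLOWLIST_SUFFIXES)

def parse(text):
    """Return (qname, rtype, rdata, ttl) tuples; malformed lines are skipped, not fatal."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            out.append((parts[0].lower().rstrip("."), parts[1].upper(), parts[2].lower(), int(parts[3])))
    return out

def classify(records, min_a_ips=3, min_ns=2, max_ttl=300):
    """Map qname -> 'single-flux' | 'double-flux' for names whose A set churns under a short TTL."""
    answers, max_ttl_seen = defaultdict(set), defaultdict(int)
    for qname, rtype, rdata, ttl in records:
        answers[(qname, rtype)].add(rdata)
        max_ttl_seen[qname] = max(max_ttl_seen[qname], ttl)
    flagged = {}
    for (qname, rtype), ips in answers.items():
        # Single-flux: many distinct A answers, all short-lived; allowlisted CDN/internal names are skipped.
        if rtype != "A" or is_allowlisted(qname) or len(ips) < min_a_ips or max_ttl_seen[qname] > max_ttl:
            continue
        # Double-flux: an enclosing zone (the name itself, its parent, ...) also rotates NS under a short TTL.
        zones = [".".join(qname.split(".")[i:]) for i in range(qname.count("."))]
        double = any(len(answers.get((z, "NS"), ())) >= min_ns and max_ttl_seen[z] <= max_ttl for z in zones)
        flagged[qname] = "double-flux" if double else "single-flux"
    return flagged
```

Tune min_a_ips and max_ttl against a baseline of your own resolver logs before alerting; the CDN allowlist will also need the SaaS suffixes your environment actually uses.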
