Here's a simple DNS based technique that's increasingly being used by attackers to evade detection (aka "Fast Flux"):
Once malware compromises a system, it has three important duties:
--> To callback its master and tell them that it has made it!
--> To send valuable information to its master about the victim.
--> To receive instructions from its master and execute them.
But doing so brings one major problem: the risk of being detected & terminated. Hence, for an attacker the ability to evade is as important as the ability to enter.
Last week, CISA/FBI/NSA released a joint warning about one such evasion technique being used called "Fast Flux". Let's understand how it works:
Attack Flow:
Attacker compromises victim's machine > Drops Malware.
After a while malware attempts to reach out to attacker[.]com > Hits DNS server listed for attacker[.]com > Receives IP address of attacker[.]com > Malware now reaches out to this IP.
Traffic passes via Botnet and finally reaches attacker > Attacker receives details > Attacker sends instructions back to the device.
But here's the key step: Attacker now changes the IP address of attacker[.]com to a new IP > Repeats the steps from 1 to 4 (keeps on changing the IP for attacker[.]com every 5 mins).
Rotating IPs reduces the attacker's footprint > Makes traffic analysis harder > Attacker infra stays alive longer communicating with the compromised device > Even if an IP is blocked, the attack continues.
(Pic Credits: CISA)
Key Insights:
Beneath every successful compromise lies the infrastructure that powers the operation. The more stealthy and resilient the infrastructure is, the higher the chances for an attacker to meet their mission.
At first sight, this may sound very trivial, but when rotated at an extremely high frequency via automated DNS updates it works well (similar to a criminal changing their car license plate every day after committing a crime). This turns malicious domains into an "ever moving target" for the security folks.
This brings up a very simple point: Domains are persistent. IPs are transient. Never rely on blocking only IPs.
The art of blending in: If you think about it, this is how CDNs and load balancers operate: using multiple IPs, geolocation distribution, and fast TTLs to optimize performance and availability. This technique is leveraged by attackers in fast flux to blend in with legitimate traffic. It makes it challenging for automated systems to differentiate malicious behavior from regular, high-traffic services, making auto-blocking difficult for providers.
Find the smoke when you can't find the fire. 1) Implement detection to identify domains with extremely frequent IP address rotations (ex: same domain using hundreds of IPs per day). 2) Analyze the time-to-live (TTL) values in DNS records. Fast flux domains often have abnormally low TTLs. A typical fast flux domain changes its IP every 3 to 5 minutes.
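To make the two detection points concrete, here is an added example (not from the CISA advisory or the original post) that profiles constructed passive-DNS style observations per domain: it counts distinct resolved IPs, takes the median TTL, and estimates the rotation interval. The domain names, IPs, TTLs and the thresholds (5 distinct IPs, median TTL of 300 s or less) are assumptions for the sample, not values from the advisory.

```python
from collections import defaultdict
from statistics import median

# Constructed passive-DNS style observations (sample data, not real indicators):
# (observed_at_seconds, domain, resolved_ip, ttl_seconds)
SAMPLE_RECORDS = [
    (0,    "attacker.example", "198.51.100.10", 180),
    (300,  "attacker.example", "198.51.100.77", 180),
    (600,  "attacker.example", "203.0.113.5",   120),
    (900,  "attacker.example", "203.0.113.99",  120),
    (1200, "attacker.example", "192.0.2.44",    180),
    (0,    "cdn.example",      "192.0.2.1",     60),
    (600,  "cdn.example",      "192.0.2.2",     60),
    (0,    "static.example",   "198.51.100.1",  86400),
]

def profile_domains(records):
    """Group observations by domain and compute the two signals from the post:
    how many distinct IPs the domain resolved to and how low its TTLs are."""
    ips, ttls, times = defaultdict(set), defaultdict(list), defaultdict(list)
    for ts, domain, ip, ttl in records:
        ips[domain].add(ip)
        ttls[domain].append(ttl)
        times[domain].append(ts)
    profiles = {}
    for domain in ips:
        distinct = len(ips[domain])
        span = max(times[domain]) - min(times[domain])
        profiles[domain] = {
            "distinct_ips": distinct,
            "median_ttl": median(ttls[domain]),
            # average seconds between new IPs appearing (None if only one IP seen)
            "rotation_interval": span / (distinct - 1) if distinct > 1 else None,
        }
    return profiles

def flag_fast_flux(records, min_distinct_ips=5, max_median_ttl=300):
    """Return domains matching both heuristics. Thresholds are assumptions for
    this sample; tune them against your own resolver volume and known CDNs."""
    return sorted(
        domain for domain, p in profile_domains(records).items()
        if p["distinct_ips"] >= min_distinct_ips and p["median_ttl"] <= max_median_ttl
    )

if __name__ == "__main__":
    for domain, profile in profile_domains(SAMPLE_RECORDS).items():
        print(domain, profile)
    print("flagged:", flag_fast_flux(SAMPLE_RECORDS))
```

Note that the low-TTL CDN in the sample is not flagged because it only rotates between two addresses; in production, an allowlist of known CDN domains is still the usual guard against the blending-in problem described above.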
There's also a variation of this attack called "Double Flux". Apart from rapidly changing the IP addresses, the attacker also frequently changes the DNS name servers responsible for resolving the domains. This provides an additional layer of redundancy and anonymity for malicious domains.