Category Added in a WPeMatico Campaign
Source: US Department of Homeland Security
The CVE Program is invaluable to the cyber community and a priority of CISA. On April 15th, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.
Source: US Department of Homeland Security
Every day, the Department of Homeland Security (DHS) leads the fight against online child sexual exploitation and abuse (CSEA). As part of the Department’s critical mission to combat crimes of exploitation and protect victims, we investigate these abhorrent crimes, spread awareness, collaborate with interagency and international partners, and expand our reach to ensure children are safe and protected.
“At the Department of Homeland Security, our mission is to protect the American people, and that includes protecting our children. The internet has completely changed how we connect, but it has also opened new doors for predators who want to harm our kids,” said DHS Secretary Kristi Noem. “It’s a topic that should unite all of us, and I appreciate the opportunity to highlight the work of Homeland Security Investigations and all that they do to combat online child exploitation.”
DHS battles online CSEA using all available tools and resources department-wide, emphasizing its commitment to the Department’s homeland security mission to “Combat Crimes of Exploitation and Protect Victims.” In recognition of President Trump’s proclamation designating April as Child Abuse Prevention Month, DHS is committed to raising awareness of these heinous crimes, preventing child exploitation and abuse, and bringing perpetrators to justice.
As part of the Department’s ongoing work in this area, today DHS is celebrating the one-year anniversary of Know2Protect, the U.S. government’s first prevention and awareness campaign to combat online CSEA.
Between April 2024 and February 2025:
To accomplish this work, DHS coordinates with law enforcement at home and abroad to enforce and uphold our laws, protects victims with a victim-centered approach that prioritizes dignity and respect, and works to stop this heinous crime through public education and outreach.
DHS works with domestic and international partners to enforce and uphold the laws that protect children from abuse. The Department works collaboratively with Department of Justice prosecutors, the Federal Bureau of Investigation (FBI), U.S Marshals, INTERPOL, Europol, and other international law enforcement partners to arrest and prosecute perpetrators.
###
Source: US Department of Homeland Security
WASHINGTON D.C. – Today, the Department of Homeland Security (DHS) celebrated the one-year anniversary of its Know2Protect: Together We Can Stop Online Child Exploitation™ public awareness campaign.
Since its inception, the Know2Protect campaign, housed within the DHS Cyber Crimes Center (C3), has had a profound impact, reaching millions through traditional and digital media channels. The campaign has empowered young people, parents, educators, corporations, and community leaders with essential resources to prevent and report online child sexual exploitation and abuse (CSEA).
“At the Department of Homeland Security, our mission is to protect the American people, and that includes protecting our children. The internet has completely changed how we connect, but it has also opened new doors for predators who want to harm our kids,” said DHS Secretary Kristi Noem. “It’s a topic that should unite all of us, and I appreciate the opportunity to highlight the work of Homeland Security Investigations and all that they do to combat online child exploitation.”
The threat of online child exploitation has never been bigger or more sophisticated. DHS increased the footprint of law enforcement partners at C3, last year, to enhance coordination across all DHS agencies and offices to combat cyber-related crimes and further the Department’s mission to combat online CSEA. In 2024, U.S. Immigration and Customs Enforcement’s (ICE) Homeland Security Investigations (HSI) identified and arrested nearly 5,000 individuals involved in online CSEA, while also recovering over 1,700 child victims. In the same year, the National Center for Missing and Exploited Children (NCMEC) received more than 20 million reports of online child sexual abuse material.
By providing comprehensive tools on Know2Protect.gov, the campaign has become a powerful force in raising awareness about the severe risks children face online, while emphasizing prevention, safety measures, and offering critical support for survivors. Since its inception last year, the campaign has made a tangible impact through its outreach efforts—resulting in 128 victim disclosures and over 90 investigative leads in the fight against online child exploitation.
Know2Protect’s work to coordinate federal efforts to combat online child exploitation and abuse has made an astounding impact across the world. The campaign has achieved more than a half a billion (683M) impressions online, with 18% of the impressions coming from donated advertising dollars from campaign partners such as Google, Snapchat, X, Lamar, Meta and Roblox.
“We all have a responsibility to protect children from online exploitation,” said Head of Global Government Affairs at X, Romina Khananisho. “As the global town square, X is proud to partner with DHS’ Cyber Crimes Center to support the Know2Protect campaign. We commit to raising awareness about all the tools available to combat child exploitation and encourage all our users to join us in this critical mission by sharing the information with your communities.”
The K2P campaign’s success is fueled by partnerships with leading technology companies, major sports leagues, youth-serving organizations, law enforcement associations and other private sector partners. These collaborations have expanded Know2Protect’s reach, delivering its vital message to young people across social media platforms, sporting events, and community organizations, ensuring it resonates wherever they live, learn, and play.
Past and current partners like Snap, Meta, X, and Roblox have played a crucial role in disseminating safety messages to their vast user bases, while NASCAR and the NFL have supported the campaign by integrating Know2Protect PSAs and other materials into their events.
“Snap congratulates the Department of Homeland Security on the first anniversary of its impactful Know2Protect public awareness campaign,” said Jacqueline Beauchere, Global Head of Platform Safety at Snap Inc., the parent company of Snapchat. “Snap was the first entity to support the campaign in 2024, commissioning bespoke research, offering free ad space on Snapchat for educational campaign materials, and creating a fun Snapchat Lens to promote learning and engagement. We applaud and join in the Department’s efforts to educate youth, parents, policymakers, and others about the risks of child sexual exploitation and abuse both online and off.”
“At Meta, we’ve spent over a decade building tools to fight criminals who try to exploit young people online,” said Meta’s Global Head of Safety, Antigone Davis. “To complement our in-app protections and make them even more effective, it’s important that young people also feel confident to spot the signs of online harm and know where to go for help. That’s why we’ve also been focused on educational campaigns for teens and parents, and why we’re proud to continue supporting the Department of Homeland Security’s vital Know2Protect campaign as it moves into its second year.”
Know2Protect’s educational initiative, Project iGuardian, provides direct training to schools, community groups, and organizations to help identify and address online safety risks. As the official in-person training program of the Know2Protect campaign, Project iGuardian is led by Homeland Security Investigations and offers presentations to children, teens, parents, and trusted adults. Since its re-launch in October 2023, Project iGuardian has conducted nearly 2,000 presentations, reaching over 200,000 people both domestically and internationally.
“We know it is critical to provide children, parents, and caregivers with access to resources and information on how to report crimes targeting children online,” said Director of Global Programs at Google.org, Amanda Timberg. “We are proud to once again donate Google Search and YouTube ad credits to promote the Department of Homeland Security’s Know2Protect campaign to raise awareness on the issue and to help children stay safe online.”
The campaign has achieved several notable milestones over the last year, including:
Know2Protect is taking bold steps to further amplify its impact and continue the fight against online CSEA. Upcoming initiatives and events will provide even more opportunities for individuals and organizations to get involved and take action, including:
“As we mark the one-year anniversary of the Know2Protect campaign, it’s clear that protecting children from online exploitation demands a united, collective effort,” said Noem. “I urge more organizations to join us in this urgent mission—because every partnership brings us one step closer to eradicating this devastating crime.”
Know2Protect is working hand-in-hand with private sector leaders, government agencies, and nonprofit organizations to execute this nationwide campaign. Learn more about becoming an official Know2Protect partner.
“Know2Protect is not just about raising awareness—it’s about sparking real, impactful change,” Noem said. “Backed by our powerful partnerships, this campaign is equipping communities with critical tools to protect children from online predators while also safeguarding against exploitation before it happens. Together, we are making a tangible difference in the fight to prevent further victimization.”
Early intervention is critical. If you suspect a child may be a victim of online CSEA, call the Know2Protect Tipline at 1-833-591-KNOW (5669) or visit the NCMEC CyberTipline™. If you believe a child has been abducted or is in immediate danger, contact local law enforcement and the NCMEC Tipline at 1-800-THE-LOST (1-800-843-5678).
###
Source: US Department of Homeland Security
WASHINGTON – Today, Department of Homeland Security Secretary Kristi Noem announced the cancelation of two DHS grants totaling over $2.7 million to Harvard University, declaring it unfit to be entrusted with taxpayer dollars. The Secretary also wrote a scathing letter demanding detailed records on Harvard’s foreign student visa holders’ illegal and violent activities by April 30, 2025, or face immediate loss of Student and Exchange Visitor Program (SEVP) certification.
“Harvard bending the knee to antisemitism — driven by its spineless leadership — fuels a cesspool of extremist riots and threatens our national security,” said Secretary Noem. “With anti-American, pro-Hamas ideology poisoning its campus and classrooms, Harvard’s position as a top institution of higher learning is a distant memory. America demands more from universities entrusted with taxpayer dollars.”
The $800,303 Implementation Science for Targeted Violence Prevention grant branded conservatives as far-right dissidents in a shockingly skewed study. The $1,934,902 Blue Campaign Program Evaluation and Violence Advisement grant funded Harvard’s public health propaganda. Both undermine America’s values and security.
This action follows President Donald J. Trump’s decision to freeze $2.2 billion in federal funding to Harvard University, proposing the revocation of its tax-exempt status over its radical ideology.
Since Hamas’s October 7, 2023, attack on Israel, Harvard’s foreign visa-holding rioters and faculty have spewed antisemitic hate, targeting Jewish students. With a $53.2 billion endowment, Harvard can fund its own chaos—DHS won’t. And if Harvard cannot verify it is in full compliance with its reporting requirements, the university will lose the privilege of enrolling foreign students.
###
Source: US Department of Homeland Security
WASHINGTON – Today, Secretary Kristi Noem announced a new ad campaign to encourage the recruitment of United States Secret Service agents.
The commercial features 13-year-old Secret Service Agent DJ Daniel, who was recently presented his badge and credentials by U.S. Secret Service Director Sean Curran during President Donald Trump’s Address to the Joint Session of Congress.
“When others step back, the United States Secret Service steps forward. Shielding America from unseen threats, with sharp eyes, and steadfast courage. When you serve with us, even when no one sees you someone is always looking up to you,” Secretary Noem says in the ad. The United States Secret Service is calling for a few more heroes. Will you step forward?”
This release follows another recent recruitment ad which aired during Super Bowl LIX.
Source: US Department of Homeland Security
WASHINGTON – Today, DHS Secretary Kristi Noem reminded all foreign nationals present in the United Stated longer than 30 days that the deadline to register under the Alien Registration Act is coming up on April 11.
This law requires all aliens in the United States for more than 30 days to register with the federal government. Failure to comply is a crime, punishable by fines, imprisonment, or both.
“President Trump and I have a clear message for those in our country illegally: leave now. If you leave now, you may have the opportunity to return and enjoy our freedom and live the American dream,” said Secretary Noem. “The Trump administration will enforce all our immigration laws—we will not pick and choose which laws we will enforce. We must know who is in our country for the safety and security of our homeland and all Americans.”
BACKGROUND:
On January 20, 2025, President Donald J. Trump signed Executive Order 14159, Protecting the American People Against Invasion, directing the Department of Homeland Security (DHS) to restore order and accountability to our immigration system. This includes enforcing the long-ignored Alien Registration Act.
COMPLIANCE REQUIREMENTS:
On or by April 11, 2025, the following will apply to all noncitizens, regardless of status:
Upon registration and fingerprinting, DHS will issue proof of registration. All noncitizens 18 and older must carry this documentation at all times. This administration has directed DHS to prioritize enforcement, there will be no sanctuary for noncompliance.
Source: US Department of Homeland Security
The Trump Administration is standing up for Americans who were victims of illegal alien crimes.
WASHINGTON – Today, Secretary Noem announced that the Department of Homeland Security (DHS) is relaunching the Victims of Immigration Crime Engagement (VOICE) office. The VOICE office was shuttered by the previous administration, which left victims of alien crime without access to many key support services and resources.
Image
The Trump administration is once again putting Americans first and standing up for law and order by reinstating the VOICE office within Immigration Customs Enforcement (ICE).
A statement from Secretary Noem is below:
“I met with Angel Families who lost a loved one because of an illegal alien who should never have been in our country. The previous administration ignored these families and the other victims of illegal alien crime. With the re-launching of the VOICE Office, we are giving victims and their families access to resources and support services. President Trump and I will continue to remove criminal illegal aliens from our streets and make America safe again.”
A statement from ICE Acting Director Todd Lyons is below:
“Illegal aliens harming American citizens is unconscionable. But now, thanks to President Trump, we’re able to help people victimized by criminal aliens through the VOICE Office. I’m extremely proud of ICE’s entire workforce — the officers and agents on the ground who are enforcing immigration law fairly, the support staff who pull these operations together and handle logistics, and those who help shine a light on those who have suffered harm at illegal aliens’ hands.”
The VOICE Office helps victims of crime and their families by:
The office was first launched in 2017 by the Trump administration as a dedicated resource for those who have been victimized by crime that has a nexus to immigration.
Source: US Department of Homeland Security
WASHINGTON – On March 27 – 28, the Assistant Secretary for the DHS Countering Weapons of Mass Destruction Office (CWMD), David Richardson, traveled to Chicago, Illinois, to meet with state and local representatives for the BioWatch and Securing the Cities (STC) programs.
During the March 27 BioWatch meeting, A/S Richardson met with the Chicago area BioWatch program representatives to discuss the future of the program, its value, and what actions CWMD could take to strengthen this valuable program further.
The BioWatch program operates 24/7/365 in over 30 major metropolitan areas to provide an early indication of any potential airborne biological attack. DHS CWMD manages the program, supported by other federal agencies. The program is operated by a network of scientists and laboratory technicians, along with emergency managers, law enforcement officers, and public health officials across federal, state, and local levels of government.
On March 28, A/S Richardson met with the Chicago STC program leadership. The purpose of the meeting was to discuss detection equipment needs, the program’s status, and to see if there are any areas CWMD can improve upon in supporting the state and local team.
The STC Program was established in 2007 and included in the Countering Weapons of Mass Destruction Act of 2018. STC’s mission is to prevent the illicit possession, movement, and use of radiological or nuclear materials and weapons in the United States by enhancing the nuclear detection capabilities of state, local, tribal, and territorial agencies.
Through STC’s coordinated planning and operations, federal, state, local, tribal, and territorial partners work together in the STC regions to defend against the threat of radiological or nuclear terrorism. CWMD provides radiological and nuclear detection equipment, training, exercise support, and operational and technical subject matter expertise to the STC regions through cooperative agreement grants.
CWMD supports STC implementations in broad areas centered on high-risk urban areas across the Nation. Urban areas include New York City/Newark, Los Angeles/Long Beach, National Capital Region, Houston, Chicago, Atlanta, Miami, Denver, Phoenix/Maricopa County, San Francisco, Seattle, Boston, and New Orleans.
CWMD serves as the Department of Homeland Security’s focal point for countering weapons of mass destruction efforts. By supporting operational partners across federal, state, local, tribal, and territorial levels, CWMD coordinates DHS efforts to safeguard the United States against chemical, biological, radiological, and nuclear threats.
Source: US Department of Homeland Security
WASHINGTON, DC – Today, the Cybersecurity and Infrastructure Security Agency (CISA) joined the National Security Agency (NSA) and other government and international partners to release a joint Cybersecurity Advisory (CSA) that warns organizations, internet service providers (ISPs), and cybersecurity service providers about fast flux enabled malicious activities that consistently evade detection. The CSA also provides recommended actions to defend against fast flux.
An ongoing threat, fast flux networks create resilient adversary infrastructure used to evade tracking and blocking. Such infrastructure can be used for cyberattacks such as phishing, command and control of botnets, and data exfiltration. This advisory provides several techniques that should be implemented for a multi-layered security approach including DNS and internet protocol (IP) blocking and sinkholing; enhanced monitoring and logging; phishing awareness and training for users; and reputational filtering.
”Threat actors leveraging fast flux techniques remain a threat to government and critical infrastructure organizations. Fast flux makes individual computers in a botnet harder to find and block. A useful solution is to find and block the behavior of fast flux itself,” said CISA Deputy Executive Assistant Director for Cybersecurity Matt Hartman. “CISA is pleased to join with our government and international partners to provide this important guidance on mitigating and blocking malicious fast flux activity. We encourage organizations to implement the advisory recommendations to reduce risk and strengthen resilience.”
The authoring agencies encourage ISPs, cybersecurity service providers and Protective Domain Name System (PDNS) providers to help mitigate this threat by taking proactive steps to develop accurate and reliable fast flux detection analytics and block fast flux activities for their customers.
Additional co-sealers for this joint CSA are Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ).
For more information about ongoing security threats, visit CISA Cybersecurity Alerts & Advisories.
###
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
Visit CISA.gov for more information and follow us onX, Facebook, LinkedIn, Instagram.
Source: US Department of Homeland Security
Many networks have a gap in their defenses for detecting and blocking a malicious technique known as “fast flux.” This technique poses a significant threat to national security, enabling malicious cyber actors to consistently evade detection. Malicious cyber actors, including cybercriminals and nation-state actors, use fast flux to obfuscate the locations of malicious servers by rapidly changing Domain Name System (DNS) records. Additionally, they can create resilient, highly available command and control (C2) infrastructure, concealing their subsequent malicious operations. This resilient and fast changing infrastructure makes tracking and blocking malicious activities that use fast flux more difficult.
The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ) are releasing this joint cybersecurity advisory (CSA) to warn organizations, Internet service providers (ISPs), and cybersecurity service providers of the ongoing threat of fast flux enabled malicious activities as a defensive gap in many networks. This advisory is meant to encourage service providers, especially Protective DNS (PDNS) providers, to help mitigate this threat by taking proactive steps to develop accurate, reliable, and timely fast flux detection analytics and blocking capabilities for their customers. This CSA also provides guidance on detecting and mitigating elements of malicious fast flux by adopting a multi-layered approach that combines DNS analysis, network monitoring, and threat intelligence.
The authoring agencies recommend all stakeholders—government and providers—collaborate to develop and implement scalable solutions to close this ongoing gap in network defenses against malicious fast flux activity.
Download the PDF version of this report: Fast Flux: A National Security Threat (841 KB).
When malicious cyber actors compromise devices and networks, the malware they use needs to “call home” to send status updates and receive further instructions. To decrease the risk of detection by network defenders, malicious cyber actors use dynamic resolution techniques, such as fast flux, so their communications are less likely to be detected as malicious and blocked.
Fast flux refers to a domain-based technique that is characterized by rapidly changing the DNS records (e.g., IP addresses) associated with a single domain [T1568.001].
Malicious cyber actors use two common variants of fast flux to perform operations:
1. Single flux: A single domain name is linked to numerous IP addresses, which are frequently rotated in DNS responses. This setup ensures that if one IP address is blocked or taken down, the domain remains accessible through the other IP addresses. See Figure 1 as an example to illustrate this technique.
Note: This behavior can also be used for legitimate purposes for performance reasons in dynamic hosting environments, such as in content delivery networks and load balancers.
2. Double flux: In addition to rapidly changing the IP addresses as in single flux, the DNS name servers responsible for resolving the domain also change frequently. This provides an additional layer of redundancy and anonymity for malicious domains. Double flux techniques have been observed using both Name Server (NS) and Canonical Name (CNAME) DNS records. See Figure 2 as an example to illustrate this technique.
Both techniques leverage a large number of compromised hosts, usually as a botnet from across the Internet that acts as proxies or relay points, making it difficult for network defenders to identify the malicious traffic and block or perform legal enforcement takedowns of the malicious infrastructure. Numerous malicious cyber actors have been reported using the fast flux technique to hide C2 channels and remain operational. Examples include:
The key advantages of fast flux networks for malicious cyber actors include:
Fast flux is not only used for maintaining C2 communications, it also can play a significant role in phishing campaigns to make social engineering websites harder to block or take down. Phishing is often the first step in a larger and more complex cyber compromise. Phishing is typically used to trick victims into revealing sensitive information (such as login passwords, credit card numbers, and personal data), but can also be used to distribute malware or exploit system vulnerabilities. Similarly, fast flux is used for maintaining high availability for cybercriminal forums and marketplaces, making them resilient against law enforcement takedown efforts.
Some BPH providers promote fast flux as a service differentiator that increases the effectiveness of their clients’ malicious activities. For example, one BPH provider posted on a dark web forum that it protects clients from being added to Spamhaus blocklists by easily enabling the fast flux capability through the service management panel (See Figure 3). A customer just needs to add a “dummy server interface,” which redirects incoming queries to the host server automatically. By doing so, only the dummy server interfaces are reported for abuse and added to the Spamhaus blocklist, while the servers of the BPH customers remain “clean” and unblocked.
The BPH provider further explained that numerous malicious activities beyond C2, including botnet managers, fake shops, credential stealers, viruses, spam mailers, and others, could use fast flux to avoid identification and blocking.
As another example, a BPH provider that offers fast flux as a service advertised that it automatically updates name servers to prevent the blocking of customer domains. Additionally, this provider further promoted its use of separate pools of IP addresses for each customer, offering globally dispersed domain registrations for increased reliability.
The authoring agencies recommend that ISPs and cybersecurity service providers, especially PDNS providers, implement a multi-layered approach, in coordination with customers, using the following techniques to aid in detecting fast flux activity [CISA CPG 3.A]. However, quickly detecting malicious fast flux activity and differentiating it from legitimate activity remains an ongoing challenge to developing accurate, reliable, and timely fast flux detection analytics.
1. Leverage threat intelligence feeds and reputation services to identify known fast flux domains and associated IP addresses, such as in boundary firewalls, DNS resolvers, and/or SIEM solutions.
2. Implement anomaly detection systems for DNS query logs to identify domains exhibiting high entropy or IP diversity in DNS responses and frequent IP address rotations. Fast flux domains will frequently cycle though tens or hundreds of IP addresses per day.
3. Analyze the time-to-live (TTL) values in DNS records. Fast flux domains often have unusually low TTL values. A typical fast flux domain may change its IP address every 3 to 5 minutes.
4. Review DNS resolution for inconsistent geolocation. Malicious domains associated with fast flux typically generate high volumes of traffic with inconsistent IP-geolocation information.
5. Use flow data to identify large-scale communications with numerous different IP addresses over short periods.
6. Develop fast flux detection algorithms to identify anomalous traffic patterns that deviate from usual network DNS behavior.
7. Monitor for signs of phishing activities, such as suspicious emails, websites, or links, and correlate these with fast flux activity. Fast flux may be used to rapidly spread phishing campaigns and to keep phishing websites online despite blocking attempts.
8. Implement customer transparency and share information about detected fast flux activity, ensuring to alert customers promptly after confirmed presence of malicious activity.
To defend against fast flux, government and critical infrastructure organizations should coordinate with their Internet service providers, cybersecurity service providers, and/or their Protective DNS services to implement the following mitigations utilizing accurate, reliable, and timely fast flux detection analytics.
Note: Some legitimate activity, such as common content delivery network (CDN) behaviors, may look like malicious fast flux activity. Protective DNS services, service providers, and network defenders should make reasonable efforts, such as allowlisting expected CDN services, to avoid blocking or impeding legitimate content.
1. DNS and IP blocking and sinkholing of malicious fast flux domains and IP addresses
2. Reputational filtering of fast flux enabled malicious activity
3. Enhanced monitoring and logging
4. Collaborative defense and information sharing
5. Phishing awareness and training
The authoring agencies encourage organizations to use cybersecurity and PDNS services that detect and block fast flux. By leveraging providers that detect fast flux and implement capabilities for DNS and IP blocking, sinkholing, reputational filtering, enhanced monitoring, logging, and collaborative defense of malicious fast flux domains and IP addresses, organizations can mitigate many risks associated with fast flux and maintain a more secure environment.
However, some PDNS providers may not detect and block malicious fast flux activities. Organizations should not assume that their PDNS providers block malicious fast flux activity automatically and should contact their PDNS providers to validate coverage of this specific cyber threat.
For more information on PDNS services, see the 2021 joint cybersecurity information sheet from NSA and CISA about Selecting a Protective DNS Service. [9] In addition, NSA offers no-cost cybersecurity services to Defense Industrial Base (DIB) companies, including a PDNS service. For more information, see NSA’s DIB Cybersecurity Services and factsheet. CISA also offers a Protective DNS service for federal civilian executive branch (FCEB) agencies. See CISA’s Protective Domain Name System Resolver page and factsheet for more information.
Fast flux represents a persistent threat to network security, leveraging rapidly changing infrastructure to obfuscate malicious activity. By implementing robust detection and mitigation strategies, organizations can significantly reduce their risk of compromise by fast flux-enabled threats.
The authoring agencies strongly recommend organizations engage their cybersecurity providers on developing a multi-layered approach to detect and mitigate malicious fast flux operations. Utilizing services that detect and block fast flux enabled malicious cyber activity can significantly bolster an organization’s cyber defenses.
[1] Intel471. Bulletproof Hosting: A Critical Cybercriminal Service. 2024. https://intel471.com/blog/bulletproof-hosting-a-critical-cybercriminal-service
[2] Australian Signals Directorate’s Australian Cyber Security Centre. “Bulletproof” hosting providers: Cracks in the armour of cybercriminal infrastructure. 2025. https://www.cyber.gov.au/about-us/view-all-content/publications/bulletproof-hosting-providers
[3] Logpoint. A Comprehensive guide to Detect Ransomware. 2023. https://www.logpoint.com/wp-content/uploads/2023/04/logpoint-a-comprehensive-guide-to-detect-ransomware.pdf
[4] Trendmicro. Modern Ransomware’s Double Extortion Tactic’s and How to Protect Enterprises Against Them. 2021. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/modern-ransomwares-double-extortion-tactics-and-how-to-protect-enterprises-against-them
[5] Unit 42. Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. 2022. https://unit42.paloaltonetworks.com/trident-ursa/
[6] Recorded Future. BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure. 2024. https://www.recordedfuture.com/research/bluealpha-abuses-cloudflare-tunneling-service
[7] Silent Push. ‘From Russia with a 71’: Uncovering Gamaredon’s fast flux infrastructure. New apex domains and ASN/IP diversity patterns discovered. 2023. https://www.silentpush.com/blog/from-russia-with-a-71/
[8] DNS Filter. Security Categories You Should be Blocking (But Probably Aren’t). 2023. https://www.dnsfilter.com/blog/security-categories-you-should-be-blocking-but-probably-arent
[9] National Security Agency. Selecting a Protective DNS Service. 2021. https://media.defense.gov/2025/Mar/24/2003675043/-1/-1/0/CSI-SELECTING-A-PROTECTIVE-DNS-SERVICE-V1.3.PDF
The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
This document was developed in furtherance of the authoring cybersecurity agencies’ missions, including their responsibilities to identify and disseminate threats, and develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
National Security Agency (NSA):
Cybersecurity and Infrastructure Security Agency (CISA):
Federal Bureau of Investigation (FBI):
Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC):
Canadian Centre for Cyber Security (CCCS):
New Zealand National Cyber Security Centre (NCSC-NZ):