DHS Marks One-Year Milestone of Know2Protect® Campaign, Strengthening Nationwide Efforts to Combat Online Child Exploitation

Source: US Department of Homeland Security

WASHINGTON D.C. – Today, the Department of Homeland Security (DHS) celebrated the one-year anniversary of its Know2Protect: Together We Can Stop Online Child Exploitation™ public awareness campaign.

Since its inception, the Know2Protect campaign, housed within the DHS Cyber Crimes Center (C3), has had a profound impact, reaching millions through traditional and digital media channels. The campaign has empowered young people, parents, educators, corporations, and community leaders with essential resources to prevent and report online child sexual exploitation and abuse (CSEA).

“At the Department of Homeland Security, our mission is to protect the American people, and that includes protecting our children. The internet has completely changed how we connect, but it has also opened new doors for predators who want to harm our kids,” said DHS Secretary Kristi Noem. “It’s a topic that should unite all of us, and I appreciate the opportunity to highlight the work of Homeland Security Investigations and all that they do to combat online child exploitation.”

The threat of online child exploitation has never been bigger or more sophisticated. Last year, DHS increased the footprint of law enforcement partners at C3 to enhance coordination across all DHS agencies and offices to combat cyber-related crimes and further the Department’s mission to combat online CSEA. In 2024, U.S. Immigration and Customs Enforcement’s (ICE) Homeland Security Investigations (HSI) identified and arrested nearly 5,000 individuals involved in online CSEA, while also recovering over 1,700 child victims. In the same year, the National Center for Missing and Exploited Children (NCMEC) received more than 20 million reports of online child sexual abuse material.

By providing comprehensive tools on Know2Protect.gov, the campaign has become a powerful force in raising awareness about the severe risks children face online, while emphasizing prevention, safety measures, and offering critical support for survivors. Since its inception last year, the campaign has made a tangible impact through its outreach efforts—resulting in 128 victim disclosures and over 90 investigative leads in the fight against online child exploitation.

Know2Protect’s work to coordinate federal efforts to combat online child exploitation and abuse has made an astounding impact across the world. The campaign has achieved more than half a billion (683M) impressions online, with 18% of the impressions coming from donated advertising dollars from campaign partners such as Google, Snapchat, X, Lamar, Meta and Roblox.

“We all have a responsibility to protect children from online exploitation,” said Head of Global Government Affairs at X, Romina Khananisho. “As the global town square, X is proud to partner with DHS’ Cyber Crimes Center to support the Know2Protect campaign. We commit to raising awareness about all the tools available to combat child exploitation and encourage all our users to join us in this critical mission by sharing the information with your communities.”

Expanded Partnership Efforts

The K2P campaign’s success is fueled by partnerships with leading technology companies, major sports leagues, youth-serving organizations, law enforcement associations and other private sector partners. These collaborations have expanded Know2Protect’s reach, delivering its vital message to young people across social media platforms, sporting events, and community organizations, ensuring it resonates wherever they live, learn, and play.

Past and current partners like Snap, Meta, X, and Roblox have played a crucial role in disseminating safety messages to their vast user bases, while NASCAR and the NFL have supported the campaign by integrating Know2Protect PSAs and other materials into their events.

“Snap congratulates the Department of Homeland Security on the first anniversary of its impactful Know2Protect public awareness campaign,” said Jacqueline Beauchere, Global Head of Platform Safety at Snap Inc., the parent company of Snapchat. “Snap was the first entity to support the campaign in 2024, commissioning bespoke research, offering free ad space on Snapchat for educational campaign materials, and creating a fun Snapchat Lens to promote learning and engagement. We applaud and join in the Department’s efforts to educate youth, parents, policymakers, and others about the risks of child sexual exploitation and abuse both online and off.”  

“At Meta, we’ve spent over a decade building tools to fight criminals who try to exploit young people online,” said Meta’s Global Head of Safety, Antigone Davis. “To complement our in-app protections and make them even more effective, it’s important that young people also feel confident to spot the signs of online harm and know where to go for help. That’s why we’ve also been focused on educational campaigns for teens and parents, and why we’re proud to continue supporting the Department of Homeland Security’s vital Know2Protect campaign as it moves into its second year.”

Education and Support

Know2Protect’s educational initiative, Project iGuardian, provides direct training to schools, community groups, and organizations to help identify and address online safety risks. As the official in-person training program of the Know2Protect campaign, Project iGuardian is led by Homeland Security Investigations and offers presentations to children, teens, parents, and trusted adults. Since its re-launch in October 2023, Project iGuardian has conducted nearly 2,000 presentations, reaching over 200,000 people both domestically and internationally.

“We know it is critical to provide children, parents, and caregivers with access to resources and information on how to report crimes targeting children online,” said Director of Global Programs at Google.org, Amanda Timberg. “We are proud to once again donate Google Search and YouTube ad credits to promote the Department of Homeland Security’s Know2Protect campaign to raise awareness on the issue and to help children stay safe online.”

More Accomplishments

The campaign has achieved several notable milestones over the last year, including:

  • 2024 Cannes Corporate Media & TV Awards Finalist for its 90-second PSA.
  • 2024 Homeland Security Today Holiday Hero Award where the campaign was honored with the Most Innovative Campaign to Combat Child Exploitation.
  • 2024-2025 school year #Back2School sub-campaign, featuring engaging and educational resources for teens and family members in the form of crossword puzzles, word searches, Project iGuardian coloring pages, a first day of school picture sign, Family Online Safety Agreement, Internet Safety Checklist, and printable safety posters and tipsheets for schools to display in classrooms and hallways.
  • The release of nine new videos, including the widely popular 90-second PSA on the dangers of online CSEA, which has accumulated 6.8 million views on YouTube and 14.8 million impressions through TV advertising. Other key releases include the Sexting and Sextortion PSA, as well as 15- and 30-second PSAs highlighting how quickly online interactions can take dangerous turns. These have also aired on the NFL Network and at NASCAR events, significantly extending the reach of the Know2Protect message. The campaign also recently released a 60-second PSA focusing on how online exploitation happens and why we need the public’s help.
  • The launch of the K2P Kids and Teens Portal, a dedicated space for children and teens aged 10 and up, offering age-appropriate tips and resources to help them protect themselves online.
  • The impactful activation of partnerships across the technology, sports, social media, and gaming industries, including:
    • Snapchat Lens activation.
    • K2P activations at high-profile events like the Daytona 500, NASCAR Talladega 24, NFL Flag Championship 2024, MLB and MLS All-Star Games 2024, having a presence at the NFL Super Bowl Experience and a NASCAR Kids newsletter feature.
    • Scouting America and Know2Protect unveiled a special Project iGuardian scouting patch that honors the commitment of scouts who attend the DHS-led online safety training and who pledge to keep themselves and others safe online.

Upcoming Initiatives

Know2Protect is taking bold steps to further amplify its impact and continue the fight against online CSEA. Upcoming initiatives and events will provide even more opportunities for individuals and organizations to get involved and take action, including:

  • A Project iGuardian presentation livestream on X for parents, trusted adults and teens, hosted by country music star John Rich — tune in April 23 at 8 p.m. EST and learn how you can help keep children safe online. Be sure to follow @Know2Protect on X so you don’t miss it!
  • June marks Internet Safety Month and there’s no better time to reinforce the importance of setting healthy online boundaries. Know2Protect’s #DigitalBoundaries sub-campaign continues DHS’s momentum to educate and empower children, teens, parents and trusted adults to prevent and combat online CSEA by setting healthy online boundaries during the summer months when kids will have time to spend online.
  • In August 2025, the campaign will launch Pledge2Protect, the official, nationwide call-to-action of the Know2Protect campaign. The goal of Pledge2Protect will be to galvanize communities to take action by taking the pledge to prevent crimes of exploitation targeting kids online. Parents, teens and kids will have the opportunity to take the pledge, receive age-appropriate resources, and share that knowledge with others by passing the pledge. It’s time to move from awareness to action—help us prevent online exploitation and implement life-saving strategies.
  • A variety of previously signed partners are expected to continue their official partnership with Know2Protect.
  • Know2Protect welcomes its new partnerships with X, American Camp Association, Panini America, Kodex and Simple Learning Systems.

“As we mark the one-year anniversary of the Know2Protect campaign, it’s clear that protecting children from online exploitation demands a united, collective effort,” said Noem. “I urge more organizations to join us in this urgent mission—because every partnership brings us one step closer to eradicating this devastating crime.”

Know2Protect is working hand-in-hand with private sector leaders, government agencies, and nonprofit organizations to execute this nationwide campaign. Learn more about becoming an official Know2Protect partner.

“Know2Protect is not just about raising awareness—it’s about sparking real, impactful change,” Noem said. “Backed by our powerful partnerships, this campaign is equipping communities with critical tools to protect children from online predators while also safeguarding against exploitation before it happens. Together, we are making a tangible difference in the fight to prevent further victimization.”

Early intervention is critical. If you suspect a child may be a victim of online CSEA, call the Know2Protect Tipline at 1-833-591-KNOW (5669) or visit the NCMEC CyberTipline™. If you believe a child has been abducted or is in immediate danger, contact local law enforcement and the NCMEC Tipline at 1-800-THE-LOST (1-800-843-5678).

###

Secretary Noem Terminates $2.7 Million in DHS Grants; Orders Harvard to Prove Compliance with Foreign Student Requirements

Source: US Department of Homeland Security

WASHINGTON – Today, Department of Homeland Security Secretary Kristi Noem announced the cancelation of two DHS grants totaling over $2.7 million to Harvard University, declaring it unfit to be entrusted with taxpayer dollars. The Secretary also wrote a scathing letter demanding detailed records on Harvard’s foreign student visa holders’ illegal and violent activities by April 30, 2025, or face immediate loss of Student and Exchange Visitor Program (SEVP) certification.

“Harvard bending the knee to antisemitism — driven by its spineless leadership — fuels a cesspool of extremist riots and threatens our national security,” said Secretary Noem. “With anti-American, pro-Hamas ideology poisoning its campus and classrooms, Harvard’s position as a top institution of higher learning is a distant memory. America demands more from universities entrusted with taxpayer dollars.”

The $800,303 Implementation Science for Targeted Violence Prevention grant branded conservatives as far-right dissidents in a shockingly skewed study. The $1,934,902 Blue Campaign Program Evaluation and Violence Advisement grant funded Harvard’s public health propaganda. Both undermine America’s values and security.

This action follows President Donald J. Trump’s decision to freeze $2.2 billion in federal funding to Harvard University, proposing the revocation of its tax-exempt status over its radical ideology.

Since Hamas’s October 7, 2023, attack on Israel, Harvard’s foreign visa-holding rioters and faculty have spewed antisemitic hate, targeting Jewish students. With a $53.2 billion endowment, Harvard can fund its own chaos—DHS won’t. And if Harvard cannot verify it is in full compliance with its reporting requirements, the university will lose the privilege of enrolling foreign students.

###

DHS Announces New Ad Campaign for Secret Service Recruitment

Source: US Department of Homeland Security

WASHINGTON – Today, Secretary Kristi Noem announced a new ad campaign to encourage the recruitment of United States Secret Service agents.   

The commercial features 13-year-old Secret Service Agent DJ Daniel, who was recently presented his badge and credentials by U.S. Secret Service Director Sean Curran during President Donald Trump’s Address to the Joint Session of Congress. 

“When others step back, the United States Secret Service steps forward. Shielding America from unseen threats, with sharp eyes, and steadfast courage. When you serve with us, even when no one sees you someone is always looking up to you,” Secretary Noem says in the ad. “The United States Secret Service is calling for a few more heroes. Will you step forward?”

This release follows another recent recruitment ad which aired during Super Bowl LIX.  

Secretary Noem Reminds Foreign Nationals to Register or Face Legal Penalties

Source: US Department of Homeland Security

WASHINGTON – Today, DHS Secretary Kristi Noem reminded all foreign nationals present in the United States longer than 30 days that the deadline to register under the Alien Registration Act is coming up on April 11.

This law requires all aliens in the United States for more than 30 days to register with the federal government. Failure to comply is a crime, punishable by fines, imprisonment, or both. 

“President Trump and I have a clear message for those in our country illegally: leave now. If you leave now, you may have the opportunity to return and enjoy our freedom and live the American dream,” said Secretary Noem. “The Trump administration will enforce all our immigration laws—we will not pick and choose which laws we will enforce. We must know who is in our country for the safety and security of our homeland and all Americans.”

BACKGROUND: 

On January 20, 2025, President Donald J. Trump signed Executive Order 14159, Protecting the American People Against Invasion, directing the Department of Homeland Security (DHS) to restore order and accountability to our immigration system. This includes enforcing the long-ignored Alien Registration Act. 

COMPLIANCE REQUIREMENTS: 

On or by April 11, 2025, the following will apply to all noncitizens, regardless of status: 

  • Present in the U.S. for 30 days or more as of April 11, 2025, without registration evidence: Register immediately via USCIS.
  • Entering on or after April 11, 2025, without registration evidence: Register within 30 days of arrival.
  • Turning 14 in the U.S.: Re-register and submit fingerprints within 30 days of your 14th birthday, even if previously registered.
  • Parents or guardians of minors under 14: Register minors if they remain in the U.S. for 30 days or longer.

Upon registration and fingerprinting, DHS will issue proof of registration. All noncitizens 18 and older must carry this documentation at all times. This administration has directed DHS to prioritize enforcement; there will be no sanctuary for noncompliance.

Secretary Noem Announces Relaunch of VOICE Office Shuttered by Biden

Source: US Department of Homeland Security

The Trump Administration is standing up for Americans who were victims of illegal alien crimes.  

WASHINGTON – Today, Secretary Noem announced that the Department of Homeland Security (DHS) is relaunching the Victims of Immigration Crime Engagement (VOICE) office. The VOICE office was shuttered by the previous administration, which left victims of alien crime without access to many key support services and resources. 


The Trump administration is once again putting Americans first and standing up for law and order by reinstating the VOICE office within Immigration Customs Enforcement (ICE). 

A statement from Secretary Noem is below:  

“I met with Angel Families who lost a loved one because of an illegal alien who should never have been in our country. The previous administration ignored these families and the other victims of illegal alien crime. With the re-launching of the VOICE Office, we are giving victims and their families access to resources and support services. President Trump and I will continue to remove criminal illegal aliens from our streets and make America safe again.” 

A statement from ICE Acting Director Todd Lyons is below:  

“Illegal aliens harming American citizens is unconscionable. But now, thanks to President Trump, we’re able to help people victimized by criminal aliens through the VOICE Office. I’m extremely proud of ICE’s entire workforce — the officers and agents on the ground who are enforcing immigration law fairly, the support staff who pull these operations together and handle logistics, and those who help shine a light on those who have suffered harm at illegal aliens’ hands.”

The VOICE Office helps victims of crime and their families by: 

  • Helping victims follow and understand the immigration enforcement and removal process. 
  • Signing up victims to receive automated custody status information on criminal aliens in ICE custody. 
  • Providing additional criminal or immigration history about illegal aliens to victims or their families. 
  • Explaining where a victim may have the opportunity to provide a victim impact statement in applicable cases. 
  • Giving access to social service professionals and local contacts who can help connect victims to resources and service providers. 

The office was first launched in 2017 by the Trump administration as a dedicated resource for those who have been victimized by crime that has a nexus to immigration.

CWMD Meets with Chicago Area BioWatch and STC Partners

Source: US Department of Homeland Security

WASHINGTON – On March 27 – 28, the Assistant Secretary for the DHS Countering Weapons of Mass Destruction Office (CWMD), David Richardson, traveled to Chicago, Illinois, to meet with state and local representatives for the BioWatch and Securing the Cities (STC) programs. 

During the March 27 BioWatch meeting, A/S Richardson met with the Chicago area BioWatch program representatives to discuss the future of the program, its value, and what actions CWMD could take to strengthen this valuable program further.  

The BioWatch program operates 24/7/365 in over 30 major metropolitan areas to provide an early indication of any potential airborne biological attack. DHS CWMD manages the program, supported by other federal agencies. The program is operated by a network of scientists and laboratory technicians, along with emergency managers, law enforcement officers, and public health officials across federal, state, and local levels of government.

On March 28, A/S Richardson met with the Chicago STC program leadership. The purpose of the meeting was to discuss detection equipment needs, the program’s status, and to see if there are any areas CWMD can improve upon in supporting the state and local team.

The STC Program was established in 2007 and included in the Countering Weapons of Mass Destruction Act of 2018. STC’s mission is to prevent the illicit possession, movement, and use of radiological or nuclear materials and weapons in the United States by enhancing the nuclear detection capabilities of state, local, tribal, and territorial agencies. 

Through STC’s coordinated planning and operations, federal, state, local, tribal, and territorial partners work together in the STC regions to defend against the threat of radiological or nuclear terrorism. CWMD provides radiological and nuclear detection equipment, training, exercise support, and operational and technical subject matter expertise to the STC regions through cooperative agreement grants.

CWMD supports STC implementations in broad areas centered on high-risk urban areas across the Nation. Urban areas include New York City/Newark, Los Angeles/Long Beach, National Capital Region, Houston, Chicago, Atlanta, Miami, Denver, Phoenix/Maricopa County, San Francisco, Seattle, Boston, and New Orleans.

CWMD serves as the Department of Homeland Security’s focal point for countering weapons of mass destruction efforts. By supporting operational partners across federal, state, local, tribal, and territorial levels, CWMD coordinates DHS efforts to safeguard the United States against chemical, biological, radiological, and nuclear threats.

CISA and Partners Issue Fast Flux Cybersecurity Advisory

Source: US Department of Homeland Security

WASHINGTON, DC – Today, the Cybersecurity and Infrastructure Security Agency (CISA) joined the National Security Agency (NSA) and other government and international partners to release a joint Cybersecurity Advisory (CSA) that warns organizations, internet service providers (ISPs), and cybersecurity service providers about fast flux enabled malicious activities that consistently evade detection. The CSA also provides recommended actions to defend against fast flux. 

An ongoing threat, fast flux networks create resilient adversary infrastructure used to evade tracking and blocking. Such infrastructure can be used for cyberattacks such as phishing, command and control of botnets, and data exfiltration. This advisory provides several techniques that should be implemented for a multi-layered security approach including DNS and internet protocol (IP) blocking and sinkholing; enhanced monitoring and logging; phishing awareness and training for users; and reputational filtering. 

“Threat actors leveraging fast flux techniques remain a threat to government and critical infrastructure organizations. Fast flux makes individual computers in a botnet harder to find and block. A useful solution is to find and block the behavior of fast flux itself,” said CISA Deputy Executive Assistant Director for Cybersecurity Matt Hartman. “CISA is pleased to join with our government and international partners to provide this important guidance on mitigating and blocking malicious fast flux activity. We encourage organizations to implement the advisory recommendations to reduce risk and strengthen resilience.”

The authoring agencies encourage ISPs, cybersecurity service providers and Protective Domain Name System (PDNS) providers to help mitigate this threat by taking proactive steps to develop accurate and reliable fast flux detection analytics and block fast flux activities for their customers. 

Additional co-sealers for this joint CSA are Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ). 

For more information about ongoing security threats, visit CISA Cybersecurity Alerts & Advisories.

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, and Instagram.

Fast Flux: A National Security Threat

Source: US Department of Homeland Security

Executive summary

Many networks have a gap in their defenses for detecting and blocking a malicious technique known as “fast flux.” This technique poses a significant threat to national security, enabling malicious cyber actors to consistently evade detection. Malicious cyber actors, including cybercriminals and nation-state actors, use fast flux to obfuscate the locations of malicious servers by rapidly changing Domain Name System (DNS) records. Additionally, they can create resilient, highly available command and control (C2) infrastructure, concealing their subsequent malicious operations. This resilient and fast changing infrastructure makes tracking and blocking malicious activities that use fast flux more difficult. 

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ) are releasing this joint cybersecurity advisory (CSA) to warn organizations, Internet service providers (ISPs), and cybersecurity service providers of the ongoing threat of fast flux enabled malicious activities as a defensive gap in many networks. This advisory is meant to encourage service providers, especially Protective DNS (PDNS) providers, to help mitigate this threat by taking proactive steps to develop accurate, reliable, and timely fast flux detection analytics and blocking capabilities for their customers. This CSA also provides guidance on detecting and mitigating elements of malicious fast flux by adopting a multi-layered approach that combines DNS analysis, network monitoring, and threat intelligence. 

The authoring agencies recommend all stakeholders—government and providers—collaborate to develop and implement scalable solutions to close this ongoing gap in network defenses against malicious fast flux activity.

Download the PDF version of this report: Fast Flux: A National Security Threat (841 KB).

Technical details

When malicious cyber actors compromise devices and networks, the malware they use needs to “call home” to send status updates and receive further instructions. To decrease the risk of detection by network defenders, malicious cyber actors use dynamic resolution techniques, such as fast flux, so their communications are less likely to be detected as malicious and blocked. 

Fast flux refers to a domain-based technique that is characterized by rapidly changing the DNS records (e.g., IP addresses) associated with a single domain [T1568.001]. 

Single and double flux

Malicious cyber actors use two common variants of fast flux to perform operations:

1. Single flux: A single domain name is linked to numerous IP addresses, which are frequently rotated in DNS responses. This setup ensures that if one IP address is blocked or taken down, the domain remains accessible through the other IP addresses. Figure 1 illustrates this technique.

Figure 1: Single flux technique.

Note: This behavior can also be used for legitimate purposes for performance reasons in dynamic hosting environments, such as in content delivery networks and load balancers.

2. Double flux: In addition to rapidly changing the IP addresses as in single flux, the DNS name servers responsible for resolving the domain also change frequently. This provides an additional layer of redundancy and anonymity for malicious domains. Double flux techniques have been observed using both Name Server (NS) and Canonical Name (CNAME) DNS records. Figure 2 illustrates this technique.

Figure 2: Double flux technique. 

Both techniques leverage a large number of compromised hosts, usually a botnet drawn from across the Internet whose members act as proxies or relay points, making it difficult for network defenders to identify the malicious traffic and to block, or perform legal enforcement takedowns of, the malicious infrastructure. Numerous malicious cyber actors have been reported using the fast flux technique to hide C2 channels and remain operational. Examples include:

  • Bulletproof hosting (BPH) services offer Internet hosting that disregards or evades law enforcement requests and abuse notices. These providers host malicious content and activities while providing anonymity for malicious cyber actors. Some BPH companies also provide fast flux services, which help malicious cyber actors maintain connectivity and improve the reliability of their malicious infrastructure. [1]
  • Fast flux has been used in Hive and Nefilim ransomware attacks. [3], [4]
  • Gamaredon uses fast flux to limit the effectiveness of IP blocking. [5], [6], [7]

The key advantages of fast flux networks for malicious cyber actors include:

  • Increased resilience. As a fast flux network rapidly rotates through botnet devices, it is difficult for law enforcement or abuse notifications to process the changes quickly and disrupt their services.
  • Render IP blocking ineffective. The rapid turnover of IP addresses renders IP blocking irrelevant since each IP address is no longer in use by the time it is blocked. This allows criminals to maintain resilient operations.
  • Anonymity. Investigators face challenges in tracing malicious content back to the source through fast flux networks. This is because malicious cyber actors’ C2 botnets are constantly changing the associated IP addresses throughout the investigation.

Additional malicious uses

Fast flux is not only used for maintaining C2 communications; it can also play a significant role in phishing campaigns by making social engineering websites harder to block or take down. Phishing is often the first step in a larger and more complex cyber compromise. Phishing is typically used to trick victims into revealing sensitive information (such as login passwords, credit card numbers, and personal data), but can also be used to distribute malware or exploit system vulnerabilities. Similarly, fast flux is used for maintaining high availability for cybercriminal forums and marketplaces, making them resilient against law enforcement takedown efforts.

Some BPH providers promote fast flux as a service differentiator that increases the effectiveness of their clients’ malicious activities. For example, one BPH provider posted on a dark web forum that it protects clients from being added to Spamhaus blocklists by easily enabling the fast flux capability through the service management panel (See Figure 3). A customer just needs to add a “dummy server interface,” which redirects incoming queries to the host server automatically. By doing so, only the dummy server interfaces are reported for abuse and added to the Spamhaus blocklist, while the servers of the BPH customers remain “clean” and unblocked. 

Figure 3: Example dark web fast flux advertisement.

The BPH provider further explained that numerous malicious activities beyond C2, including botnet managers, fake shops, credential stealers, viruses, spam mailers, and others, could use fast flux to avoid identification and blocking. 

As another example, a BPH provider that offers fast flux as a service advertised that it automatically updates name servers to prevent the blocking of customer domains. Additionally, this provider further promoted its use of separate pools of IP addresses for each customer, offering globally dispersed domain registrations for increased reliability.

Detection techniques

The authoring agencies recommend that ISPs and cybersecurity service providers, especially PDNS providers, implement a multi-layered approach, in coordination with customers, using the following techniques to aid in detecting fast flux activity [CISA CPG 3.A]. However, quickly detecting malicious fast flux activity and differentiating it from legitimate activity remains an ongoing challenge to developing accurate, reliable, and timely fast flux detection analytics. 

1. Leverage threat intelligence feeds and reputation services to identify known fast flux domains and associated IP addresses, such as in boundary firewalls, DNS resolvers, and/or SIEM solutions.

2. Implement anomaly detection systems for DNS query logs to identify domains exhibiting high entropy or IP diversity in DNS responses and frequent IP address rotations. Fast flux domains will frequently cycle through tens or hundreds of IP addresses per day.

3. Analyze the time-to-live (TTL) values in DNS records. Fast flux domains often have unusually low TTL values. A typical fast flux domain may change its IP address every 3 to 5 minutes.

4. Review DNS resolution for inconsistent geolocation. Malicious domains associated with fast flux typically generate high volumes of traffic with inconsistent IP-geolocation information.

5. Use flow data to identify large-scale communications with numerous different IP addresses over short periods.

6. Develop fast flux detection algorithms to identify anomalous traffic patterns that deviate from usual network DNS behavior.

7. Monitor for signs of phishing activities, such as suspicious emails, websites, or links, and correlate these with fast flux activity. Fast flux may be used to rapidly spread phishing campaigns and to keep phishing websites online despite blocking attempts.

8. Implement customer transparency and share information about detected fast flux activity, alerting customers promptly once malicious activity is confirmed.
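As an added example (not code from the advisory or its authoring agencies), the following Python script scores constructed passive DNS observations against three of the signals listed above (IP diversity, low TTL, inconsistent geolocation) and applies the CDN allowlist that the Mitigations note below recommends. The threshold values, domain names and addresses are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean

# Assumed thresholds (not from the advisory); calibrate against your own baseline.
MAX_TTL_SECONDS = 300   # fast flux domains rotate IPs roughly every 3 to 5 minutes
MIN_UNIQUE_IPS = 10     # tens to hundreds of distinct IPs per day
MIN_COUNTRIES = 3       # inconsistent geolocation across answers

# Constructed passive DNS observations: (domain, ttl_seconds, ip, asn, country).
# "cdn.example" imitates a legitimate, geo-distributed CDN with low TTLs.
SAMPLE_OBSERVATIONS = (
    [("cdn.example", 30, f"198.51.100.{i}", 64501, ("US", "DE", "JP")[i % 3])
     for i in range(1, 13)]
    + [("login-verify.example", 60, f"203.0.113.{i}", 64500 + i % 5, c)
       for i, c in enumerate("DE BR US VN PL RU IN AR TR ID UA MX".split(), 1)]
    + [("intranet.example", 3600, "192.0.2.5", 64499, "US"),
       ("intranet.example", 3600, "192.0.2.6", 64499, "US")]
)

def summarize(observations):
    """Aggregate observations into the per-domain features the detector uses."""
    rows = defaultdict(list)
    for domain, ttl, ip, asn, country in observations:
        rows[domain].append((ttl, ip, asn, country))
    return {
        d: {"unique_ips": len({r[1] for r in v}),
            "mean_ttl": mean(r[0] for r in v),
            "asns": len({r[2] for r in v}),
            "countries": len({r[3] for r in v})}
        for d, v in rows.items()
    }

def find_fast_flux(observations, cdn_allowlist=frozenset()):
    """Return domains showing all three signals; skip allowlisted CDN names."""
    hits = []
    for domain, f in summarize(observations).items():
        if domain in cdn_allowlist:
            continue   # expected CDN behaviour, per the advisory's note
        if (f["unique_ips"] >= MIN_UNIQUE_IPS
                and f["mean_ttl"] <= MAX_TTL_SECONDS
                and f["countries"] >= MIN_COUNTRIES):
            hits.append(domain)
    return sorted(hits)

if __name__ == "__main__":
    for name in find_fast_flux(SAMPLE_OBSERVATIONS, {"cdn.example"}):
        print("possible fast flux:", name, summarize(SAMPLE_OBSERVATIONS)[name])
```

Without the allowlist the CDN name is flagged too, which is exactly the false positive the note warns about; a real deployment would also feed flagged names to the reputation and sharing steps listed under Mitigations.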

Mitigations

All organizations

To defend against fast flux, government and critical infrastructure organizations should coordinate with their Internet service providers, cybersecurity service providers, and/or their Protective DNS services to implement the following mitigations utilizing accurate, reliable, and timely fast flux detection analytics. 

Note: Some legitimate activity, such as common content delivery network (CDN) behaviors, may look like malicious fast flux activity. Protective DNS services, service providers, and network defenders should make reasonable efforts, such as allowlisting expected CDN services, to avoid blocking or impeding legitimate content.

1. DNS and IP blocking and sinkholing of malicious fast flux domains and IP addresses

  • Block access to domains identified as using fast flux through non-routable DNS responses or firewall rules.
  • Consider sinkholing the malicious domains, redirecting traffic from those domains to a controlled server to capture and analyze the traffic, helping to identify compromised hosts within the network.
  • Block IP addresses known to be associated with malicious fast flux networks.

2. Reputational filtering of fast flux-enabled malicious activity

  • Block traffic to and from domains or IP addresses with poor reputations, especially ones identified as participating in malicious fast flux activity.

3. Enhanced monitoring and logging

  • Increase logging and monitoring of DNS traffic and network communications to identify new or ongoing fast flux activities.
  • Implement automated alerting mechanisms to respond swiftly to detected fast flux patterns.
  • Refer to ASD’s ACSC joint publication, Best practices for event logging and threat detection, for further logging recommendations.

4. Collaborative defense and information sharing

  • Share detected fast flux indicators (e.g., domains, IP addresses) with trusted partners and threat intelligence communities to enhance collective defense efforts. Examples of indicator sharing initiatives include CISA’s Automated Indicator Sharing or sector-based Information Sharing and Analysis Centers (ISACs) and ASD’s Cyber Threat Intelligence Sharing Platform (CTIS) in Australia.
  • Participate in public and private information-sharing programs to stay informed about emerging fast flux tactics, techniques, and procedures (TTPs). Regular collaboration is particularly important because most malicious activity by these domains occurs within just a few days of their initial use; therefore, early discovery and information sharing by the cybersecurity community is crucial to minimizing such malicious activity. [8]

5. Phishing awareness and training

  • Implement employee awareness and training programs to help personnel identify and respond appropriately to phishing attempts.
  • Develop policies and procedures to manage and contain phishing incidents, particularly those facilitated by fast flux networks.
  • For more information on mitigating phishing, see joint Phishing Guidance: Stopping the Attack Cycle at Phase One.

Network defenders

The authoring agencies encourage organizations to use cybersecurity and PDNS services that detect and block fast flux. By leveraging providers that detect fast flux and implement capabilities for DNS and IP blocking, sinkholing, reputational filtering, enhanced monitoring, logging, and collaborative defense of malicious fast flux domains and IP addresses, organizations can mitigate many risks associated with fast flux and maintain a more secure environment. 

However, some PDNS providers may not detect and block malicious fast flux activities. Organizations should not assume that their PDNS providers block malicious fast flux activity automatically and should contact their PDNS providers to validate coverage of this specific cyber threat. 

For more information on PDNS services, see the 2021 joint cybersecurity information sheet from NSA and CISA about Selecting a Protective DNS Service. [9] In addition, NSA offers no-cost cybersecurity services to Defense Industrial Base (DIB) companies, including a PDNS service. For more information, see NSA’s DIB Cybersecurity Services and factsheet. CISA also offers a Protective DNS service for federal civilian executive branch (FCEB) agencies. See CISA’s Protective Domain Name System Resolver page and factsheet for more information. 

Conclusion

Fast flux represents a persistent threat to network security, leveraging rapidly changing infrastructure to obfuscate malicious activity. By implementing robust detection and mitigation strategies, organizations can significantly reduce their risk of compromise by fast flux-enabled threats. 

The authoring agencies strongly recommend organizations engage their cybersecurity providers on developing a multi-layered approach to detect and mitigate malicious fast flux operations. Utilizing services that detect and block fast flux enabled malicious cyber activity can significantly bolster an organization’s cyber defenses. 

Works cited

[1] Intel 471. Bulletproof Hosting: A Critical Cybercriminal Service. 2024. https://intel471.com/blog/bulletproof-hosting-a-critical-cybercriminal-service

[2] Australian Signals Directorate’s Australian Cyber Security Centre. “Bulletproof” hosting providers: Cracks in the armour of cybercriminal infrastructure. 2025. https://www.cyber.gov.au/about-us/view-all-content/publications/bulletproof-hosting-providers

[3] Logpoint. A Comprehensive Guide to Detect Ransomware. 2023. https://www.logpoint.com/wp-content/uploads/2023/04/logpoint-a-comprehensive-guide-to-detect-ransomware.pdf

[4] Trend Micro. Modern Ransomware’s Double Extortion Tactics and How to Protect Enterprises Against Them. 2021. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/modern-ransomwares-double-extortion-tactics-and-how-to-protect-enterprises-against-them

[5] Unit 42. Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. 2022. https://unit42.paloaltonetworks.com/trident-ursa/

[6] Recorded Future. BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure. 2024. https://www.recordedfuture.com/research/bluealpha-abuses-cloudflare-tunneling-service

[7] Silent Push. ‘From Russia with a 71’: Uncovering Gamaredon’s fast flux infrastructure. New apex domains and ASN/IP diversity patterns discovered. 2023. https://www.silentpush.com/blog/from-russia-with-a-71/

[8] DNSFilter. Security Categories You Should be Blocking (But Probably Aren’t). 2023. https://www.dnsfilter.com/blog/security-categories-you-should-be-blocking-but-probably-arent

[9] National Security Agency. Selecting a Protective DNS Service. 2021. https://media.defense.gov/2025/Mar/24/2003675043/-1/-1/0/CSI-SELECTING-A-PROTECTIVE-DNS-SERVICE-V1.3.PDF

Disclaimer of endorsement

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Purpose

This document was developed in furtherance of the authoring cybersecurity agencies’ missions, including their responsibilities to identify and disseminate threats, and develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Contact

National Security Agency (NSA):

Cybersecurity and Infrastructure Security Agency (CISA):

  • All organizations should report incidents and anomalous activity to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center at report@cisa.gov, or by calling 1-844-Say-CISA (1-844-729-2472). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

Federal Bureau of Investigation (FBI):

  • To report suspicious or criminal activity related to information found in this advisory, contact your local FBI field office or the FBI’s Internet Crime Complaint Center (IC3). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC):

  • For inquiries, visit ASD’s website at www.cyber.gov.au or call the Australian Cyber Security Hotline at 1300 CYBER1 (1300 292 371).

Canadian Centre for Cyber Security (CCCS):

New Zealand National Cyber Security Centre (NCSC-NZ):

DHS Announces Arrest of 68 Tren De Aragua Gang Members in Under 1 Week

Source: US Department of Homeland Security

WASHINGTON – Today, the Department of Homeland Security and Immigration and Customs Enforcement announced the arrest of 68 Tren De Aragua members in less than a week.

On day one of his Administration, President Trump designated Tren De Aragua a terrorist organization. This has allowed a whole of government approach to dismantle this criminal terrorist gang. 

In less than 100 days, the Trump Administration has arrested 394 members of the Tren De Aragua—a vicious gang known for human trafficking, kidnapping, drug trafficking and other heinous acts terrorizing American communities. Members of this vicious terrorist gang are responsible for the brutal assault and murder of nursing student Laken Riley and 12-year-old Jocelyn Nungaray.

Statement from a DHS Spokesperson:

“The Trump Administration and the Department of Homeland Security are committed to arresting and removing criminals from our communities. Tren De Aragua is a terrorist organization whose members are rapists, drug traffickers, and murderers. We will continue to make sure these dirtbags are removed from America’s streets and face justice.” 

Illegal Alien Extradited From Honduras to Face Justice for Alleged Killing of Sarah Root

Source: US Department of Homeland Security

Eswin Mejia Fled to Honduras to Evade Prosecution for Killing Iowan Sarah Root in a Drunk Driving Accident

WASHINGTON – Today, Secretary of Homeland Security Kristi Noem announced that Eswin Mejia, an illegal alien arrested for killing 21-year-old Sarah Root in a drunk driving crash, was successfully extradited from Honduras by Homeland Security Investigations (HSI).


In January 2016, Mejia, an illegal alien, was arrested for vehicular homicide, killing Sarah Root in Douglas County, Nebraska. His blood alcohol content was three times over the legal limit. He was arrested and released on a bond in February 2016 and subsequently fled the country to evade prosecution.


In the aftermath of this tragedy, Sarah’s Law was introduced in the United States Congress and was later added as an amendment to the Laken Riley Act. The law requires illegal aliens who have committed crimes against Americans to be detained. This was the first piece of legislation President Trump signed into law.

Statement from Secretary Noem:

“The extradition and arrest of this criminal alien is the culmination of a nearly decade-long battle for justice for Sarah Root and her family.

Thanks to the hard work of our Homeland Security Investigations and our interagency law enforcement partners, Eswin Mejia, who fled the US to evade prosecution, will finally face justice for the killing of Sarah Root. Sarah should still be here today, and this illegal alien should have never been in our country in the first place.

Senator Joni Ernst has been a champion for Sarah and her family, and her efforts and leadership were crucial in Mejia’s extradition. 

President Trump is putting the safety of Americans first—no longer will murderers and criminal illegal aliens be released into American communities.”

Mejia was first encountered by immigration officials in May 2013 after entering the United States at an unknown date and location and without inspection or parole. U.S. Border Patrol issued the illegal alien a notice to appear, and released him on his own recognizance, pending immigration proceedings.