WASHINGTON, DC – Today, the Cybersecurity and Infrastructure Security Agency (CISA) joined the National Security Agency (NSA) and other government and international partners to release a joint Cybersecurity Advisory (CSA) that warns organizations, internet service providers (ISPs), and cybersecurity service providers about fast flux enabled malicious activities that consistently evade detection. The CSA also provides recommended actions to defend against fast flux.
An ongoing threat, fast flux networks create resilient adversary infrastructure used to evade tracking and blocking. Such infrastructure can be used for cyberattacks such as phishing, command and control of botnets, and data exfiltration. This advisory provides several techniques that should be implemented for a multi-layered security approach including DNS and internet protocol (IP) blocking and sinkholing; enhanced monitoring and logging; phishing awareness and training for users; and reputational filtering.
“Threat actors leveraging fast flux techniques remain a threat to government and critical infrastructure organizations. Fast flux makes individual computers in a botnet harder to find and block. A useful solution is to find and block the behavior of fast flux itself,” said CISA Deputy Executive Assistant Director for Cybersecurity Matt Hartman. “CISA is pleased to join with our government and international partners to provide this important guidance on mitigating and blocking malicious fast flux activity. We encourage organizations to implement the advisory recommendations to reduce risk and strengthen resilience.”
The authoring agencies encourage ISPs, cybersecurity service providers and Protective Domain Name System (PDNS) providers to help mitigate this threat by taking proactive steps to develop accurate and reliable fast flux detection analytics and block fast flux activities for their customers.
Additional co-sealers for this joint CSA are Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ).
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
Many networks have a gap in their defenses for detecting and blocking a malicious technique known as “fast flux.” This technique poses a significant threat to national security, enabling malicious cyber actors to consistently evade detection. Malicious cyber actors, including cybercriminals and nation-state actors, use fast flux to obfuscate the locations of malicious servers by rapidly changing Domain Name System (DNS) records. Additionally, they can create resilient, highly available command and control (C2) infrastructure, concealing their subsequent malicious operations. This resilient and fast changing infrastructure makes tracking and blocking malicious activities that use fast flux more difficult.
The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ) are releasing this joint cybersecurity advisory (CSA) to warn organizations, Internet service providers (ISPs), and cybersecurity service providers of the ongoing threat of fast flux enabled malicious activities as a defensive gap in many networks. This advisory is meant to encourage service providers, especially Protective DNS (PDNS) providers, to help mitigate this threat by taking proactive steps to develop accurate, reliable, and timely fast flux detection analytics and blocking capabilities for their customers. This CSA also provides guidance on detecting and mitigating elements of malicious fast flux by adopting a multi-layered approach that combines DNS analysis, network monitoring, and threat intelligence.
The authoring agencies recommend all stakeholders—government and providers—collaborate to develop and implement scalable solutions to close this ongoing gap in network defenses against malicious fast flux activity.
When malicious cyber actors compromise devices and networks, the malware they use needs to “call home” to send status updates and receive further instructions. To decrease the risk of detection by network defenders, malicious cyber actors use dynamic resolution techniques, such as fast flux, so their communications are less likely to be detected as malicious and blocked.
Fast flux refers to a domain-based technique that is characterized by rapidly changing the DNS records (e.g., IP addresses) associated with a single domain [T1568.001].
Single and double flux
Malicious cyber actors use two common variants of fast flux to perform operations:
1. Single flux: A single domain name is linked to numerous IP addresses, which are frequently rotated in DNS responses. This setup ensures that if one IP address is blocked or taken down, the domain remains accessible through the other IP addresses. See Figure 1 as an example to illustrate this technique.
Figure 1: Single flux technique.
Note: This behavior can also be used for legitimate purposes for performance reasons in dynamic hosting environments, such as in content delivery networks and load balancers.
2. Double flux: In addition to rapidly changing the IP addresses as in single flux, the DNS name servers responsible for resolving the domain also change frequently. This provides an additional layer of redundancy and anonymity for malicious domains. Double flux techniques have been observed using both Name Server (NS) and Canonical Name (CNAME) DNS records. See Figure 2 as an example to illustrate this technique.
Figure 2: Double flux technique.
Both techniques rely on a large number of compromised hosts, usually a botnet spread across the Internet, that act as proxies or relay points in front of the actual malicious server. Because the addresses seen by defenders belong to these short-lived relays rather than to the backend, it is difficult for network defenders to identify the malicious traffic and block, or perform legal enforcement takedowns of, the malicious infrastructure. Numerous malicious cyber actors have been reported using the fast flux technique to hide C2 channels and remain operational. Examples include:
Bulletproof hosting (BPH) services offer Internet hosting that disregards or evades law enforcement requests and abuse notices. These providers host malicious content and activities while providing anonymity for malicious cyber actors. Some BPH companies also provide fast flux services, which help malicious cyber actors maintain connectivity and improve the reliability of their malicious infrastructure. [1]
Fast flux has been used in Hive and Nefilim ransomware attacks. [3], [4]
Gamaredon uses fast flux to limit the effectiveness of IP blocking. [5], [6], [7]
The key advantages of fast flux networks for malicious cyber actors include:
Increased resilience. As a fast flux network rapidly rotates through botnet devices, it is difficult for law enforcement or abuse notifications to process the changes quickly and disrupt their services.
Render IP blocking ineffective. The rapid turnover of IP addresses renders IP blocking irrelevant since each IP address is no longer in use by the time it is blocked. This allows criminals to maintain resilient operations.
Anonymity. Investigators face challenges in tracing malicious content back to the source through fast flux networks. This is because malicious cyber actors’ C2 botnets are constantly changing the associated IP addresses throughout the investigation.
Additional malicious uses
Fast flux is not only used for maintaining C2 communications, it also can play a significant role in phishing campaigns to make social engineering websites harder to block or take down. Phishing is often the first step in a larger and more complex cyber compromise. Phishing is typically used to trick victims into revealing sensitive information (such as login passwords, credit card numbers, and personal data), but can also be used to distribute malware or exploit system vulnerabilities. Similarly, fast flux is used for maintaining high availability for cybercriminal forums and marketplaces, making them resilient against law enforcement takedown efforts.
Some BPH providers promote fast flux as a service differentiator that increases the effectiveness of their clients’ malicious activities. For example, one BPH provider posted on a dark web forum that it protects clients from being added to Spamhaus blocklists by easily enabling the fast flux capability through the service management panel (See Figure 3). A customer just needs to add a “dummy server interface,” which redirects incoming queries to the host server automatically. By doing so, only the dummy server interfaces are reported for abuse and added to the Spamhaus blocklist, while the servers of the BPH customers remain “clean” and unblocked.
Figure 3: Example dark web fast flux advertisement.
The BPH provider further explained that numerous malicious activities beyond C2, including botnet managers, fake shops, credential stealers, viruses, spam mailers, and others, could use fast flux to avoid identification and blocking.
As another example, a BPH provider that offers fast flux as a service advertised that it automatically updates name servers to prevent the blocking of customer domains. Additionally, this provider further promoted its use of separate pools of IP addresses for each customer, offering globally dispersed domain registrations for increased reliability.
Detection techniques
The authoring agencies recommend that ISPs and cybersecurity service providers, especially PDNS providers, implement a multi-layered approach, in coordination with customers, using the following techniques to aid in detecting fast flux activity [CISA CPG 3.A]. However, quickly detecting malicious fast flux activity and differentiating it from legitimate activity remains an ongoing challenge to developing accurate, reliable, and timely fast flux detection analytics.
1. Leverage threat intelligence feeds and reputation services to identify known fast flux domains and associated IP addresses, such as in boundary firewalls, DNS resolvers, and/or SIEM solutions.
2. Implement anomaly detection systems for DNS query logs to identify domains exhibiting high entropy or IP diversity in DNS responses and frequent IP address rotations. Fast flux domains will frequently cycle through tens or hundreds of IP addresses per day.
3. Analyze the time-to-live (TTL) values in DNS records. Fast flux domains often have unusually low TTL values. A typical fast flux domain may change its IP address every 3 to 5 minutes. A low TTL by itself is not conclusive, since CDNs and load balancers also use short TTLs for legitimate reasons, so combine it with the IP-diversity and rotation signals above.
4. Review DNS resolution for inconsistent geolocation. Malicious domains associated with fast flux typically generate high volumes of traffic with inconsistent IP-geolocation information.
5. Use flow data to identify large-scale communications with numerous different IP addresses over short periods.
6. Develop fast flux detection algorithms to identify anomalous traffic patterns that deviate from usual network DNS behavior.
7. Monitor for signs of phishing activities, such as suspicious emails, websites, or links, and correlate these with fast flux activity. Fast flux may be used to rapidly spread phishing campaigns and to keep phishing websites online despite blocking attempts.
8. Implement customer transparency and share information about detected fast flux activity, alerting customers promptly once the presence of malicious activity is confirmed.
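The following is an added example, not code from the advisory or from any named provider, showing how detection techniques 2 through 4 above (IP diversity and rotation, low TTLs, and spread across unrelated address blocks) together with the double flux signal of name-server churn can be scored from resolver logs. The log format (one answer per line: epoch, query name, record type, record data, TTL), the sample records, the CDN allowlist entry and the thresholds are all assumptions constructed for the example; the thresholds follow the advisory's own figures (sub-5-minute TTLs, tens of IPs per day) but are deliberately low so the short sample window triggers them, and they must be tuned per network. The /24 prefix count stands in for the ASN or geolocation lookup a production system would use.

```python
"""Score resolver logs for fast flux indicators (added example, not advisory code)."""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress

LOW_TTL_SECONDS = 300        # advisory: flux domains rotate every 3 to 5 minutes
MIN_UNIQUE_IPS = 5           # assumption: small sample window; production uses tens per day
MIN_UNIQUE_PREFIXES = 4      # assumption: IPs spread over many /24s, not one hosting block
MIN_UNIQUE_NS = 3            # assumption: name-server churn is the double flux signal
CDN_ALLOWLIST = {"cdn.example"}   # assumption: expected CDN names (advisory's CDN caveat)

# Constructed sample log. Addresses come from RFC 5737 and RFC 2544 ranges.
# rapid-flux.example rotates both A and NS records with 60 s TTLs,
# cdn.example looks flux-like but is an allowlisted CDN, static.example is normal.
SAMPLE_LOG = """\
1700000000 rapid-flux.example A 203.0.113.10 60
1700000060 rapid-flux.example A 198.51.100.7 60
1700000120 rapid-flux.example A 192.0.2.15 60
1700000180 rapid-flux.example A 198.18.1.5 60
1700000240 rapid-flux.example A 198.19.4.5 60
1700000300 rapid-flux.example A 203.0.113.77 60
1700000000 rapid-flux.example NS ns1.flux-a.example. 60
1700000120 rapid-flux.example NS ns2.flux-b.example. 60
1700000240 rapid-flux.example NS ns3.flux-c.example. 60
1700000000 cdn.example A 192.0.2.30 30
1700000030 cdn.example A 198.51.100.30 30
1700000060 cdn.example A 203.0.113.30 30
1700000090 cdn.example A 198.18.7.30 30
1700000120 cdn.example A 198.19.7.30 30
1700000000 cdn.example NS ns1.cdn.example. 3600
1700000000 static.example A 192.0.2.200 3600
1700003600 static.example A 192.0.2.200 3600
1700000000 static.example NS ns1.static.example. 3600
"""


@dataclass
class DomainStats:
    ips: set = field(default_factory=set)          # distinct A-record addresses
    prefixes: set = field(default_factory=set)     # distinct /24s those addresses fall in
    nameservers: set = field(default_factory=set)  # distinct NS targets (double flux)
    min_ttl: int = 2**31
    answers: int = 0


def normalize(name):
    return name.strip().lower().rstrip(".")


def parse_log(text):
    """Aggregate per-domain features from the assumed five-field log format."""
    stats = defaultdict(DomainStats)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, qname, rtype, rdata, ttl = line.split()
        s = stats[normalize(qname)]
        s.answers += 1
        s.min_ttl = min(s.min_ttl, int(ttl))
        if rtype == "A":
            ip = ipaddress.ip_address(rdata)
            s.ips.add(ip)
            s.prefixes.add(ipaddress.ip_network(f"{ip}/24", strict=False))
        elif rtype == "NS":
            s.nameservers.add(normalize(rdata))
    return stats


def is_allowlisted(name, allowlist=CDN_ALLOWLIST):
    return name in allowlist or any(name.endswith("." + a) for a in allowlist)


def classify(stats, allowlist=CDN_ALLOWLIST):
    """Return {domain: (verdict, reasons)}; verdicts are benign, allowlisted,
    single flux or double flux. Allowlisted names keep their reasons for review."""
    results = {}
    for name, s in stats.items():
        reasons = []
        if s.min_ttl <= LOW_TTL_SECONDS:
            reasons.append(f"min TTL {s.min_ttl}s")
        if len(s.ips) >= MIN_UNIQUE_IPS:
            reasons.append(f"{len(s.ips)} distinct A records")
        if len(s.prefixes) >= MIN_UNIQUE_PREFIXES:
            reasons.append(f"{len(s.prefixes)} distinct /24 prefixes")
        if len(s.nameservers) >= MIN_UNIQUE_NS:
            reasons.append(f"{len(s.nameservers)} distinct NS records")
        # Single flux needs all three address-side signals, not any one of them,
        # otherwise ordinary round-robin hosting with a short TTL would fire.
        fluxy = (s.min_ttl <= LOW_TTL_SECONDS
                 and len(s.ips) >= MIN_UNIQUE_IPS
                 and len(s.prefixes) >= MIN_UNIQUE_PREFIXES)
        if not fluxy:
            verdict = "benign"
        elif is_allowlisted(name, allowlist):
            verdict = "allowlisted"
        elif len(s.nameservers) >= MIN_UNIQUE_NS:
            verdict = "double flux"
        else:
            verdict = "single flux"
        results[name] = (verdict, reasons)
    return results


if __name__ == "__main__":
    for name, (verdict, reasons) in sorted(classify(parse_log(SAMPLE_LOG)).items()):
        print(f"{name:22} {verdict:12} {'; '.join(reasons)}")
```

Run stand-alone, the script reports rapid-flux.example as double flux (six addresses across five /24s with 60-second TTLs and three different name servers), cdn.example as allowlisted even though it shows the same address-side pattern, and static.example as benign. In a PDNS or SIEM deployment the aggregation would run over a sliding window per domain rather than over a whole file, and the allowlist is what keeps technique 2 from impeding legitimate CDN traffic.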
Mitigations
All organizations
To defend against fast flux, government and critical infrastructure organizations should coordinate with their Internet service providers, cybersecurity service providers, and/or their Protective DNS services to implement the following mitigations utilizing accurate, reliable, and timely fast flux detection analytics.
Note: Some legitimate activity, such as common content delivery network (CDN) behaviors, may look like malicious fast flux activity. Protective DNS services, service providers, and network defenders should make reasonable efforts, such as allowlisting expected CDN services, to avoid blocking or impeding legitimate content.
1. DNS and IP blocking and sinkholing of malicious fast flux domains and IP addresses
Block access to domains identified as using fast flux through non-routable DNS responses or firewall rules.
Consider sinkholing the malicious domains, redirecting traffic from those domains to a controlled server to capture and analyze the traffic, helping to identify compromised hosts within the network.
Block IP addresses known to be associated with malicious fast flux networks.
2. Reputational filtering of fast flux enabled malicious activity
Block traffic to and from domains or IP addresses with poor reputations, especially ones identified as participating in malicious fast flux activity.
3. Enhanced monitoring and logging
Increase logging and monitoring of DNS traffic and network communications to identify new or ongoing fast flux activities.
Implement automated alerting mechanisms to respond swiftly to detected fast flux patterns.
4. Collaborative defense and information sharing
Share detected fast flux indicators (e.g., domains, IP addresses) with trusted partners and threat intelligence communities to enhance collective defense efforts. Examples of indicator sharing initiatives include CISA’s Automated Indicator Sharing or sector-based Information Sharing and Analysis Centers (ISACs) and ASD’s Cyber Threat Intelligence Sharing Platform (CTIS) in Australia.
Participate in public and private information-sharing programs to stay informed about emerging fast flux tactics, techniques, and procedures (TTPs). Regular collaboration is particularly important because most malicious activity by these domains occurs within just a few days of their initial use; therefore, early discovery and information sharing by the cybersecurity community is crucial to minimizing such malicious activity. [8]
5. Phishing awareness and training
Implement employee awareness and training programs to help personnel identify and respond appropriately to phishing attempts.
Develop policies and procedures to manage and contain phishing incidents, particularly those facilitated by fast flux networks.
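As an added example (not the advisory's own code or any vendor's), the following turns confirmed fast flux indicators into the controls described under mitigation 1 above, expressed as a DNS Response Policy Zone (RPZ) that BIND-style resolvers can load: the "non-routable DNS response" becomes an NXDOMAIN rewrite (`CNAME .`), sinkholing becomes a local-data rewrite of the domain to a controlled address, blocked IP addresses become `rpz-ip` triggers, and the name servers observed in double flux become `rpz-nsdname` triggers so every domain they serve is answered NXDOMAIN. It also applies the CDN allowlist note: allowlisted names are emitted as `rpz-passthru` rules and a request to block one is refused. The indicator values, the sinkhole address 192.0.2.1 and the allowlist entry are constructed for the example.

```python
"""Emit an RPZ zone from confirmed fast flux indicators (added example, not advisory code)."""
import ipaddress


def normalize(name):
    return name.strip().lower().rstrip(".")


def rpz_ip_trigger(ip_str):
    """Encode an IPv4 address as an RPZ IP trigger: <prefixlen>.<b4>.<b3>.<b2>.<b1>.rpz-ip
    (octets reversed, as in in-addr.arpa). IPv6 encoding is not shown here."""
    net = ipaddress.ip_network(ip_str, strict=False)
    if net.version != 4:
        raise NotImplementedError("IPv6 rpz-ip encoding is not covered by this example")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}.{'.'.join(reversed(octets))}.rpz-ip"


def is_allowlisted(name, allowlist):
    return name in allowlist or any(name.endswith("." + a) for a in allowlist)


def build_rpz_zone(flux_domains, flux_ips, flux_nameservers, sinkhole_ip=None, allowlist=()):
    """Return the zone as a list of lines. With sinkhole_ip set, flux domains are
    rewritten to that address (local data); without it they get NXDOMAIN."""
    allow = {normalize(a) for a in allowlist}
    lines = [
        "$TTL 300",
        "@ IN SOA localhost. root.localhost. 1 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    # Expected CDN names are passed through untouched (advisory's CDN caveat).
    for name in sorted(allow):
        lines.append(f"{name} CNAME rpz-passthru.")
        lines.append(f"*.{name} CNAME rpz-passthru.")

    if sinkhole_ip is not None:
        sink = ipaddress.ip_address(sinkhole_ip)
        # The sinkhole must not sit inside an address we are also blocking,
        # or the rpz-ip trigger below would swallow the sinkholed answers.
        if any(sink in ipaddress.ip_network(ip, strict=False) for ip in flux_ips):
            raise ValueError("sinkhole address overlaps a blocked IP")

    action = f"A {sinkhole_ip}" if sinkhole_ip is not None else "CNAME ."
    for name in sorted({normalize(d) for d in flux_domains}):
        if is_allowlisted(name, allow):
            raise ValueError(f"refusing to block allowlisted name {name}")
        lines.append(f"{name} {action}")       # the flux domain itself
        lines.append(f"*.{name} {action}")     # and any subdomain the actor rotates through

    # Answers containing a blocked relay address are rewritten to NXDOMAIN,
    # which also catches other domains resolving into the same flux pool.
    for ip in sorted(set(flux_ips)):
        lines.append(f"{rpz_ip_trigger(ip)} CNAME .")

    # Double flux: block every domain delegated to an observed flux name server.
    for ns in sorted({normalize(n) for n in flux_nameservers}):
        lines.append(f"{ns}.rpz-nsdname CNAME .")
    return lines


if __name__ == "__main__":
    # Constructed indicators, matching the example detection output above.
    zone = build_rpz_zone(
        flux_domains=["rapid-flux.example"],
        flux_ips=["203.0.113.10", "198.51.100.7"],
        flux_nameservers=["ns1.flux-a.example.", "ns2.flux-b.example."],
        sinkhole_ip="192.0.2.1",
        allowlist={"cdn.example"},
    )
    print("\n".join(zone))
```

Two practical notes. Sinkholing only identifies compromised hosts if the sinkhole address is a server you operate that accepts any host name and logs the connections, so pair the local-data rewrite with that listener; use the NXDOMAIN form when no such server exists. And because fast flux rotates relay addresses within minutes, the domain and name-server triggers are the durable part of this zone, while the `rpz-ip` entries need to be regenerated from fresh detections or they decay into the irrelevance the advisory describes under "Render IP blocking ineffective".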
The authoring agencies encourage organizations to use cybersecurity and PDNS services that detect and block fast flux. By leveraging providers that detect fast flux and implement capabilities for DNS and IP blocking, sinkholing, reputational filtering, enhanced monitoring, logging, and collaborative defense of malicious fast flux domains and IP addresses, organizations can mitigate many risks associated with fast flux and maintain a more secure environment.
However, some PDNS providers may not detect and block malicious fast flux activities. Organizations should not assume that their PDNS providers block malicious fast flux activity automatically and should contact their PDNS providers to validate coverage of this specific cyber threat.
For more information on PDNS services, see the 2021 joint cybersecurity information sheet from NSA and CISA about Selecting a Protective DNS Service. [9] In addition, NSA offers no-cost cybersecurity services to Defense Industrial Base (DIB) companies, including a PDNS service. For more information, see NSA’s DIB Cybersecurity Services and factsheet. CISA also offers a Protective DNS service for federal civilian executive branch (FCEB) agencies. See CISA’s Protective Domain Name System Resolver page and factsheet for more information.
Conclusion
Fast flux represents a persistent threat to network security, leveraging rapidly changing infrastructure to obfuscate malicious activity. By implementing robust detection and mitigation strategies, organizations can significantly reduce their risk of compromise by fast flux-enabled threats.
The authoring agencies strongly recommend organizations engage their cybersecurity providers on developing a multi-layered approach to detect and mitigate malicious fast flux operations. Utilizing services that detect and block fast flux enabled malicious cyber activity can significantly bolster an organization’s cyber defenses.
The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
Purpose
This document was developed in furtherance of the authoring cybersecurity agencies’ missions, including their responsibilities to identify and disseminate threats, and develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
Contact
National Security Agency (NSA):
Cybersecurity and Infrastructure Security Agency (CISA):
All organizations should report incidents and anomalous activity to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center at report@cisa.gov, or by calling 1-844-Say-CISA (1-844-729-2472). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
Federal Bureau of Investigation (FBI):
To report suspicious or criminal activity related to information found in this advisory, contact your local FBI field office or the FBI’s Internet Crime Complaint Center (IC3). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC):
For inquiries, visit ASD’s website at www.cyber.gov.au or call the Australian Cyber Security Hotline at 1300 CYBER1 (1300 292 371).
Canadian Centre for Cyber Security (CCCS):
New Zealand National Cyber Security Centre (NCSC-NZ):
WASHINGTON – Today, the Department of Homeland Security and Immigration and Customs Enforcement announced the arrest of 68 Tren De Aragua members in less than a week.
On day one of his Administration, President Trump designated Tren De Aragua a terrorist organization. This has allowed a whole of government approach to dismantle this criminal terrorist gang.
In less than 100 days, the Trump Administration has arrested 394 members of the Tren De Aragua—a vicious gang known for human trafficking, kidnapping, drug trafficking and other heinous acts terrorizing American communities. Members of this vicious terrorist gang are responsible for the brutal assault and murder of nursing student Laken Riley and 12-year-old Jocelyn Nungaray.
Statement from a DHS Spokesperson:
“The Trump Administration and the Department of Homeland Security are committed to arresting and removing criminals from our communities. Tren De Aragua is a terrorist organization whose members are rapists, drug traffickers, and murderers. We will continue to make sure these dirtbags are removed from America’s streets and face justice.”
Eswin Mejia Fled to Honduras to Evade Prosecution for Killing Iowan Sarah Root in a Drunk Driving Accident
WASHINGTON – Today, Secretary of Homeland Security Kristi Noem announced that Eswin Mejia, an illegal alien arrested for killing 21-year-old Sarah Root in a drunk driving crash, was successfully extradited from Honduras by Homeland Security Investigations (HSI).
In January 2016, Mejia, an illegal alien, was arrested for vehicular homicide, killing Sarah Root in Douglas County, Nebraska. His blood alcohol content was three times over the legal limit. He was arrested and released on a bond in February 2016 and subsequently fled the country to evade prosecution.
In the aftermath of this tragedy, Sarah’s Law was introduced in the United States Congress and was later added as an amendment to the Laken Riley Act. The law requires illegal aliens who have committed crimes against Americans to be detained. This was the first piece of legislation President Trump signed into law.
Statement from Secretary Noem:
“The extradition and arrest of this criminal alien is the culmination of a nearly decade-long battle for justice for Sarah Root and her family.
Thanks to the hard work of our Homeland Security Investigation and our interagency law enforcement partners, Eswin Mejia, who fled the US to evade prosecution, will finally face justice for the killing of Sarah Root. Sarah should still be here today, and this illegal alien should have never been in our country in the first place.
Senator Joni Ernst has been a champion for Sarah and her family, and her efforts and leadership were crucial in Mejia’s extradition.
President Trump is putting the safety of Americans first—no longer will murderers and criminal illegal aliens be released into American communities.”
Mejia was first encountered by immigration officials in May 2013 after entering the United States at an unknown date and location and without inspection or parole. U.S. Border Patrol issued the illegal alien a notice to appear, and released him on his own recognizance, pending immigration proceedings.
“Under President Trump, America’s borders are closed to lawbreakers.” – Secretary Noem
WASHINGTON – Today, the Department of Homeland Security is launching its international, multimillion-dollar ad campaign warning illegal aliens not to come to America and break its laws or they will be hunted down and deported.
This series of ads will run on radio, broadcast, and digital, in multiple countries and regions in various dialects. Ads will be hyper-targeted, including through social media, text message and digital to reach international audiences.
“Thank you, President Donald J. Trump, for securing our border and putting America first. President Trump has a clear message: if you are here illegally, we will find you and deport you. You will never return. But if you leave now, you may have an opportunity to return and enjoy our freedom and live the American Dream,” said Secretary Kristi Noem. “If you are a criminal alien considering entering America illegally: Don’t even think about it. If you come here and break our laws, we will hunt you down. Criminals are not welcome in the United States.”
Another student who supported Hamas was arrested by ICE HSI for overstaying her student visa.
WASHINGTON – Today, Secretary of Homeland Security Kristi Noem announced that one of the Columbia students who had her student visa revoked for advocating for violence and terrorism self-deported using the CBP Home App and ICE arrested a Palestinian student for overstaying her expired F-1 visa.
Ranjani Srinivasan, a citizen and national of India, entered the United States on an F-1 student visa as a doctoral student in Urban Planning at Columbia University. Srinivasan was involved in activities supporting Hamas, a terrorist organization. On March 5, 2025, the Department of State revoked her visa. The Department of Homeland Security has obtained video footage of her using the CBP Home App to self-deport on March 11.
Another student, Leqaa Kordia, a Palestinian from the West Bank, was arrested by ICE HSI Newark officers for overstaying her expired F-1 student visa. Her visa terminated on January 26, 2022, for lack of attendance. Previously, in April 2024, Kordia was arrested for her involvement in pro-Hamas protests at Columbia University in New York City.
The below statement is attributable to Secretary Noem:
“It is a privilege to be granted a visa to live and study in the United States of America. When you advocate for violence and terrorism that privilege should be revoked, and you should not be in this country. I am glad to see one of the Columbia University terrorist sympathizers use the CBP Home app to self-deport.”
Almost 75% of these arrests were of accused or convicted criminals.
WASHINGTON – In the first 50 days of the Trump Administration, Immigration and Customs Enforcement (ICE) has made 32,809 enforcement arrests. To put this figure into perspective, in the entire fiscal year 2024, ICE’s Enforcement and Removal Operations made 33,242 of these at-large arrests.
As of Tuesday, ICE has officially made more at-large arrests in the first few weeks of President Trump’s presidency than the entire last year under the previous administration.
Of the illegal aliens we’ve arrested in the past 50 days:
In total, ICE arrested 1,155 criminal gang members. That’s almost two and a half times the 483 arrested during the same time period last year.
39 of these arrests were known or suspected terrorists. That’s nearly triple the 14 arrested during the same time period last year.
A statement from Secretary Noem is below:
“We have deported known terrorists, cartel members, and gang members from our country.
“We will see the number of deportations continue to rise. And illegal immigrants have the option to self-deport and come back LEGALLY in the future.
“And our team at ICE will help us continue moving forward to make America SAFE again.”
CISA’s Red Team is among the best in the world and remains laser focused on helping our federal and critical infrastructure partners identify and mitigate their most significant vulnerabilities and weaknesses. This has not changed.
Contrary to inaccurate reporting, CISA has not “laid off” our Red Team. CISA has taken action to terminate contracts where the agency has been able to find efficiencies and eliminate duplication of effort. As good stewards of the taxpayer dollar and in accordance with good fiscal governance practices, CISA regularly reviews contracts across the agency to ensure that we have the capabilities that we need and that we are allocating resources in ways that make the most impact. This was a contract action that did not impact the employment status of CISA personnel.
CISA’s Red Teams continue their work without interruption. The team works directly with network defenders, system administrators, and other technical staff to address strengths and weaknesses across critical infrastructure networks and systems. They continue to assist organizations in refining their detection, response, and hunt capabilities to protect the nation’s critical infrastructure from a range of threats.
I am honored to welcome Troy Edgar as the United States Deputy Secretary of the Department of Homeland Security. Troy served as DHS’s Chief Financial Officer in President Trump’s first Administration and is entrusted by President Trump once again.
A proud Navy veteran, Troy joins us with more than 35 years of business and executive experience providing leadership and advisory services to companies of various industries, including the government.
I look forward to working alongside Troy to keep the more than 330 million American citizens safe and secure in our great nation. We will work with the DHS workforce to advance our essential missions from enforcing immigration laws, securing our border, and safeguarding US cyber infrastructure to protecting America’s leaders and deterring terrorism.
We will deliver rapid relief to Americans in the face of natural disasters, empower our brave men and women in law enforcement to do their jobs and remove criminal aliens and illegal gangs from our country. We will fully equip our intelligence and law enforcement to detect and prevent terror threats of all facets.
I look forward to working alongside Troy to ensure that the United States, once again, is a beacon of freedom, safety, and security for generations to come.
Please join me in welcoming Troy Edgar back to the Department.
Kristi Noem, Secretary of Homeland Security