A decades-old cyber trick is back in the spotlight, and it’s raising fresh concerns among cybersecurity officials. Known as “fast flux,” this technique has long been used by threat actors, from phishing gangs to ransomware crews and even state-sponsored groups, to make their malicious domains harder to detect and take down. It’s not some cutting-edge innovation but a clever abuse of existing domain name system (DNS) functions that allows attackers to stay one step ahead of defenders.
On April 3, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory warning that organizations still struggle to identify and stop fast flux activity. According to CISA, threat groups like Russia’s Gamaredon APT, the Hive ransomware network, and various phishing operators are using it to their advantage. The agency described a critical gap in enterprise defenses, highlighting how threat actors continue to exploit weaknesses in DNS infrastructure.
However, not everyone is convinced the threat is still relevant. Renée Burton, VP of threat intelligence at Infoblox, pushed back against the warning in a LinkedIn post, calling the advisory “a head scratcher.” She argued that fast flux is now so rare that it hardly factors into most cybersecurity strategies. If the advisory had appeared in a trade publication, she said, she would’ve assumed it was sponsored content.
Fast flux works by rotating the IP addresses associated with a single domain name. This helps cybercriminals avoid detection and blocking. Normally, cybersecurity teams block IP addresses linked to known threats—these are called indicators of compromise (IoCs). But fast flux undermines that approach. Instead of a domain pointing to a single IP address, it constantly shifts across many, thanks to a botnet of infected computers that act as proxies. These IPs can change every few seconds, making it nearly impossible for defenders to track and blacklist them all.
Some attackers even take it a step further by rotating the name servers too. This upgraded technique, known as double flux, adds another layer of confusion for anyone trying to dismantle the infrastructure. And when attackers combine fast flux with bulletproof hosting providers—companies that ignore takedown requests—they can make their operations even more resilient.
While this sounds like a formidable strategy, experts like Burton argue it’s losing its edge. Running a fast flux operation isn’t simple. It demands serious skills, coordination, and resources. More importantly, it may no longer be worth the effort. Burton points out that today’s protective DNS systems can flag suspicious activity based on the behavior of domains—not just IP addresses. Ironically, the constant IP shuffling used in fast flux might make a domain more visible, not less.
She explains that detection is no longer about chasing down every IP address. Instead, defenders focus on how domains behave and what kinds of patterns they produce. Protective DNS services can block domains outright, no matter how many IPs they’re linked to. That reduces the effectiveness of fast flux significantly.
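To make the two preceding ideas concrete, here is an added example, not code from the article, CISA, or Infoblox, of the behaviour-based detection Burton describes, applied to the fast flux and double flux mechanics outlined earlier. It profiles each domain seen in a handful of constructed resolver log lines (documentation IP ranges and reserved `.test` names, not real infrastructure) and flags a name when its answers are short-lived, spread across many IPs in several different networks, and, for double flux, backed by rotating name servers. The log format, the thresholds, and the use of /24 prefixes as a stand-in for "different network" are all assumptions made for the example; a production protective DNS service would use richer signals such as ASN diversity, IP reputation and domain age.

```python
"""Behaviour-based fast flux / double flux heuristic over DNS answer logs.

Added example; constructed data and thresholds, not a vendor's product logic.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_network

# Constructed sample log. Format: "<unix_ts> <qname> <rrtype> <ttl> <answer>".
# NS lines record the authoritative name servers returned for the name's zone.
SAMPLE_LOG = """\
1712100000 suspect.flux-sample.test A 30 203.0.113.10
1712100030 suspect.flux-sample.test A 30 198.51.100.22
1712100060 suspect.flux-sample.test A 30 192.0.2.77
1712100090 suspect.flux-sample.test A 30 203.0.113.140
1712100120 suspect.flux-sample.test A 30 198.51.100.201
1712100150 suspect.flux-sample.test A 30 192.0.2.9
1712100000 suspect.flux-sample.test NS 30 ns1.flux-sample.test
1712100060 suspect.flux-sample.test NS 30 ns7.flux-sample.test
1712100120 suspect.flux-sample.test NS 30 ns3.flux-sample.test
1712100000 beacon.other-sample.test A 60 198.51.100.5
1712100060 beacon.other-sample.test A 60 192.0.2.60
1712100120 beacon.other-sample.test A 60 203.0.113.60
1712100180 beacon.other-sample.test A 60 198.51.100.99
1712100240 beacon.other-sample.test A 60 192.0.2.250
1712100000 www.steady-site.test A 300 192.0.2.5
1712100300 www.steady-site.test A 300 192.0.2.5
1712100600 www.steady-site.test A 300 192.0.2.5
1712100000 static.cdn-like.test A 20 203.0.113.20
1712100020 static.cdn-like.test A 20 203.0.113.21
1712100040 static.cdn-like.test A 20 203.0.113.22
1712100060 static.cdn-like.test A 20 203.0.113.23
1712100080 static.cdn-like.test A 20 203.0.113.24
"""


@dataclass
class DomainProfile:
    """Everything the heuristic needs to know about one queried name."""
    ips: set = field(default_factory=set)
    name_servers: set = field(default_factory=set)
    min_ttl: int = 10**9
    observations: int = 0

    @property
    def prefixes(self):
        # /24 networks as a cheap proxy for "how many distinct networks";
        # a real system would map IPs to ASNs instead (assumption).
        return {str(ip_network(ip + "/24", strict=False)) for ip in self.ips}


def parse_log(text):
    """Build a DomainProfile per queried name from the log text."""
    profiles = defaultdict(DomainProfile)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, qname, rrtype, ttl, answer = line.split()
        p = profiles[qname.lower()]
        p.observations += 1
        p.min_ttl = min(p.min_ttl, int(ttl))
        if rrtype == "A":
            p.ips.add(answer)
        elif rrtype == "NS":
            p.name_servers.add(answer.lower())
    return profiles


def classify(profile, *, short_ttl=300, min_ips=5, min_prefixes=3, min_ns=3):
    """Label a profile. Thresholds are illustrative assumptions.

    Many IPs in *one* prefix with a low TTL (typical CDN / load balancing)
    stay benign: the spread across networks is what marks the flux behaviour.
    """
    short_lived = profile.min_ttl <= short_ttl
    spread_out = (len(profile.ips) >= min_ips
                  and len(profile.prefixes) >= min_prefixes)
    if short_lived and spread_out and len(profile.name_servers) >= min_ns:
        return "double-flux"   # A records and NS records both rotate
    if short_lived and spread_out:
        return "fast-flux"     # only the A records rotate
    return "benign"


def detect(text, **thresholds):
    """Map each domain in the log to its verdict; blocking keys on the domain."""
    return {d: classify(p, **thresholds) for d, p in parse_log(text).items()}


if __name__ == "__main__":
    for domain, verdict in detect(SAMPLE_LOG).items():
        print(f"{verdict:12s} {domain}")
```

The point of keying the verdict on the domain rather than on any individual IP is exactly the one made above: once the name itself is blocked at the resolver, it no longer matters how many addresses sit behind it. The CDN-like entry shows the caveat a practitioner must handle, since legitimate services also return many short-lived answers; here the single-network spread keeps it benign, but in practice that distinction needs better signals than a /24 prefix count.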
Burton also notes that fast flux schemes are increasingly rare in the wild. Double flux attacks, in particular, are now an uncommon sight. She says that today’s attackers prefer newer, more subtle methods—like using shady advertising networks and traffic distribution systems to hide their infrastructure. These modern tactics are harder to trace and are often favored over fast flux due to their efficiency and stealth.
Still, CISA’s advisory suggests there may be a slight resurgence in fast flux activity—one not yet fully visible to researchers like Burton. While she doesn’t dismiss the technique entirely, she emphasizes that there are many ways attackers can obscure their infrastructure. Fast flux is just one tool in a much larger toolbox.
For cybersecurity teams, this means the core mission remains unchanged. Whether it’s fast flux or domain cloaking, defenders need to monitor behavior patterns, use advanced DNS protections, and stay agile. The methods may evolve, but the goal is the same: detect and block malicious infrastructure before it causes harm.