NSA Says Fast Flux Is A National Security Threat, But What Is It?
Summary
In this video, Marcus Hutchins dives deep into the topic of fast flux and its emergence as a national security threat, as identified by the NSA. Fast flux is a technique dating back to 2005, involving the dynamic changing of server IP addresses behind a domain to evade detection and takedown. Hutchins explains the intricacies of the technology, its historical context in cybersecurity, and how it is being leveraged by nation-state actors for more aggressive campaigns. This technique poses significant challenges due to its resistance to traditional blocking methods and its ability to flux DNS and proxy servers via botnets, complicating efforts to track and eliminate threats.
Highlights
Fast flux is considered a national security threat by the NSA. 🚨
The technique dates back to 2005, popularized in 2007. 📜
Fast flux involves changing server IPs to avoid detection. 🔄
Proxy servers and botnets are used to hide real servers. 🖥️
The NSA warns due to increased use by organized threat actors. ⚠️
Key Takeaways
Fast flux is an old technique from 2005, now a national security concern. 🚨
It's used to hide the real server IPs via dynamic DNS changes. 🤯
Originally a cybercriminal tactic, now used by nation-state actors. 👨💻
Fast flux networks are hard to block due to ever-changing IPs. 🔄
It requires modern security solutions beyond traditional IP blocking. 🔒
Overview
Marcus Hutchins takes us on a journey through the complex and evolving landscape of cybersecurity with his exposé on fast flux, a technique once buried in the annals of cyber history now resurrected as a significant threat. Fast flux, a technique developed back in 2005, is now being flagged by the NSA as a national security risk due to its new resurgence among state-sponsored hackers. Hutchins passionately demystifies this intricate method where domains switch over various IP addresses to obscure their digital tracks, presenting a daunting challenge to cybersecurity efforts.
With his engaging storytelling, Hutchins lays bare the historical context of fast flux and how it has evolved from merely a tool for cybercriminals to a sophisticated weapon in the arsenal of nation-state actors. By weaving in anecdotes from the early days of IT, he illustrates how once secure technologies are being retooled for more aggressive and widespread digital operations, posing a formidable risk to organizations worldwide.
Fast flux's ability to dynamically change DNS and proxy servers using botnets makes it a hydra-headed beast in the world of cyber threats. Hutchins emphasizes the need for modern security measures that go beyond traditional IP blocking, highlighting the urgency with which the current cybersecurity landscape must adapt. As he ties off his enlightening session, we're left with not just a deeper understanding of this digital menace but a call to action for more robust defenses against an ever-evolving threat.
Chapters
00:00 - 00:30: Introduction to Fast Flux The chapter introduces the topic of 'Fast Flux' and discusses its significance as a national security threat, as recognized by the NSA. Despite its current relevance, fast flux is described as a very old technique, originating around 2005 and gaining popularity in 2007. The chapter sets the stage for a detailed exploration of fast flux's impact and why it has recently become a concern despite being known for over a decade.
00:30 - 05:00: Understanding DNS and Its Role The chapter 'Understanding DNS and Its Role' explains the fundamental workings of the Domain Name System (DNS). It highlights how DNS is a crucial aspect of internet functionality, enabling the conversion of human-friendly domain names into IP addresses that computers can understand. The chapter provides an example of how when a user types 'google.com' into a web browser, the DNS system helps the user's computer resolve this to the appropriate IP address, thus allowing connection to Google's server.
05:00 - 07:00: Historical Context and Origins of Fast Flux This chapter delves into the historical context and origins of Fast Flux, a technique commonly used in cybersecurity to mask malicious activities by rapidly changing the DNS records associated with a domain. The discussion begins with an explanation of the DNS (Domain Name System) process, involving four main types of servers: the recursive DNS resolver, the root name server, the TLD name server, and the authoritative name server. It describes the initial step in which a user's request, for example, to find 'Google.com', is processed starting with the ISP's DNS server. Although the ISP's DNS server does not have the answer, it contains a list of hard-coded root name servers that aid in resolving the query. This explanation lays the groundwork for understanding how Fast Flux exploits these DNS mechanics to achieve its objectives.
07:00 - 10:00: How Fast Flux Operates The chapter 'How Fast Flux Operates' provides an explanation of how domain name resolution works, specifically focusing on the hierarchy of domain name servers. It describes how a root name server knows the location of top-level domain (TLD) servers, such as .com or .org, and how an Internet Service Provider's (ISP) DNS server interacts with these servers to find the IP address associated with a domain name like google.com. The process involves the ISP's DNS server first contacting the root name server to get the address of the appropriate TLD server.
10:00 - 12:00: Single vs. Double Fast Flux The chapter discusses the concept of DNS servers and their role in resolving domain names. It explains that when an ISP's DNS server does not know the location of a domain (e.g., google.com), it queries another server for this information. This server, in turn, directs the DNS server to the authoritative server for the domain, which can be either a hosted DNS provider or the domain owner's server. The authoritative server is described as having the authority to provide the correct information on the domain's location.
12:00 - 16:00: Countermeasures: DNS Reputation and Challenges The chapter titled 'Countermeasures: DNS Reputation and Challenges' discusses the process of DNS resolution, using google.com as an example. It describes the four-step process by which an ISP's DNS server communicates with authoritative DNS servers to retrieve the IP address for a domain name, ultimately enabling a user's computer to connect to the website.
16:00 - 19:00: Current Relevance and NSA Warning This chapter delves into the concept of recursive resolution in the domain name system (DNS), explaining how queries are made starting from root name servers to authoritative name servers. It introduces the idea of 'fast flux', a method used to enhance the resilience and accessibility of domains problematic to block or revoke. The discussion touches upon historical difficulties in domain management, drawing a parallel to contemporary challenges and the complexities of achieving effective domain enforcement.
19:00 - 29:00: Nation-State Threats and Evolving Strategies This chapter discusses the concept of bulletproof registrars in cybersecurity, entities that allowed domains to be registered and would refuse to comply with legal requests to take down those domains. It highlights how cybersecurity strategies once heavily relied on blocking IP addresses, especially if a server was hosting malicious activities like phishing. Typically, server owners would either remove the malicious content upon being notified, as no one wants to host illegal activities, or refuse, emphasizing the legal and ethical challenges in cybersecurity.
29:00 - 30:00: Conclusion and Call to Action The chapter discusses the concept of bulletproof hosting, a type of hosting service that ignores legal demands to take down illegal content. These services are uncooperative and allow their clients to host unlawful material. As a countermeasure, security vendors began blocking IP addresses associated with these services, as engaging with such sites could be risky due to their business model of hosting illegal content.
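The chapters above describe two things a defender can measure directly: the flux mechanics (TTL set to zero, a different proxy IP on nearly every lookup, addresses scattered across many networks) and the DNS-reputation signal (a domain registered too recently to have a history). The following is an added example, not code from the video or from Marcus Hutchins, that scores a stream of DNS A-record observations on those indicators, the kind of data a resolver log or passive-DNS feed would supply. The domain names, IP addresses, timestamps and thresholds are all constructed assumptions for illustration.

```python
"""Added example, not code from the video or the page: a defender-side
heuristic that flags fast-flux-like behaviour from a stream of DNS A-record
observations (for instance, from passive-DNS logs or a resolver's query log).
All records, names, IPs and thresholds below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Observation:
    domain: str
    ts: int          # seconds since epoch (constructed values)
    ttl: int         # TTL carried by the A-record answer
    answers: tuple   # A records returned for this lookup


# Thresholds are assumptions for this example, not published guidance.
LOW_TTL = 300        # seconds; flux networks use very short TTLs (the video: TTL 0)
MIN_IPS = 8          # distinct answer IPs for one name across the window
MIN_PREFIXES = 4     # distinct /16 prefixes: proxies on hacked hosts span many networks
MIN_CHURN = 0.5      # fraction of consecutive lookups whose answer set changed
MAX_AGE_DAYS = 30    # "registered too recently" signal from the DNS-reputation discussion
MIN_FLUX_SCORE = 2   # indicators that must fire before a name is flagged


def prefix16(ip: str) -> str:
    """Collapse an address to its /16 so addresses on one network count once."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def summarize(observations):
    """Group lookups by name and compute the per-name flux statistics."""
    by_domain = defaultdict(list)
    for o in sorted(observations, key=lambda o: (o.domain, o.ts)):
        by_domain[o.domain].append(o)
    summary = {}
    for domain, obs in by_domain.items():
        ips = {ip for o in obs for ip in o.answers}
        pairs = list(zip(obs, obs[1:]))
        changes = sum(1 for a, b in pairs if set(a.answers) != set(b.answers))
        summary[domain] = {
            "lookups": len(obs),
            "distinct_ips": len(ips),
            "distinct_prefixes": len({prefix16(ip) for ip in ips}),
            "min_ttl": min(o.ttl for o in obs),
            "churn": changes / len(pairs) if pairs else 0.0,
        }
    return summary


def assess(stats, domain_age_days=None):
    """Return (score, fired_indicators) for one name's statistics."""
    checks = {
        "low_ttl": stats["min_ttl"] <= LOW_TTL,
        "many_ips": stats["distinct_ips"] >= MIN_IPS,
        "many_prefixes": stats["distinct_prefixes"] >= MIN_PREFIXES,
        "high_churn": stats["churn"] >= MIN_CHURN,
        "young_domain": domain_age_days is not None and domain_age_days < MAX_AGE_DAYS,
    }
    fired = [name for name, hit in checks.items() if hit]
    return len(fired), fired


def flag_fast_flux(observations, domain_ages=None):
    """Map each observed name to a verdict; domain_ages is optional registration-age data."""
    domain_ages = domain_ages or {}
    verdicts = {}
    for domain, stats in summarize(observations).items():
        score, fired = assess(stats, domain_ages.get(domain))
        verdicts[domain] = {"flagged": score >= MIN_FLUX_SCORE,
                            "score": score, "indicators": fired}
    return verdicts


def build_sample_observations():
    """Constructed sample: a stable site and a name behaving like a single-flux network."""
    obs = []
    for i in range(12):   # stable site: same two answers, one-hour TTL, every lookup
        obs.append(Observation("stable.example", 1000 + 60 * i, 3600,
                               ("198.51.100.10", "198.51.100.11")))
    for i in range(12):   # flux name: TTL 0 and a fresh pair of placeholder (private) IPs each time
        obs.append(Observation("flux.example", 1000 + 60 * i, 0,
                               (f"10.{i}.0.{20 + i}", f"10.{50 + i}.0.{30 + i}")))
    return obs


if __name__ == "__main__":
    # Constructed registration age: flux.example registered 3 days ago, stable.example unknown.
    for name, verdict in flag_fast_flux(build_sample_observations(), {"flux.example": 3}).items():
        print(name, verdict)
```

Run as a script it prints one verdict per name: the stable site fires no indicator, while the fluxing name fires all five (TTL 0, 24 distinct addresses in 24 different /16s, a changed answer set on every lookup, and a registration age under the threshold). Requiring several indicators rather than one keeps legitimate short-TTL setups such as content-delivery or load-balanced names, which rotate among a handful of addresses within a few networks, from being flagged on TTL alone; the allow-list step the video describes for genuinely new business domains would sit on top of this scoring.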
NSA Says Fast Flux Is A National Security Threat, But What Is It? Transcription
00:00 - 00:30 today we're going to be talking about fast flux and why does the NSA suddenly consider it to be a national security threat now I was a little bit surprised to hear the word fast flux being uttered because it's actually a really really old technique it was founded around 2005 and it became big in 2007 so this is the sort of thing that would have been on like a malware analysis quiz back when I was starting out in the industry so it is really really old now I am going to have to apologize in advance because in order
00:30 - 01:00 to explain how fast flux works we have to explain a bit about how the internet works or more specifically DNS which uh is short for the domain name system now this is how your computer resolves web addresses because computers don't understand domain names if I type google.com into my browser my computer has no idea what that means because computers talk to each other via IP address so in order to connect to Google I need to know the IP address of Google's server and the way in which I
01:00 - 01:30 get that is through the DNS system the domain name system so the DNS process typically involves four servers a recursive DNS resolver the root name server the TLD name server and then the authoritative name server now the first step in the chain is I send a query to my ISP's DNS server saying "Hey where is Google.com?" And my ISP's DNS server doesn't know the answer but it has a list of hard-coded root name servers now the root name servers are the servers
01:30 - 02:00 that know where all of the TLD servers are or top-level domain servers so if you've got a domain like google.com that's a .com domain so that's going to use the .com top-level domain server if you had a .org domain it would use the .org server and so on so the root name server knows which top-level domain server to refer us to so my ISP's DNS server is going to ask the root name server hey where can I find google.com and the root name server is going to respond with the address of the .com top-level domain server and then my
02:00 - 02:30 ISP's DNS server is going to go and ask that server hey where can I find google.com and again that server doesn't know the answer but it does know where the authoritative name server for google.com is which is the server that they have configured to respond to DNS requests now this could be something like a hosted DNS provider or it could be their own DNS server but whatever it is that is the server that is the authoritative server which means it has the authority to tell someone where
02:30 - 03:00 google.com actually is so the final step in the chain is my ISP's DNS server is going to go and say hey where is google.com to the authoritative DNS server and that server does know the answer so it's going to respond with an IP address and then that IP address is going to be relayed back to my computer and now that we have the IP of google.com we can just connect to the server and we can begin browsing the website so we have this sort of like four-step process where my ISP's recursive DNS resolver is going to do
03:00 - 03:30 recursive resolution it's going to ask first the root name servers then the top level domain server and then finally it's going to get the authoritative name server where it can get the official response now in order to understand fast flux we actually have to understand why the need for it arose which means me putting on my grandpa hat and telling you stories of the days of old now it used to be very very hard to get a domain blocked or to get a domain revoked it is still quite hard today but
03:30 - 04:00 it's a lot easier there were things known as bulletproof registrars which would allow you to register domains and then if they received a legal request asking them to take down the domain they would just be like "No." Back then a lot of cyber security revolved around blocking IP addresses because if a server was hosting malicious software or phishing or some other badness one of two things was going to happen you were going to report it to the server owner and they were going to take down the server because no one wants to be hosting illegal stuff or you would
04:00 - 04:30 report it to the server owner and they would tell you no and that was something known as bulletproof hosting it was hosting that would not respond to legal takedown requests they would actually allow their customers to host illegal things and then just refuse any requests to take it down so what security vendors started doing is well they would just block those IP addresses because if a service's whole business model is just hosting illegal stuff you probably don't want to be interacting with it so they
04:30 - 05:00 would just block the bulletproof hosters' IP address or their IP address range it was pretty easy to do so the bulletproof hosters needed a solution and that solution was well we need more IP addresses but the problem is IP addresses are kind of hard to get it's kind of hard to just change your server IP address every day so that it doesn't end up in a block list so what they would start doing is actually hiding their servers now this relies on something known as a reverse proxy now reverse proxy servers work in much of
05:00 - 05:30 the same way that proxy servers do you connect to the proxy server you send a request the proxy server forwards that request to the real server the real server replies to the proxy server and then the proxy server forwards that response back to you so it's a layer of abstraction now this also works with websites you can set up web proxy servers so with a web proxy server I would set up a server that's only job is to forward requests to my real server
05:30 - 06:00 and then relay the responses back to whoever sent the request now in practice what would happen is the threat actor would set up their domain to point to the IP address of the proxy server rather than their real server so whenever a client connected to the proxy server it would send a request the proxy server would quietly forward that request to the real server the real server would respond to the proxy server and the proxy server would respond with the request back to the client so from the client's perspective all they see is
06:00 - 06:30 the proxy server as far as they know the proxy server is the real server there is very little evidence that it is actually forwarding requests to another server and that does two things first it protects your real server from getting taken down because all the client sees is the IP address of the proxy server and also it prevents your real server from being blocked it can't be in any IP block list if no one knows its IP address but there's still a problem we still only have one IP address sure we
06:30 - 07:00 could just keep setting up new proxy servers because setting up a proxy server is a lot easier than setting up a real server installing database software importing all the data setting up a website with a proxy server you can basically just set it up with a single command but you don't really want to go out and buy a hundred different proxy servers just to get a 100 different IP addresses so what a lot of threat actors would do is they would use hacked computers essentially botnet zombies
07:00 - 07:30 they would build botnets of thousands of hacked computers and they would install the proxy servers on the hacked computers and that gives them access to a lot of IP addresses because if you've hacked say a thousand computers and some of those computers have dynamic IP addresses that change daily you could potentially have tens of thousands of IP addresses at your disposal but the question is how do I get my domain to point to some random person's computer that's going to be a problem because
07:30 - 08:00 they're probably going to turn off their computer at night and now my website doesn't work so that's where the idea of fast flux was born essentially when you make a normal DNS query it comes back with a TTL value or a time to live now the time to live value tells the DNS server how long to cache that request so if the response had a TTL of 30 minutes and we tried to query the same domain again it's not going to go through that
08:00 - 08:30 whole query process and that's a bit of a problem so what people started doing is they started setting the TTL value to zero which means don't cache this request at all every time someone looks up your domain it results in going through that full query process to the root name server and then to the TLD server and then to the authoritative name server and typically you don't want that because it generates a ton of DNS queries and most of the DNS providers don't want to deal with that so a lot of
08:30 - 09:00 them actually don't allow that but we'll get to that later essentially what the threat actors would do is they would set their domain's time to live to zero and then they would configure their DNS server to every time a computer went offline it would just respond with the IP address of a different computer so they basically would have this network where every time you queried their malicious domain it would respond with a different IP address a different hacked computer which would simply act as a proxy relaying requests to their real
09:00 - 09:30 server so from the perspective of a security professional all you see is a domain that responds with thousands of different IP addresses that are constantly changing and that's very hard to take down and it's also very hard to block if the threat actor is using hacked computers you can't just show up at their house and seize their computer like you could with a malicious server there's a lot more of a legal process involved so it wasn't at all realistic to go and take down a thousand hacked computers so this became a bit of a
09:30 - 10:00 problem it's like well how do we keep track of thousands and thousands of malicious IP addresses to block and how do we find the real server in order to take it down or can we even take it down because it's probably hosted on a bulletproof hoster so what security experts did is they started blocking the DNS server because as I mentioned earlier most DNS providers do not allow fast flux so you can give the DNS provider an ultimatum you can say kick this person off of your network or we're
10:00 - 10:30 going to block your DNS server so that resulted in a lot of DNS servers kicking fast flux actors off of their network which meant that the fast flux actors had no choice but to host their own DNS servers on their bulletproof hosts where they couldn't be taken down but now we're back to the first problem because the DNS server has an IP address the security people can block the DNS server's IP address and then no one can look up the malicious domain so they're back to square one instead of blocking
10:30 - 11:00 the server's IP address we just block their DNS server's IP address instead and it has exactly the same effect so that is where double fast flux came about and the old fast flux technique got renamed to single fast flux because it only fluxes the IP addresses of the web servers well technically the proxy servers but not the DNS server but threat actors figured well we can host proxy servers on hacked computers we can also host DNS servers on them as well so
11:00 - 11:30 what they started doing is actually using the hacked computers as DNS servers as well they would tell the TLD server so let's say it's a com domain they would tell the TLD server my DNS server my authoritative DNS server is this IP address and the IP address would be a hacked computer so now whenever someone resolved the domain the final step instead of an authoritative DNS server that was hosted at an ISP it would just be some random person's hacked computer and that hacked computer
11:30 - 12:00 would then respond with the IP address of another hacked computer which would proxy the real server so now they can not only flux the IP addresses of their servers but also their DNS servers anytime a security provider was able to take down one of those hacked computers or the hacked computer went offline or they blocked its IP address well they would just change their authoritative DNS server IP address to another one of the hacked computers so now your DNS
12:00 - 12:30 server can have thousands of IP addresses and your web server can have thousands of IP addresses and the security providers aren't going to block the top level domain name server because that would just cause collateral damage if you were to go and block the .com top-level domain server now you've just blocked every .com domain what threat actors started doing is bulk registering thousands of domains and pointing them to their fast flux network which meant if a security vendor blocked a domain they would just swap it out for a new
12:30 - 13:00 one if they blocked an IP address they would swap that out for a new one if they blocked a DNS server and you get the picture there's basically nothing there that can be blocked that they can't simply change very quickly now because the threat actor's real server with their database and their website on it is hidden behind this network of ever-changing DNS servers and ever-changing proxy servers it makes it very very resistant to takedown and also very very resistant to IP block lists so that's when security providers
13:00 - 13:30 came up with something known as DNS reputation because the chances are if you go to a website pick any website it's probably been around for 5 years at minimum maybe 10 20 it's probably been around for a long time if you're going to read the news you might go to CNN New York Times BBC if you're going to search the internet you might go to Google DuckDuckGo Bing if you're going to watch my YouTube videos you might go to youtube.com all of those domains have been well-established for a very long time they have a very long paper trail
13:30 - 14:00 and a very long history so what security companies started doing is rather than just blocking known bad domains they started blocking unknown domains because the chances are if a web address was registered a week or a month ago not many people are going to be going to it yet that's a brand new website that someone has just set up and if it suddenly has a lot of users it's probably malicious it's probably a botnet command and control server or a phishing website so what they started doing is allow listing known good
14:00 - 14:30 domains like if a domain isn't listed on Google that's a pretty big red flag if it was registered too recently that's a pretty pretty big red flag so all of these signals started going into this system known as DNS reputation but of course there are edge cases because if I go and set up a brand new website and I want to work on my website at work they should tell me to stop doing that and do my real job but let's say they don't well my domain is now blocked because it's very new it doesn't have a long
14:30 - 15:00 paper trail it might not be listed on Google yet but I could just go and ask the IT administrator to allow that domain it's going to happen so infrequently that it isn't a huge effort to just allow the good new domains so fast flux today is mostly addressed if you have a security solution now the problem is a lot of organizations just don't they just don't do cyber security and that is why I think the NSA released this press release because fast flux is
15:00 - 15:30 pretty forgotten about and a lot of people don't know the threats of it it bypasses a lot of traditional firewalls that are based on IP blocking rather than domains and even if you're doing domain blocking that's vulnerable to bulk registering brand new throwaway domains now as to why it would be the NSA that would release this warning we don't know that would be classified but we can hazard a guess now my guess is it has something to do with the way APTs or advanced persistent threats have been
15:30 - 16:00 evolving typically in the past nation state actors didn't have to do any of this because they were mostly doing targeted hacking they would set up a server hack a few companies get whatever data it is they need then burn down that server set up a new one and rinse and repeat they never needed to worry about hosting huge botnets or very public phishing pages that all the security researchers are trying to take down or block they were keeping their hacking subtle and low-level enough that most
16:00 - 16:30 security people weren't even aware of what servers were being used and because these targeted attacks went after so few companies at a time by the time the company notices they've been breached and they've gone "Oh look this web address or this IP address was responsible for breaching our network and they've told the security companies and the security companies have blocked those IPs or those domains." Well the threat actors already long moved on they've burned down those domains they've burned down those servers they've set up new ones and then hit
16:30 - 17:00 another small batch of companies so it was basically just playing whack-a-mole but more recently certain nation state hackers have been getting a lot more aggressive rather than just doing small-scale targeted attacks they've been mass hacking systems building botnets and doing all of the sort of stuff that you would have typically seen in cyber crime rather than in espionage so now a lot of the old techniques that were previously only used by cyber criminals to build botnets or spam uh ads for
17:00 - 17:30 little blue pills that make things hard for IT administrators as well as the people who have to stop them from buying them or the phishing pages it's now being used by nation states to hack organizations for espionage purposes which is a national security risk we now have to be way more concerned about these old cyber crime techniques such as like peer-to-peer botnets IoT devices fast flux networks because they're now being used by highly sophisticated nation state actors to conduct espionage
17:30 - 18:00 so that is my theory I don't know for sure because I don't know what classified information prompted this release but I would suspect it is very much to do with APTs evolving into the cyber criminals of old now that is all I have for you today this is a pretty long-winded video so I appreciate it if you got this far now if you feel like you learned something from the video please send me a like or subscribe it super helps my channel and I will be back with some more videos shortly