- CISA, FBI and partners warn of ‘fast flux’ attacks
- The technique has attackers rapidly rotate the IP addresses behind their malicious domains
- To counter the threat, organizations need to adopt a multi-layered approach
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned government agencies, internet service providers (ISPs) and other organizations about so-called “fast flux” attacks, which it says are becoming a growing problem in cyberspace.
Fast flux is a technique in which attackers rapidly change the IP addresses associated with a malicious domain, using a botnet of compromised hosts to serve those addresses, which makes the infrastructure difficult to track and take down.
The method helps hide phishing sites, malware distribution networks and command-and-control (C2) servers behind a constantly changing pool of compromised hosts.
Mitigating the threat
CISA published a new security advisory warning of the threat alongside the FBI, the NSA, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS) and New Zealand’s National Cyber Security Centre (NCSC-NZ).
“Many networks have a gap in their defenses for detecting and blocking a malicious technique called ‘fast flux’,” the advisory says.
“This advisory is intended to encourage service providers, especially protective DNS (PDNS) providers, to help mitigate this threat by taking proactive steps to develop accurate, reliable and timely fast flux detection analytics and blocking capabilities for their customers.”
CISA also provided guidance on detecting and mitigating fast flux attacks, including adopting a multi-layered approach that combines DNS analysis, network monitoring and threat intelligence.
It also said agencies should collaborate on building and deploying scalable solutions that will “close the ongoing gap” in network defenses.
Finally, the agencies stressed that some legitimate activity, such as common content delivery network (CDN) behavior, “may look like” malicious fast flux activity.
“Protective DNS services, service providers and network defenders should make a reasonable effort, such as allowlisting expected CDN services, to avoid blocking or impeding legitimate content,” the advisory concludes.
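The detection side of the advisory (DNS analysis feeding a multi-layered approach) and its CDN caveat can both be seen in a small scoring routine run over passive DNS observations. The following is an added example written for this article; it is not code from the CISA advisory or from any of the agencies. The ASN prefix table, the `CDN_ALLOWLIST` zones, the scoring thresholds in `classify()` and the `SAMPLE_RECORDS` are all constructed for illustration and are not real infrastructure.

```python
"""Heuristic fast flux scoring over passive DNS observations.

Added example for this article; it is not code from the CISA advisory.
The ASN table, the CDN allowlist, the thresholds and the sample records
are all constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean

# Constructed prefix -> ASN table (documentation/private ranges, made-up AS numbers).
# A real deployment would consult an ASN database instead.
ASN_TABLE = [
    (ip_network("198.51.100.0/24"), 64500),
    (ip_network("203.0.113.0/24"), 64501),
    (ip_network("192.0.2.0/24"), 64502),
    (ip_network("100.64.0.0/16"), 64503),
    (ip_network("10.0.0.0/8"), 64504),
    (ip_network("172.16.0.0/12"), 64505),
]

# Hypothetical allowlist of CDN zones whose rapid address rotation is expected.
CDN_ALLOWLIST = ("cdn-example.net", "edge-example.com")

# Constructed passive DNS observations: (epoch seconds, qname, A record, TTL seconds).
SAMPLE_RECORDS = [
    # Fast-flux-like: short TTL, many IPs scattered across unrelated ASNs.
    (1000, "login-update.example", "198.51.100.7", 60),
    (1060, "login-update.example", "203.0.113.22", 60),
    (1120, "login-update.example", "100.64.3.9", 60),
    (1180, "login-update.example", "10.20.30.40", 60),
    (1240, "login-update.example", "172.16.5.6", 60),
    (1300, "login-update.example", "192.0.2.77", 60),
    # CDN-like, not allowlisted: short TTL and many IPs, but a single ASN.
    (1000, "assets.shop.example", "198.51.100.10", 30),
    (1030, "assets.shop.example", "198.51.100.11", 30),
    (1060, "assets.shop.example", "198.51.100.12", 30),
    (1090, "assets.shop.example", "198.51.100.13", 30),
    (1120, "assets.shop.example", "198.51.100.14", 30),
    # Allowlisted multi-CDN zone: trips every indicator, so the allowlist matters.
    (1000, "static.cdn-example.net", "198.51.100.50", 20),
    (1020, "static.cdn-example.net", "203.0.113.50", 20),
    (1040, "static.cdn-example.net", "192.0.2.50", 20),
    (1060, "static.cdn-example.net", "100.64.9.50", 20),
    (1080, "static.cdn-example.net", "10.9.9.50", 20),
    # Stable site: long TTL, single address.
    (1000, "www.example.org", "192.0.2.1", 3600),
    (4600, "www.example.org", "192.0.2.1", 3600),
]


def lookup_asn(ip):
    """Longest-prefix match against the constructed ASN table (None if unknown)."""
    addr = ip_address(ip)
    best = None
    for net, asn in ASN_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def is_allowlisted(qname):
    """True if qname is in, or below, an allowlisted CDN zone."""
    q = qname.lower().rstrip(".")
    return any(q == zone or q.endswith("." + zone) for zone in CDN_ALLOWLIST)


def domain_features(records):
    """Per-domain flux indicators: IP and ASN diversity, mean TTL, rotation count."""
    by_domain = defaultdict(list)
    for ts, qname, ip, ttl in sorted(records):
        by_domain[qname.lower().rstrip(".")].append((ts, ip, ttl))
    feats = {}
    for qname, obs in by_domain.items():
        ips = [ip for _, ip, _ in obs]
        feats[qname] = {
            "distinct_ips": len(set(ips)),
            "distinct_asns": len({lookup_asn(ip) for ip in ips}),
            "mean_ttl": mean(ttl for _, _, ttl in obs),
            "ip_changes": sum(1 for a, b in zip(ips, ips[1:]) if a != b),
        }
    return feats


def classify(qname, f, ttl_max=300, min_ips=5, min_asns=3):
    """Score the indicators; thresholds are illustrative, not from the advisory."""
    score = 0
    if f["mean_ttl"] <= ttl_max:        # short TTL lets the operator rotate quickly
        score += 1
    if f["distinct_ips"] >= min_ips:    # many distinct answers in a short window
        score += 1
    if f["distinct_asns"] >= min_asns:  # scattered across unrelated networks:
        score += 2                      # compromised hosts, not one CDN's fleet
    if score < 3:
        return "benign", score
    if is_allowlisted(qname):
        return "allowlisted-cdn", score
    return "fast-flux", score


def run(records=SAMPLE_RECORDS):
    """Return {qname: (verdict, score)} for every domain in the records."""
    return {q: classify(q, f) for q, f in domain_features(records).items()}


if __name__ == "__main__":
    for qname, (verdict, score) in sorted(run().items()):
        print(f"{qname:28s} {verdict:16s} score={score}")
```

The ASN-diversity check is what keeps the non-allowlisted, CDN-like `assets.shop.example` out of the fast-flux bucket even though its TTL and IP count look suspicious: a CDN's edge nodes live in the CDN's own networks, whereas fast flux answers point at compromised hosts spread across many unrelated ISPs. The allowlist then covers the genuinely multi-network CDN zone that the heuristic alone would block, which is the "reasonable effort" the advisory asks protective DNS providers to make.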
Via The Register