A recent Dark Reading article highlighted the continued growth of fast flux phishing, an old tactic that’s been on the radar of enforcement professionals for years. Maybe a forgotten scam for many, those of us working in the phishing takedowns and cyber enforcement space are well atuned to fast fluxing, and if you are new to it, this can be one of the most frustrating and evasive tactics to get used to.
TL/DR: On April 3, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning highlighting fast flux as a growing blind spot in organisational cybersecurity. According to the advisory, many organisations lack effective measures to detect and mitigate fast flux networks, which are being actively exploited by a range of threat groups—including phishing syndicates.
What is Fast Flux Phishing?
Fast flux phishing refers to a DNS evasion technique that allows a domain name to rapidly resolve to multiple IP addresses—often hundreds of compromised machines—over short intervals. Attackers use this technique to serve phishing content, malware, or command-and-control services from an ever-changing infrastructure. The DNS records are configured with extremely low TTL (Time to Live) values so the IP addresses rotate constantly, making the malicious content resilient to hosting-level takedowns.
Enforcement Teams Know the Pattern All Too Well
For old enforcement hands, this isn’t new —it’s a known problem that’s been complicating takedowns for years. The typical pattern goes like this:
- A malicious domain is reported.
- The phishing content is hosted on a compromised machine, often in a different jurisdiction.
- The hosting provider removes the content—only for the domain to resolve to a new IP minutes later.
By the time the next takedown is underway, the domain has moved again. The infrastructure is engineered to outpace manual response. Seasoned enforcement analysts have seen it play out thousands of times, particularly in cases where fast flux is combined with bulletproof hosting or international registrar arbitrage.
As a result, host-level takedowns are often seen as a temporary measure—important in specific cases (especially when the domain is compromised or legitimate infrastructure is being misused), but ultimately unable to deliver a permanent fix.o
Why the Domain Is the Real Point of Enforcement Leverage
The one constant in a fast flux network is the domain name. No matter how fast the IP addresses change or how broad the botnet, all traffic is routed through that domain. Enforcement experts understand that while the infrastructure is agile, the domain is the Achilles’ heel.
That’s why domain registrars play such a critical role in phishing mitigation. By suspending or deleting the domain name, registrars break the attacker’s ability to direct traffic to the rotating infrastructure. It is, in many cases, the only permanent solution to dismantling a fast flux phishing operation.
The Role of Hosting Takedowns—Still Necessary, But Limited
It’s important to acknowledge that host-level takedowns still matter—especially when the phishing infrastructure is piggybacking on compromised websites or hijacked servers. In those cases, removing the malicious content protects the legitimate domain owner and can slow the spread of attacks.
But in a pure fast flux setup—especially with purpose-registered phishing domains—hosting takedowns are short-lived victories. Enforcement professionals know that time and resources are often better spent coordinating with registrars and domain infrastructure providers to cut off access at the source.
(If a domain is compromised, the owner should remove malicious content via the host, then regain DNS control by securing their registrar account. If access is lost, escalate to the registrar with proof of ownership to reset access and lock the domain).
A Known Issue That Needs Broader Recognition
The persistence of fast flux phishing is not due to a lack of knowledge in the enforcement world. It’s a well-understood limitation of traditional takedown approaches. What’s needed is broader recognition across industry, registrar partnerships, and stronger DNS abuse enforcement frameworks.
For enforcement teams, the strategy is clear:
- We use hosting takedowns where appropriate, particularly for compromised domains.
- We prioritise domain registrar enforcement for permanent impact.
- We educate stakeholders that fast flux is about agility—and only domain-level actions can truly stop it.
Fast flux may thrive in obscurity, but enforcement professionals have seen it before—and know exactly how to stop it. The cooperation of the domain name industry is key to stopping fast flux attacks in their tracks.
About brandsec
brandsec is a team of highly experienced domain name management and online brand protection experts. We provide corporate domain name management and brand enforcement services, helping brands eliminate phishing platforms across the internet. Supporting some of the largest brands in the region, we offer innovative solutions to combat threats across multiple industries.
