
Fast-Flux domain: a very clear example

This is a very clear example of what a fast-flux domain looks like. The tell-tale signs are:


1) a low TTL value (10 seconds)

2) IP addresses in different /16 networks

3) a different ASN for every IP address

4) a CNAME resolving to several IP addresses
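As an added example (not code from the original post), here is a small Python check that computes the four indicators above from a parsed answer section. The IP addresses and the IP-to-ASN table are constructed placeholders; a real deployment would feed it the resolver's answer and an ASN database.

```python
"""Score a DNS answer for the fast-flux indicators: low TTL, many A records,
spread across distinct /16 networks and distinct ASNs."""
import ipaddress
from dataclasses import dataclass


@dataclass
class ARecord:
    ip: str
    ttl: int


# Constructed sample answer: five A records with TTL 10, mirroring the shape of
# the dig output in the post. The addresses are documentation ranges, not real hosts.
SAMPLE_ANSWER = [
    ARecord("198.51.100.7", 10),
    ARecord("203.0.113.42", 10),
    ARecord("192.0.2.99", 10),
    ARecord("198.18.5.3", 10),
    ARecord("100.64.7.21", 10),
]

# Hypothetical IP -> ASN lookup table (private-use AS numbers), standing in for
# a real ASN database such as a Team Cymru or MaxMind lookup.
SAMPLE_ASN = {
    "198.51.100.7": 64500,
    "203.0.113.42": 64501,
    "192.0.2.99": 64502,
    "198.18.5.3": 64503,
    "100.64.7.21": 64504,
}


def fast_flux_features(records, asn_lookup, ttl_threshold=300):
    """Return the indicators as a dict: TTL, record count, /16 and ASN diversity."""
    ips = [r.ip for r in records]
    # Collapse each address to its /16 so we can count distinct networks.
    nets16 = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips}
    # Unknown ASNs are dropped rather than counted as a distinct origin.
    asns = {asn_lookup.get(ip) for ip in ips} - {None}
    return {
        "min_ttl": min(r.ttl for r in records),
        "low_ttl": all(r.ttl < ttl_threshold for r in records),
        "a_records": len(ips),
        "distinct_16_prefixes": len(nets16),
        "distinct_asns": len(asns),
    }


def looks_fast_flux(features, min_records=5):
    """Flag only when every indicator from the post is present at once."""
    return (features["low_ttl"] and features["a_records"] >= min_records
            and features["distinct_16_prefixes"] == features["a_records"]
            and features["distinct_asns"] == features["a_records"])
```

A single answer can only hint at flux; tracking how the set of addresses changes across repeated queries (as the post does below) is what confirms it.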


; <<>> DiG 9.9.5-9+deb8u7-Debian <<>>

;; ANSWER SECTION:
    600    IN    CNAME
    10    IN    A
    10    IN    A
    10    IN    A
    10    IN    A
    10    IN    A

Looking for more NS-type information

An NS pointing to a CNAME (RFC 1034 says: "Domain names in RRs which point at another name should always point at the primary name and not the alias")

dig -t ns

; <<>> DiG 9.9.5-9+deb8u7-Debian <<>> -t ns


;; AUTHORITY SECTION:        600    IN    SOA 1476625792 3600 180 1209600 180

So, by looking again at we can see that was pointing to the same IP addresses found the first time.

; <<>> DiG 9.9.5-9+deb8u7-Debian <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52226
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
    9    IN    A
    9    IN    A
    9    IN    A
    9    IN    A
    9    IN    A

When a domain changes only the A records in the ANSWER SECTION, we call it a single-flux domain; when it changes its IP addresses in both the ANSWER SECTION and the AUTHORITY SECTION, we call it a double-flux domain.

I have been reading a lot of papers since Holz et al. (Measuring and Detecting Fast-Flux Service Networks), and there are more than 20 distinct features just for single- and double-flux domains using active probing (when we send queries to a domain); however, for passive monitoring (using network sensors) the sky is the limit!

