TLP:CLEAR
This information is marked TLP:CLEAR. Recipients may share this information without restriction.
U/OO/136180-25 | PP-25-1337 | April 2025 Ver. 1.0

Cybersecurity Advisory
Fast Flux: A National Security Threat

Executive summary

Many networks have a gap in their defenses for detecting and blocking a malicious technique known as "fast flux." This technique poses a significant threat to national security, enabling malicious cyber actors to consistently evade detection. Malicious cyber actors, including cybercriminals and nation-state actors, use fast flux to obfuscate the locations of malicious servers by rapidly changing Domain Name System (DNS) records. Additionally, they can create resilient, highly available command and control (C2) infrastructure, concealing their subsequent malicious operations. This resilient and fast-changing infrastructure makes tracking and blocking malicious activities that use fast flux more difficult.

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ) are releasing this joint cybersecurity advisory (CSA) to warn organizations, Internet service providers (ISPs), and cybersecurity service providers of the ongoing threat of fast flux enabled malicious activities as a defensive gap in many networks. This advisory is meant to encourage service providers, especially Protective DNS (PDNS) providers, to help mitigate this threat by taking proactive steps to develop accurate, reliable, and timely fast flux detection analytics and blocking capabilities for their customers. This CSA also provides guidance on detecting and mitigating elements of malicious fast flux by adopting a multi-layered approach that combines DNS analysis, network monitoring, and threat intelligence. The authoring agencies recommend all stakeholders, government and providers, collaborate to develop and implement scalable solutions to close this ongoing gap in network defenses against malicious fast flux activity.

Technical details

When malicious cyber actors compromise devices and networks, the malware they use needs to "call home" to send status updates and receive further instructions. To decrease the risk of detection by network defenders, malicious cyber actors use dynamic resolution techniques, such as fast flux, so their communications are less likely to be detected as malicious and blocked. Fast flux refers to a domain-based technique that is characterized by rapidly changing the DNS records (e.g., IP addresses) associated with a single domain (MITRE ATT&CK T1568.001).

Single and double flux

Malicious cyber actors use two common variants of fast flux to perform operations:

1. Single flux: A single domain name is linked to numerous IP addresses, which are frequently rotated in DNS responses. This setup ensures that if one IP address is blocked or taken down, the domain remains accessible through the other IP addresses. See Figure 1 as an example to illustrate this technique.

Figure 1: Single flux technique

Note: This behavior can also be used for legitimate purposes for performance reasons in dynamic hosting environments, such as in content delivery networks and load balancers.

2. Double flux: In addition to rapidly changing the IP addresses as in single flux, the DNS name servers responsible for resolving the domain also change frequently. This provides an additional layer of redundancy and anonymity for malicious domains. Double flux techniques have been observed using both Name Server (NS) and Canonical Name (CNAME) DNS records. See Figure 2 as an example to illustrate this technique.

Figure 2: Double flux technique

Both techniques leverage a large number of compromised hosts, usually as a botnet from across the Internet that acts as proxies or relay points, making it difficult for network defenders to identify the malicious traffic and block or perform legal enforcement takedowns of the malicious infrastructure.

Numerous malicious cyber actors have been reported using the fast flux technique to hide C2 channels and remain operational. Examples include:

- Bulletproof hosting (BPH) services offer Internet hosting that disregards or evades law enforcement requests and abuse notices. These providers host malicious content and activities while providing anonymity for malicious cyber actors. Some BPH companies also provide fast flux services, which help malicious cyber actors maintain connectivity and improve the reliability of their malicious infrastructure. [1] Refer to ASD's ACSC's "Bulletproof" hosting providers: Cracks in the armour of cybercriminal infrastructure for more information on BPH providers. [2]
- Fast flux has been used in Hive and Nefilim ransomware attacks. [3, 4]
- Gamaredon uses fast flux to limit the effectiveness of IP blocking. [5, 6, 7]

The key advantages of fast flux networks for malicious cyber actors include:

- Increased resilience. As a fast flux network rapidly rotates through botnet devices, it is difficult for law enforcement or abuse notifications to process the changes quickly and disrupt their services.
- Render IP blocking ineffective. The rapid turnover of IP addresses renders IP blocking irrelevant since each IP address is no longer in use by the time it is blocked. This allows criminals to maintain resilient operations.
- Anonymity. Investigators face challenges in tracing malicious content back to the source through fast flux networks. This is because malicious cyber actors' C2 botnets are constantly changing the associated IP addresses throughout the investigation.

Additional malicious uses

Fast flux is not only used for maintaining C2 communications; it also can play a significant role in phishing campaigns to make social engineering websites harder to block or take down. Phishing is often the first step in a larger and more complex cyber compromise. Phishing is typically used to trick victims into revealing sensitive information (such as login passwords, credit card numbers, and personal data), but can also be used to distribute malware or exploit system vulnerabilities. Similarly, fast flux is used for maintaining high availability for cybercriminal forums and marketplaces, making them resilient against law enforcement takedown efforts.

Some BPH providers promote fast flux as a service differentiator that increases the effectiveness of their clients' malicious activities. For example, one BPH provider posted on a dark web forum that it protects clients from being added to Spamhaus blocklists by easily enabling the fast flux capability through the service management panel (see Figure 3). A customer just needs to add a dummy server interface, which redirects incoming queries to the host server automatically. By doing so, only the dummy server interfaces are reported for abuse and added to the Spamhaus blocklist, while the servers of the BPH customers remain clean and unblocked.

Figure 3: Example dark web fast flux advertisement

The BPH provider further explained that numerous malicious activities beyond C2, including botnet managers, fake shops, credential stealers, viruses, spam mailers, and others, could use fast flux to avoid identification and blocking. As another example, a BPH provider that offers fast flux as a service advertised that it automatically updates name servers to prevent the blocking of customer domains. Additionally, this provider further promoted its use of separate pools of IP addresses for each customer, offering globally dispersed domain registrations for increased reliability.

Detection techniques

The authoring agencies recommend that ISPs and cybersecurity service providers, especially PDNS providers, implement a multi-layered approach, in coordination with customers, using the following techniques to aid in detecting fast flux activity [CISA CPG 3.A]. However, quickly detecting malicious fast flux activity and differentiating it from legitimate activity remains an ongoing challenge to developing accurate, reliable, and timely fast flux detection analytics.

1. Leverage threat intelligence feeds and reputation services to identify known fast flux domains and associated IP addresses, such as in boundary firewalls, DNS resolvers, and/or SIEM solutions.
2. Implement anomaly detection systems for DNS query logs to identify domains exhibiting high entropy or IP diversity in DNS responses and frequent IP address rotations. Fast flux domains will frequently cycle through tens or hundreds of IP addresses per day.
3. Analyze the time-to-live (TTL) values in DNS records. Fast flux domains often have unusually low TTL values. A typical fast flux domain may change its IP address every 3 to 5 minutes.
4. Review DNS resolution for inconsistent geolocation. Malicious domains associated with fast flux typically generate high volumes of traffic with inconsistent IP-geolocation information.
5. Use flow data to identify large-scale communications with numerous different IP addresses over short periods.
6. Develop fast flux detection algorithms to identify anomalous traffic patterns that deviate from usual network DNS behavior.
7. Monitor for signs of phishing activities, such as suspicious emails, websites, or links, and correlate these with fast flux activity. Fast flux may be used to rapidly spread phishing campaigns and to keep phishing websites online despite blocking attempts.
8. Implement customer transparency and share information about detected fast flux activity, ensuring to alert customers promptly after confirmed presence of malicious activity.

Mitigations

All organizations

To defend against fast flux, government and critical infrastructure organizations should coordinate with their Internet service providers, cybersecurity service providers, and/or their Protective DNS services to implement the following mitigations utilizing accurate, reliable, and timely fast flux detection analytics.

Note: Some legitimate activity, such as common content delivery network (CDN) behaviors, may look like malicious fast flux activity. Protective DNS services, service providers, and network defenders should make reasonable efforts, such as allowlisting expected CDN services, to avoid blocking or impeding legitimate content.

1. DNS and IP blocking and sinkholing of malicious fast flux domains and IP addresses
- Block access to domains identified as using fast flux through non-routable DNS responses or firewall rules.
- Consider sinkholing the malicious domains, redirecting traffic from those domains to a controlled server to capture and analyze the traffic, helping to identify compromised hosts within the network.
- Block IP addresses known to be associated with malicious fast flux networks.

2. Reputational filtering of fast flux enabled malicious activity
- Block traffic to and from domains or IP addresses with poor reputations, especially ones identified as participating in malicious fast flux activity.

3. Enhanced monitoring and logging
- Increase logging and monitoring of DNS traffic and network communications to identify new or ongoing fast flux activities.
- Implement automated alerting mechanisms to respond swiftly to detected fast flux patterns.
- Refer to ASD's ACSC joint publication, Best practices for event logging and threat detection, for further logging recommendations.

4. Collaborative defense and information sharing
- Share detected fast flux indicators (e.g., domains, IP addresses) with trusted partners and threat intelligence communities to enhance collective defense efforts. Examples of indicator sharing initiatives include CISA's Automated Indicator Sharing or sector-based Information Sharing and Analysis Centers (ISACs) and ASD's Cyber Threat Intelligence Sharing Platform (CTIS) in Australia.
- Participate in public and private information-sharing programs to stay informed about emerging fast flux tactics, techniques, and procedures (TTPs). Regular collaboration is particularly important because most malicious activity by these domains occurs within just a few days of their initial use; therefore, early discovery and information sharing by the cybersecurity community is crucial to minimizing such malicious activity. [8]

5. Phishing awareness and training
- Implement employee awareness and training programs to help personnel identify and respond appropriately to phishing attempts.
- Develop policies and procedures to manage and contain phishing incidents, particularly those facilitated by fast flux networks. For more information on mitigating phishing, see joint Phishing Guidance: Stopping the Attack Cycle at Phase One.

Network defenders

The authoring agencies encourage organizations to use cybersecurity and PDNS services that detect and block fast flux. By leveraging providers that detect fast flux and implement capabilities for DNS and IP blocking, sinkholing, reputational filtering, enhanced monitoring, logging, and collaborative defense of malicious fast flux domains and IP addresses, organizations can mitigate many risks associated with fast flux and maintain a more secure environment. However, some PDNS providers may not detect and block malicious fast flux activities. Organizations should not assume that their PDNS providers block malicious fast flux activity automatically, and should contact their PDNS providers to validate coverage of this specific cyber threat. For more information on PDNS services, see the 2021 joint cybersecurity information sheet from NSA and CISA about Selecting a Protective DNS Service. [9]

In addition, NSA offers no-cost cybersecurity services to Defense Industrial Base (DIB) companies, including a PDNS service. For more information, see NSA's DIB Cybersecurity Services and factsheet. CISA also offers a Protective DNS service for federal civilian executive branch (FCEB) agencies. See CISA's Protective Domain Name System Resolver page and factsheet for more information.

Conclusion

Fast flux represents a persistent threat to network security, leveraging rapidly changing infrastructure to obfuscate malicious activity. By implementing robust detection and mitigation strategies, organizations can significantly reduce their risk of compromise by fast flux-enabled threats. The authoring agencies strongly recommend organizations engage their cybersecurity providers on developing a multi-layered approach to detect and mitigate malicious fast flux operations. Utilizing services that detect and block fast flux enabled malicious cyber activity can significantly bolster an organization's cyber defenses.

Works cited

[1] Intel471. Bulletproof Hosting: A Critical Cybercriminal Service. 2024. https:/
[2] Australian Signals Directorate's Australian Cyber Security Centre. Bulletproof hosting providers: Cracks in the armour of cybercriminal infrastructure. 2025. https://www.cyber.gov.au/about-us/view-all-content/publications/bulletproof-hosting-providers
[3] Logpoint. A Comprehensive guide to Detect Ransomware. 2023. https:/
[4] Trendmicro. Modern Ransomware's Double Extortion Tactics and How to Protect Enterprises Against Them. 2021. https:/
[5] Unit 42. Russia's Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. 2022. https:/
[6] Recorded Future. BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure. 2024. https:/
[7] Silent Push. From Russia with a 71: Uncovering Gamaredon's fast flux infrastructure. New apex domains and ASN/IP diversity patterns discovered. 2023. https:/
[8] DNS Filter. Security Categories You Should be Blocking (But Probably Aren't). 2023. https:/
[9] National Security Agency. Selecting a Protective DNS Service. 2021. https://media.defense.gov/2025/Mar/24/2003675043/-1/-1/0/CSI-SELECTING-A-PROTECTIVE-DNS-SERVICE-V1.3.PDF

Disclaimer of endorsement
The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Purpose

This document was developed in furtherance of the authoring cybersecurity agencies' missions, including their responsibilities to identify and disseminate threats, and develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Contact

National Security Agency (NSA):
Cybersecurity Report Feedback: CybersecurityReports@nsa.gov
Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov
Media Inquiries / Press Desk: NSA Media Relations: 443-634-0721, MediaRelations@nsa.gov

Cybersecurity and Infrastructure Security Agency (CISA): All organizations should report incidents and anomalous activity to CISA via the agency's Incident Reporting System, its 24/7 Operations Center at report@cisa.gov, or by calling 1-844-Say-CISA (1-844-729-2472). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

Federal Bureau of Investigation (FBI): To report suspicious or criminal activity related to information found in this advisory, contact your local FBI field office or the FBI's Internet Crime Complaint Center (IC3). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC): For inquiries, visit ASD's website at www.cyber.gov.au or call the Australian Cyber Security Hotline at 1300 CYBER1 (1300 292 371).

Canadian Centre for Cyber Security (CCCS): CCCS supports Canadian organizations. Visit www.cyber.gc.ca for publications and guidance or contact CCCS via 1-833-CYBER-88 or email contact@cyber.gc.ca.

New Zealand National Cyber Security Centre (NCSC-NZ): The NCSC-NZ assists New Zealand organizations. Visit www.ncsc.govt.nz for guidance and resources, or email NCSC-NZ at info@ncsc.govt.nz.
63、ty Centre(ASDs ACSC):For inquiries,visit ASDs website at www.cyber.gov.au or call the Australian Cyber Security Hotline at 1300 CYBER1(1300 292 371).Canadian Centre for Cyber Security(CCCS):CCCS supports Canadian organizations.Visit www.cyber.gc.ca for publications and guidance or contact CCCS via 1-833-CYBER-88 or email contactcyber.gc.ca.New Zealand National Cyber Security Centre(NCSC-NZ):The NCSC-NZ assists New Zealand organizations.Visit www.ncsc.govt.nz for guidance and resources,or email NCSC-NZ at infoncsc.govt.nz.