Fast flux

The frontend bots, which act as ephemeral hosts affixed to a control master, are called flux-agents; their network availability is indeterminate because of the dynamic nature of fast-fluxing.

The backend motherships do not establish direct communication with the user agents; rather, every action is reverse-proxied through compromised frontend nodes,[8] which makes the attack long-lasting and resilient against takedown attempts.

Double-fluxing networks involve high-frequency permutation of the fluxing domain's authoritative name servers, along with DNS resource records such as A, AAAA, or CNAME pointing to the frontend proxies.

The NS records in a double-fluxing network usually point to a referrer host that listens on port 53, which forwards the query to a backend DNS resolver that is authoritative for the fluxing domain.
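The two paragraphs above describe the observable signature of single flux (A/AAAA answers that rotate across unrelated networks behind short TTLs) and double flux (the domain's NS set rotating as well). The following is an added defender-side example, not code from the article or from any named tool: it scores a stream of DNS resolution snapshots and labels each domain as single-flux, double-flux, or benign. The snapshot records, the thresholds (`SHORT_TTL`, `MIN_DISTINCT_A`, and so on), and the use of /16 prefixes as a stand-in for network diversity are all assumptions made for this example; a production detector would use ASN or BGP prefix data instead.

```python
"""Fast-flux / double-flux indicator scoring over DNS resolution snapshots.

Added example (not from the article). Each Snapshot is one observation of a
domain's A or NS answer set at a point in time, e.g. from a passive DNS feed.
All sample data below is constructed; RFC 5737 documentation addresses are used.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Thresholds are assumptions chosen for this example, not values from the article.
SHORT_TTL = 300             # answers refreshed this often or faster count as "short"
MIN_DISTINCT_A = 5          # distinct A answers seen across the window
MIN_DISTINCT_PREFIXES = 3   # distinct /16 prefixes among those answers
MIN_A_CHANGES = 2           # answer set must actually change between snapshots
MIN_DISTINCT_NS = 3         # distinct authoritative name server hosts (double flux)


@dataclass
class Snapshot:
    ts: int                 # observation time, seconds (constructed)
    domain: str
    rtype: str              # "A" or "NS"
    answers: Tuple[str, ...]
    ttl: int


@dataclass
class DomainStats:
    a_addrs: Set[str] = field(default_factory=set)
    ns_hosts: Set[str] = field(default_factory=set)
    a_ttls: List[int] = field(default_factory=list)
    ns_ttls: List[int] = field(default_factory=list)
    a_changes: int = 0
    last_a: Optional[Tuple[str, ...]] = None


def slash16(ip: str) -> str:
    """Crude network-diversity key: the first two IPv4 octets (assumption)."""
    return ".".join(ip.split(".")[:2])


def summarize(snapshots: List[Snapshot]) -> Dict[str, DomainStats]:
    """Aggregate per-domain answer churn, in time order."""
    stats: Dict[str, DomainStats] = defaultdict(DomainStats)
    for s in sorted(snapshots, key=lambda x: x.ts):
        d = stats[s.domain]
        if s.rtype == "A":
            d.a_addrs.update(s.answers)
            d.a_ttls.append(s.ttl)
            cur = tuple(sorted(s.answers))
            if d.last_a is not None and cur != d.last_a:
                d.a_changes += 1
            d.last_a = cur
        elif s.rtype == "NS":
            d.ns_hosts.update(s.answers)
            d.ns_ttls.append(s.ttl)
    return stats


def classify(d: DomainStats) -> str:
    """Single flux = short-TTL A answers churning across unrelated prefixes;
    double flux = single flux plus a churning short-TTL NS set."""
    prefixes = {slash16(ip) for ip in d.a_addrs}
    short_a = bool(d.a_ttls) and max(d.a_ttls) <= SHORT_TTL
    single = (short_a and len(d.a_addrs) >= MIN_DISTINCT_A
              and len(prefixes) >= MIN_DISTINCT_PREFIXES
              and d.a_changes >= MIN_A_CHANGES)
    short_ns = bool(d.ns_ttls) and max(d.ns_ttls) <= SHORT_TTL
    double = single and short_ns and len(d.ns_hosts) >= MIN_DISTINCT_NS
    if double:
        return "double-flux"
    if single:
        return "single-flux"
    return "benign"


def classify_all(snapshots: List[Snapshot]) -> Dict[str, str]:
    return {dom: classify(st) for dom, st in summarize(snapshots).items()}


# Constructed sample feed. fluxy.example rotates both A and NS answers,
# singleflux.example rotates only A answers, static.example never changes,
# and cdn.example has a short TTL but only a few addresses in one prefix
# (a CDN-like pattern that must not be flagged on TTL alone).
SAMPLE_SNAPSHOTS = [
    Snapshot(0,   "fluxy.example", "A",  ("198.51.100.10", "203.0.113.7"), 120),
    Snapshot(120, "fluxy.example", "A",  ("192.0.2.44", "203.0.113.7"), 120),
    Snapshot(240, "fluxy.example", "A",  ("192.0.2.44", "198.51.100.99"), 120),
    Snapshot(360, "fluxy.example", "A",  ("203.0.113.200", "198.51.100.5"), 120),
    Snapshot(0,   "fluxy.example", "NS", ("ns1.fluxy.example", "ns2.fluxy.example"), 180),
    Snapshot(180, "fluxy.example", "NS", ("ns3.fluxy.example", "ns2.fluxy.example"), 180),
    Snapshot(360, "fluxy.example", "NS", ("ns3.fluxy.example", "ns4.fluxy.example"), 180),
    Snapshot(0,   "singleflux.example", "A",  ("192.0.2.10",), 60),
    Snapshot(100, "singleflux.example", "A",  ("198.51.100.20",), 60),
    Snapshot(200, "singleflux.example", "A",  ("203.0.113.30",), 60),
    Snapshot(300, "singleflux.example", "A",  ("192.0.2.11", "203.0.113.31"), 60),
    Snapshot(0,   "singleflux.example", "NS", ("ns1.registrar.example", "ns2.registrar.example"), 86400),
    Snapshot(0,   "static.example", "A",  ("192.0.2.1",), 3600),
    Snapshot(3600, "static.example", "A", ("192.0.2.1",), 3600),
    Snapshot(0,   "cdn.example", "A",  ("192.0.2.50", "192.0.2.51"), 60),
    Snapshot(60,  "cdn.example", "A",  ("192.0.2.52", "192.0.2.50"), 60),
    Snapshot(120, "cdn.example", "A",  ("192.0.2.51", "192.0.2.52"), 60),
]

if __name__ == "__main__":
    for domain, verdict in sorted(classify_all(SAMPLE_SNAPSHOTS).items()):
        print(f"{domain:22s} {verdict}")
```

The `cdn.example` case is the one to keep in mind when tuning: short TTLs and rotating answers are normal for load-balanced services, so the diversity conditions (distinct addresses spread over unrelated networks, and for double flux a name server set that changes too) carry the signal, not the TTL by itself.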

A further level of resilience and redundancy is achieved through blind proxy redirection by the frontend nodes.[22]: 7  Fast-fluxing domains also abuse the domain wildcarding feature of the RFC 1034 specification for spam delivery and phishing, and use DNS covert channels to transfer application-layer payloads of protocols such as HTTP, SFTP, and FTP encapsulated within DNS query datagrams.

An infected host repeatedly tries to initiate a flux-agent handshake by spontaneously generating, resolving, and connecting to IP addresses until it receives an acknowledgment, in order to register itself with the flux-herder mothership node.

Robtex DNS Analysis of a fast fluxing domain.
An illustration of single and double DNS fast-fluxing networks.