NSA warns that overlooked botnet technique threatens national security

Soothsayer786

Ars Tribunus Militum
2,602
Subscriptor
It's absolutely impossible to be worried about national security issues like this when the people running the entire national security apparatus are incompetent buffoons who don't even know how classified information works. The NSA should issue some warnings about that.

Until they get serious about the appalling national security threat that is the Trump administration I can't have any confidence in anything they say. You want me to be worried about ransomware? Fine. Put some people in charge who are actually qualified to protect us from all this scary shit.

The bad people are lining up to do us harm because they know the people in charge are asleep at the wheel, or worse, ready to join them in their bad deeds.
 
Upvote
315 (345 / -30)

DaveSimmons

Ars Legatus Legionis
10,411
bypasses many common defenses.

One thing to realize is this only affects where the malicious code loads from or where code already running on your system gets additional malicious code and orders from the command servers.

It indirectly increases threats because some security software can blacklist known malicious IPs and domains, but these techniques don't directly make infection code stronger or create new vulnerabilities.

The "common defenses" are blocking you from being able to click that social engineering link to a fake password entry form or fake download or fake whatever.
 
Upvote
85 (85 / 0)

Linux-Is-Best

Wise, Aged Ars Veteran
103
It's absolutely impossible to be worried about national security issues like this when the people running the entire national security apparatus are incompetent buffoons who don't even know how classified information works. The NSA should issue some warnings about that.

Until they get serious about the appalling national security threat that is the Trump administration I can't have any confidence in anything they say. You want me to be worried about ransomware? Fine. Put some people in charge who are actually qualified to protect us from all this scary shit.

The bad people are lining up to do us harm because they know the people in charge are asleep at the wheel, or worse, ready to join them in their bad deeds.
^ This.

I work for Meta (Facebook), and we're now helping the government track anyone who uses the word "protest". Our government seems more worried about their own citizens getting upset, than they seem to be worried about outside threats. I am glad someone within the NSA is doing their job and put out this notice, but I doubt most of the people running things care, or would know what the true threat is.
 
Upvote
210 (219 / -9)
^ This.

I work for Meta (Facebook), and we're now helping the government track anyone who uses the word "protest". Our government seems more worried about their own citizens getting upset, than they seem to be worried about outside threats. I am glad someone within the NSA is doing their job and put out this notice, but I doubt most of the people running things care, or would know what the true threat is.
"He-Who-Must-Not-Be-Named" we have come to this.
 
Upvote
88 (90 / -2)

Frodo Douchebaggins

Ars Legatus Legionis
10,846
Subscriptor
^ This.

I work for Meta (Facebook), and we're now helping the government track anyone who uses the word "protest". Our government seems more worried about their own citizens getting upset, than they seem to be worried about outside threats. I am glad someone within the NSA is doing their job and put out this notice, but I doubt most of the people running things care, or would know what the true threat is.

The true threat is companies like yours that played a big part in making the current administration happen.
 
Upvote
233 (239 / -6)
^ This.

I work for Meta (Facebook), and we're now helping the government track anyone who uses the word "protest". Our government seems more worried about their own citizens getting upset, than they seem to be worried about outside threats. I am glad someone within the NSA is doing their job and put out this notice, but I doubt most of the people running things care, or would know what the true threat is.
Now I'm curious. If you know this to be true and disagree with it, why are you still working there?

Not trying to be a jerk. Not trying to be sanctimonious. What practical reasons have kept you in place?
 
Upvote
95 (99 / -4)

Linux-Is-Best

Wise, Aged Ars Veteran
103
The true threat is companies like yours that played a big part in making the current administration happen.
Oh, you're not wrong. But if you check your inbox lately, everything from Facebook, Google, Amazon, Uber, Lyft, GrubHub, InstaCart, Twitch, Twitter, Reddit, and more, have been updating their privacy policies and terms of services the past month or so. We are far from alone, and you're right it is dangerous.
 
Upvote
87 (87 / 0)

SnoopCatt

Ars Centurion
1,088
Subscriptor
From the article (bolded for emphasis):
Fast flux works by cycling through a range of IP addresses and domain names that these botnets use to connect to the Internet.
It's not clear from either of the diagrams how bad actors can rapidly change the domain name 'malwaredomain.com' to avoid detection.

If the secret sauce of this technique is related to how wildcard records in DNS redirect to non-existent subdomains, then that should be explained a bit better.
 
Upvote
35 (36 / -1)

Linux-Is-Best

Wise, Aged Ars Veteran
103
Now I'm curious. If you know this to be true and disagree with it, why are you still working there?

Not trying to be a jerk. Not trying to be sanctimonious. What practical reasons have kept you in place?
They pay me.

I am 44 years old, and most of my work history no longer exists because many of the places I worked for went out of business years ago. I am not a young guy fresh out of college that most places are going to take a chance on or be eager to hire as a trainee.

Additionally, because I work for an overseas division of Meta, I still am working remotely from home, and do not need to deal with the usual workplace drama or politics. My manager is on the other side of the planet, and we've not spoken in months.

My company is awful. My hours are long, and the pay is not the greatest, but I do have the best benefits I have ever had in my life (no co-pays, for example). So for now, this will do. I may not like it, but as messed up as it is, most people don't always like their job.
 
Upvote
184 (194 / -10)

adespoton

Ars Legatus Legionis
10,148
From the article (bolded for emphasis):

It's not clear from either of the diagrams how bad actors can rapidly change the domain name 'malwaredomain.com' to avoid detection.

If the secret sauce of this technique is related to how wildcard records in DNS redirect to non-existent subdomains, then that should be explained a bit better.
Generally, it's not malwaredomain.com, it's dynamically generated asdfrq3tewrt3tfsrd.info domains where the malware that's initially dropped has a domain generation algorithm. Then the attackers register one of the domains, and when the malware cycles through the options, it eventually hits the valid domain, at which point the IP resolution kicks in, and the query is resolved to one of the many possible IPs. This IP then sends new data back to the victim, which can even involve an IP lookup table that's only valid for a few hours and bypasses further DNS lookups altogether. The next time the malware calls home to the IP, it's assigned a new IP for the next callhome. As a result, it's really difficult to pin down a specific C2 server, even though it's often the same actual server (or botnet) on the other end sending the information.

This technique is effective against protections that depend on (sometimes temporarily) blocklisting IP addresses based on activity, reputation or known malware sources. So as usual, defense in depth is important.
 
Upvote
122 (122 / 0)

SnoopCatt

Ars Centurion
1,088
Subscriptor
Generally, it's not malwaredomain.com, it's dynamically generated asdfrq3tewrt3tfsrd.info domains where the malware that's initially dropped has a domain generation algorithm. Then the attackers register one of the domains, and when the malware cycles through the options, it eventually hits the valid domain, at which point the IP resolution kicks in, and the query is resolved to one of the many possible IPs. This IP then sends new data back to the victim, which can even involve an IP lookup table that's only valid for a few hours and bypasses further DNS lookups altogether. The next time the malware calls home to the IP, it's assigned a new IP for the next callhome. As a result, it's really difficult to pin down a specific C2 server, even though it's often the same actual server (or botnet) on the other end sending the information.

This technique is effective against protections that depend on (sometimes temporarily) blocklisting IP addresses based on activity, reputation or known malware sources. So as usual, defense in depth is important.
Thank you for taking the time to explain that.
 
Upvote
74 (74 / 0)

Navalia Vigilate

Ars Tribunus Militum
2,871
Subscriptor++
It's absolutely impossible to be worried about national security issues like this when the people running the entire national security apparatus are incompetent buffoons who don't even know how classified information works. The NSA should issue some warnings about that.

Until they get serious about the appalling national security threat that is the Trump administration I can't have any confidence in anything they say. You want me to be worried about ransomware? Fine. Put some people in charge who are actually qualified to protect us from all this scary shit.

The bad people are lining up to do us harm because they know the people in charge are asleep at the wheel, or worse, ready to join them in their bad deeds.
This is not true, it is more difficult but not impossible. In the incident response field we've seen a drop in notifications about Russian actors but there are still many within DISA and other organizations trying their hardest to do the right thing. And it is important. Just because the head of the US government is rotten does not mean that the rest of government is rotten and certainly all of us that interface with those resources are still in the fight for the right reasons.

Saying this as someone that works hard to protect the healthcare vertical, something I'm sure you care about very much.
 
Upvote
83 (84 / -1)

akamat

Wise, Aged Ars Veteran
103
Now I'm curious. If you know this to be true and disagree with it, why are you still working there?

Not trying to be a jerk. Not trying to be sanctimonious. What practical reasons have kept you in place?
At a wild guess, how about earning money like 99.99% of the population?

It's great to fantasize about quitting in moral outrage. But there is no real gain in leaving a replaceable job, at best he'll end up freeing a seat for someone who is more supportive of government monitoring.

Not that there is much moral cause in this case either. Company located within a country is cooperating with the country's leadership - what else did you expect them to do? Govt always has the upper hand, at most you can drag out the compliance or do a shoddy job implementing it.
 
Upvote
55 (65 / -10)

Navalia Vigilate

Ars Tribunus Militum
2,871
Subscriptor++
Generally, it's not malwaredomain.com, it's dynamically generated asdfrq3tewrt3tfsrd.info domains where the malware that's initially dropped has a domain generation algorithm. Then the attackers register one of the domains, and when the malware cycles through the options, it eventually hits the valid domain, at which point the IP resolution kicks in, and the query is resolved to one of the many possible IPs. This IP then sends new data back to the victim, which can even involve an IP lookup table that's only valid for a few hours and bypasses further DNS lookups altogether. The next time the malware calls home to the IP, it's assigned a new IP for the next callhome. As a result, it's really difficult to pin down a specific C2 server, even though it's often the same actual server (or botnet) on the other end sending the information.

This technique is effective against protections that depend on (sometimes temporarily) blocklisting IP addresses based on activity, reputation or known malware sources. So as usual, defense in depth is important.
This is a great boil down. Not that anyone is ceasing blocking by domains and IP space as not all threat actors are so dynamic, but the days of relying on it are well gone.
 
Upvote
21 (21 / 0)

Navalia Vigilate

Ars Tribunus Militum
2,871
Subscriptor++
Can you provide any more details? That's quite the thing to drop casually in a comment.
Sounds like we need to develop some AI bots that make random posts with keywords that will attract attention and fill up the buffers of the automation and selected posts for escalation.
 
Upvote
38 (38 / 0)

akamat

Wise, Aged Ars Veteran
103
Generally, it's not malwaredomain.com, it's dynamically generated asdfrq3tewrt3tfsrd.info domains

How do these spread fast enough for the infected clients to resolve them, shouldn't DNS propagation take several hours? Or is that not long enough to detect the malware nature of the site?

If a DNS relay server can recognize such generated domain names (vs just longer but valid domains), then maybe it can track any connection attempts to it and identify some of the client IPs. Not that this would help with subsequent DNS-free lookups, but might be easier to follow up with government or company domains where bad clients can then be kicked off the network.
 
Upvote
5 (9 / -4)

adespoton

Ars Legatus Legionis
10,148
How do these spread fast enough for the infected clients to resolve them, shouldn't DNS propagation take several hours? Or is that not long enough to detect the malware nature of the site.

If a DNS relay server can recognize such generated domain names (vs just longer but valid domains), then maybe it can track any connection attempts to it and identify some of the client IPs. Not that this would help with subsequent DNS-free lookups, but might be easier to follow up with government or company domains where bad clients can then be kicked off the network.
Not sure I follow. The threat actor just needs to spin a couple of the domains up, deploy the malware, and then start the process of registering new domains and dropping the old ones.

But yes, one of the lines of defense is to reverse engineer the Domain Generation Algorithm and just scan for and block ANY of those domains that get registered. However, if you have a DGA that can search a few thousand domains, then that's a few thousand domains that you have to monitor -- and there's every chance that some of those domains will be legitimate, and blocking them will Cause Problems -- so you also have to validate each domain by attempting to connect to it like the malware would. And the server may be set up to only accept responses from specific blocks of IPs or with other conditions that may not be met; if it's a targeted attack, the target's IP netblock might be in a list of valid blocks to respond to on the C2 server. And many of the IPs that are resolved to are compromised but otherwise legitimate servers, IoT devices, etc.
 
Upvote
35 (35 / 0)

ColdWetDog

Ars Legatus Legionis
13,360
Subscriptor++
^ This.

I work for Meta (Facebook), and we're now helping the government track anyone who uses the word "protest". Our government seems more worried about their own citizens getting upset, than they seem to be worried about outside threats. I am glad someone within the NSA is doing their job and put out this notice, but I doubt most of the people running things care, or would know what the true threat is.
Extraordinary claims require at least some evidence. This would be of enormous interest to lots of people with significant legal resources and it doesn't seem to be on anybody's radar. If it is real and you're blabbing it, well then, goodluckwiththat.

Otherwise I will keep up a level of significant doubt.
 
Upvote
24 (34 / -10)
This is really interesting. I work in software but I don't spend much time around the infrastructure security.

The approach makes sense to me. In another century I was an in-flight comms technician in the Air Force for AWACS. We had a number of anti-jam radio comm and data systems which functioned by swapping frequencies in the given spectrum thousands of times per second based on mutually synced crypto codes. Jamming takes a ton of power and generally targets a narrow range of frequencies - you defeat it by hopping around the interference.

It seems the bad actors in this situation are doing the same concept but to hide their origin.
 
Upvote
36 (36 / 0)

Arstotzka

Ars Scholae Palatinae
978
Subscriptor++
Generally, it's not malwaredomain.com, it's dynamically generated asdfrq3tewrt3tfsrd.info domains where the malware that's initially dropped has a domain generation algorithm. Then the attackers register one of the domains, and when the malware cycles through the options, it eventually hits the valid domain, at which point the IP resolution kicks in, and the query is resolved to one of the many possible IPs. This IP then sends new data back to the victim, which can even involve an IP lookup table that's only valid for a few hours and bypasses further DNS lookups altogether. The next time the malware calls home to the IP, it's assigned a new IP for the next callhome. As a result, it's really difficult to pin down a specific C2 server, even though it's often the same actual server (or botnet) on the other end sending the information.

This technique is effective against protections that depend on (sometimes temporarily) blocklisting IP addresses based on activity, reputation or known malware sources. So as usual, defense in depth is important.
I've wondered why registrars don't do entropy checking, but I guess there are plenty of dodgy TLDs and registrars so it isn't a concern.

If possible, we try to block DNS queries to recently-registered domains or ones that look algorithmically generated.
 
Upvote
26 (26 / 0)
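Added example (not from the article or any commenter) of the two defensive checks discussed above: flagging query names that look algorithmically generated, and flagging names whose answers churn through many IPs with short TTLs, the fast-flux pattern adespoton describes. It runs over a constructed resolver log in an assumed "epoch client qname ttl answer_ip" format; the thresholds are assumptions to tune locally, and the long legitimate name is there to show the heuristic's false-positive caveat.

```python
"""Flag DGA-looking names and fast-flux IP churn in a constructed resolver log."""
import math
from collections import defaultdict

# Constructed sample (documentation IP ranges, no real incident): epoch client qname ttl answer_ip
SAMPLE_LOG = """\
1000 10.0.0.5 www.example.com 3600 192.0.2.1
1060 10.0.0.5 asdfrq3tewrt3tfsrd.info 60 198.51.100.10
1120 10.0.0.7 asdfrq3tewrt3tfsrd.info 60 203.0.113.77
1180 10.0.0.9 asdfrq3tewrt3tfsrd.info 60 192.0.2.200
1240 10.0.0.5 asdfrq3tewrt3tfsrd.info 60 198.51.100.11
1300 10.0.0.5 mail.example.com 3600 192.0.2.2
1360 10.0.0.7 www.example.com 3600 192.0.2.1
1400 10.0.0.9 internationalbusinessmachines.com 3600 192.0.2.9
"""

def shannon_entropy(s):
    """Bits per character of the label; random-looking labels score high."""
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())

def registered_label(qname):
    """Second-level label (naive split; real tooling should use the Public Suffix List)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(qname, min_len=12, min_entropy=3.0, max_vowel_ratio=0.3):
    """Heuristic DGA-likeness: a long, high-entropy, vowel-poor label.
    Long English-word labels stay vowel-rich and are not flagged."""
    label = registered_label(qname)
    if len(label) < min_len:
        return False
    vowels = sum(label.count(v) for v in "aeiou")
    return shannon_entropy(label) >= min_entropy and vowels / len(label) <= max_vowel_ratio

def parse_log(text):
    recs = []
    for line in text.splitlines():
        ts, client, qname, ttl, ip = line.split()
        recs.append((int(ts), client, qname.lower(), int(ttl), ip))
    return recs

def fast_flux_candidates(recs, window=600, min_ips=3, max_ttl=300):
    """Names answered with >= min_ips distinct IPs inside `window` seconds
    while advertising TTL <= max_ttl (assumed thresholds)."""
    by_name = defaultdict(list)
    for ts, _, qname, ttl, ip in recs:
        by_name[qname].append((ts, ttl, ip))
    flagged = set()
    for qname, events in by_name.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            ips = {ip for ts, ttl, ip in events[i:] if ts - t0 <= window and ttl <= max_ttl}
            if len(ips) >= min_ips:
                flagged.add(qname)
                break
    return flagged

def analyze(text):
    recs = parse_log(text)
    return {"dga_like": sorted({q for _, _, q, _, _ in recs if looks_generated(q)}),
            "fast_flux": sorted(fast_flux_candidates(recs))}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Both signals together are stronger than either alone: a generated-looking name that also churns IPs is worth an alert, while a long dictionary name on a stable IP is not.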

sigkill9

Seniorius Lurkius
13
Extraordinary claims require at least some evidence. This would be of enormous interest to lots of people with significant legal resources and it doesn't seem to be on anybody's radar. If it is real and you're blabbing it, well then, goodluckwiththat.

Otherwise I will keep up a level of significant doubt.

I'm with you but not for the same reasons.

1000% plausible Meta is fully cooperating with / aiding govt mass surveillance programs.

But keywords... that's AOL era tech 😂.

I feel like even by the Snowden leak era we were well past that.

At this point, soc media, telecom, and ad companies have collected so much data (and handed it over to ML training) that we're probably closer to Minority Report style pre-crime shit except it's an Nvidia GPU farm sitting in the liquid cooled vat and not a clairvoyant bald lady.

And in case you missed the memo, the Snowden era pretty well proved that govts are absolutely interested in this, corporations will comply, and the gen pop doesn't give a fuck.
 
Upvote
76 (78 / -2)
^ This.

I work for Meta (Facebook), and we're now helping the government track anyone who uses the word "protest". Our government seems more worried about their own citizens getting upset, than they seem to be worried about outside threats. I am glad someone within the NSA is doing their job and put out this notice, but I doubt most of the people running things care, or would know what the true threat is.
Maybe you should ask Waltz for Goldberg’s phone number.
 
Upvote
25 (25 / 0)

DaVuVuZeLa

Ars Tribunus Militum
2,533
^ This.

I work for Meta (Facebook), and we're now helping the government track anyone who uses the word "protest". Our government seems more worried about their own citizens getting upset, than they seem to be worried about outside threats. I am glad someone within the NSA is doing their job and put out this notice, but I doubt most of the people running things care, or would know what the true threat is.
And that's why I deleted my account.
 
Upvote
15 (15 / 0)

SlyWalker

Wise, Aged Ars Veteran
157
Subscriptor++
They pay me.

I am 44 years old, and most of my work history no longer exists because many of the places I worked for went out of business years ago. I am not a young guy fresh out of college that most places are going to take a chance on or be eager to hire as a trainee.

Additionally, because I work for an overseas division of Meta, I still am working remotely from home, and do not need to deal with the usual workplace drama or politics. My manager is on the other side of the planet, and we've not spoken in months.

My company is awful. My hours are long, and the pay is not the greatest, but I do have the best benefits I have ever had in my life (no co-pays, for example). So for now, this will do. I may not like it, but as messed up as it is, most people don't always like their job.
Let me give you some https://specificsuggestions.com
 
Upvote
-4 (10 / -14)