File size: 3,759 Bytes

5fe70fd

{
    "type": "bundle",
    "id": "bundle--c2fe1ae2-164f-45bb-975b-524994ea93e1",
    "spec_version": "2.0",
    "objects": [
        {
            "id": "attack-pattern--248cbfdd-fec4-451b-b2a9-e46d4b268e30",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "name": "Fast Flux DNS",
            "description": "**This technique has been deprecated. Please use [Fast Flux DNS](https://attack.mitre.org/techniques/T1568/001).**\n\nA technique in which a fully qualified domain name has multiple IP addresses assigned to it which are swapped with extreme frequency, using a combination of round robin IP address and short Time-To-Live (TTL) for a DNS resource record. (Citation: HoneynetFastFlux) (Citation: MisnomerFastFlux) (Citation: MehtaFastFluxPt1) (Citation: MehtaFastFluxPt2)",
            "external_references": [
                {
                    "source_name": "mitre-pre-attack",
                    "external_id": "T1325",
                    "url": "https://attack.mitre.org/techniques/T1325"
                },
                {
                    "description": "Jamie Riden. (2008, August 16). HOW FAST-FLUX SERVICE NETWORKS WORK. Retrieved March 6, 2017.",
                    "source_name": "HoneynetFastFlux"
                },
                {
                    "description": "Misnomer. (2012, May 4). RESEARCH TO DETECTION \u2013 IDENTIFY FAST FLUX IN YOUR ENVIRONMENT. Retrieved March 6, 2017.",
                    "source_name": "MisnomerFastFlux"
                },
                {
                    "url": "https://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-1/#gref",
                    "description": "Mehta, L. (2014, December 17). Fast Flux Networks Working and Detection, Part 1. Retrieved March 6, 2017.",
                    "source_name": "MehtaFastFluxPt1"
                },
                {
                    "source_name": "MehtaFastFluxPt2",
                    "description": "Mehta, L. (2014, December 23). Fast Flux Networks Working and Detection, Part 2. Retrieved March 6, 2017.",
                    "url": "https://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-2/#gref"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "type": "attack-pattern",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-pre-attack",
                    "phase_name": "adversary-opsec"
                }
            ],
            "modified": "2020-03-30T14:06:03.611Z",
            "created": "2017-12-14T16:46:06.044Z",
            "x_mitre_deprecated": true,
            "x_mitre_is_subtechnique": false,
            "x_mitre_old_attack_id": "PRE-T1102",
            "x_mitre_version": "1.0",
            "x_mitre_difficulty_for_adversary_explanation": "Fast flux is generally simple for an adversary to set up and offers several advantages.  Such advantages include limited audit trails for defenders to find, ease of operation for an adversary to maintain, and support for main nodes.",
            "x_mitre_difficulty_for_adversary": "Yes",
            "x_mitre_detectable_by_common_defenses_explanation": "In general, detecting usage of fast flux DNS is difficult due to web traffic load balancing that services client requests quickly.  In single flux cases only IP addresses change for static domain names.  In double flux cases, nothing is static.  Defenders such as IPS, domain registrars, and service providers are likely in the best position for detection.",
            "x_mitre_detectable_by_common_defenses": "Partial"
        }
    ]
}