domain fluxing

Domain fluxing is a technique for keeping a malicious botnet in operation by constantly changing the domain name of the botnet owner's Command and Control (C&C) server.

If something is "in flux," it means it is constantly changing. In this case, the bots are using a domain-generation algorithm (DGA) to produce tens of thousands of random domain names, one of which will actually be registered by the botnet operator. Each bot then sends out DNS queries to the random domains until one of them actually resolves to the address of the C&C server.  

Domain fluxing can make it difficult for security researchers and administrators to block instructions from a C&C server and shut a botnet down. Domain fluxing was popularized by Conficker and is also used by Kraken and a rootkit called Torpig.

See also: fast-flux DNS

This was last updated in November 2013

Continue Reading About domain fluxing

Dig Deeper on Threats and vulnerabilities