The Internet is a worldwide publicly accessible computer network that consists of millions of smaller networks. Academic, business, government, etc. networks interconnect to transmit data between computers connected to the Internet. With the growth in popularity and usage of the Internet, crime has also grown with and adapted to the Internet environment. Criminal activity is also becoming more sophisticated to aid cyber criminals in evading detection.
One technique used in cyber crime is the creation and use of botnets, a network of infected computers that can be used as a platform for spreading infection to further systems. However, as detection systems became more sophisticated, simple botnets were replaced by fast flux networks. A fast flux network consists of a network of infected or compromised computer systems that constantly flux in and out of existence to create a resilient virtual network that is difficult to identify or take down. The fast fluxing computers that make up the network act as proxy systems to serve content from the flux-herder mothership.
The hosts comprising the fast flux network, or the mothership, if one exists, generally serves content for a valid domain name (i.e. http://www.fluxexample.com/), which is assigned multiple internet protocol (IP) addresses. Because domain name system (DNS) resource records can be changed every few minutes, the IP addresses of infected computer systems are swapped in and out of existence as often as every few minutes. Thus, each time a resource is requested from www.fluxexample.com, the domain name will resolve at the IP address of a different infected computer. This flux may be accomplished by providing a short time to live (TTL) and a round-robin IP address assignment scheme for the DNS resource records. Within the veil of a protective and ever changing fast flux network, the hosts serving content may then run online pharmacy websites, money mule recruitment websites, phishing websites, illegal adult content websites, malware delivery websites, etc.