Fast-flux describes infrastructure that rapidly rotates DNS answers or IP targets so a malicious site, proxy, or command-and-control service is harder to block. Instead of pointing a domain to one stable server, the attacker moves traffic across many hosts, often using short DNS time-to-live values and frequent address changes.
This matters because simple blocklists and takedowns age quickly: by the time one IP is banned, the domain may already resolve somewhere else. Fast-flux is common in phishing, malware delivery, and botnet hosting, where resilience is more valuable than speed. Defenders look for high DNS churn, unusually large sets of IPs behind one domain, and rapid changes in resolution patterns. Correlating DNS, proxy, email, and endpoint telemetry helps distinguish normal content distribution from malicious rotation and supports sinkholing, reputation blocking, and incident response.
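The signals named above (short TTLs, a large set of IPs behind one domain, and high churn in answers) can be computed per domain from passive-DNS observations. The sketch below is an added example, not part of the original page; the record layout, the function names `flux_metrics` and `suspected_fast_flux`, the thresholds, and the sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Assumed thresholds for illustration only; tune against your own baseline.
MAX_TTL = 300      # seconds: median TTL at or below this counts as "short"
MIN_IPS = 5        # distinct addresses seen for the domain in the window
MIN_CHURN = 0.5    # share of consecutive lookups whose answer set changed

# Constructed observations: (epoch_seconds, domain, ttl, answer_ips).
# Names use the reserved .example TLD; addresses are documentation ranges.
SAMPLE = [
    (0,    "static.example", 3600, ["192.0.2.10", "192.0.2.11"]),
    (600,  "static.example", 3600, ["192.0.2.10", "192.0.2.11"]),
    (1200, "static.example", 3600, ["192.0.2.11", "192.0.2.10"]),
    (0,    "flux.example", 60, ["198.51.100.1", "203.0.113.7"]),
    (120,  "flux.example", 60, ["198.51.100.44", "203.0.113.90"]),
    (240,  "flux.example", 60, ["198.51.100.1", "192.0.2.200"]),
    (360,  "flux.example", 30, ["203.0.113.15", "198.51.100.77"]),
]

def flux_metrics(observations):
    """Return {domain: {distinct_ips, median_ttl, churn}} for the window."""
    by_domain = defaultdict(list)
    for ts, domain, ttl, ips in observations:
        # Normalise case and trailing dot; compare answers as unordered sets.
        by_domain[domain.lower().rstrip(".")].append((ts, ttl, frozenset(ips)))
    metrics = {}
    for domain, rows in by_domain.items():
        rows.sort(key=lambda r: r[0])  # order by time before measuring change
        answers = [r[2] for r in rows]
        changes = sum(1 for prev, cur in zip(answers, answers[1:]) if prev != cur)
        metrics[domain] = {
            "distinct_ips": len(frozenset().union(*answers)),
            "median_ttl": median(r[1] for r in rows),
            # A single observation cannot show churn.
            "churn": changes / (len(answers) - 1) if len(answers) > 1 else 0.0,
        }
    return metrics

def suspected_fast_flux(observations):
    """Domains where all three signals cross the assumed thresholds."""
    return sorted(
        d for d, m in flux_metrics(observations).items()
        if m["median_ttl"] <= MAX_TTL and m["distinct_ips"] >= MIN_IPS
        and m["churn"] >= MIN_CHURN
    )

if __name__ == "__main__":
    print(flux_metrics(SAMPLE))
    print("review:", suspected_fast_flux(SAMPLE))
```

Content distribution networks can cross the same thresholds, so a flagged domain is a candidate for correlation with proxy, email, and endpoint telemetry rather than a verdict.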



