Fast Flux: Catching Universally Bad Behavior, Raspberry Robin

Threat actors like Raspberry Robin are known to use Fast Flux to hide their infrastructure: they rapidly rotate a domain through numerous IPs spread across many distinct ASNs, which makes it harder for some defenders to find and block that infrastructure. By focusing on IP / ASN diversity features (the number of unique ASNs and IPs a domain has been seen on over a specific period), adding a simple regex filter for the 2-letter domain format Raspberry Robin uses for its infrastructure, and taking into account the unique Name Server they are known to use, we can build a ruleset that gives defenders lists of their domains as Indicators of Future Attacks (IOFAs).

Fast Flux behavior creates a golden opportunity for defenders to hunt for IOFAs. In our research, we have not found any legitimate enterprise that deploys Fast Flux on its domains; only threat actors do this. Silent Push has one of the only open data sets that let researchers easily search the open internet by IP / ASN diversity, so that more threat analysts can dig through hosts performing these suspicious Fast Flux DNS rotations.
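As an added illustration (not Silent Push's ruleset or code), the following Python sketches the hunting logic described above over constructed passive-DNS records: it computes per-domain unique-IP and unique-ASN counts, applies an assumed regex for the 2-letter domain shape, and checks for a placeholder name server. The domains, IPs, ASNs, name server names and thresholds are all constructed assumptions, not real Raspberry Robin indicators.

```python
import re
from collections import defaultdict

# Constructed passive-DNS observations (hypothetical; not real Raspberry Robin data):
# each tuple is (domain, resolved IP, origin ASN, authoritative name server).
def _obs(domain, ip_asn_pairs, nameserver):
    return [(domain, ip, asn, nameserver) for ip, asn in ip_asn_pairs]

FLUX_IPS = [("203.0.113.10", 64500), ("198.51.100.7", 64501), ("192.0.2.44", 64502),
            ("203.0.113.99", 64503), ("198.51.100.200", 64500), ("192.0.2.9", 64501)]
CDN_IPS = [("203.0.113.%d" % i, 64510) for i in range(1, 7)]  # many IPs, one ASN

OBSERVATIONS = (
    _obs("ab.test", FLUX_IPS, "ns1.flux-ns.test")         # 2-letter, 6 IPs / 4 ASNs, suspect NS
    + _obs("cd.test", CDN_IPS, "ns1.cdn-ns.test")         # 2-letter, but a single ASN (CDN-like)
    + _obs("example.test", FLUX_IPS, "ns1.flux-ns.test")  # fluxy, but not the 2-letter format
    + _obs("ef.test", FLUX_IPS, "ns1.other-ns.test")      # fluxy 2-letter, different name server
)

# Assumed shape of the "2-letter domain format": a two-character label directly under a TLD.
TWO_LETTER_DOMAIN = re.compile(r"^[a-z0-9]{2}\.[a-z]{2,}$", re.IGNORECASE)
SUSPECT_NAMESERVER = "ns1.flux-ns.test"  # placeholder for the actor's name server (constructed)

def diversity_features(observations):
    """Per-domain IP / ASN diversity counts and the set of name servers seen."""
    ips, asns, nss = defaultdict(set), defaultdict(set), defaultdict(set)
    for domain, ip, asn, nameserver in observations:
        d = domain.lower().rstrip(".")
        ips[d].add(ip)
        asns[d].add(asn)
        nss[d].add(nameserver.lower().rstrip("."))
    return {d: {"unique_ips": len(ips[d]), "unique_asns": len(asns[d]),
                "nameservers": nss[d]} for d in ips}

def flag_fast_flux(observations, min_ips=5, min_asns=3, nameserver=SUSPECT_NAMESERVER):
    """Return domains that exceed the diversity thresholds, match the 2-letter
    regex and (when a name server is given) were served by that name server."""
    flagged = []
    for domain, f in diversity_features(observations).items():
        if f["unique_ips"] < min_ips or f["unique_asns"] < min_asns:
            continue  # a CDN or anycast host spreads IPs, but rarely across many ASNs
        if not TWO_LETTER_DOMAIN.match(domain):
            continue
        if nameserver is not None and nameserver.lower() not in f["nameservers"]:
            continue
        flagged.append(domain)
    return sorted(flagged)
```

Dropping the name-server check (`nameserver=None`) widens the net to every fluxy 2-letter domain, which shows why the name-server feature matters for precision.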