Abstract. Fast-Flux (FF) service networks are botnet-based hosting or redirec-tion/proxy services for hosting malicious and illegal content while affording bot-masters a high level of misdirection and protection. With their use as service net-works among criminals on the rise, researchers and security experts have designed fast and accurate detection systems based on their intrinsic behavior patterns. How-ever, botmasters have responded, adopting a plethora of countermeasures to evade detection. In this paper, we explore the escalating “arms race ” between FF bot-net detectors and the botmasters ’ effort to subvert them, presenting several novel mimicry attack techniques that allow botmaster to avoid detection. We first ana-lyze the state-of-art FF detectors and their effectiveness against the current botnet threat, demonstrating how botmasters can—with their current resources—thwart detection strategies. Based on the realistic assumptions inferred from empirically-observed trends, we create formal models for bot decay, online availability, DNS-advertisement strategies and performance, allowing us to compare how different mimicry attacks affect the overall online availability and capacity of botnets.