Bonnet creates harmful network attacks nowadays. Lawbreaker may implant malware into victim machines using botnets and, furthermore, he employs fast-flux domain technology to improve the lifetime of botnets. To circumvent the detection of command and control server, a set of bots are selected to redirect malicious communication and hides botnet communication within normal user traffic. As the dynamics of fast-flux domains, blacklist mechanism is not efficient to prevent fast-flux botnet attacks. It would be time consuming to examine the legitimacy of the domain of all the network connections. Therefore, a lightweight detection of malicious fast-flux domains is desired. Based on the time-space behavior of malicious fast-flux domains, the network behavior of domains are formulistic in this study to reduce the time complexity of feature modeling. According to the experimental results, the malicious fast-flux domains collected from real networks are identified efficiently and the proposed solution outperforms the blacklists.