Farsight TXT Record

So What's The Big Deal About New Domains?

May 29, 2015

Introduction

One of the areas that Farsight Security, Inc., (FSI) has chosen to focus on is newly observed domain names. You might wonder, “Sheesh, why would anyone bother paying attention to new domain names? People create new domain names all the time, right?” It’s true. Anyone can create new domain names — you may even have purchased some of your own. However, as we’ll see, most new domains aren’t created by well-meaning people. As FSI’s own CEO, Dr. Paul Vixie, observed in his 2013 CircleID article, “Taking Back the DNS”:

Most new domain names are malicious.

I am stunned by the simplicity and truth of that observation. Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators. The DNS industry has a lot of highly capable and competitive registrars and registries who have made it possible to reserve or create a new name in just seconds, and to create millions of them per day. Domains are cheap, domains are plentiful, and as a result most of them are dreck or worse.

The Value Proposition Behind Tracking New Domain Names

If most newly created domain names are “dreck or worse,” why track them? Well, if you could quickly and reliably tell that a domain name you’re seeing is new, you might simply decide to wait a bit before accepting traffic from a server using that new name.

Waiting a few hours (or even a whole day) before talking to a new domain is of little consequence if that domain is legitimate, but waiting a day (or even just a few hours) can make a huge difference when it comes to dealing with a domain that’s malicious. To understand why, remember that the bad guys count on being able to quickly create a new domain, immediately begin to misuse/abuse it, and then repeat the process as needed. This approach lets at least some bad guys stay one step ahead of the good guys, routinely hopping from one new malicious domain to another one. If you temporarily block access to their new domains, you can automatically avoid a lot of risk with very little in the way of collateral damage.

Why Are The Bad Guys In Such A Continual Hurry? Why Do They Constantly Need New Domain Names?

Cyber security is often framed as a “race” between the attackers and the defenders, with the bad guys trying to do their deviltry before the good guys can react. This tends to be particularly true for domain names. This is because:

  • The domain name may have been purchased using a stolen credit card. Because investigators routinely “follow the money” to learn the identity of a cyber criminal, bad guys normally won’t buy domain names using their own credit cards (bad guys understand that it would be easy to go from a bad domain name, to the credit card used to purchase it, to the card holder’s real world identity), preferring to use someone else’s (stolen) credit card instead. Of course, once that stolen credit card gets detected, any domain name purchased with that card will quickly get suspended by its registrar.
  • The domain name may have bogus whois data, including an invalid email address. Investigators will also routinely investigate the point of contact information provided when registering a domain. Cyber criminals know that. Knowing that, they’re normally not dumb enough to register malicious domains with their own name and address information. On the other hand, if a cyber criminal proceeds to register a domain with fictitious contact information, and that’s discovered, the registrar must suspend the domain name. This means that using bogus domain name point of contact information is yet another factor driving constantly changing cyber criminal domain name usage.
  • Anti-spam/anti-phishing companies may also be hot on the abuser’s trail. If blocklisting organizations can identify a domain that’s being abused, they’ll quickly block list it. The most heavily abused domains are often the top priority for blocking. Using multiple domain names may help keep a single spamvertised domain name from looking too prominent (e.g., by spreading the traffic load across many domains and thereby helping the spammer to try to “fly under the radar”); when those domains end up blocked nonetheless, still more domains are required.
  • Law enforcement officers may have opened a case. Criminals may have the mistaken belief that by simply shuffling their misbehavior over to a new domain name, an ongoing investigation can be derailed, or at least substantially complicated.

All of these factors and more drive a typical miscreant to go through domain names the way most of us might eat bridge mix. Let’s look at data publicly shared by Mr. Joe Wein, a leading anti-spammer, to see a concrete example of this phenomenon.

Joe Wein’s Domain Blocklist Entries

Joe Wein is the creator of the Microsoft Windows(tm) anti-spam package jwSpamSpy and a major contributor of domain data to the popular and widely-trusted SURBL domain blocklist. Unlike many other anti-spammers, Mr. Wein offers a public web page with a list of domains that he’s recently blocklisted, complete with details about the date when those domains were registered, and the dates when those domains were blocklisted by him. He had 41,071 domains on that page when we recently retrieved it, representing domains blocklisted by him over the last 30 days. With that data, we can see the time that passed between those domains getting registered, and those domains getting blocklisted by Mr. Wein. If a domain was registered by a spammer and then blocklisted by Mr. Wein on the same day, the delay would be zero days. If a spammer registered a domain one day, and that domain was blocklisted by Mr. Wein the next day, the delay would be one day, and so forth. We can see the distribution of delays for Joe Wein’s data in the following graph.

[Graph: distribution of delays, in days, between domain registration and blocklisting in Joe Wein’s data]

As noted in the boxed area of the graph, when we look at domains blocked by Mr. Wein during this period, half were listed by him on either the same day they were registered, or on the very next day. 83% of the domains that Mr. Wein listed were listed within ten days of registration, and more than 91% were listed within 30 days of their date of registration. We can thus see that the usable life of spam-related domain names is very brief.

The brevity of that interval (e.g., over half of all the domains listed by Mr. Wein were listed the day of registration, or by the day thereafter) is particularly amazing when you consider that that delay includes both any spammer-induced delays, AND the time it takes Mr. Wein (or more accurately, his spam domain identification programs) to notice that a domain is being abused and should be listed.

Given that over half of all the data points in this data set represent delays of one day or less, ideally we’d like to be able to calculate more fine-grained measurements, perhaps measuring the time from registration to blocking in hours, minutes and seconds rather than days. Unfortunately, Mr. Wein currently only lists dates.
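The registration-to-listing delay analysis described above can be reproduced with a few lines of Python. The following is an added example, not code from the original article or from Farsight; the (registration date, blocklist date) pairs are constructed for illustration and are not Mr. Wein’s published data. It computes the per-domain delay in days, the fraction of domains listed within a given number of days (the 1-day, 10-day and 30-day figures quoted above), and a bucketed histogram like the graph. Rows with an unknown registration date, or with a listing date earlier than the registration date (bad whois data), are excluded rather than silently counted.

```python
from collections import Counter
from datetime import date

# Constructed sample: (registration date, blocklist date), ISO-8601 strings.
# Illustrative only; None stands in for a domain whose whois lookup gave no
# creation date.
SAMPLE = [
    ("2015-04-20", "2015-04-20"),  # listed the same day it was registered
    ("2015-04-21", "2015-04-21"),
    ("2015-04-22", "2015-04-23"),  # listed the next day
    ("2015-04-22", "2015-04-23"),
    ("2015-04-25", "2015-04-26"),
    ("2015-04-24", "2015-04-26"),  # 2 days
    ("2015-04-20", "2015-04-25"),  # 5 days
    ("2015-04-10", "2015-04-22"),  # 12 days
    ("2015-04-01", "2015-04-26"),  # 25 days
    ("2015-02-27", "2015-04-28"),  # 60 days: an older domain finally listed
    (None, "2015-04-27"),          # unknown registration date: excluded
]

# Buckets for the histogram: (label, lowest delay, highest delay or None).
BUCKETS = [
    ("same day", 0, 0),
    ("next day", 1, 1),
    ("2-10 days", 2, 10),
    ("11-30 days", 11, 30),
    ("over 30 days", 31, None),
]


def delay_days(registered, listed):
    """Whole days from registration to blocklisting, or None if unusable."""
    if registered is None:
        return None
    d = (date.fromisoformat(listed) - date.fromisoformat(registered)).days
    # A negative delay means the whois creation date is wrong; drop the row.
    return d if d >= 0 else None


def delays(pairs):
    """Usable delays only; rows with unknown or inconsistent dates are skipped."""
    return [d for d in (delay_days(r, l) for r, l in pairs) if d is not None]


def fraction_within(pairs, max_days):
    """Share of usable domains listed no more than max_days after registration."""
    ds = delays(pairs)
    return sum(1 for d in ds if d <= max_days) / len(ds)


def bucket_counts(pairs):
    """Histogram of delays using the BUCKETS ranges, as {label: count}."""
    counts = Counter()
    for d in delays(pairs):
        for label, lo, hi in BUCKETS:
            if d >= lo and (hi is None or d <= hi):
                counts[label] += 1
                break
    return dict(counts)


if __name__ == "__main__":
    for days in (1, 10, 30):
        print(f"listed within {days:2d} day(s): {fraction_within(SAMPLE, days):.0%}")
    for label, n in bucket_counts(SAMPLE).items():
        print(f"{label:>12}: {n}")
```

On real data the input would be the rows scraped from the public page rather than the constructed list; the thresholds in the loop are the same 1, 10 and 30 days the article reports.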

Farsight Security’s Newly Observed Domain (NOD(tm)) Product

Let’s now talk a little about Farsight Security’s actual NOD(tm) product. NOD is generated from Security Information Exchange (SIE) Channel 212. Channel 212 contains newly active base domain names: domain names that have NEVER been seen by a Farsight sensor node since DNSDB started in June 2010. Channel 212 has a volume of roughly 50,000 domains/day.

The 50,000 domains/day on channel 212 is quite a tractable number of domains, and if anything, may actually seem like a surprisingly small number. However, consider that over the last five years, Farsight has already seen most domains that are in use. The remaining ~50,000 domains/day represent either genuinely brand new domains (not surprising, given the creation of many new gTLDs recently by ICANN), or domains that have been around for a while, but which have somehow managed to elude Farsight’s 450+ Passive DNS sensor nodes till now.

NOD data products are derived from channel 212, and are normally distributed to subscribers either via rsync on a minute-by-minute basis (used for blocking email in conjunction with rbldnsd), or via incremental zone transfers (IXFR) for use in temporarily blocking all network access to the new domains via BIND.

Farsight Security’s Newly Observed Domains Focuses on The First 24 Hours Of Actual Usage

One point that sometimes confuses people when they hear about NOD is the short duration of time it focuses on. Can blocking domains for just a day or less really make a difference? Yes! To understand why, remember:

  • Obviously, there’s no particular need to worry about a domain name before it’s actually in use.
  • After 24 hours (or even less), any aggressively-misused domain name will have become so widely and persistently blocklisted (based on its actually-observed misuse) as to be effectively unusable forever. It’s the brief day-long-or-less period “in-between”, while people are figuring out what’s up, when NOD delivers critical “bridge” protection for its subscribers.

Subscribers using NOD get to decide if they want to block/ignore new domains for periods ranging from five minutes to 24 hours, as represented by coded values incorporated in the rbldnsd-format and RPZ-format files:

  • 127.0.0.2 0-5 minutes
  • 127.0.0.3 5-10 minutes
  • 127.0.0.4 10-30 minutes
  • 127.0.0.5 30-60 minutes
  • 127.0.0.6 1-3 hours
  • 127.0.0.7 3-12 hours
  • 127.0.0.8 12-24 hours
  • NXDOMAIN domain name not in the NOD database

Exact domain observation time data is also available, for those who may want to use a custom time interval.
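To make the coded values concrete, here is an added Python example (not Farsight’s code, and not a client for the actual NOD feed) that models the subscriber side of the scheme: it maps a domain’s first-observed time to the 127.0.0.x code listed above, and then applies a subscriber’s chosen waiting period (“patience”) to decide whether traffic to that domain should be deferred. Treating each range as a half-open interval [lower, upper) is an assumption, since the article gives only the ranges. The first-observed timestamps and domain names are constructed stand-ins for a lookup table; a real deployment would get the code from the rbldnsd or RPZ answer instead. The decision logic is deliberately conservative: because the code only reveals an age bucket, a bucket that starts below the patience threshold is treated as “possibly too young” and deferred, while the exact-time variant at the end shows the custom-interval case the article mentions.

```python
from datetime import datetime, timedelta, timezone

# Age buckets from the article as (code, lower bound, upper bound).
# Assumption: each bucket is [lower, upper); the article lists only the ranges.
NOD_CODES = [
    ("127.0.0.2", timedelta(0),          timedelta(minutes=5)),
    ("127.0.0.3", timedelta(minutes=5),  timedelta(minutes=10)),
    ("127.0.0.4", timedelta(minutes=10), timedelta(minutes=30)),
    ("127.0.0.5", timedelta(minutes=30), timedelta(hours=1)),
    ("127.0.0.6", timedelta(hours=1),    timedelta(hours=3)),
    ("127.0.0.7", timedelta(hours=3),    timedelta(hours=12)),
    ("127.0.0.8", timedelta(hours=12),   timedelta(hours=24)),
]


def nod_code(first_seen, now):
    """Coded value a lookup would return for a domain first observed at
    first_seen; None stands for NXDOMAIN (never observed, or older than 24h)."""
    if first_seen is None:
        return None
    age = now - first_seen
    if age < timedelta(0):
        # An observation in the future points at clock skew; refuse to guess.
        raise ValueError("observation time lies in the future; check clock sync")
    for code, lower, upper in NOD_CODES:
        if lower <= age < upper:
            return code
    return None


def should_defer(code, patience):
    """Subscriber policy: defer while the domain may be younger than patience.
    NXDOMAIN (None) means the domain is not new, so never deferred."""
    if code is None:
        return False
    for c, lower, _upper in NOD_CODES:
        if c == code:
            return lower < patience
    raise ValueError(f"unknown NOD code {code}")


def should_defer_exact(first_seen, now, patience):
    """Same decision using the exact observation time (custom intervals)."""
    return first_seen is not None and (now - first_seen) < patience


# Constructed lookup table of first-observed times; hypothetical names.
NOW = datetime(2015, 5, 29, 12, 0, tzinfo=timezone.utc)
OBSERVED = {
    "fresh-example.test": NOW - timedelta(minutes=7),
    "morning-example.test": NOW - timedelta(hours=2),
    "yesterday-example.test": NOW - timedelta(hours=20),
    "old-example.test": NOW - timedelta(days=3),
}


def check_domain(domain, patience, now=NOW, table=OBSERVED):
    """Return (code, decision) for a domain under a subscriber's patience."""
    code = nod_code(table.get(domain), now)
    return code, ("defer" if should_defer(code, patience) else "allow")


if __name__ == "__main__":
    for patience in (timedelta(hours=3), timedelta(hours=24)):
        print(f"patience = {patience}")
        for name in list(OBSERVED) + ["never-seen.test"]:
            code, decision = check_domain(name, patience)
            print(f"  {name:24} {code or 'NXDOMAIN':10} {decision}")
```

Running the script shows that with a three-hour patience the domain seen 20 hours ago is allowed (its bucket starts at 12 hours), whereas with a 24-hour patience it is deferred, and a domain older than a day or never observed is always allowed; that is the “bridge” window the article describes.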

Getting More Information About NOD

For more information about subscribing to NOD, please contact the Farsight Security Sales department at [email protected], or see https://www.farsightsecurity.com/solutions/threat-intelligence-team/newly-observed-domains/

Joe St Sauver, Ph.D. is a Distributed System Scientist for Farsight Security, Inc.