Introduction
One of the areas that Farsight Security, Inc., (FSI) has chosen to focus on is newly observed domain names. You might wonder, “Sheesh, why anyone would bother paying attention to new domain names? People create new domain names all the time, right?” It’s true. Anyone can create new domain names — you may even have purchased some of your own. However, as we’ll see, most new domains aren’t created by well-meaning people. As FSI’s own CEO, Dr. Paul Vixie observed in his 2013 CircleID article, “Taking Back the DNS:”
Most new domain names are malicious.
I am stunned by the simplicity and truth of that observation. Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators. The DNS industry has a lot of highly capable and competitive registrars and registries who have made it possible to reserve or create a new name in just seconds, and to create millions of them per day. Domains are cheap, domains are plentiful, and as a result most of them are dreck or worse.
The Value Proposition Behind Tracking New Domain Names
If most newly created domain names are “dreck or worse,” why track them? Well, if you could quickly and reliably tell that a domain name you’re seeing is new, you might simply decide to wait a bit before accepting traffic from a server using that new name.
Waiting a few hours (or even a whole day) before talking to a new domain is of little consequence if that domain is legitimate, but waiting a day (or even just a few hours) can make a huge difference when it comes to dealing with a domain that’s malicious. To understand why, remember that the bad guys count on being able to quickly create a new domain, immediately begin to misuse/abuse it, and then repeat the process as needed. This approach lets at least some bad guys stay one step ahead of the good guys, routinely hopping from one new malicious domain to another one. If you temporarily block access to their new domains, you can automatically avoid a lot of risk with very little in the way of collateral damage.
Why Are The Bad Guys In Such A Continual Hurry? Why Do They Constantly Need New Domain Names?
Cyber security is often framed as a “race” between the attackers and the defenders, with the bad guys trying to do their deviltry before the good guys can react. This tends to be particularly true for domain names. This is because:
The domain name may have been purchased using a stolen credit card. Because investigators routinely “follow the money” to learn the identity of a cyber criminal, bad guys normally won’t buy domain names using their own credit cards (bad guys understand that it would be easy to go from a bad domain name, to the credit card used to purchase it, to the card holder’s real world identity), preferring to use someone else’s (stolen) credit card, instead. Of course, once that stolen credit card gets detected, any domain name purchased with that card will quickly get suspended by their registrar.
The domain name may have bogus whois data, including an invalid email address. Investigators will also routinely investigate the point of contact information provided when registering a domain. Cyber criminals know that. Knowing that, they’re normally not dumb enough to register malicious domains with their own name and address information. On the other hand, if a cyber criminal proceeds to register a domain with fictitious contact information, and that’s discovered, the registrar must suspend the domain name. This means that using bogus domain name point of contact information is yet another factor driving constantly changing cyber criminal domain name usage.
Anti-spam/anti-phishing companies may also be hot on the abuser’s trail. If blocklisting organizations can identify a domain that’s being abused, they’ll quickly block list it. The most heavily abused domains are often the top priority for blocking. Using multiple domain names may help keep an single spamvertised domain name from looking too prominent (e.g., by spreading the traffic load across many domains and thereby helping the spammer to try to “fly under the radar”); when those domains end up blocked nonetheless, still more domains are required.
Law enforcement officers may have opened a case. Criminals may have the mistaken belief that by simply shuffling their misbehavior over to a new domain name, an ongoing investigation can be derailed, or at least substantially complicated.
All of these factors and more drive a typical miscreant to go through domain names the way most of us might eat bridge mix. Let’s look at data publicly shared by Mr. Joe Wein, a leading anti-spammer, to see a concrete example of this phenomena.
Joe Wein’s Domain Blocklist Entries
Joe Wein is the creator of the Microsoft Windows(tm) anti-spam package jwSpamSpy and a major contributor of domain data to the popular and widely-trusted SURBL domain blocklist. Unlike many other anti-spammers, Mr. Wein offers a public web page with a list of domains that he’s recently blocklisted, complete with details about the date when those domains were registered, and the dates when those domains were blocklisted by him. He had 41,071 domains on that page when we recently retrieved it, representing domains blocklisted by him over the last 30 days. With that data, we can see the time that passed between those domains getting registered, and those domains getting blocklisted by Mr. Wein. If a domain was registered by a spammer and then blocklisted by Mr. Wein on the same day, the delay would be zero days. If a spammer registered a domain one day, and that domain was blocklisted by Mr. Wein the next day, the delay would be one day, and so forth. We can see the distribution of delays for Joe Wein’s data in the following graph.
As noted in the boxed area of the graph, when we look at domains blocked by Mr. Wein during this period, half were listed by him on either the same day they were registered, or on the very next day. 83% of the domains that Mr. Wein listed were listed within ten days of registration, and more than 91% were listed within 30 days of their date of registration. We can thus see that the usable life of spam-related domain names is very brief.
The brevity of that interval (e.g., over half of all the domains listed by Mr. Wein were listed the day of registration, or by the day thereafter) is particularly amazing when you consider that that delay includes both any spammer-induced delays, AND the time it takes Mr. Wein (or more accurately, his spam domain identification programs) to notice that a domain is being abused and should be listed.
Given that over half of all the data points in this data set represent delays of one day or less, ideally we’d like to be able to calculate more fine-grained measurements, perhaps measuring the time from registration to blocking in hours, minutes and seconds rather than days. Unfortunately, Mr. Wein currently only lists dates.
Farsight Security’s Newly Observed Domain (NOD(tm)) Product
Let’s now talk a little about Farsight Security’s actual NOD(tm) product. NOD is generated from Security Information Exchange (SIE) Channel 212. Channel 212 contains newly active base domain names (these are domain names that have NEVER been seen by a Farsight sensor node (since DNSDB started in June 2010)). Channel 212 has a volume of roughly 50,000 domains/day.
The 50,000 domains/day on channel 212 is quite a tractable number of domains, and if anything, may actually seem like a surprisingly small number. However, consider that over the last five years, Farsight has already seen most domains that are in use. The remaining ~50,000 domains/day represent either genuinely brand new domains (not surprising, given the creation of many new gTLDs recently by ICANN), or domains that have been around for a while, but which have somehow managed to elude Farsight’s 450+ Passive DNS sensors nodes till now.
NOD data products are derived from channel 212, and are normally distributed to subscribers either via rsync on a minute-by-minute basis (used for blocking email in conjunction with rbldnsd), or via incremental zone transfers (IXFR) for use in temporarily blocking all network access to the new domains via BIND.
Farsight Security’s Newly Observed Domains Focuses on The First 24 Hours Of Actual Usage
One point that sometimes confuses people when they hear about NOD is the short duration of time it focuses on. Can blocking domains for just a day or less really make a difference? Yes! To understand why, remember:
- Obviously, there’s no particular need to worry about a domain name before it’s actually in use.
- After 24 hours (or even less), any aggressively-misused domain name will have become so widely and persistently blocklisted (based on its actually-observed misuse) as to be effectively unusable forever. It’s the brief day-long-or-less period “in-between” while people are figuring out what’s up when NOD delivers critical “bridge” protection for its subscribers.
Subscribers using NOD get to decide if they want to block/ignore new domains for periods ranging from five minutes to 24 hours, as represented by coded values incorporated in the rbldnsd-format and RPZ-format files:
- 127.0.0.2 0-5 minutes
- 127.0.0.3 5-10 minutes
- 127.0.0.4 10-30 minutes
- 127.0.0.5 30-60 minutes
- 127.0.0.6 1-3 hours
- 127.0.0.7 3-12 hours
- 127.0.0.8 12-24 hours
- NXDOMAIN domain name not in the NOD database
Exact domain observation time data is also available, for those who may want to use a custom time interval.
Getting More Information About NOD
For more information about subscribing to NOD, please contact the Farsight Security Sales department at [email protected], or see https://www.farsightsecurity.com/solutions/threat-intelligence-team/newly-observed-domains/
Joe St Sauver, Ph.D. is a Distributed System Scientist for Farsight Security, Inc.
