Junk Domains: It's What's For Dinner
Dr. Paul Vixie, CEO, Farsight Security

Agenda
- Domain Name Churn
- Anatomy of a Junk Domain
- Reducing Junk Domain Risk
- Conclusion
Domain Name Churn
"IP packets, IP addresses and BGP routes underlay everything. The most important overlay layer is DNS."
[Diagram: layered stack with IP packets, IP addresses and BGP routes at the bottom, DNS above them, and Web, Email, etc. on top]
The Domain Name Evolution
Domain Names Are Also Important to Criminals
Cybercriminals aren't interested in long-lived domain names. For criminals, domains are free (or cheap) and short-lived assets.
- "Honest" bad guys? ~$1/name is just a "cost of doing business," too inconsequential to mention.
- Other bad guys use stolen cards to get domains. Use those names until the card is reported; lather/rinse/repeat.
- Many intentionally free domain / free subdomain / free domain name redirection services are out there...

Free... And Liable to Being Abused As A Result
- Domains: .cf, .ga, .gq, .ml, .tk
- Subdomains: .eu.nu, .web.gg, us.nf, int.nf, tv.gg, co.gp, online.gp, asia.gp, biz.uz, pro.vg, name.vu, info.nu, edu.ms, mobi.ps, .co.nr, or tens of thousands of other domain names offering subdomains to those interested (see http://freedns.afraid.org/domain/registry/ )
- URL Redirector Services: one list of hundreds of URL shorteners and redirectors: http://longurl.org/services
These free domains/services aren't meant to be abused and their operators try to police them, but criminals are relentless.

Why Criminals Need New Domain Names
- Domain intelligence services are very efficient, listing misused or abused domains very quickly (often within just minutes).
- Domains, once listed, are worthless or become liabilities: any content using a listed domain is "dead on arrival" due to domain-based block lists (SURBL, Spamhaus DBL, etc.).
- Domain names may even act as a connection back to the cybercriminal (WHOIS POC info, credit card info, etc.).
- Blocklists make life very unpleasant for cybercriminals.

No One Needs to Immediately Use a New Domain (Except Cybercriminals)
- Cybercriminals get new domains, abuse them and then abandon them, all within minutes.
- While the good guys are still figuring out what they're seeing, the bad guys are making a "lightning strike": in, out, gone.
- The trick is to "help" these cybercriminals slow down a little. What's the rush? No honest person, no legitimate domain, is in that big of a hurry...
Anatomy of a Junk Domain
Peeling Back The Junk Domain Onion
Sample Hostnames On IP 158.69.56.6
That's A LOT of Domains
Using passive DNS (to see what other domains are seen on the same IP) allows us to find other apparently related domains. Before action is taken against ANY domain, it should be visited and documented as actually offering problematic products (to avoid malware, visit from a disposable VM). Beware of collateral damage: don't assume that a site with a domain name that appears to be infringing actually is; CONFIRM IT. Some may not be what they seem; others may already be down. Many, however, may be exactly what you expect.
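The passive DNS pivot described above (IP to co-hosted names, then from those names to any other IPs they have used), written as an added example rather than code from the talk or from Farsight. The records, IPs and dates are constructed for illustration; the stale-record cutoff is an assumed heuristic for dropping names that are probably already down, and a real query would go to a passive DNS service instead of this in-memory list.

```python
from datetime import datetime, timedelta

# Constructed passive DNS observations (not real data): (rrname, A rdata, first_seen, last_seen).
PDNS_RECORDS = [
    ("www.ab86st.eu.",          "158.69.56.6", "2017-03-01", "2017-03-20"),
    ("www.autodebt.faith.",     "158.69.56.6", "2017-03-02", "2017-03-21"),
    ("www.bestdison.download.", "158.69.56.6", "2016-10-01", "2016-10-05"),  # stale: likely down
    ("www.bioticure.bid.",      "158.69.56.6", "2017-03-01", "2017-03-04"),  # then moved IP
    ("www.bioticure.bid.",      "203.0.113.9", "2017-03-05", "2017-03-22"),
    ("www.clearligt.faith.",    "203.0.113.9", "2017-03-06", "2017-03-22"),
    ("shared-host.example.",    "158.69.56.6", "2015-01-01", "2017-03-22"),  # long-lived, may be legit
]


def _d(s):
    return datetime.strptime(s, "%Y-%m-%d")


def domains_on_ip(records, ip, as_of, max_stale_days=30):
    """Names seen resolving to `ip`, excluding records whose last sighting is more than
    max_stale_days before `as_of` (those sites may already be gone; confirm before acting)."""
    cutoff = _d(as_of) - timedelta(days=max_stale_days)
    return sorted({r[0] for r in records if r[1] == ip and _d(r[3]) >= cutoff})


def pivot(records, seed_ip, as_of, depth=2):
    """Peel the onion: seed IP -> names on it -> every IP those names used -> names on those IPs."""
    ips, names = {seed_ip}, set()
    for _ in range(depth):
        for ip in list(ips):
            names.update(domains_on_ip(records, ip, as_of))
        ips |= {r[1] for r in records if r[0] in names}
    return sorted(names), sorted(ips)


def lifetime_days(records, name):
    """Days between first and last sighting of a name; junk names tend to be short-lived."""
    obs = [r for r in records if r[0] == name]
    return (max(_d(r[3]) for r in obs) - min(_d(r[2]) for r in obs)).days
```

Long-lived names that share the IP (here the constructed shared-host.example.) are exactly the collateral-damage case the slide warns about, so the lifetime is a triage signal, not a verdict.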
Reducing Junk Domain Risk
Temporarily Defer The Resolution of ALL Newly Observed Domains
Temporarily deferring resolution of ALL newly observed domains is a simple strategy, but surprisingly effective. By ignoring new domains for a specific period of time, you'll frustrate cybercriminals' "no-huddle offense." With this approach, domain reputation companies have more time to review new domains and block those found to be bad.

What Is A "Newly Observed Domain?"
Domains are "new" if they haven't been seen in use on the network; it isn't a function of when a domain was registered. Newly detected domain information is exceedingly time sensitive: it needs to be published in real time (or near real time) to block resolution. This implies a need for a low-latency real-time (stream) computing approach rather than an asynchronous (batch) computing paradigm.

Risk Mitigating Actions: Implementation
- Response Policy Zones (RPZ)
- Firewall ACL
- Domain white-listing for sensitive networks
- Require outbound proxy with filtering lists

Risk Mitigating Actions: Data Sources
Data sources (sources for what you might want to block):
- NOD
- Open source intelligence: look at the list of resources at https://inteltechniques.com/links.html under Domain Names
- Geolocation (e.g. maxmind.com): maybe you don't want to exchange ANY traffic with Belarus
- Site reputation scoring is also available from a variety of vendors such as Senderbase, My Web of Trust, etc.
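The "newly observed domain" deferral from the slides above, combined with the RPZ implementation option, as an added example (not Farsight's NOD feed or its code). It keeps a streaming first-seen table keyed by domain: a name is "new" the first time it appears in the query stream, regardless of registration date, and is answered NXDOMAIN via RPZ until an assumed 24-hour window has elapsed. The query stream, timestamps, zone origin and the two-label domain collapsing are all assumptions; a real deployment would use the public suffix list and a resolver's RPZ loading mechanism.

```python
from datetime import datetime, timedelta

DEFER_WINDOW = timedelta(hours=24)  # assumption: how long a first-seen domain stays deferred

# Constructed query stream: (timestamp, qname). example.com is pre-seeded as long known.
SAMPLE_QUERIES = [
    ("2017-03-22T10:00:00", "www.example.com"),
    ("2017-03-22T10:00:05", "www.bioticure.bid"),   # first sighting on our network -> defer
    ("2017-03-22T10:30:00", "cdn.bioticure.bid"),   # same registered domain, still deferred
    ("2017-03-22T12:00:00", "www.example.com"),
    ("2017-03-23T10:30:00", "www.bioticure.bid"),   # window elapsed -> resolve normally
]


class NewlyObservedDomains:
    """Stream-style first-seen tracker; 'new' means unseen on the wire, not recently registered."""

    def __init__(self, baseline=None, window=DEFER_WINDOW):
        self.first_seen = dict(baseline or {})  # domain -> datetime of first sighting
        self.window = window

    @staticmethod
    def registered_domain(qname):
        # Assumption: last two labels; use a public-suffix list in production (co.uk etc.).
        return ".".join(qname.rstrip(".").lower().split(".")[-2:])

    def observe(self, qname, ts):
        """Record the sighting and return 'defer' while inside the window, else 'resolve'."""
        dom = self.registered_domain(qname)
        first = self.first_seen.setdefault(dom, ts)
        return "defer" if ts - first < self.window else "resolve"

    def rpz_zone(self, now, origin="nod.rpz.example"):
        """Minimal RPZ zone: 'CNAME .' forces NXDOMAIN for each still-deferred domain."""
        lines = [f"$ORIGIN {origin}.", f"$TTL 300",
                 "@ IN SOA localhost. hostmaster.localhost. 1 3600 900 604800 300",
                 "@ IN NS localhost."]
        for dom, first in sorted(self.first_seen.items()):
            if now - first < self.window:
                lines += [f"{dom} CNAME .", f"*.{dom} CNAME ."]
        return lines


def run_sample():
    tracker = NewlyObservedDomains(baseline={"example.com": datetime(2015, 1, 1)})
    decisions = [tracker.observe(q, datetime.fromisoformat(ts)) for ts, q in SAMPLE_QUERIES]
    return decisions, tracker
```

Because the zone is regenerated from the live first-seen table, it must be republished continuously (the real-time requirement on the slide), not on a nightly batch schedule.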
Final Words About Combating Junk Domains
- Block TLDs coarsely, but keep in mind that it is not as easy as it appears: dot-com domains are by far and away the #1 most-abused domains.
- Block more finely (reputation services or tools like NOD or NOH).

Conclusion
- The Domain Name System (DNS) is the foundation for our online world.
- The junk domain name industry is thriving, driven by cheap prices, skyrocketing cybercrime and other online fraud.
- A cyber investigation beginning with a domain name and IP address can take you down a long, convoluted path.
- With the appropriate risk mitigation tools and methods, you can reduce junk domain name risk to your organization.