By Joe St Sauver, Distinguished Scientist/Director of Research for Farsight Security, Inc.
One of the areas that Farsight Security, Inc. (FSI) has chosen to focus on is newly observed domain names. You might wonder, "Sheesh, why would anyone bother paying attention to new domain names? People create new domain names all the time, right?" It's true. Anyone can create new domain names – you may even have purchased some of your own. However, as we'll see, most new domains aren't created by well-meaning people. As FSI's own CEO, Dr. Paul Vixie, observed in his CircleID article "Taking Back the DNS":
"Most new domain names are malicious.
I am stunned by the simplicity and truth of that observation. Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators. The DNS industry has a lot of highly capable and competitive registrars and registries who have made it possible to reserve or create a new name in just seconds, and to create millions of them per day. Domains are cheap, domains are plentiful, and as a result most of them are dreck or worse."
If most newly created domain names are "dreck or worse," why track them? Well, if you could quickly and reliably tell that a domain name you're seeing is new, you might simply decide to wait a bit before accepting traffic from a server using that new name.
Waiting a few hours (or even a whole day) before talking to a new domain is of little consequence if that domain is legitimate, but waiting a day (or even just a few hours) can make a huge difference when it comes to dealing with a domain that's malicious. To understand why, remember that the bad guys count on being able to quickly create a new domain, immediately begin to misuse/abuse it, and then repeat the process as needed. This approach lets at least some bad guys stay one step ahead of the good guys, routinely hopping from one new malicious domain to another one. If you temporarily block access to their new domains, you can automatically avoid a lot of risk with very little in the way of collateral damage.
Cyber security is often framed as a "race" between the attackers and the defenders, with the bad guys trying to do their deviltry before the good guys can react. This tends to be particularly true for domain names. This is because:
All of these factors and more drive a typical miscreant to go through domain names the way most of us might eat bridge mix. Let's look at data publicly shared by Mr. Joe Wein, a leading anti-spammer, to see a concrete example of this phenomenon.
Joe Wein is the creator of the Microsoft Windows™ anti-spam package jwSpamSpy and a major contributor of domain data to the popular and widely-trusted SURBL domain blocklist. Unlike many other anti-spammers, Mr. Wein offers a public web page with a list of domains that he's recently blocklisted, complete with details about the date when those domains were registered, and the dates when those domains were blocklisted by him. He had 41,071 domains on that page when we recently retrieved it, representing domains blocklisted by him over the last 30 days. With that data, we can see the time that passed between those domains getting registered, and those domains getting blocklisted by Mr. Wein. If a domain was registered by a spammer and then blocklisted by Mr. Wein on the same day, the delay would be zero days. If a spammer registered a domain one day, and that domain was blocklisted by Mr. Wein the next day, the delay would be one day, and so forth. We can see the distribution of delays for Joe Wein's data in the following graph.
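The registration-to-blocklist delay described above can be computed from any list of "domain, registered, blocklisted" records. The following is an added example, not code from Farsight or from Mr. Wein; the sample records and the three-column line format are constructed for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample, one record per line: "domain registered blocklisted"
# (ISO dates). Made-up domains and dates, not Mr. Wein's actual data.
SAMPLE = """\
example-a.test 2015-03-01 2015-03-01
example-b.test 2015-03-01 2015-03-02
example-c.test 2015-02-27 2015-03-01
example-d.test 2015-03-02 2015-03-02
example-e.test 2015-02-10 2015-03-03
bad-line-here
"""

def parse_records(text):
    """Yield (domain, registered, blocklisted) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # tolerate junk lines, as a scraped page would contain
        domain, reg, bl = parts
        try:
            yield domain, date.fromisoformat(reg), date.fromisoformat(bl)
        except ValueError:
            continue  # unparseable date: skip rather than abort the whole run

def delay_distribution(text):
    """Return a Counter mapping delay-in-days -> number of domains.
    Delay is blocklist date minus registration date (0 = same day)."""
    dist = Counter()
    for _, reg, bl in parse_records(text):
        delay = (bl - reg).days
        if delay < 0:
            continue  # blocklisted before registration: data error, skip
        dist[delay] += 1
    return dist

def share_within(dist, max_days):
    """Fraction of domains blocklisted within max_days of registration."""
    total = sum(dist.values())
    if total == 0:
        return 0.0
    return sum(n for d, n in dist.items() if d <= max_days) / total

if __name__ == "__main__":
    dist = delay_distribution(SAMPLE)
    for days in sorted(dist):
        print(f"{days:3d} day(s): {'#' * dist[days]} ({dist[days]})")
    print(f"blocklisted within 1 day: {share_within(dist, 1):.0%}")
```

On the constructed sample, three of the five domains are blocklisted within a day of registration; the same histogram over the real 41,071-record page is what the graph the text refers to shows.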
Let's now talk a little about Farsight Security's actual NOD product. NOD is generated from Security Information Exchange (SIE) Channel 212. Channel 212 contains newly active base domain names, meaning domain names that have never been seen by any Farsight sensor node since DNSDB started in June 2010. Channel 212 has a volume of roughly 50,000 domains/day.
The 50,000 domains/day on channel 212 is quite a tractable number of domains, and if anything, may actually seem like a surprisingly small number. However, consider that over the last five years, Farsight has already seen most domains that are in use. The remaining ~50,000 domains/day represent either genuinely brand new domains (not surprising, given the creation of many new gTLDs recently by ICANN), or domains that have been around for a while, but which have somehow managed to elude Farsight's 450+ Passive DNS sensor nodes until now.
NOD data products are derived from channel 212, and are normally distributed to subscribers either via rsync on a minute-by-minute basis (used for blocking email in conjunction with rbldnsd), or via incremental zone transfers (IXFR) for use in temporarily blocking all network access to the new domains via BIND.
One point that sometimes confuses people when they hear about NOD is the short duration of time it focuses on. Can blocking domains for just a day or less really make a difference? Yes! To understand why, remember:
Subscribers using NOD get to decide if they want to block/ignore new domains for periods ranging from five minutes to 24 hours, as represented by coded values incorporated in the rbldnsd-format and RPZ-format files:
Exact domain observation time data is also available, for those who may want to use a custom time interval.
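To make the "block for a configurable window after first observation" idea concrete, here is an added example of the decision logic a resolver-side filter applies; it is not Farsight's code and does not reproduce the coded values in the NOD files. The observation feed is constructed, the two-label base_domain() reduction is a simplification, and the RPZ lines use the standard "CNAME ." NXDOMAIN action.

```python
from datetime import datetime, timedelta

# Constructed observation feed standing in for a NOD-style stream:
# (first-observed UTC timestamp, base domain). Domains are made up.
FEED = [
    ("2015-06-01T12:00:00", "fresh-one.test"),
    ("2015-06-01T12:07:00", "fresh-two.test"),
    ("2015-06-01T12:07:30", "fresh-one.test"),  # repeat sighting: must not reset first-seen
    ("2015-05-31T09:00:00", "older.test"),
]

# Subscriber-selectable windows spanning the five-minute to 24-hour range the
# feed offers (the coded values in the real files are not reproduced here).
WINDOWS = {"5m": timedelta(minutes=5), "1h": timedelta(hours=1), "24h": timedelta(hours=24)}

def build_first_seen(feed):
    """Map base domain -> earliest observation; later sightings never reset it."""
    first_seen = {}
    for ts, domain in feed:
        t = datetime.fromisoformat(ts)
        d = domain.lower().rstrip(".")
        if d not in first_seen or t < first_seen[d]:
            first_seen[d] = t
    return first_seen

def base_domain(qname):
    """Reduce a query name to its last two labels. Assumption: a real
    deployment would use the public suffix list to find the registrable base."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def should_block(qname, now, first_seen, window):
    """True if the query's base domain was first observed less than `window`
    ago. Names absent from the feed are allowed: NOD only lists domains that
    Farsight's sensors have actually observed."""
    d = base_domain(qname)
    if d not in first_seen:
        return False
    return now - first_seen[d] < window  # a future timestamp (clock skew) still counts as brand new

def rpz_records(first_seen, now, window):
    """RPZ zone lines for every domain still inside the window. 'CNAME .' is
    the RPZ action that answers NXDOMAIN; the wildcard covers subdomains."""
    lines = []
    for d in sorted(first_seen):
        if now - first_seen[d] < window:
            lines.append(f"{d} CNAME .")
            lines.append(f"*.{d} CNAME .")
    return lines
```

Calling rpz_records() on each refresh and serving the result as a policy zone is the same shape as the IXFR-fed BIND deployment the text describes; a domain drops out of the zone automatically once its age exceeds the chosen window.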
For more information about subscribing to NOD, visit our NOD Solutions page.