What's the Big Deal about New Domains?

The Value Proposition Behind Tracking New Domain Names

If most newly created domain names are "dreck or worse," why track them? Well, if you could quickly and reliably tell that a domain name you're seeing is new, you might simply decide to wait a bit before accepting traffic from a server using that new name.

Waiting a few hours (or even a whole day) before talking to a new domain is of little consequence if that domain is legitimate, but waiting a day (or even just a few hours) can make a huge difference when it comes to dealing with a domain that's malicious. To understand why, remember that the bad guys count on being able to quickly create a new domain, immediately begin to misuse/abuse it, and then repeat the process as needed. This approach lets at least some bad guys stay one step ahead of the good guys, routinely hopping from one new malicious domain to another one. If you temporarily block access to their new domains, you can automatically avoid a lot of risk with very little in the way of collateral damage.

Why are the Bad Guys in Such a Continual Hurry? Why Do They Constantly Need New Domain Names?

Cyber security is often framed as a "race" between the attackers and the defenders, with the bad guys trying to do their deviltry before the good guys can react. This tends to be particularly true for domain names. This is because:

1. The domain name may have been purchased using a stolen credit card. Because investigators routinely "follow the money" to learn the identity of a cybercriminal, bad guys normally won't buy domain names using their own credit cards (bad guys understand that it would be easy to go from a bad domain name, to the credit card used to purchase it, to the card holder's real world identity), preferring to use someone else's (stolen) credit card, instead. Of course, once that stolen credit card gets detected, any domain name purchased with that card will quickly get suspended by their registrar.
2. The domain name may have bogus whois data, including an invalid email address. Investigators will also routinely investigate the point of contact information provided when registering a domain. Cybercriminals know that. Knowing that, they're normally not dumb enough to register malicious domains with their own name and address information. On the other hand, if a cybercriminal proceeds to register a domain with fictitious contact information, and that's discovered, the registrar must suspend the domain name. This means that using bogus domain name point of contact information is yet another factor driving constantly changing cybercriminal domain name usage.
3. Anti-spam/anti-phishing companies may also be hot on the abuser's trail. If blocklisting organizations can identify a domain that's being abused, they'll quickly block list it. The most heavily abused domains are often the top priority for blocking. Using multiple domain names may help keep an single spamvertised domain name from looking too prominent (e.g., by spreading the traffic load across many domains and thereby helping the spammer to try to "fly under the radar"); when those domains end up blocked nonetheless, still more domains are required.
4. Law enforcement officers may have opened a case. Criminals may have the mistaken belief that by simply shuffling their misbehavior over to a new domain name, an ongoing investigation can be derailed, or at least substantially complicated.

All of these factors and more drive a typical miscreant to go through domain names the way most of us might eat bridge mix. Let's look at data publicly shared by Mr. Joe Wein, a leading anti-spammer, to see a concrete example of this phenomena.

Farsight Security^® Newly Observed Domain (NOD) Product

Let's now talk a little about Farsight Security's actual NOD product. NOD is generated from Security Information Exchange (SIE) Channel 212. Channel 212 contains newly active base domain names (these are domain names that have NEVER been seen by a Farsight sensor node (since DNSDB started in June 2010)). Channel 212 has a volume of roughly 50,000 domains/day.

The 50,000 domains/day on channel 212 is quite a tractable number of domains, and if anything, may actually seem like a surprisingly small number. However, consider that over the last five years, Farsight has already seen most domains that are in use. The remaining ~50,000 domains/day represent either genuinely brand new domains (not surprising, given the creation of many new gTLDs recently by ICANN), or domains that have been around for a while, but which have somehow managed to elude Farsight's 450+ Passive DNS sensors nodes till now.

NOD data products are derived from channel 212, and are normally distributed to subscribers either via rsync on a minute-by-minute basis (used for blocking email in conjunction with rbldnsd), or via incremental zone transfers (IXFR) for use in temporarily blocking all network access to the new domains via BIND.