What is the average lifespan of malicious domains, and what are the typical causes of their deaths?
Those were some of the questions Paul Vixie was interested in answering. Vixie, CEO at Farsight Security and a Domain Name System (DNS) design pioneer, co-wrote a newly published research paper with Farsight colleague Pawel Foremski titled, “The Modality of Mortality in Domain Names” that explores the lifespans and causes of death for many new domains. Vixie presented the research last week during a session at Virus Bulletin 2018 in Montreal.
Farsight studied the first seven days of life of 23.8 million new domains issued under 936 top-level domains (TLDs) during a six month span. Vixie said the data revealed how quickly many of the new domains are suspended or killed and what the common causes of death are. But more importantly, he said, the study reveals the need for new policies that could potentially stop malicious domains before they ever go live. Here are excerpts from the conversation with Vixie.
Editor’s note: This interview has been edited for clarity and length.
What caused you to look into domain name death and lifespans?
Paul Vixie: We at Farsight have a fairly well-developed architecture for processing real-time data, and in particular we’re able to determine the novelty of something. In other words, is there any evidence it existed before now? We have this great feed where you see two to three new domains every second. And it’s hard to wrap your brain around whether that’s an appropriate ratio because we have 3 billion people using the internet now, and presumably a lot of them want domain names, so maybe that’s an accurate number. But maybe it’s not. Maybe this represents the allocation of domain names by questionable parties that don’t plan to behave cooperatively once they have the asset. Abuse is a big topic with DNS; you can’t get anything for good or evil without DNS. We were fascinated by that rate of domain creation, and we wanted to characterize it and figure out what conclusions we could draw.
Was the ratio a novelty then?
Vixie: If you go back a couple of years ago, about half of all new domain names came from a single country-code top-level domain (TLD). That was .tk for Tokelau, a small island off the coast of New Zealand. They did not really have a need for their own top-level domain — they didn’t even have much internet connectivity — so they rented it out to a commercial organization in the Netherlands. The owner of the organization did not have the public interest at heart; he was trying to maximize revenue at whatever cost. He had a way for people to buy domain names in bulk, which they did because they needed to buy cheap domain names for things like comment spam on forums and things like Amazon reviews; the places they wanted to spam were going to notice if the same domain name was trying to send comments again and again. They needed unique domain names for every comment.
And then he found an interesting way to drive business on the other side. He was getting a lot of complaints from businesses about the spam his customers were sending, so he said, ‘That’s fine. If you’re in the security industry, I’ll give you a free login to the takedown API and erase any .tk domain that you think has misbehaved. You don’t have to ask for my permission or even provide a reason.’ It was perfect for him because the more domains security professionals killed, the more demand he had from customers for new domains. It was really ugly. Eventually he faced more pressure from the security industry because a lot of security companies just started blocking all .tk domain names.
It became much easier to maintain a small list of domains in .tk that were good and blackhole the rest than it was to blacklist every single domain that was misused. But that’s gone now; the .tk domain no longer represents half of all newly created domain names. But domain names are still being created [at a high rate]; what I wanted to find out was, who are the big contributors to this problem now? And our theory going into the study was that the new generic TLDs — ICANN, which is supposed to be the regulator in this industry, is supposed to have some [rules] for the creation of these top-level domains.
But there are a lot of new generics out there, and my theory was that there were too many of them, they all thought they were going to make as much money as VeriSign does with .com, but they had business plans that were unrealistic and they increasingly chased the last dollar at the bottom of the barrel in terms of doing what the .tk owner did, which was sell the domains in bulk, so the companies could make payroll. And the research that we did bears that out.
What did the research show?
Paul VixieCEO, Farsight Security
Vixie: A lot of the new domain names that are created die quickly, either by being canceled by the person who registered them or by the registrar like GoDaddy or the gTLD registry that’s responsible for whatever dot-domain it is. There are three different ways a domain can be taken out of service — four if you count the name server operator because it’s possible the name server operator hosting the domain got a complaint and then had to take the domain down. There are also things like Spamhaus and other reputation providers; if they decide that your domain is used mostly for harm, then they will list you in their reputation service, which will remove the utility of the domain.
There are a bunch of causes of death for domains, and we wanted to characterize the main causes of domain name death. Ultimately, what we found was a lot of the domains that end up dead are killed within hours and even minutes after they are created. [The research paper states that 9.3% of new domains observed during the study effectively died in their first seven days, with a median lifespan of just over four hours.]
In the paper, you discuss how many of the new domains were malicious. What did you find there?
Vixie: The number of bad domains was lower than I expected. But I’m a cynic. I was looking at domains being created at three per second and thought, if we were creating value at that rate, then you’d see the evidence of that value.
Why were the nonmalicious domains you observed being killed? Were organizations just blacklisting some of the TLDs?
Vixie: I think a certain level of exhaustion sets in. If you complain about a domain, then that takes some effort. And if it gets taken down, then that’s a positive result. But that’s asymmetric; you spent more energy complaining about it than any benefit you received from the result, especially when you consider that the next act will be to rotate in a new, cheap domain name they have in their inventory.
The research shows domain blacklisting is the biggest cause of death. Are you seeing more blacklisting today than five years ago, and is it keeping up with the rate of domain creation?
Vixie: Yes, we’re seeing more blacklisting today. And I saw this coming — again, I’m a bit of cynic. In 2010 at my previous company, a nonprofit DNS research and operations company, we invented a language for DNS blacklisting (DNSBL). And we tried to get that language accepted as a standard so that no matter what name server you are operating, you’ll find a bunch of security providers who are capable of selling you a subscription to a policy feed that updates in real time. And it got a lot of traction because the industry that makes money creating new domain names is very well-represented within the ICANN organization, and anything that keeps them from selling more product is considered prior restraint or a lack of freedom; they want the rules of the road to be “more is better.” The further we get down the track with those people running the show, the more choices people who want to do malicious things will have. I’m thinking about making a T-shirt and giving it to the people I know who attend ICANN meetings that says, ‘We needed 1,900 new top-level domains because spammers didn’t have enough choices.’
What can be done about the problem of new malicious domains being created so quickly?
Vixie: There are structural things we can do, despite the immense influence the corporate constituency has, that can be snuck into the process. For example, the public comment period where, if a new domain is sold, it might go into a cooling off period for a few hours or maybe even a whole day. Even 10 minutes would be enough because if we could see that a domain has been allocated, we can see all the public information that’s associated with it — who registered it, what’s the name server associated with it — before it becomes live and determine whether or not the domain is part of a negative pattern and decide as a private right of action not to accept it. I’m not asking for a complaint process where while it’s in the public comment period, you can sort of try to defeat it before it goes live. I’m just asking to have a head start rather than watching a company sell the domain, it goes live, we watch for malicious use and then do the research after it’s live. And it cannot harm anyone because if your business model depends on being able to use a domain before anyone knows it exists, then you’re probably not part of the constituency that we want to serve.
We’ll see what comes of the research. I don’t have a silver bullet to offer — I have a suggestion, which I have put into the at-large advisory committee inside of ICANN. And they seem to be somewhat responsive to it, so we’ll see if they vote for it. I’m open to other alternatives — the public comment period doesn’t have to be what we do. But I’m hoping that we don’t continue to do nothing and pretend this isn’t a problem.