New research from Akamai Technologies Inc. found that around 20% of all new domain names registered, or some 79 million, were for malicious purposes in the first half of the year.
The research was based on queries through instances of Akamai CacheServer, which currently handle over 80 million DNS queries per second, or 7 trillion daily queries. An anonymized subset of the data was used for the analysis, with emphasis on newly observed domains (NODs). A NOD in this case is a domain name queried for the first time in the last 60 days.
On a typical day, the researchers observed around 12 million NODs in total, of which just over 2 million were successfully resolved. In the first six months of 2022, 79 million resolved domain names were reported as malicious.
NOD types vary, but many resemble names that would never be typed into a browser window: they are not human readable and appear to have been computer generated. The question posed is: why?
According to the researchers, malicious actors often register thousands of domain names en masse. They do this so if one or more of their domains gets flagged and blocked, they can just switch to any of the others they own. Domain names are usually created programmatically using a domain generation algorithm. This process is part of what makes these NODs dangerous, as they are a persistent means of attacking an organization.
Common threats that use the NOD technique include malware, ransomware attacks, cryptominers, typosquatting, botnets, and advanced persistent threats.
Over the years, Akamai’s systems have been designed to detect malicious NODs, with over 190 specific NOD detection rules in place. The system involves heuristic analysis and inputs such as the domain name itself, its top-level domain, resolved IP address, autonomous system numbers, and other factors.
The system is also designed to avoid false positives. Of the 79 million flagged domains resulting from the heuristic analysis, there were exactly 329 false positives, which equals 0.00042%. The system also checks domain similarity against a list of well-known brands and popular websites to detect NODs with very high similarity.
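As an added illustration of the kind of rules described above (not Akamai's code, and the brand list, thresholds and resolver log lines are constructed for this example): a small triage routine that keeps a first-seen table to apply the 60-day NOD definition, then runs two name-based heuristics on each NOD, a DGA-likeness check on the second-level label and an edit-distance comparison against well-known brands.

```python
import math
from datetime import datetime, timedelta
NOD_WINDOW = timedelta(days=60)  # a NOD: domain first queried within the last 60 days
KNOWN_BRANDS = ["paypal", "microsoft", "akamai", "google"]  # constructed list, not Akamai's

def levenshtein(a: str, b: str) -> int:  # edit distance for the brand look-alike check
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def char_entropy(s: str) -> float:  # bits per character; DGA-made labels score high
    return -sum(p * math.log2(p) for p in (s.count(c) / len(s) for c in set(s)))

def heuristic_reasons(domain: str) -> list:
    """Two name-based rules of the kind the page describes: DGA-like label, brand look-alike."""
    label = domain.lower().rstrip(".").split(".")[-2]  # second-level label
    reasons = []
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    if len(label) >= 12 and char_entropy(label) >= 3.3 and vowel_ratio < 0.25:
        reasons.append("dga-like label")
    for token in label.split("-"):
        for brand in KNOWN_BRANDS:
            if 0 < levenshtein(token, brand) <= 2:  # close to, but not equal to, a brand
                reasons.append(f"resembles brand {brand}")
    return reasons

def triage(log_text: str, first_seen: dict) -> dict:  # lines: '<ISO timestamp> <client> <qname>'
    seen = dict(first_seen)  # first-seen table; unknown names are added on first query
    verdicts = {}
    for line in log_text.strip().splitlines():
        ts_str, _client, qname = line.split()
        ts = datetime.fromisoformat(ts_str)
        seen.setdefault(qname, ts)
        is_nod = ts - seen[qname] <= NOD_WINDOW
        reasons = heuristic_reasons(qname) if is_nod else []  # rules only fire on NODs
        verdicts[qname] = {"nod": is_nod, "reasons": reasons, "malicious": bool(reasons)}
    return verdicts

# Constructed resolver log and historical first-seen table (sample data, not Akamai's).
SAMPLE_LOG = """
2022-03-01T09:00:00 10.0.0.5 example.com
2022-03-01T09:00:05 10.0.0.5 paypa1-login.com
2022-03-01T09:00:09 10.0.0.7 xk2q9vw7zp1t.info
2022-03-01T09:01:00 10.0.0.9 akamai.com
"""
HISTORY = {"example.com": datetime(2015, 1, 1), "akamai.com": datetime(2010, 1, 1)}
```

Calling `triage(SAMPLE_LOG, HISTORY)` flags only the two newly seen names, while the long-established `example.com` and the exact brand `akamai.com` pass untouched.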
Another advantage of focusing on NOD detection is the short average time to detect them. Akamai’s system can be triggered by a single DNS query to a newly created malicious domain. “All of our NOD-based detection systems and rules are fully automated,” the researchers explain. “This means that once a new NOD arrives, the time it takes for us to classify it as malicious is measured in minutes, not hours or days. No human intervention is required.”