New research from Akamai Technologies Inc. has found that about 20% of all new domain names registered, some 79 million, were registered for malicious purposes in the first half of the year.
The research was based on queries through Akamai CacheServer instances that currently handle more than 80 million DNS queries per second, or 7 trillion daily requests. An anonymized subset of the data was used for the research, with newly observed domains, or NODs, as the focus. A NOD in this case is a domain name queried for the first time in the last 60 days.
On a typical day, the researchers observed about 12 million NODs in total, of which a little over 2 million successfully resolved. Over the first six months of 2022, 79 million domain names that resolved were flagged as malicious.
The NODs varied in type, but many looked like names that would never be typed into a browser window: they are not human-readable and appear to be computer-generated. The question raised is: Why?
According to the researchers, malicious actors often register thousands of domain names in bulk. They do that so if one or more of their domains are flagged and blocked, they can simply switch to one of the others they own. The domain names are typically created programmatically using a domain generation algorithm. That process is part of what makes these NODs dangerous, because they’re a persistent way of attacking an organization.
Common threats that use the NOD technique include malware, ransomware attacks, cryptominers, typosquatting, botnets and advanced persistent threats.
Over the years, Akamai’s systems have been designed to detect malicious NODs, with more than 190 specific NOD detection rules in place. The system involves heuristic analysis and inputs such as the domain name itself, its top-level domain, resolved IP, Autonomous System Numbers and other factors.
The system is also designed to avoid false positives. Of the 79 million flagged domains resulting from heuristic analysis, there were exactly 329 false positives, equating to 0.00042%. The system also checks the similarity of domains against a list of known brand names and popular websites to detect NODs that closely resemble them.
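To make the two detection ideas above concrete (flagging programmatically generated, DGA-style labels, and flagging NODs that closely resemble known brands), here is a small illustrative classifier. It is an added example, not Akamai's code or rules: the domain list, the brand list, the homoglyph map and the thresholds are all constructed assumptions, and the false-positive calculation simply mirrors the article's "flagged benign / all flagged" ratio on that toy sample.

```python
from __future__ import annotations

import math
from collections import Counter

# Constructed sample of newly observed domains with hand-assigned labels for this illustration.
# True means "registered for malicious purposes"; none of this comes from Akamai's data.
SAMPLE_NODS = {
    "xk7q2pzj9mwv.top": True,          # DGA-style label: no vowels, digits mixed in
    "hj3kd8fs0lqw.xyz": True,          # same pattern
    "paypa1.com": True,                # homoglyph typosquat of a brand
    "micros0ft-update.net": True,      # homoglyph plus a lure word
    "akamai-login-secure.xyz": True,   # brand name embedded as a token
    "gardening-tips.org": False,       # ordinary human-readable name
    "northwind-bakery.com": False,
}

# Assumed list of brand names / popular sites used for the similarity check (constructed).
KNOWN_BRANDS = ["akamai", "paypal", "microsoft", "google", "amazon"]

# Assumed homoglyph map: look-alike digits are normalised before comparing with brands.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

VOWELS = set("aeiou")


def split_domain(name: str) -> tuple[str, str]:
    """Return (registrable label, TLD), e.g. 'paypa1.com' -> ('paypa1', 'com').
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2], parts[-1]


def shannon_entropy(s: str) -> float:
    """Bits per character; a 12-character label with 12 distinct characters scores ~3.58."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(label: str) -> bool:
    """DGA-style heuristic (assumed thresholds): almost no vowels, and either
    high entropy or a large share of digits. Short labels are not judged."""
    core = label.replace("-", "")
    if len(core) < 8:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in core) / len(core)
    digit_ratio = sum(ch.isdigit() for ch in core) / len(core)
    return vowel_ratio < 0.2 and (shannon_entropy(core) >= 3.5 or digit_ratio >= 0.2)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used as the brand-similarity measure."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_lookalike(label: str) -> str | None:
    """Return the brand that a hyphen-separated token matches within edit distance 1, else None."""
    for token in label.translate(HOMOGLYPHS).split("-"):
        if len(token) < 4:          # very short tokens are too easy to match by accident
            continue
        for brand in KNOWN_BRANDS:
            if levenshtein(token, brand) <= 1:
                return brand
    return None


def classify(domain: str) -> dict:
    """Combine the two heuristics; the TLD is reported so a reviewer can weigh it."""
    label, tld = split_domain(domain)
    reasons = []
    if looks_generated(label):
        reasons.append("dga-like label")
    brand = brand_lookalike(label)
    if brand:
        reasons.append(f"resembles brand '{brand}'")
    return {"domain": domain, "tld": tld, "malicious": bool(reasons), "reasons": reasons}


def false_positive_rate(sample: dict) -> tuple[int, float]:
    """Count benign domains that were flagged and express them as a percentage of all flags."""
    results = [(classify(d)["malicious"], truth) for d, truth in sample.items()]
    flagged = sum(1 for m, _ in results if m)
    fps = sum(1 for m, truth in results if m and not truth)
    return fps, (100.0 * fps / flagged if flagged else 0.0)


if __name__ == "__main__":
    for d in SAMPLE_NODS:
        print(classify(d))
    print("false positives (count, % of flagged):", false_positive_rate(SAMPLE_NODS))
```

On the constructed sample every malicious entry is caught by one of the two rules and neither benign name is flagged, but that says nothing about real traffic: the thresholds are guesses, and a production system would add the resolved IP, ASN and TLD reputation signals the article mentions, and would measure its false-positive rate the same way over tens of millions of flags rather than seven.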
The other advantage of focusing on NOD detection is the short mean time to detect them. Akamai’s system can be triggered simply by a single DNS query to a newly created malicious domain. “All of our NOD-based detection systems and rules are fully automated,” the researchers explain. “This means, once a new NOD comes in, the time needed for us to classify it as malicious is measured in minutes, not hours or days. No human intervention is needed.”