Easy creation of domain names by hackers leaves SMBs dangerously exposed
Cooling-off period urged to vet site and decide whether it should be blocked
By Jaikumar Vijayan, ThirdCertainty
The vast majority of new Web domains established every day on the Internet are created for malicious purposes.
That shocking truism of the Information Age comes from none other than Internet pioneer and thought leader Paul Vixie.
Vixie is the founder of the Internet Systems Consortium, a nonprofit group dedicated to supporting the infrastructure of the Internet—and the autonomy of its participants. He is best known in tech circles for designing and implementing several Domain Name System protocols, extensions and applications.
Sadly, Vixie recently told ThirdCertainty, DNS as it is being used on a daily basis today is largely broken.
“One new domain is created every second and pretty much 199 out of 200 of them are junk domains created for the purpose of search engine optimization, spam, phishing or other completely useless things,” says Vixie, who is now CEO of Farsight Security.
Other examples of malicious use include newly created domains to set up botnet command-and-control servers, to establish download sites for malware, or to host phishing and drive-by-malware-download pages.
For criminals, time is of the essence
Those who set up such domains tend to want to use them as quickly as possible after registering before the site can get blacklisted or before it is taken down by network operators.
The logic of cyber criminals engaged in this activity goes something like this, Vixie says: “I want to do something that absolutely no one else in the world wants me to do, and I am using this cooperative structure to allocate the resources to me that I need to do the thing that everybody wishes I wasn’t doing.”
Since it is an almost certain bet that the only people seeking to use a new domain immediately upon registration are those with malicious intent, the best way to deter them is to introduce a waiting period, Vixie says.
Small change, big difference
This simple practice would go a long way toward deterring cyber criminals from registering new domains for nefarious purposes that typically include spamming, malware distribution and carrying out phishing campaigns.
In Vixie’s view, those who control DNS should move forward on implementing such a cooling-off period. Imposing a six- to 24-hour delay between when a site is registered and when it becomes available could give the security industry enough time to vet the new domain and decide whether it’s something that should be blocked or monitored.
“The registration event has been published, the domain isn’t actually working yet … that gives the security industry an advance look to find out, ‘Am I going to want to block that by the time it comes out of its 24-hour waiting period’,” Vixie says.
Previous studies that have attempted to understand the domain registration behavior of spammers have noted the difficulty that network operators face in making decisions about whether to blacklist a domain or not.
Because of the rate at which new domains appear, making blacklist decisions at registration has become particularly challenging, the studies noted. As a result, the typical response model has been to wait for a domain to start exhibiting malicious behavior before attempting to stop it.
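The waiting-period model described above can be approximated today on the defender's side, even without registries adopting the delay: a resolver or DNS firewall that knows when a name was registered can hold queries for names younger than the cooling-off window and apply a vetting verdict once the window has passed. The following is an added example written for this article (not code from ThirdCertainty, Farsight Security or ISC); the registration feed, vetting verdicts and query log lines are constructed, and the `.test` domains, client addresses and the `decide`/`evaluate_log` functions are assumptions made for illustration.

```python
# Added example (not from the article, Farsight or ISC): a resolver-side policy that
# approximates the cooling-off period Vixie proposes, using a constructed
# newly-registered-domain feed and constructed query log lines.
from datetime import datetime, timedelta, timezone

COOLING_OFF = timedelta(hours=24)  # the upper end of the 6- to 24-hour delay in the article

# Constructed registration feed: "<registration time, UTC> <domain>" per line.
REGISTRATION_FEED = """\
2015-09-30T08:00:00Z example-login-verify.test
2015-09-29T06:30:00Z longstanding-shop.test
2015-09-30T09:15:00Z cdn-update-check.test
"""

# Constructed verdicts from a hypothetical vetting step run during the waiting period.
VETTING_VERDICTS = {
    "example-login-verify.test": "block",
    "cdn-update-check.test": "monitor",
}

# Constructed resolver query log: "<time, UTC> <client> <queried name>" per line.
QUERY_LOG = """\
2015-09-30T10:00:00Z 10.0.0.5 example-login-verify.test
2015-09-30T10:00:01Z 10.0.0.7 longstanding-shop.test
2015-09-30T10:00:02Z 10.0.0.9 cdn-update-check.test
2015-10-01T09:30:00Z 10.0.0.5 cdn-update-check.test
2015-09-30T10:00:03Z 10.0.0.5 unknown-old.test
"""


def parse_time(stamp):
    """Parse a Zulu ISO 8601 timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_registrations(feed_text):
    """Map each domain in the feed to its registration time."""
    registrations = {}
    for line in feed_text.splitlines():
        if not line.strip():
            continue
        stamp, domain = line.split()
        registrations[domain.lower().rstrip(".")] = parse_time(stamp)
    return registrations


def decide(domain, at, registrations, verdicts, cooling_off=COOLING_OFF):
    """Policy for one query: 'hold' inside the waiting period, otherwise the
    vetting verdict ('block' / 'monitor') or 'allow'."""
    domain = domain.lower().rstrip(".")
    registered = registrations.get(domain)
    if registered is None:
        return "allow"  # not a newly registered name as far as the feed knows
    if at - registered < cooling_off:
        return "hold"   # still in the cooling-off window: do not resolve yet
    return verdicts.get(domain, "allow")


def evaluate_log(log_text, registrations, verdicts, cooling_off=COOLING_OFF):
    """Apply the policy to each query log line; returns (time, client, domain, decision)."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, client, domain = line.split()
        decision = decide(domain, parse_time(stamp), registrations, verdicts, cooling_off)
        results.append((stamp, client, domain, decision))
    return results


def summarize(results):
    """Count decisions across a set of evaluated queries."""
    counts = {}
    for _, _, _, decision in results:
        counts[decision] = counts.get(decision, 0) + 1
    return counts


if __name__ == "__main__":
    regs = load_registrations(REGISTRATION_FEED)
    evaluated = evaluate_log(QUERY_LOG, regs, VETTING_VERDICTS)
    for stamp, client, domain, decision in evaluated:
        print(f"{stamp} {client} {domain}: {decision}")
    print(summarize(evaluated))
```

In the constructed data, the two names registered on the morning of 30 September are held when queried two hours later, while the name registered the previous day resolves normally; the query to cdn-update-check.test a day later falls outside the window and picks up the "monitor" verdict reached during it. A name absent from the feed is treated as established, which is why the feed's completeness (and the operator's own choice of window length) governs how much of the benefit this local approximation delivers.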
Money likely to rule the day
Introducing a waiting period as Vixie suggests could give the security industry the time needed to vet new sites and reduce the risk posed by new domains to small, medium and large businesses. But Vixie isn’t holding his breath that the industry will implement the delay he proposes any time soon.
Vixie admits that when he made the proposal at RSA this year, it got little pickup. He plans to air it again at an ICANN meeting next month in Dublin, Ireland, but isn’t too optimistic.
“It’s all about money,” Vixie says. “There’s a lot of money to be made in registering new domains, and the companies that do that for a living are going to be unwilling to make any change that could slow down their revenues.
“There’s some very big, very successful companies making a lot selling this stuff,” he says. “If I come along and throw a wet blanket over it and said that action is fundamentally destructive to the social order, we need to slow this down a little bit, they’d think I’m nuts.”
ThirdCertainty Editor-In-Chief Byron Acohido contributed to this report.