DNS Abuse Detection: Malicious registration of (effective) second level domains

Definition

Malicious registration of domains is the creation of new domains by threat actors online.

This technique is when someone who is going to do a bad thing registers a domain themselves. It is distinguished from an actor stealing, compromising, taking over, or otherwise hijacking DNS resources.

Advice

Malicious registration is about the intent of how the domain will be used after it is registered. While it is impossible to predict with 100% accuracy who is registering a domain for malicious purposes, registrars and registries have signals that can be used as indicators for future malicious intent.

Registries and registrars are the only stakeholders able to detect malicious domains before or at the time of registration since they are the only ones who have insight in the relevant data at this time. Registrars have the most information to correlate with potential malicious use, followed by registries, and then everyone else. Public information on registration data has decreased since ICANN restricted the public WHOIS. However, registries can correlate registrant activity across registrars; therefore, a large registry can gather this information widely in a way that many registrars cannot.

Registries and registrars can use this data to check for things like:

• Stolen credit cards
• Fraudulent addresses and stolen identities or any inconsistencies ins customer data
• Standard Know Your Customer (KYC) techniques used to detect criminal activity
• History of abuse reports against a registrant

Higher registration fee is correlated with fewer malicious domain registrations. Fees raise the cost for the attackers, who are assessing return on investment.

When a domain is reported to the registry/registrar as malicious, the registrar should check other domains owned by the registrant to determine if they also are malicious.

After registration, other stakeholders can look for signals to detect malicious intent, such as:

• History of abuse or complaints against the registrant
• The registrant’s domain registration history
• Signs of typosquatting
• Known malicious infrastructure
• Use of known bulletproof hosting providers
• Registration IP address geo-ip
• IP address reputation, including history of blocklists mentioning the IP
• How long ago the domain was registered

These lists are illustrative and are not exhaustive.

When a domain is reported as malicious, it should be put on blocklists enforced at the recursive/resolver level. Blocklist information can be shared via cyber threat intelligence channels.

One of the primary purposes of protective DNS is to ingest blocklists and domain information and perform correlations to determine domain reputation scores across indicators of compromise. Protective DNS then will block malicious domains as they are detected.

Examples

MITRE’s entry for “Acquire Infrastructure: Domains” has a good list of examples with links to external reports.

Potential Resources

• Palo Alto page on “What Are Malicious Newly Registered Domains?”
• A M3AAWG Introduction to Addressing Malicious Domain Registrations
• MITRE entry for “Acquire Infrastructure: Domains”
• Newly Registered Domains blocklist

• DNS Abuse SIG
  • Stakeholder Advice
    • Detection
      • Cache Poisoning
      • DGA Domains
      • DNS As a Vector for DoS
      • DNS Rebinding
      • DNS Server Compromise
      • DoS Against the DNS
      • Domain Name Compromise
      • Dynamic DNS (as obfuscation technique)
      • Fast Flux (as obfuscation technique)
      • Infiltration and exfiltration via the DNS
      • Lame Delegations
      • Local Resolver Hijacking
      • Malicious registration of (effective) second level domains
      • On-path DNS Attack
      • Stub Resolver Hijacking
  • Code of Conduct & Other Policies
  • Examples of DNS Abuse