Posted by Network Situational Awareness
Hello, this is Jonathan Spring with my colleague Leigh Metcalf. Today, we're releasing a CERT/CC whitepaper on our investigations into domain name parking. The title summarizes our findings neatly: "Domain Parking: Not as Malicious as Expected."
First, let's review some definitions to make sure we're all on the same page. Domain parking is the practice of assigning a nonsense (placeholder) location to a domain while it is not in use, so that the name stays registered and ready for "live" use. When a domain is "parked" on an IP address, the name still resolves, but the address it resolves to is inactive or is otherwise not controlled by the same entity that controls the domain.
We investigated domain parking only on private and reserved IP address space (namely, on the netblocks 10.0.0.0/8; 127.0.0.0/8; 169.254.64.0/18; 172.16.0.0/12; 192.168.0.0/16). Addresses in these blocks are not routable on the public Internet, so a client that resolves such a name is pointed at its own local network, at its own loopback interface, or at nothing at all. Our conclusion is therefore limited but precise: "domains that use private IP space in parking behavior" does not appear to be a particularly good indicator of maliciousness. Furthermore, the malicious behavior that was detected this way would very likely be easier to detect by other existing methods.
We used a passive DNS data source to determine which names resolved to which IP addresses over time. In one calendar month we found only 21,328 domains that exhibited parking on private IP space, out of more than 610 million domains in our dataset, roughly 0.0035 percent. We don't often say this in information security, but this does not seem to be a big deal. We'll keep an eye on it to see whether that changes.
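To make the method concrete, here is a small worked example of the two steps described above: classifying passive-DNS answers against the listed netblocks, and summarizing each name's resolution history over time. This is an added example, not code from the paper or from CERT/CC. The passive-DNS records are constructed, the P/L pattern notation is this example's own rather than the notation explained in the paper, and the netblock list is copied from the post as written.

```python
import ipaddress
from collections import defaultdict

# The netblocks the post says the study considered, copied as written there.
PARKING_BLOCKS = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "127.0.0.0/8", "169.254.64.0/18",
                 "172.16.0.0/12", "192.168.0.0/16")
]


def in_parking_space(ip: str) -> bool:
    """True if ip is an IPv4 address inside one of PARKING_BLOCKS.
    Unparseable rdata and IPv6 answers are treated as not parked."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and any(addr in net for net in PARKING_BLOCKS)


# Constructed passive-DNS observations (hypothetical names, not real data):
# (domain, rdata, first_seen). ISO dates sort the same as time order.
SAMPLE_RECORDS = [
    ("example-a.test", "203.0.113.10",  "2014-03-01"),
    ("example-a.test", "127.0.0.1",     "2014-03-09"),
    ("example-a.test", "203.0.113.11",  "2014-03-20"),
    ("example-b.test", "10.1.2.3",      "2014-03-02"),
    ("example-b.test", "10.1.2.3",      "2014-03-15"),  # same answer seen again
    ("example-c.test", "198.51.100.7",  "2014-03-03"),
    ("example-c.test", "2001:db8::1",   "2014-03-04"),
    ("example-d.test", "169.254.100.1", "2014-03-05"),  # inside 169.254.64.0/18
    ("example-e.test", "169.254.1.1",   "2014-03-05"),  # link-local, but outside the /18 above
    ("example-f.test", "not-an-ip",     "2014-03-06"),  # malformed rdata
]


def parking_patterns(records):
    """Map each domain to a pattern string: one letter per observation in
    first_seen order, 'P' = answer in parking space, 'L' = anything else,
    with consecutive repeats collapsed ('PP' -> 'P').
    This notation is the example's own assumption, not the paper's."""
    by_domain = defaultdict(list)
    for domain, rdata, first_seen in records:
        by_domain[domain].append((first_seen, rdata))
    patterns = {}
    for domain, observations in by_domain.items():
        letters = ["P" if in_parking_space(ip) else "L"
                   for _, ip in sorted(observations)]
        collapsed = [letters[0]]
        for letter in letters[1:]:
            if letter != collapsed[-1]:
                collapsed.append(letter)
        patterns[domain] = "".join(collapsed)
    return patterns


def parked_domains(records):
    """Domains that resolved into parking space at least once, with their patterns."""
    return {d: p for d, p in parking_patterns(records).items() if "P" in p}


def parked_fraction(records):
    """Share of all observed domains that exhibited private-space parking."""
    patterns = parking_patterns(records)
    return len(parked_domains(records)) / len(patterns) if patterns else 0.0


if __name__ == "__main__":
    for domain, pattern in sorted(parked_domains(SAMPLE_RECORDS).items()):
        print(domain, pattern)
    print(f"{parked_fraction(SAMPLE_RECORDS):.2%} of observed domains parked in private space")
```

Two details matter in practice. Classification is done with the study's exact netblocks, so 169.254.1.1 is not counted even though it is link-local, because the post lists 169.254.64.0/18 rather than the whole 169.254.0.0/16; widen the list if your definition differs. And a domain's pattern is built from first_seen order, so "LPL" (live, parked, live again) and "P" (only ever seen parked) are distinguishable, which is the kind of history the released list lets you inspect.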
We're also making the list of those 21,328 domains available, with their parking patterns, so you can see for yourself. The pattern notation is explained in the paper. Let us know if you see something we missed that looks suspicious.