The Internet is gaining 13 million malicious new domains every month • The Register

Akamai estimates that it flagged nearly 79 million newly observed domains (NODs) as malicious in the first half of 2022 alone.

According to the internet infrastructure giant, that amounts to 13 million malicious domain detections per month, representing 20 percent of all successfully resolved NODs.

For Akamai's purposes, a NOD is any domain queried for the first time in the last 60 days, and a "malicious" domain is one that resolves to a target designed to proliferate or control malware or otherwise cause harm to others online.

“[The NOD dataset] is where you’ll find newly registered domain names, typos, and domains that are very rarely consulted around the world,” Akamai said. That list is growing at about 12 million NODs a day, we’re told, far more than any sane team of humans could hope to scan.

Akamai’s methods of determining whether a domain is malicious are fairly simple. One approach examines a list of known domain generation algorithms (DGAs) that Akamai, with help from the wider cybersecurity community, has been able to integrate into a 30-year prediction list it can use to identify DGA-registered domains.

DGA domains are often used by cyber criminals to share malware, host phishing pages and the like, since they can be registered in bulk even for short-lived campaigns. The idea is that if you need a bunch of random-looking domain names from which to launch attacks, run botnet command-and-control servers, or host malicious sites, you don’t want those domains to be easily guessed and blocked by, say, network security filters. So you have an algorithm that generates a deterministic set of domains, register them, and your malware or phishing operation in the wild can predict which domains it needs to use at any given time and connect to them.

Think of DGAs as a way of generating meeting places on the internet for malware and anything else that needs somewhere to connect to.
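The determinism described above is exactly what a defender's prediction list exploits: if the algorithm is known, every name it will ever produce can be computed in advance and matched against newly observed domains. The following is an added illustration, not Akamai's code or a real malware family; the seed, the hash-based name scheme and the `.test` TLD are constructed for the example.

```python
import hashlib
from datetime import date, timedelta


def toy_dga(seed, day, count=5, tld="test"):
    """Constructed date-seeded DGA used only to illustrate the idea.

    Both the operator and the defender obtain the same names for a given
    day, which is precisely what makes precomputation possible.
    """
    names = []
    for i in range(count):
        material = f"{seed}:{day.isoformat()}:{i}".encode()
        digest = hashlib.sha256(material).hexdigest()
        names.append(f"{digest[:12]}.{tld}")
    return names


def build_prediction_list(seed, start, days):
    """Precompute every name the DGA yields over `days` days from `start`.

    Returns a dict mapping domain -> the day on which the DGA emits it.
    (Akamai's real list spans 30 years; a short window suffices here.)
    """
    predicted = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for name in toy_dga(seed, day):
            predicted[name] = day
    return predicted


def flag_dga_nods(nods, predicted):
    """Return newly observed domains that match the precomputed list,
    together with the day the algorithm was expected to produce them."""
    return {name: predicted[name] for name in nods if name in predicted}


if __name__ == "__main__":
    window = build_prediction_list("constructed-seed", date(2022, 1, 1), 60)
    # Constructed NOD feed: one day's DGA output mixed with benign-looking names.
    observed = toy_dga("constructed-seed", date(2022, 2, 15)) + [
        "legit-shop.test", "news-site.test"]
    for name, day in flag_dga_nods(observed, window).items():
        print(f"DGA hit: {name} (expected on {day})")
```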

NOD-based detection is also achieved through the use of “more than 190 NOD-specific detection rules” used by Akamai, which it says are responsible for most malicious domain detections. Akamai claims it had just a 0.00042 percent false positive rate among the 79 million malicious NODs it detected in the first half of the year.

NOD detection can catch what others miss

Akamai claimed it compared its NOD detection system to “a large and well-known threat intelligence aggregator,” and its findings raise some questions at first glance.

Akamai looked at all flagged malicious NODs and compared them to domain names on the aggregator that were queried at least once, and found that 91.4 percent of its detections were missing from the aggregator.

“We also found that of the names we were able to find, more than 99.9 percent had a ‘reputation’ of 0, meaning they had not yet been flagged as benign or malicious,” Akamai said.

Rather than viewing the lack of consistency between it and the aggregator as bad news, Akamai said the differences, coupled with the proclaimed low rate of false positives, prove that a variety of detection methods are necessary to build a complete picture of cybersecurity risks.

“This demonstrates the need for a multi-faceted approach so that we can get the best of both systems,” write Akamai’s Stijn Tilborghs and Gregorio Ferreira in a research note. “The NOD dataset offers great supplemental value as there is very little overlap between its output and other key threat intelligence.”

Akamai’s NOD detection isn’t the only game in town: Cisco offers a “newly seen domain” detection system that checks DNS logs and flags potentially malicious websites, as do cybersecurity firm Farsight and Palo Alto Networks.

It’s unclear how these services compare to Akamai’s, but their end goals appear to be similar, suggesting NODs are a known security issue that multiple vendors are trying to address. ®

Laura Coffey
