Learning from Authoritative Security Experiment Results
Open-source Measurement of Fast-flux Networks While Considering Domain-name Parking
Leigh B. Metcalf, Dan Ruef, Jonathan M. Spring
Software Engineering Institute, Carnegie Mellon University
Background. Fast-flux is a technique malicious actors use to make malware communications resilient to takedown. In this paper, domain parking is the practice of assigning a placeholder (nonsense) location to an unused fully-qualified domain name (FQDN) so that it is kept ready for "live" use. Many papers use "parking" to mean typosquatting for ad revenue. However, the original usage of "domain parking" is ours, and it is relevant here because it is a potentially confounding behavior for fast-flux detection: both a parked name and a fluxed name change the IP addresses they resolve to over time. The internet-wide prevalence of fast-flux networks, and the extent to which domain parking confounds fast-flux detection, have not been publicly measured at scale.
Method. We examine over five years of data from a large passive-DNS source. We use an open-source implementation that identifies suspicious associations between FQDNs, IP addresses, and ASNs as graphs. We detect parking with a simple time series of whether an FQDN advertises itself alternately on IETF-reserved private IP space and on public IP space. Whitelisting domains that use this IP space to encode non-DNS responses (e.g. blacklist distributors) is important for accurate results.
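The parking heuristic above is simple enough to show in full. The following is an added example written for this page, not the authors' tool: it collapses constructed passive-DNS observations into a per-FQDN daily label (private or public space), counts transitions between the two, and skips a whitelist. The RFC 1918 ranges standing in for "IETF-reserved private IP space", the whitelist entry, the record format, and the threshold of two transitions are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Assumption: "IETF-reserved private IP space" is read here as the RFC 1918
# ranges. Other reserved blocks (e.g. 127.0.0.0/8) could be appended.
PRIVATE_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Hypothetical whitelist: FQDNs known to encode non-DNS answers in A records
# (e.g. DNS blacklist distributors), which would otherwise look "parked".
WHITELIST = {"bl.example-dnsbl.test"}


def is_private(ip: str) -> bool:
    """True if ip falls in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def daily_labels(records):
    """Collapse passive-DNS observations into a per-FQDN, per-day label.

    records: iterable of (day, fqdn, ip); day is any orderable value (ints here).
    A day is labelled 'P' if the FQDN resolved into private space at any point
    that day, otherwise 'U' (public). Returns {fqdn: [(day, label), ...]}
    sorted by day.
    """
    seen = defaultdict(dict)  # fqdn -> {day: label}
    for day, fqdn, ip in records:
        label = "P" if is_private(ip) else "U"
        if label == "P" or day not in seen[fqdn]:
            seen[fqdn][day] = label
    return {f: sorted(days.items()) for f, days in seen.items()}


def transitions(labels):
    """Count changes between 'P' and 'U' across consecutive observed days."""
    return sum(1 for (_, a), (_, b) in zip(labels, labels[1:]) if a != b)


def detect_parking(records, whitelist=WHITELIST, min_transitions=2):
    """Return {fqdn: transition_count} for FQDNs that alternate between private
    and public space at least min_transitions times and are not whitelisted.

    min_transitions=2 is an assumption for this example: it requires one full
    private->public->private (or public->private->public) cycle, so a name
    that moved out of private space exactly once is not flagged.
    """
    flagged = {}
    for fqdn, labels in daily_labels(records).items():
        if fqdn in whitelist:
            continue
        n = transitions(labels)
        if n >= min_transitions:
            flagged[fqdn] = n
    return flagged


# Constructed sample passive-DNS records: (day, fqdn, ip). All names and
# addresses are made up (RFC 1918 and documentation ranges only).
SAMPLE_RECORDS = [
    (1, "c2.parked.test", "10.0.0.1"),            # parked
    (2, "c2.parked.test", "203.0.113.5"),         # live
    (3, "c2.parked.test", "10.0.0.1"),            # parked again
    (4, "c2.parked.test", "203.0.113.9"),         # live again
    (1, "www.static.test", "198.51.100.7"),       # never changes
    (2, "www.static.test", "198.51.100.7"),
    (3, "www.static.test", "198.51.100.7"),
    (1, "one.shot.test", "192.168.1.10"),         # moved once: private -> public
    (2, "one.shot.test", "198.51.100.20"),
    (3, "one.shot.test", "198.51.100.20"),
    (1, "bl.example-dnsbl.test", "10.1.1.2"),     # non-DNS data in A records
    (2, "bl.example-dnsbl.test", "203.0.113.50"),
    (3, "bl.example-dnsbl.test", "10.1.1.3"),
]

if __name__ == "__main__":
    for fqdn, labels in daily_labels(SAMPLE_RECORDS).items():
        print(fqdn, "".join(label for _, label in labels))
    print("parked:", detect_parking(SAMPLE_RECORDS))
```

Running the block flags only `c2.parked.test` (three transitions). The blacklist distributor alternates just as often and would be flagged without the whitelist, which is the false-positive source the Method paragraph warns about; the one-time move of `one.shot.test` falls below the assumed threshold.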
Results. Fast-flux is common: on a typical day, roughly 10M IP addresses and 20M FQDNs are in fast-flux networks. Domain parking, in our sense, is uncommon (94,000 unique FQDNs over five years) and occurs mostly independently of fast-flux. Our open-source tool works well even at internet scale.
Discussion. Real-time detection of fast-flux networks could help defenders interrupt their operation. With our implementation, a resolver could block name resolutions that, if completed, would add to a known flux network, preventing even the first connection to some fast-flux domains. Parking is a poor indicator of malicious activity, but it seems unlikely to confound fast-flux detection.