Earlier this year, the Blue Coat Security Labs team launched an experiment to gather statistics on the lifetime of DNS names. As part of this study, more than 660 million unique names were analyzed over 90 days. 470 million of them (71%) lasted no more than 24 hours. Such names were called "ephemeral".
Creating short-lived names is common practice for some Internet services, so there is nothing unusual about a number of such names turning up in the sample. But 71 percent! Unexpected, isn't it? Why are there so many? What are they: erroneous requests to non-existent sites? Or subdomains randomly generated by bots and used to communicate with C&C servers?
Approximately 164 million of the one-day names use their IP address as the host name. An analysis of the ASes that announce these addresses made it clear that most of them belong to ISPs and telecom companies. The remaining two thirds of the collected pool of names show some signs of life, and those are the ones worth a closer look.
The main TLD in which one-day names appear is .com. About 70% of such names are created in it, which is 2.5 times more than in all the others combined. Their geographical distribution roughly corresponds to the number of IPv4 addresses allocated to each country. Almost 40% of one-day names are created in the USA and China, which between them occupy about 44% of the address space. Among the anomalies, Brazil stands out (1.1% of IP addresses and 3.8% of ephemeral names), as does Russia, which is not in the Top-10 by number of IP addresses (1.0% and 2.8%, respectively).

The authors of the study do not provide explanations for these anomalies. I think that at least in parts of Russia this imbalance is caused by the presence of powerful local Internet companies (Yandex, Mail.ru, VKontakte) with their own infrastructure. I am not familiar with the Brazilian Internet segment; can someone tell me in the comments?
An analysis of the parent domains of the one-day names shows how widely this technique is used by popular Internet services. Google is the real king of this ranking: it owns almost half of the ephemeral names discovered. Most of the remaining entries in the list belong either to companies providing CDN services or to large Internet services that use their own infrastructure for content delivery.
CDNs often use names of the third level and deeper to store user data: the user's name, a session ID, or even a specific request. After the session ends, the name disappears and is no longer used. It seems that this is how most one-day names are born.
Blogging platforms such as Blogspot, Tumblr, and Wordpress probably ended up in the Top-10 undeservedly. The reason is that most of the millions of blogs hosted on them have sporadic traffic, which makes them statistically similar to ephemeral names.
No analysis of Internet activity can be considered complete without mentioning the role of pornography. The most popular (according to Wikipedia) porn site in the world took seventh place in the ranking.
But what about malware? You do not have to look far.
Twelfth place in the ranking went to a domain with an unpronounceable name that hosts the C&C server of a botnet. During the experiment, 1.3 million names belonging to it were recorded. And it is not alone. Another 20 similar domains were in the Top-50, which leaves the bad guys at 22% of this ranking.
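The same measurement can be run over your own resolver logs. The following is an added example, not code from the Blue Coat study or from this post: it applies the 24-hour threshold, sets aside names that embed an IPv4 address, and ranks parent domains by their number of ephemeral names. The log entries, the `.example` names, the dotted-or-dashed octet pattern and the two-label parent rule are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

EPHEMERAL_MAX = timedelta(hours=24)  # the study's "no more than 24 hours"

# Constructed passive-DNS observations: (timestamp, queried name).
SAMPLE_LOG = [
    ("2014-06-01T10:00:00", "a1b2c3.cdn.example"),
    ("2014-06-01T10:05:00", "a1b2c3.cdn.example"),
    ("2014-06-01T11:00:00", "d4e5f6.cdn.example"),
    ("2014-06-01T12:00:00", "qxkzvw.bot.example"),
    ("2014-06-01T12:30:00", "pljmnb.bot.example"),
    ("2014-06-02T09:00:00", "zzkqtr.bot.example"),
    ("2014-06-01T08:00:00", "host-203-0-113-7.isp.example"),
    ("2014-06-01T08:00:00", "www.blog.example"),
    ("2014-06-09T08:00:00", "www.blog.example"),
]
OCTETS = re.compile(r"(?<!\d)(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})(?!\d)")

def embeds_ip(name):
    """True if the name contains four dotted or dashed octets, each <= 255."""
    return any(all(int(octet) <= 255 for octet in match.groups())
               for match in OCTETS.finditer(name))

def parent_domain(name, labels=2):
    """Assumption: the parent is the last two labels (no public-suffix list)."""
    return ".".join(name.split(".")[-labels:])

def lifetimes(log):
    """Map each name to the span between its first and last observation."""
    seen = {}
    for stamp, name in log:
        when, name = datetime.fromisoformat(stamp), name.rstrip(".").lower()
        first, last = seen.get(name, (when, when))
        seen[name] = (min(first, when), max(last, when))
    return {name: last - first for name, (first, last) in seen.items()}

def rank_ephemeral_parents(log):
    """Return (ephemeral count, IP-named count, parents ranked by ephemeral names)."""
    ephemeral = [n for n, life in lifetimes(log).items() if life <= EPHEMERAL_MAX]
    ip_named = [n for n in ephemeral if embeds_ip(n)]
    ranked = Counter(parent_domain(n) for n in ephemeral if not embeds_ip(n))
    return len(ephemeral), len(ip_named), ranked.most_common()

if __name__ == "__main__":
    print(rank_ephemeral_parents(SAMPLE_LOG))
```

A parent that tops this ranking is not malicious by that fact alone, as the CDN and blog entries above show; the ranking only narrows down which parents to examine. Names first seen in the final 24 hours of a log will also look ephemeral, so the observation window should be much longer than the threshold.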
As you can see, the modern DNS structure of the Internet is far from the classic ideas. I would be glad if, in the comments, people who support large caching DNS services (for example, from the Yandex.DNS or SkyDNS teams) could tell how this affects the real characteristics of the services.
Source: "One-day Wonders: Here Today, Gone Tomorrow"