Skip links

The web’s cruising at 13 million new and nefarious domain names a month

Akamai reckons that, in the first half of 2022 alone, it flagged nearly 79 million newly observed domains (NODs) as malicious.

According to the internet infrastructure giant, that amounts to 13 million malicious domain detections per month, equal to 20 percent of all successfully resolving NODs.

For Akamai’s purposes, a NOD is any domain that has been queried for the very first time in the past 60 days. And by malicious, it means, a domain name that resolves to a destination that’s intended to phish, spread or control malware, or cause some other online harm.

“[The NOD dataset] is where you find freshly registered domain names, typos, and domains that are only very rarely queried on a global scale,” Akamai said. That list grows by approximately 12 million NODs per day, we’re told, far more than a reasonable team of humans could hope to scan.

Akamai’s methods of determining which domains are malicious or not are pretty straightforward. For one approach, it looks at a list of known domain generation algorithms (DGAs) that, with help credited to the greater cybersecurity community, Akamai was able to build into a 30-year predictive list it can use to identify DGA-registered domains. 

DGA domains are often used by cybercriminals to share malware, host phishing pages, and the like, as they can be registered in bulk for even short-lived campaigns. The idea being that if you need a bunch of random-looking domain names from which to launch attacks, run botnet command-and-control servers, or host malicious pages, you don’t want those domains to be easily guessed and blocked by, say, network security filters. So you have an algorithm that generates a deterministic series of domains, registers them, and your malware or phishing operation out in the wild can predict the domains they need to use at a given moment and connect to them.

Think of DGAs generating rendezvous points on the internet for malware and other stuff to connect to or use.

NOD-based detection is also accomplished through the use of “more than 190 NOD-specific detection rules” that Akamai uses, which it said is responsible for most of its malicious domain detections. Akamai claims it only had a 0.00042 percent false positive rate among the 79 million malicious NODs it detected in the first half of the year.

NOD detection may catch what others miss

Akamai claimed it evaluated its NOD detection system against “a large and well-known aggregator of threat intelligence,” and its results raise some questions at first glance.

By looking at all the malicious NODs it flagged, and comparing them to domain names on the aggregator that had been queried at least once, Akamai said it found that 91.4 percent of its detections were missing from the aggregator. 

“We also found that from the names that we were able to find, more than 99.9 percent had a ‘reputation’ of 0, which means these had not yet been tagged as either benign or malicious,” Akamai said.

Rather than looking at the lack of consistency between it and the aggregator as bad news, Akamai said the differences, combined with its proclaimed low rate of false positives, proves that a wide variety of detection methods are necessary to build a complete picture of cybersecurity risks. 

“This demonstrates the need for a multifaceted approach so we get the best of both systems,” Akamai’s Stijn Tilborghs and Gregorio Ferreira wrote in a research note. “The NOD dataset provides a lot of complementary value, since there is only a very small overlap between its output and other major threat intelligence feeds.” 

Akamai’s NOD detection isn’t the only game in town: Cisco offers a “newly seen domain” detection system that checks DNS logs and flags potential malicious sites, as does cybersecurity firm Farsight and Palo Alto Networks

It’s unclear how those services compare to Akamai’s, but their end goals appear similar and point to NODs being a well-known security concern that multiple vendors are attempting to address. ®