Domain Parking: Not as Malicious as Expected
CARNEGIE-MELLON UNIV PITTSBURGH PA SOFTWARE ENGINEERING INST
Pagination or Media Count:
Domain parking is the practice of assigning a nonsense address to a domain when it is not in use in order to keep it ready for live use. This practice is peculiar because it indicates someone has administrative control over the domain name, does not have hardware ready to respond to requests, but wants the domain to appear active. A more appropriate response would seem to us to be that the domain does not exist. This mismatch between expected benign behavior no such domain and actual observed behavior parking made us suspicious. In this paper we discuss scalable detection methods for domain names parking on reserved IP address space, and then using this data set evaluate whether this behavior appears to be indicative of malicious behavior. We find that during the month of January 2014 only 21328 unique domains exhibited parking on reserved address space, out of over 610 million total unique observed domains. Thus, parking appears to be an uncommon Internet behavior with only 00035 of domains exhibiting parking on reserved IP addresses. Of these 21328 domains, relatively few were observed listed on any of 16 domain black lists any time from January 1 to February 28, 2014. Only 1 563, or 73, were listed in this time period. Therefore, we conclude that parking is a poor indicator of malicious activity, or at least not an indicator of any kind of malicious activity usually examined by any public list of malicious domain behavior.
- Computer Systems Management and Standards