Software Engineering Institute | Carnegie Mellon University

White Paper

Domain Parking: Not as Malicious as Expected

  • December 2014
  • By Leigh B. Metcalf, Jonathan Spring
  • In this paper we discuss scalable detection methods for domain names parking on reserved IP address space, and then using this data set, evaluate whether this behavior appears to be indicative of malicious behavior.
  • Cybersecurity Engineering
  • Publisher: Software Engineering Institute
  • Abstract

    Domain parking is the practice of assigning a nonsense location to a domain when
    it is not in use in order to keep it ready for "live" use. This practice is peculiar
    because it indicates someone has administrative control over the domain name,
    does not have hardware ready to respond to requests, but wants the domain to appear
    active. A more appropriate response would seem to us to be that the domain
    does not exist. This mismatch between expected benign behavior (no such domain)
    and actual observed behavior (parking) made us suspicious. In this paper we discuss
    scalable detection methods for domain names parking on reserved IP address
    space, and then using this data set, evaluate whether this behavior appears to be
    indicative of malicious behavior.

    We find that during the month of January 2014 only 21,328 unique domains
    exhibited parking on reserved address space, out of over 610 million total unique
    observed domains. Thus, parking appears to be an uncommon Internet behavior
    with only 0.0035% of domains exhibiting parking on reserved IP addresses. Of
    these 21,328 domains, relatively few were observed listed on any of 16 domain
    black lists any time from January 1 to February 28, 2014. Only 1,563, or 7.3%,
    were listed in this time period. Therefore, we conclude that parking is a poor
    indicator of malicious activity, or at least not an indicator of any kind of malicious
    activity usually examined by any public list of malicious domain behavior.
    ©2014
