Domain Parking: Not as Malicious as Expected
December 2014 • White Paper
In this paper we discuss scalable detection methods for domain names parking on reserved IP address space, and then using this data set, evaluate whether this behavior appears to be indicative of malicious behavior.
Software Engineering Institute
Domain parking is the practice of assigning a nonsense location to a domain when
it is not in use in order to keep it ready for "live" use. This practice is peculiar
because it indicates someone has administrative control over the domain name,
does not have hardware ready to respond to requests, but wants the domain to appear
active. A more appropriate response would seem to us to be that the domain
does not exist. This mismatch between expected benign behavior (no such domain)
and actual observed behavior (parking) made us suspicious. In this paper we discuss
scalable detection methods for domain names parking on reserved IP address
space, and then using this data set, evaluate whether this behavior appears to be
indicative of malicious behavior.
We find that during the month of January 2014 only 21;328 unique domains
exhibited parking on reserved address space, out of over 610 million total unique
observed domains. Thus, parking appears to be an uncommon Internet behavior
with only 0:0035% of domains exhibiting parking on reserved IP addresses. Of
these 21;328 domains, relatively few were observed listed on any of 16 domain
black lists any time from January 1 to February 28, 2014. Only 1;563, or 7:3%,
were listed in this time period. Therefore, we conclude that parking is a poor
indicator of malicious activity, or at least not an indicator of any kind of malicious
activity usually examined by any public list of malicious domain behavior.