This paper by Paul Vixie (Farsight Security) was presented at VB2018 in Montreal, QC, Canada.
The modality of mortality in domain names
Domain names established for routine use are typically registered for one or more years, and faithfully renewed thereafter. Knowing nothing else, we’d expect that a domain existing today will still be there tomorrow. This is an expectation of ‘domain continuity’.
Other domains get treated as effectively being ‘disposable’. Those domains get registered, quickly abused for cybercrime-related purposes (such as spamming, phishing, malware distribution, etc.), and are then abandoned after becoming unusable due to being blocklisted or ‘held’ by registrar action.
In this study, we’ve obtained an ongoing feed of ‘Newly Observed Domains’ from Farsight Security’s SIE, and then periodically probed those names from global measurement points to determine:
– What fraction of new domain names ‘die a premature death’ due to being blocklisted or suspended?
– What causes the ‘death’ of those domains? Do they mostly get blocklisted? Or do they ‘die’ due to action by registrars or others?
– What does the survival curve for those names look like over time?
– Are there differences between the traditional gTLDs, ccTLDs and ICANN’s new gTLDs?
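One way to turn periodic probe results into the survival curve and cause-of-death breakdown asked about above, as an added example that is not code from the paper. It assumes the standard Kaplan-Meier estimator (the abstract does not name its method), and all domain names, TLD classes, probe times and outcomes are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the paper): one row per newly observed domain.
# Fields: name, TLD class, hours from first observation to death or to the last
# probe, and cause of death (None = still resolving at last probe, i.e. censored).
OBSERVATIONS = [
    ("d1.example", "new gTLD", 6, "blocklisted"),
    ("d2.example", "new gTLD", 24, "registrar_hold"),
    ("d3.example", "new gTLD", 24, "blocklisted"),
    ("d4.example", "new gTLD", 72, None),
    ("d5.example", "gTLD", 24, "blocklisted"),
    ("d6.example", "gTLD", 168, None),
    ("d7.example", "ccTLD", 72, "registrar_hold"),
    ("d8.example", "ccTLD", 168, None),
]

def kaplan_meier(records):
    """Return [(hours, S(hours))] at each time where at least one domain died."""
    deaths, leaving = defaultdict(int), defaultdict(int)
    for _name, _cls, hours, cause in records:
        leaving[hours] += 1            # drops out of the risk set after this time
        if cause is not None:
            deaths[hours] += 1         # observed death, not a censored domain
    at_risk, survival, curve = len(records), 1.0, []
    for hours in sorted(leaving):
        if deaths[hours]:
            survival *= 1 - deaths[hours] / at_risk
            curve.append((hours, survival))
        at_risk -= leaving[hours]
    return curve

def cause_counts(records):
    """Count deaths by cause; domains alive at the last probe are 'censored'."""
    return Counter(cause or "censored" for *_rest, cause in records)

def curves_by_class(records):
    """Split records by TLD class and estimate one survival curve per class."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[1]].append(rec)
    return {cls: kaplan_meier(recs) for cls, recs in groups.items()}

if __name__ == "__main__":
    print("causes:", dict(cause_counts(OBSERVATIONS)))
    for hours, s in kaplan_meier(OBSERVATIONS):
        print(f"all domains: S({hours}h) = {s:.3f}")
    for cls, curve in curves_by_class(OBSERVATIONS).items():
        print(cls, [(h, round(s, 3)) for h, s in curve])
```

Domains still resolving at the last probe are treated as censored rather than as survivors, so a short measurement window does not bias the curve upward.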