The 10 riskiest Internet domains firewall admins should block

04.09.2015
For years there was nothing much to be said about Internet top-level domains (TLDs). People had heard of .com, .net and perhaps a few of the country-specific suffixes such as .co.uk, extended over time by a few additions such as .info and the more notorious .xxx and .sex (the latter prompted a book by a former Techworld journalist, Kieren McCarthy, telling the story of one of the most fought-over domains in Internet history but we digress).

By 2013 this changed almost overnight as hundreds of new and unfamiliar domain possibilities were approved for use by the Internet governing body ICANN as part of its controversial liberalisation programme, about which many still have doubts to this day.

There are now more than a thousand TLDs - including famous new examples such as .buzz, .cash, .ceo, .cool, .flights, .paris, .ninja and, infamously, .sucks, used to troll celebrities, politicians and large companies. Plenty of choice then.

New research by security firm Blue Coat offers an interesting and pretty mixed picture of how the new domain possibilities are being used and, sure enough, some of them are being abused on an industrial scale to game search engines and worse.

The firm's top 10 'shadiest' domains, based on the volume of spam, malware botnets and phishing emanating from websites using them, turned up some staggering statistics (see figure 1). According to this sample, 100 percent of two domains (.zip and .review) were being used for entirely nefarious purposes while the rest on the list were only fractions of a percent off this level of criminal saturation.

It's an open and shut case that the new domains are being abused although it should also be pointed out that plenty of the old domains were exploited for the same purposes.


One surprise is the appearance of .science on the list, usually used in combination with other domain keywords. Back in March, a blog by the firm found that 96 percent of sites using this domain were dodgy, but by August this had reached over 99 percent. What is going on? Blue Coat uncovered a range of scam sites, including Chinese weight loss, mysterious e-books and search engine poisoning, with a number of sites offering plagiarized essays for sale.

"Due to the explosion of TLDs in recent years, we have seen a staggering number of almost entirely shady web neighbourhoods crop up at an alarming rate," said Blue Coat CTO, Dr Hugh Thompson.

"The increase in Shady TLDs as revealed by Blue Coat's analysis is in turn providing increased opportunity for the bad guys to partake in malicious activity. In order to build a better security posture, knowledge about which sites are the most suspicious, and how to avoid them, is essential for consumers and businesses alike."

Blue Coat recommends that firewall admins simply block traffic to these domains, safe in the absolute certainty that legitimate websites won't inadvertently be caught by such a filter. Blue Coat isn't the first to spot this trick, with OpenDNS making much the same point earlier this year when it recommended adding commonly-used terms such as 'billing' or 'update' to blocklists when they are used in conjunction with TLDs.
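One way a resolver or firewall filter could apply the two rules just described (block the shady TLDs outright, and block risky keywords only when they sit under a new TLD), as an added Python example that is not Blue Coat's or OpenDNS's code. The watched-TLD set, the allowlist and the log lines are constructed for the example, and only the three TLDs the article names stand in for Blue Coat's full top 10.

```python
import re

# TLDs the article reports as nearly 100 percent abused (only the three it names).
SHADY_TLDS = {"zip", "review", "science"}
# Keywords OpenDNS suggested blocking when combined with a TLD (the two the article cites).
RISKY_KEYWORDS = {"billing", "update"}
# Assumption: the keyword rule applies only to new gTLDs (the article's own examples),
# so ordinary hosts such as update.example.com stay reachable.
WATCHED_TLDS = SHADY_TLDS | {"buzz", "cash", "ceo", "cool", "flights", "ninja"}
# Hypothetical allowlist of hostnames an admin has verified (constructed).
ALLOWLIST = {"billing.partner.ninja"}

_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
_QNAME_RE = re.compile(r"qname=(\S+)")


def normalise(hostname: str) -> "list[str] | None":
    """Lowercase, drop a trailing dot, split into labels; None if not a multi-label hostname."""
    labels = hostname.strip().lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(label) for label in labels):
        return None
    return labels


def decide(hostname: str) -> "tuple[str, str]":
    """Return ('block' | 'allow', reason) for one queried hostname."""
    labels = normalise(hostname)
    if labels is None:
        return "block", "not a valid multi-label hostname"
    if ".".join(labels) in ALLOWLIST:
        return "allow", "allowlisted"
    tld = labels[-1]
    if tld in SHADY_TLDS:
        return "block", f"TLD .{tld} is on the shady list"
    if tld in WATCHED_TLDS and any(k in lb for lb in labels[:-1] for k in RISKY_KEYWORDS):
        return "block", f"risky keyword under watched TLD .{tld}"
    return "allow", "no rule matched"


def filter_log(lines: "list[str]") -> "list[tuple[str, str]]":
    """Run decide() over resolver log lines carrying a qname=<host> field."""
    hits = [m.group(1) for m in map(_QNAME_RE.search, lines) if m]
    return [(qname, decide(qname)[0]) for qname in hits]


# Constructed resolver log lines for demonstration, not real traffic.
SAMPLE_LOG = [
    "2015-09-04T10:12:01 client=10.0.0.5 qname=cheap-ebooks.science.",
    "2015-09-04T10:12:02 client=10.0.0.5 qname=login-update.ninja",
    "2015-09-04T10:12:03 client=10.0.0.7 qname=update.example.com",
    "2015-09-04T10:12:04 client=10.0.0.7 qname=billing.partner.ninja",
    "2015-09-04T10:12:05 client=10.0.0.9 qname=archive.zip",
]
```

Running `filter_log(SAMPLE_LOG)` blocks the .science, .ninja-with-keyword and .zip names and allows the legacy-TLD and allowlisted ones.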

The firm also offered data on the least risky domains (see figure 2), which includes stalwarts such as .gov, .jp, .mil and, pleasingly for the UK, .London.

All of these registered dubious-website counts down to fractions of a percent, but Blue Coat cautions against taking the list too literally. Some of the domains, such as .gov, have a major presence in the database used to design the test, while others are much rarer, with only a very small number of sites. TLDs such as .jobs could quickly go bad if even a relatively small number of 'shady' sites appear. Domains can be blacklisted but not as easily whitelisted.

Another movement is to build whitelisting security around key domains and then persuade brands to use them, pushing their virtue and trustworthiness to customers and users. A good example of this is the .bank TLD, which several thousand banks and other finance companies are said to have registered an interest in. As with the .Trust domain launched in 2014 by Britain's NCC Group, a raft of security checking is built around anyone wanting to inhabit these domains, which inevitably adds to cost.

(www.computerworlduk.com)

By John E Dunn