One-day Wonders: Here Today, Gone Tomorrow
Date: Sep 4, 2014
Guest blog: Blue Coat.
The report highlights that creators of malware often hide their malicious code in short-lived websites, as sites that are new and unknown can more easily evade Web security measures.
Websites come and go over time; rarely is a second thought given to those sites left by the wayside. Recently, the Blue Coat Security Labs team has looked into the nature of the host names that make up the Web, and the fleeting nature of many of them is truly surprising.
In a recent 90-day period of traffic, we counted over 660 million unique host names. (That’s about one host name for every 10.6 people in the world.) While the sheer number of hosts is notable, more remarkable is the volume of hosts that were present for only a single day in that 90-day window; we call these hosts “one-day wonders”.
An astounding 71% (~470M) of the hosts were so transient that they only appeared in a single day’s traffic over the course of 12 weeks. Despite the famed speed at which new sites and services come online, and the Internet’s highly distributed nature, this percentage seemed a bit extreme — what was going on in there?
It is not intuitive that something would exist so briefly. The skeptical mind promptly questions whether these sites exist at all. Are these simply vacuous requests to misspelled or unallocated host names? The paranoid part of the brain suggests that these must be randomly generated domain names used to control the millions of infected machines throughout the world.
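The one-day-wonder measurement described above can be run against your own proxy or DNS logs. The following Python is an added example, not Blue Coat's code; the log layout, the sample lines and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample: "<ISO timestamp> <client> <requested host>" (assumed log layout)
SAMPLE_LOG = """\
2014-06-01T08:00:01 10.0.0.5 www.example.com
2014-06-01T08:00:09 10.0.0.7 WWW.Example.com.
2014-06-02T09:13:44 10.0.0.5 www.example.com:443
2014-06-02T11:20:00 10.0.0.9 a1b2c3.cdn.example.net
2014-06-02T11:20:05 10.0.0.9 a1b2c3.cdn.example.net
2014-06-03T02:10:10 10.0.0.7 qzxv.example.org
2014-01-01T00:00:00 10.0.0.7 old.example.org
malformed line
"""

def normalize_host(raw):
    """Lowercase, drop port and trailing dot so variants count as one host."""
    host = raw.strip().lower()
    if host.count(":") == 1:  # host:port (bare IPv6 literals are left alone)
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")

def days_seen(lines, window_end, window_days=90):
    """Map each host to the set of calendar days it appeared in the window."""
    window_start = window_end - timedelta(days=window_days - 1)
    seen = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        try:
            day = datetime.fromisoformat(parts[0]).date()
        except ValueError:
            continue
        if window_start <= day <= window_end:
            seen[normalize_host(parts[2])].add(day)
    return seen

def one_day_wonders(seen):
    """Hosts present on exactly one day, plus their share of all hosts."""
    wonders = sorted(h for h, days in seen.items() if len(days) == 1)
    share = len(wonders) / len(seen) if seen else 0.0
    return wonders, share

if __name__ == "__main__":
    seen = days_seen(SAMPLE_LOG.splitlines(), window_end=date(2014, 8, 29))
    wonders, share = one_day_wonders(seen)
    print(f"{len(wonders)}/{len(seen)} hosts ({share:.0%}) seen on one day only")
```

Repeated requests to a host on the same day count once, so a busy but short-lived host still registers as a one-day wonder.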
Digging deeper into the data provided some answers…
A white paper, with many more details, including geolocation information and mitigation strategies, can be downloaded here: