Akamai Reports a Surge in Malicious Domains

Amy Larsen DeCarlo – Principal Analyst, Security and Data Center Services

Summary Bullets:

• Akamai has identified almost 13 million malicious domains per month in 2022, roughly 20% of all newly observed domains (NODs) that access the provider’s content delivery network (CDN).

• While it remains to be seen how threat actors will operationalize these domains, the surge is indicative of looming state-backed cyberwarfare attacks.

Security, cloud, and CDN provider Akamai offers some insights into a looming cyber threat. In a report published at the end of September 2022, Akamai says it has seen a significant uptick in the number of malicious NODs on its CDN. The company says NOD-based threat detection gives the company a means to assess the “long tail” of DNS queries to identify new threats in a very early phase. Akamai defines a NOD as a domain name queried for the first time within a 60-day window.

Threat actors typically register thousands of domain names at the same time, so if any are blocked, they can move to a backup. The names are created via a domain generation algorithm (DGA), which makes it easier to automate an attack.

Akamai notes that in the two weeks before Russia invaded Ukraine, it had identified a steady rise in malicious NODs, peaking at 40,000 flagged per day. Ukrainian government officials have recently said Russia is planning a cyberwarfare attack aimed at Ukraine’s critical infrastructure and potentially allies’ assets. Specifically, Ukrainian officials have said they anticipate Russia will launch “massive cyberattacks” in an effort to amplify the impact of missile strikes on electrical facilities. Ukraine has also alerted allies, particularly Poland and other neighboring countries, to expect increases in distributed denial-of-service (DDoS) attacks.

Akamai’s DNSi CacheServe software processes more than 80 million DNS queries per second from around the world. That adds up to seven trillion requests per day. The company’s Security Research team assesses an anonymized subset of the total number of DNS queries to identify potential threats before an attack.

The Akamai Security Research team applies a combination of heuristic analysis, phishing detection, and its DGA database to identify malicious NODs. The provider also tracks DNS queries that fail to resolve (NXDOMAIN responses), because most of the domains that malware attempts to contact are unregistered. The result is an outsized data set, but one that Akamai says is more representative of reality.
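As an added illustration (not Akamai’s code or its actual heuristics), the following Python sketches the NOD-plus-NXDOMAIN triage described above over a constructed resolver log. The 60-day window is Akamai’s NOD definition; the entropy cut-off, the log format and the domain names are assumptions.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

NOD_WINDOW = timedelta(days=60)  # Akamai's definition: first queried within a 60-day window
ENTROPY_CUTOFF = 3.2             # assumed cut-off for DGA-looking labels; not Akamai's value

# Constructed DNS resolver log (not real traffic): "<ISO timestamp> <qname> <rcode>"
SAMPLE_LOG = """\
2022-01-03T10:00:00 example.com NOERROR
2022-02-12T11:00:00 xk7q2mzv9bplw.net NXDOMAIN
2022-02-12T11:00:01 q9zr4vtx1pnmd.net NXDOMAIN
2022-02-12T11:00:02 q9zr4vtx1pnmd.net NXDOMAIN
2022-02-12T11:00:03 q9zr4vtx1pnmd.net NXDOMAIN
2022-02-12T12:00:00 newshop.org NOERROR
2022-03-20T08:00:00 example.com NOERROR
"""

def registered_label(qname):
    """Label left of the TLD (naive split; a public-suffix list would be more accurate)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(text):
    """Bits per character; random-looking DGA labels score higher than dictionary words."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def triage(log_text, now=None):
    """Replay the log; report every NOD at time `now` (default: last log timestamp)."""
    first_seen, nxdomain, last_ts = {}, defaultdict(int), None
    for line in log_text.splitlines():
        ts, qname, rcode = line.split()
        when = datetime.fromisoformat(ts)
        first_seen.setdefault(qname, when)  # keep the earliest query time
        if rcode == "NXDOMAIN":
            nxdomain[qname] += 1            # unregistered: typical of malware lookups
        last_ts = when
    now = now or last_ts
    report = {}
    for qname, seen in first_seen.items():
        if now - seen > NOD_WINDOW:
            continue                        # first seen more than 60 days ago: not a NOD
        ent = shannon_entropy(registered_label(qname))
        report[qname] = {"entropy": round(ent, 2), "nxdomain": nxdomain[qname],
                         "suspicious": ent >= ENTROPY_CUTOFF or nxdomain[qname] > 0}
    return report
```

On the sample log, `example.com` drops out as older than the window, `newshop.org` is a NOD but not flagged, and the two high-entropy names that only ever return NXDOMAIN are flagged.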

What do you think?
