Now You See It, Now You Don't: A Large-scale Analysis of Early Domain Deletions

Abstract

Domain names are a valuable resource on the web. Most domains are available to the public on a first-come, first-serve basis and once domains are purchased, the owners keep them for a period of at least one year before they may choose to renew them. Common wisdom suggests that even if a domain name stops being useful to its owner, the owner will merely wait until the domain organically expires and choose not to renew.

In this paper, contrary to common wisdom, we report on the discovery that domain names are often deleted before their expiration date. This is concerning because this practice offers no advantage for legitimate users, while malicious actors deleting domains may hamper forensic analysis of malicious campaigns, and registrars deleting domains instead of suspending them enable re-registration and continued abuse. Specifically, we present the first systematic analysis of early domain name disappearances from the largest top-level domains (TLDs). We find more than 386,000 cases where domain names were deleted before expiring and we discover individuals with more than 1,000 domains deleted in a single day. Moreover, we identify the specific registrars that choose to delete domain names instead of suspending them. We compare lexical features of these domains, finding significant differences between domains that are deleted early, suspended, and organically expiring. Furthermore, we explore potential reasons for deletion finding over 7,000 domain names squatting more popular domains and more than 14,000 associated with malicious registrants.

Publication
International Symposium on Research in Attacks, Intrusions, and Defenses
Avatar
Timothy Barron
PhD Candidate

Timothy Barron is a PhD candidate working on web security with Professor Nick Nikiforakis in the PragSec Lab at Stony Brook University.