Game of Registrars: An Empirical Analysis of Post-Expiration Domain Name Takeovers

Every day, hundreds of thousands of Internet domain names are abandoned by their owners and become available for re-registration. Yet, there appears to be enough residual value and demand from domain speculators to give rise to a highly competitive ecosystem of drop-catch services that race to be the first to re-register potentially desirable domain names in the very instant the old registration is deleted. To pre-empt the competitive (and uncertain) race to re-registration, some registrars sell their own customers’ expired domains pre-release, that is, even before the names are returned to general availability. These practices are not without controversy, and can have serious security consequences. In this paper, we present an empirical analysis of these two kinds of postexpiration domain ownership changes.We find that 10 % of all com domains are re-registered on the same day as their old registration is deleted. In the case of org, over 50 % of re-registrations on the deletion day occur during only 30 s. Furthermore, drop-catch services control over 75 % of accredited domain registrars and cause more than 80 % of domain creation attempts, but represent at most 9.5 % of successful domain creations. These findings highlight a significant demand for expired domains, and hint at highly competitive re-registrations. Our work sheds light on various questionable practices in an opaque ecosystem. The implications go beyond the annoyance of websites turned into “Internet graffiti” [26], as domain ownership changes have the potential to circumvent established security mechanisms.

[1]  Nick Feamster,et al.  PREDATOR: Proactive Recognition and Elimination of Domain Abuse at Time-Of-Registration , 2016, CCS.

[2]  Wouter Joosen,et al.  You are what you include: large-scale evaluation of remote javascript inclusions , 2012, CCS.

[3]  Vern Paxson,et al.  The BIZ Top-Level Domain: Ten Years Later , 2012, PAM.

[4]  Vern Paxson,et al.  Redirecting DNS for Ads and Profit , 2011, FOCI.

[5]  Zhou Li,et al.  Understanding the Dark Side of Domain Parking , 2014, USENIX Security Symposium.

[6]  Lawrence K. Saul,et al.  Who is .com?: Learning to Parse WHOIS Records , 2015, Internet Measurement Conference.

[7]  S. Savage,et al.  Empirically Characterizing Domain Abuse and the Revenue Impact of Blacklisting , 2014 .

[8]  Gianluca Stringhini,et al.  Why allowing profile name reuse is a bad idea , 2016, EuroSec '16.

[9]  Stefan Savage,et al.  XXXtortion?: inferring registration intent in the .XXX TLD , 2014, WWW.

[10]  Wouter Joosen,et al.  Seven Months' Worth of Mistakes: A Longitudinal Study of Typosquatting Abuse , 2015, NDSS.

[11]  Georg Carle,et al.  The Abandoned Side of the Internet: Hijacking Internet Resources When Domain Names Expire , 2015, TMA.

[12]  Gianluca Stringhini,et al.  What's in a Name? Understanding Profile Name Reuse on Twitter , 2017, ArXiv.

[13]  Michael K. Reiter,et al.  Understanding domain registration abuses , 2012, Comput. Secur..

[14]  Tobias Lauinger,et al.  WHOIS Lost in Translation: (Mis)Understanding Domain Name Expiration and Re-Registration , 2016, Internet Measurement Conference.

[15]  He Liu,et al.  Click Trajectories: End-to-End Analysis of the Spam Value Chain , 2011, 2011 IEEE Symposium on Security and Privacy.

[16]  Patrick D. McDaniel,et al.  Domain-Z: 28 Registrations Later Measuring the Exploitation of Residual Trust in Domains , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[17]  Wouter Joosen,et al.  Parking Sensors: Analyzing and Detecting Parked Domains , 2015, NDSS.

[18]  Chris Kanich,et al.  The Long "Taile" of Typosquatting Domain Names , 2014, USENIX Security Symposium.

[19]  Tyler Moore,et al.  Measuring the Perpetrators and Funders of Typosquatting , 2010, Financial Cryptography.

[20]  Nick Feamster,et al.  Understanding the domain registration behavior of spammers , 2013, Internet Measurement Conference.

[21]  Lawrence K. Saul,et al.  From .academy to .zone: An Analysis of the New TLD Land Rush , 2015, Internet Measurement Conference.

[22]  Stefan Savage,et al.  Juice: A Longitudinal Study of an SEO Botnet , 2013, NDSS.