What are "one-day wonder" websites and why do they cause such a security concern? Is there anything that can be done at the enterprise level to protect against them?
The term "one-day wonders" was recently used by Blue Coat Systems Inc. to describe a phenomenon its researchers discovered in a recent study of the Internet. Over a 90-day period, Blue Coat looked at more than 660 million unique hostnames requested by 75 million global users. What came as a surprise was that 71% -- about 470 million hostnames -- persisted for less than 24 hours. These sites, dubbed "one-day wonders" by Blue Coat, came and went within a day. This presents antimalware services with the huge challenge of determining whether these new, unknown and transient sites are benign or should be blocked as dangerous.
Most one-day wonders are legitimate and are a byproduct of processes used to help accelerate the delivery of content. A large percentage is created by the likes of Google, Amazon and Yahoo, as well as companies that make use of Content Delivery Networks (CDNs). It appears these CDNs use several levels of unique subdomains to keep track of content in the CDN. This could be to identify a particular user, session or request, but once that user/session/request is finished, the subdomain isn't used again. Blogging sites such as Blogspot, Tumblr and Wordpress also add to the proliferation of one-day wonders.
Although these legitimate sites don't pose a security threat themselves, their sheer volume provides ideal cover for malicious activity -- 22% of the top 50 parent domains most frequently creating one-day wonders were malicious. Not only can hackers take advantage of a site being new and unknown to evade spam and Web filters, but transient sites are a critical component of attack support infrastructures. One .info domain, for example, was a command-and-control server for a Trojan dialer that spawned more than 1.3 million subdomains over the 90-day analysis period. Another 10 similar parent domains were identified as being part of command-and-control infrastructures.
Given the dynamic nature of malicious one-day wonders, a static or infrequently updated blacklist of known malicious sites will not be sufficient to protect a network's users. Automated, real-time intelligence updates that identify and assign risk levels to one-day wonders should be used to update the filters on policy-based security controls, blocking access to sites that are rated dangerous. Enterprises will probably need a feed from a third-party threat intelligence provider, since such providers can collate and analyze vast amounts of traffic from across the Internet, put these transient hostnames into context and identify how they are being used.
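A first-pass version of the kind of risk rating described above, as an added example that is not from Blue Coat or the original answer: it tallies, per parent domain, how many subdomains in a constructed proxy log lived for less than 24 hours, exempts known CDN parents via a hypothetical `ALLOWLISTED_PARENTS` set, and rates parents that spawn only disposable subdomains as high risk so a policy-based filter can block them. The hostnames, client addresses and the `min_transient` threshold are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample proxy log, one request per line: "<ISO-8601 timestamp> <client> <hostname>".
SAMPLE_LOG = """\
2014-09-01T08:00:00 10.0.0.5 www.news-example.com
2014-09-01T08:01:00 10.0.0.5 a1b2.cdn-example.net
2014-09-01T08:02:00 10.0.0.6 x9f3k.c2-example.info
2014-09-01T09:10:00 10.0.0.7 q7t2m.c2-example.info
2014-09-01T10:20:00 10.0.0.5 c3d4.cdn-example.net
2014-09-01T11:30:00 10.0.0.8 p0o9i.c2-example.info
2014-09-02T08:00:00 10.0.0.5 www.news-example.com
2014-09-03T08:00:00 10.0.0.5 www.news-example.com
"""
# Hypothetical allowlist: parents (CDNs, blog hosts) known to churn subdomains legitimately.
ALLOWLISTED_PARENTS = {"cdn-example.net"}
def parent_domain(hostname):
    # Naive parent = last two labels; a real deployment would consult the public suffix list.
    return ".".join(hostname.rstrip(".").split(".")[-2:])
def hostname_lifetimes(log_text):
    # hostname -> (first_seen, last_seen) over the observation window.
    seen = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than break the feed
        ts, host = datetime.fromisoformat(parts[0]), parts[2].lower()
        first, last = seen.get(host, (ts, ts))
        seen[host] = (min(first, ts), max(last, ts))
    return seen

def one_day_wonders(lifetimes, max_age=timedelta(hours=24)):
    # Hostnames whose entire observed lifetime fits inside max_age.
    return {h for h, (first, last) in lifetimes.items() if last - first < max_age}

def rate_parents(lifetimes, min_transient=3):
    # Per parent: "allowlisted", "high" when it spawns only disposable subdomains, else "low".
    transient = one_day_wonders(lifetimes)
    counts = defaultdict(lambda: [0, 0])  # parent -> [total hosts, transient hosts]
    for host in lifetimes:
        c = counts[parent_domain(host)]
        c[0], c[1] = c[0] + 1, c[1] + (host in transient)
    ratings = {}
    for parent, (total, churn) in counts.items():
        if parent in ALLOWLISTED_PARENTS:
            ratings[parent] = "allowlisted"
        elif churn >= min_transient and churn == total:
            ratings[parent] = "high"  # churn-for-cover pattern: block pending analyst review
        else:
            ratings[parent] = "low"
    return ratings
```

In production the allowlist and threshold would come from the threat intelligence feed rather than being hard-coded, and the "high" ratings would be pushed to the proxy or DNS filter policy.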
Related Q&A from Michael Cobb