Sergey Nivens - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Are one-day wonders enterprise Web security risks?

One-day wonders are websites that persist for 24 hour or less. Should these phenomena be an enterprise security concern? Expert Michael Cobb explains.

What are "one-day wonder" websites and why do they cause such a security concern? Is there anything that can be done at the enterprise level to protect against them?

The term "one-day wonders" was recently used by Blue Coat Systems Inc. to describe a phenomenon its researchers discovered in a recent study of the Internet. Over a 90-day period, Blue Coat looked at more than 660 million unique hostnames requested by 75 million global users. What came as a surprise was that 71% -- about 470 million hostnames -- persisted for less than 24 hours. Dubbed by Blue Coat, these sites came and went within a day. This presents antimalware services with a huge challenge of trying to determine whether these new, unknown and transient sites are benign, or should be blocked as dangerous.

Most one-day wonders are legitimate and are a byproduct of processes used to help accelerate the delivery of content. A large percentage is created by the likes of Google, Amazon and Yahoo, as well as companies that make use of Content Delivery Networks (CDNs). It appears these CDNs use several levels of unique subdomains to keep track of content in the CDN. This could be to identify a particular user, session or request, but once that user/session/request is finished, the subdomain isn't used again. Blogging sites such as Blogspot, Tumblr and Wordpress also add to the proliferation of one-day wonders.

Although these sites don't pose any security threat, their sheer volume provides ideal cover for malicious activity -- 22% of the top 50 parent domains most frequently creating one-day wonders were malicious. Not only can hackers take advantage of the site being new and unknown to evade spam and Web filters, but transient sites are a critical component of attack support infrastructures. One .info domain, for example, was a command-and-control server for a Trojan dialer that over the 90-day analysis period spawned more than 1.3 million sub-domains. Another 10 similar parent domains were identified as being part of command-and-control infrastructures.

Given the dynamic nature of malicious one-day wonders, a static or infrequently updated blacklist of known malicious sites will not be sufficient to protect a network's users. Automated, real-time intelligence updates that identify and assign risk levels to one-day wonders should be used to update the filters on policy-based security controls, blocking access to sites that are rated dangerous. Enterprises will probably need a feed from a third-party threat intelligence provider as they have the ability to collate and analyze vast amounts of traffic from across the Internet and put these transient hostnames into context and identify how they are being used.

Ask the Expert:
Have a question about application security? Send it via email today. (All questions are anonymous.)

Next Steps

Get help defending against Web-based malware

This was last published in April 2015

Dig Deeper on Web browser security