A Deeper Look at Dangerous TLDs

Each day at AlphaSOC we process billions of network events to identify infected hosts and anomalies within customer environments. Our analytics engine scores DNS, IP, and HTTP telemetry to uncover malware implants through deep analytics, versus correlation with indicator lists.

Digging into our dataset and the malicious domains cataloged in recent years, we’ve curated a list of dangerous top-level domains (TLDs) that don’t serve a legitimate business purpose to our customers, but are commonly used to operate command and control (C2) infrastructure.

The three primary types of TLD are as follows:

  • Country code top-level domains (ccTLDs)
  • Generic top-level domains (gTLDs)
  • Effective top-level domains (eTLDs, known as the public suffix list)

eTLD domains are maintained by dynamic DNS providers, hosting providers, local governments, and other entities. Legitimate users can register arbitrary domains within these namespaces, but some eTLDs are heavily used within malware campaigns.

The Most Unsavory Neighborhoods

The chart below describes the top 15 malicious TLDs online. This data was compiled by counting known C2 domains by TLD and disregarding particular TLDs used for legitimate business purposes (namely com, net, org, info, and ru). Unsurprisingly, dynamic DNS provider domains account for 83% of the 16,427 total C2 domains across the top 50 malicious TLDs.

Raw Data and Block Lists

We’ve prepared two files for consumption, as follows:

  • c2_tlds.csv, which lists malicious TLDs by C2 domain count
  • bad_tlds.txt, which is a block list of TLDs (sorted by severity)

In practice, blocking egress traffic to domains within these TLDs in an enterprise setting should be relatively safe and should not impact operations.
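One detail worth getting right when consuming a block list like bad_tlds.txt is that eTLD entries (dynamic DNS namespaces and other public-suffix entries) span several labels, so a query name has to be matched against the list on whole-label boundaries rather than by its last label or by plain substring search. The script below, an added example that is not AlphaSOC code, loads a block list in that one-suffix-per-line shape and runs a few DNS query log lines through it. Both the suffixes (badtld, dyn.example, ddns.example.test) and the log lines are constructed placeholders for illustration, not entries from the published files.

```python
"""Suffix-matching a DNS query log against a TLD/eTLD block list.

Added example (not AlphaSOC code). The block-list entries and log lines
below are constructed placeholders, not the contents of bad_tlds.txt.
"""
from typing import Optional

# Constructed block list in the shape of bad_tlds.txt: one suffix per line,
# most severe first. Multi-label entries stand in for eTLDs (for example a
# dynamic DNS provider namespace). These suffixes are placeholders only.
BAD_TLDS_TEXT = """\
badtld
dyn.example
ddns.example.test
"""

# Constructed DNS query log lines: "<timestamp> <client_ip> <qname>"
SAMPLE_LOG = """\
2024-01-01T00:00:01Z 10.0.0.5 www.corp.example.com
2024-01-01T00:00:02Z 10.0.0.5 update.host123.dyn.example
2024-01-01T00:00:03Z 10.0.0.7 c2.badtld.
2024-01-01T00:00:04Z 10.0.0.9 notbadtld.com
2024-01-01T00:00:05Z 10.0.0.9 legit.ddns.example.test
"""


def parse_block_list(text: str) -> list:
    """Return block-list suffixes as lowercase label tuples, order preserved."""
    entries = []
    for line in text.splitlines():
        line = line.strip().lower().rstrip(".")
        if not line or line.startswith("#"):
            continue
        entries.append(tuple(line.split(".")))
    return entries


def normalise(qname: str) -> tuple:
    """Lowercase a query name, drop the trailing root dot, split into labels."""
    return tuple(qname.strip().lower().rstrip(".").split("."))


def match_suffix(qname: str, entries: list) -> Optional[str]:
    """Return the first (most severe) block-list suffix that matches qname.

    Matching is done on whole labels: 'notbadtld.com' must not match 'badtld',
    and a multi-label eTLD entry must match every one of its labels. A name
    must have at least one label below the suffix to count as "within" it.
    """
    labels = normalise(qname)
    for entry in entries:
        n = len(entry)
        if len(labels) > n and labels[-n:] == entry:
            return ".".join(entry)
    return None


def scan_log(log_text: str, block_list_text: str) -> list:
    """Return (client_ip, qname, matched_suffix) for each hit in the log."""
    entries = parse_block_list(block_list_text)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the scan
        _ts, client_ip, qname = parts
        suffix = match_suffix(qname, entries)
        if suffix:
            hits.append((client_ip, qname, suffix))
    return hits


if __name__ == "__main__":
    for client_ip, qname, suffix in scan_log(SAMPLE_LOG, BAD_TLDS_TEXT):
        print(f"{client_ip} queried {qname} (blocked suffix: {suffix})")
```

Because the list is checked in file order, the first match returned is the most severe entry, which matches how bad_tlds.txt is sorted; the same function can be pointed at a resolver's query log or at the real file once it is downloaded.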