Assessing the Effectiveness of Domain Blacklisting Against Malicious DNS Registrations

Domain blacklists are widely-used in security research. However, given their proprietary nature, there is little insight into how they operate and how effective they are. In this paper, we analyze a unique combination of DNS traffic measurements with domain registration and blacklisting data. We focus in particular on large-scale malicious campaigns that register thousands of domain names used in orchestrated attacks. This allows us to gain insights into how blacklists and cybercriminals interact with each other. Furthermore, it enables us to pinpoint scenarios where blacklist operators struggle to detect campaign registrations.