When Spamhaus Malware Labs observe a 40% increase in the number of domains that are being registered by cybercriminals to host a botnet command & control (C&C) it’s time to stop. Take a look. And understand where the threats are coming from in the top-level domains (TLDs) space and learn how you can protect against them.

The importance of domain names

Cybercriminals prefer to use a domain name registered exclusively to host a botnet C&C. A dedicated domain name allows them to fire up a new virtual private server (VPS), load the botnet C&C kit, and immediately be back in contact with their botnet after their (former) hosting provider shuts down their botnet C&C server. Not having to change the configuration of each infected computer (bot) on the botnet is a significant advantage.

Number of botnet C&C domain names registered in 2018

Last year, compared to 2017, Spamhaus Malware Labs saw a 40% increase in the number of the domain names registered and set up by cybercriminals for the sole purpose of hosting a botnet C&C:

2017: 50,000 domains

2018: 69,961 domains*

Top-level domains – a brief overview

Before we get into the detail of which top-level domains were abused the most by botnet C&Cs in 2018 let’s take a look at some of the different types of top-level domains:

  • Generic TLDs (gTLDs)– can be used by anyone
  • Country code TLDs (ccTLDs)– some have restricted use within a particular country or region; however, others are licensed for general use which provides the same functionality of gTLDs
  • Decentralized TLDs (dTLDs) –independent top-level domains that are not under the control of ICANN.

Most abused top-level domains in 2018

There were some interesting (and concerning) developments in this area, perhaps most notably was the rise of domain names registered to ‘.bit,’ a decentralized top-level domain (dTLD). Domain names with this type of TLD create additional issues when it comes to blocking malicious traffic and taking down these bad operators.

Top abused TLDs

Palau ‘.pw’ was the most abused TLD: The listings associated with ‘.pw’ rose by 56% in 2018, which was an additional 4,835 botnet C&Cs connected with this domain from the previous year.

Russia ‘.ru’ had a reduced number of domain registrations for botnet C&Cs: We noted a small decrease from 1,370 domain listings in 2017 to 1,183 in 2018. This saw ‘.ru’ ccTLD move out of the top ten rankings, down to #17.

Historically cybercriminals heavily abused ‘.ru’ & ‘.su’ ccTLDs, however, over recent years their operator has implemented measures which are having positive effects in reducing the amount of abuse across these 2 TLDs.

‘.tk,’ ‘.ml,’ ‘.ga,’ ‘.gg’ and ‘.cf’ made their first appearances in the Top 20: Originally ccTLDS; Freenom now operate them, and they are considered to be gTLDs. As the name implies ‘Freenom’ provide domain names for free.

Given this business model, it’s not surprising that there has been a massive increase in abusive activity associated with them: Cybercriminals realize that their nefarious actions are likely to lead to their domain name being shut down, therefore prefer to obtain them for free rather than pay for them.

dTLD ‘.bit’ had an upsurge in listings: This dTLD didn’t make it into the ‘Top 20’ however we observed 108 domain names hosting botnet C&Cs with the dTLD ‘.bit.’ dTLDs provide criminals with advantages over other TLDs and consequently pose additional threats to users; therefore we feel it is necessary to highlight them:

  • These domain names cannot be taken down or suspended when being used for malicious purposes, because there is no governing body associated with a dTLD.
  • Researching malicious activity becomes more challenging as domain name registrations within dTLDs are usually entirely anonymous, with registrant information not being required.
  • dTLDs bypass DNS Firewalls/Response Policy Zones (RPZ) that many ISPs and businesses use to protect their customers/users from cyber threats. They by-pass DNS Firewalls because dTLD domains are not resolvable through common DNS. Instead, they are resolved through nameservers that support ‘.bit,’ such as OpenNIC.

How can you protect against botnet C&C traffic on dTLD’s?

Border Gateway Protocol data feeds provide an added layer of protection. These feeds block connections to IPs involved in the most dangerous cybercrime and DDoS attacks via your edge router.

By taking just a few minutes to configure your edge router to peer with a Deteque BGP router and a null route, you can provide your network with up-to-date protection against botnets, alongside phishing and external attacks on your organization’s servers.

Diagram showing how Spamhaus Border Gateway Protocol Feeds work and help protect the network edge.

IT security has always required a multi-faceted approach, and with new threats continually coming to the fore, such as those posed by botnet C&C traffic registered to a dTLD, it is vital to continue to add layers of additional security.

*N.B. These numbers exclude hijacked domain names; domains owned by non-cybercriminals that were used without permission, and domains on ‘free sub-domain’ provider services.

Related Products

Border Gateway Protocol

Border Gateway Protocol (BGP) Feeds provide your users and network with up to date protection against botnets and other external attacks.

Set up takes minutes; our data is constantly updated in real time by our experienced researchers on your behalf, and can be utilized in your existing BGP capable routers.

  • Prevent data exfiltration
  • Protect your network from botnets
  • Reduce infected machines on your network


The Value of Threat Intelligence – The White Paper (2019)

29 October 2019


In this Osterman Report, over 200 companies were interviewed to find out how they were utilizing threat intelligence data. Compare yourself to the market place, and find out how others are protecting themselves.

The most abused top-level domains in 2018

22 February 2019


The team at Spamhaus observed a large 52% increase compared to 2017! Here’s everything you need to know when it comes to the most abused top-level domains (TLDs) in 2018, and how to protect yourself from a worrying trend concerning decentralized TLDs (dTLDs).

XS4ALL turns to DNS Firewall to provide protection to customers

29 November 2017

Case Study

Netherlands-based ISP XS4ALL is using Spamhaus' DNS Firewall to provide an improved security service to its customers. Discover their story.