Glossary
What Are Co-hosted Domains?
Co-hosted domains are hostnames that resolve to the same IP address — meaning they share a server. In bulk shared hosting this is benign and meaningless; in attacker infrastructure, co-hosting is one of the strongest signals available, because operators routinely group campaign assets on the same machine.
How Co-hosting Reveals Campaigns
When an attacker stands up a phishing kit, they typically register several typosquat or theme-named domains and point them all at the same VPS to keep cost down. Months later, a defender finds one of those domains in an alert. Pivoting on the IP often surfaces the rest — including domains that were never used and never appeared in any threat feed.
Where Co-hosting Is Noise
Shared hosting providers can put thousands of unrelated customer domains on a single IP. CDNs (Cloudflare, Fastly, Akamai) front millions of hostnames behind a small set of edge IPs. Co-hosting against those IPs means almost nothing; the signal exists only when the IP is dedicated or near-dedicated.
How to Use Co-hosting Well
- Filter out shared-hosting and CDN ASNs before drawing any conclusions.
- Look at ASN reputation — co-hosting on a bulletproof ASN is far more meaningful than co-hosting on AWS.
- Use passive DNS to see who has ever co-hosted on the IP, not just who resolves there now.
- Combine with WHOIS and registration-time clustering — campaigns often share registrar and registration burst.
- Check the size of the co-hosted set: 4 obscure domains on one VPS is meaningful; 4,000 domains on a shared host is not.
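Three of the checks above (ASN filtering, historical versus current resolution, and set size) applied to constructed passive-DNS rows. This is an added example, not Whisper's code or part of the original page; the ASN numbers, the `NOISY_ASNS` list, the `MAX_SET` cutoff and the `cohosted` function are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date as D

# Constructed passive-DNS rows: (hostname, ip, asn, first_seen, last_seen).
# Reserved .example names, documentation IPs, private-use ASNs; not real data.
SEED = "examplebank-login.example"
PDNS = [
    (SEED, "203.0.113.10", 64512, D(2024, 1, 5), D(2024, 6, 1)),
    ("examplebank-verify.example", "203.0.113.10", 64512, D(2024, 1, 5), D(2024, 6, 1)),
    ("examplebank-secure.example", "203.0.113.10", 64512, D(2024, 1, 6), D(2024, 6, 1)),
    # Resolved here only briefly: visible in history, absent from a current lookup.
    ("examplebank-support.example", "203.0.113.10", 64512, D(2024, 1, 6), D(2024, 2, 1)),
    # The seed later moved behind a CDN edge IP shared with unrelated sites.
    (SEED, "198.51.100.7", 64513, D(2024, 6, 2), D(2024, 7, 1)),
    ("unrelated-shop.example", "198.51.100.7", 64513, D(2023, 1, 1), D(2024, 7, 1)),
    # Before the campaign it sat on a shared host with 4,000 other customers.
    (SEED, "192.0.2.50", 64514, D(2023, 12, 1), D(2024, 1, 4)),
]
PDNS += [(f"customer{i}.example", "192.0.2.50", 64514, D(2023, 1, 1), D(2024, 7, 1))
         for i in range(4000)]

NOISY_ASNS = {64513}  # assumption: analyst-maintained shared-hosting/CDN ASN list
MAX_SET = 20          # assumption: larger sets are treated as shared hosting

def cohosted(seed, rows, noisy_asns=NOISY_ASNS, max_set=MAX_SET, as_of=None):
    """Map each IP the seed resolved to -> sorted peer hostnames on that IP.

    as_of=None uses every historical resolution; a date keeps only rows
    whose [first_seen, last_seen] range covers that day.
    """
    hosts_by_ip, asn_by_ip = defaultdict(set), {}
    for host, ip, asn, first, last in rows:
        if as_of is None or first <= as_of <= last:
            hosts_by_ip[ip].add(host)
            asn_by_ip[ip] = asn
    result = {}
    for ip, hosts in hosts_by_ip.items():
        if seed not in hosts or asn_by_ip[ip] in noisy_asns:
            continue  # seed never here, or the IP belongs to a noisy ASN
        if len(hosts) > max_set:
            continue  # too many tenants to say anything about the operator
        peers = sorted(hosts - {seed})
        if peers:
            result[ip] = peers
    return result

if __name__ == "__main__":
    print("ever:", cohosted(SEED, PDNS))
    print("on 2024-05-01:", cohosted(SEED, PDNS, as_of=D(2024, 5, 1)))
```

The historical query surfaces the short-lived fourth domain that a current-resolution lookup misses, while the CDN and shared-host IPs contribute nothing to the cluster.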
Co-hosting in Whisper
Whisper treats RESOLVES_TO as a typed graph edge with a time range. Analysts ask "every hostname that has ever resolved to this IP, excluding shared-hosting ASNs" or "hostnames currently co-hosted on this IP whose ASN reputation is below threshold X" — and get a clustered answer in milliseconds.