NetBeacon Reporter

From ICANNWiki

NetBeacon Reporter or simply NetBeacon is a free tool that simplifies DNS Abuse reporting for individuals and organizations and provides domain registrars with the information and tools they need to act.[1] It is a tool developed by the NetBeacon Institute in collaboration with CleanDNS to combat DNS Abuse.[2] The tool enables online abuse reporting, and provides vetting and identity verification for abuse complaints. Reports are routed to the relevant organizations after vetting.[2] It handles reports of malware, phishing, botnets, and spam.

History

NetBeacon grew out of a need in the domain community for a way to approach the problems DNS Abuse presents. For this reason, the NetBeacon Institute (at the time named the DNS Abuse Institute) worked to understand the complexities of mitigating DNS Abuse and then came up with programs and goals to fulfill its mission.[3]

In November 2021, Graeme Bunton, Director of the Institute, published that the Institute was developing a Centralized Abuse Reporting Tool (CART). The intention of this tool was to provide a single platform to report DNS Abuse by outlining the evidence requirements for each abuse type, properly formatting and enriching the request details provided, and then forwarding the report to the appropriate registry or registrar. The goal was to standardize reliable processes to improve both the act of reporting abuse and the abuse reports that registrars and registries receive. As part of its requirements gathering, the Institute researched the reporting processes of the largest registries and registrars in order to better understand how they accept reports of abuse. Publicly available information from registry and registrar websites was collected to obtain data on their abuse reporting implementations and processes.[4] The Institute concluded that there were two main, and interrelated, problems:

  • Complexity: Reporting DNS Abuse to registrars and registries required technical knowledge and ability to navigate the entire ecosystem, which could be onerous, confusing, non-standardized, and extremely difficult to do at Internet-scale.
  • Quality: The DNS Abuse reports that registrars and registries received were frequently duplicative, unevidenced, unactionable, and often contained domains that were not related to them. This consumed time and resources with little of that effort improving the Internet.[3]

In April 2022, the Institute provided an update describing what the tool was going to be: an abuse reporting intermediary, which would improve the experience for people who want to report abuse by providing a single place to report DNS Abuse across the ecosystem in a simple, standardized fashion. A centralized solution had been called for in several important cross-community outputs, including the recommendations of the Second Security and Stability Review Team (SSR2) and SAC 115: Report on an Interoperable Approach to Addressing Abuse, a report from ICANN’s Security and Stability Advisory Committee (SSAC). The Institute also announced that the name CART would be changed to NetBeacon.[5]

In June 2022, the Institute, supported by Public Interest Registry (PIR) and CleanDNS, launched NetBeacon Reporter, usually called simply NetBeacon.

The service is free and was mainly directed at registrars. NetBeacon aimed to make it easier for registrars to receive actionable, high quality reports of phishing, malware, botnets, and spam. It also included customization to individual needs.

They claimed that their reports were:

  • Evidenced: The standardized abuse reporting forms prevent reporters from submitting a report that does not meet a basic evidentiary standard. The reports were enriched with additional external API sources (like Reputation Block Lists, Hybrid Analysis).
  • Relevant: The service associates the domain name with the relevant registrar to ensure that a registrar receives only reports relevant to its domains under management. There was also the possibility of redirecting potential reporters to NetBeacon instead of having them send abuse teams reports that those teams cannot action. Also, a registrar could embed the NetBeacon tool in its own abuse reporting webpage, filtering out the irrelevant reports and sending them to NetBeacon for redirection to the relevant registrar.
  • Flexible on format: One could choose which email address the standardized report should go to, and pick human readable format or XARF, or consume reports via API.
  • Customizable: One was able to decide if reports were wanted instantly, or compiled and sent daily, and also which types of reports were to be received (phishing, malware, botnets and spam).
  • Simplifying Triage: If some reporters send particularly useful reports (or not), they and their subsequent reports could be labeled to speed and simplify the triage processes.[3]

Function

NetBeacon’s core functions are designed to make it easier for registrars to receive and process abuse claims. By providing a single venue, with standardized fields and evidence requirements, NetBeacon aims to improve the quality of reports. Each report includes fields for the domain in question, the type of abuse, a description of abuse, date of abuse, and any additional evidence. The Institute accepts DNS Abuse reports through three core mechanisms. Reports can be submitted via NetBeacon’s website (www.netbeacon.org).[6]

In April 2023 came the second Annual Report from the Institute, which included content about NetBeacon Reporter. It said that the reception of NetBeacon was overwhelmingly positive, with multiple references from the ICANN Governmental Advisory Committee, and positive press. Although report recipients, primarily registrars, were generally well served by the service, there was also a need for more features to help abuse reporters. As such, new features started being developed to:

  • Allow registries to use NetBeacon to distribute reports to their registrar channel
  • Enable the verification of DNS Abuse reporters
  • Enable branded reports with boilerplate text for verified abuse reporters.[7]

References