Line 28: |
Line 28: |
| * [[Protocol Attack]]s, | | * [[Protocol Attack]]s, |
| * the exploitation of implementation vulnerabilities, <ref>[https://www.verisign.com/en_US/company-information/dns-abuse/index.xhtml DNS Abuse, Verisign]</ref> | | * the exploitation of implementation vulnerabilities, <ref>[https://www.verisign.com/en_US/company-information/dns-abuse/index.xhtml DNS Abuse, Verisign]</ref> |
− | * [[Registrar Hopping]], aka TLD Hopping<ref>[https://annualreport2020.iwf.org.uk/trends/international/other/toplevel TLD Hopping, IWF 2020 Annual Report]</ref><ref>[https://www.zdnet.com/article/the-pirate-bays-domain-hopping-tour-takes-it-to-perus-pe/ The Pirate Bay's Domain Hopping Tour Takes It to Peru]</ref> | + | * [[Hopping]] can refer to registrar or registry hopping<ref>[https://annualreport2020.iwf.org.uk/trends/international/other/toplevel TLD Hopping, IWF 2020 Annual Report]</ref><ref>[https://www.zdnet.com/article/the-pirate-bays-domain-hopping-tour-takes-it-to-perus-pe/ The Pirate Bay's Domain Hopping Tour Takes It to Peru]</ref> |
| | | |
| ===DNS abuse adjacent issues=== | | ===DNS abuse adjacent issues=== |
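Review bot: the rewritten bullet drops the name "TLD Hopping" but keeps both citations that use it (the IWF entry is titled "TLD Hopping" and the ZDNet piece describes a "Domain Hopping Tour"), so a reader following the refs will find neither "registrar hopping" nor "registry hopping" named in the sources; consider keeping the alias, e.g. `* [[Hopping]] can refer to registrar, registry, or TLD hopping`, or moving these two refs to the [[Hopping]] article that the new link points at.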
Line 89: |
Line 89: |
| ==Open Questions== | | ==Open Questions== |
| ===Defining and Measuring the Problem=== | | ===Defining and Measuring the Problem=== |
| + | ''Should we worry about defining it completely?'' |
| + | * [[Graeme Bunton]]: no, let's stop focusing on the edges and focus on the areas of core consensus.<ref>[https://74.schedule.icann.org/meeting At-Large Policy: An End User's Perspective on the Role of At-Large in DNS Abuse, ICANN 74]</ref> |
| + | |
| ''Is there a hard and fast difference between technical abuse and content abuse?'' | | ''Is there a hard and fast difference between technical abuse and content abuse?'' |
| *The [[BC]] and [[GAC]] want more enforcement from [[ICANN]] in terms of gray areas, for instance, when technical and content abuse overlap<ref>[https://www.circleid.com/posts/20200723-the-state-of-dns-abuse-moving-backward-not-forward/ Cole, Mason. "The State of DNS Abuse Moving Backward," CircleID. July 23, 2020.]</ref> | | *The [[BC]] and [[GAC]] want more enforcement from [[ICANN]] in terms of gray areas, for instance, when technical and content abuse overlap<ref>[https://www.circleid.com/posts/20200723-the-state-of-dns-abuse-moving-backward-not-forward/ Cole, Mason. "The State of DNS Abuse Moving Backward," CircleID. July 23, 2020.]</ref> |
− | *The [[ICANN Board]] does not want to deliberate over content issues | + | *The [[ICANN Board]] does not deliberate over content issues |
| | | |
| ''How should DNS abuse be measured?'' | | ''How should DNS abuse be measured?'' |
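Review bot: changing "does not want to deliberate over content issues" to "does not deliberate over content issues" turns a stated position into a factual claim about Board practice, and the bullet has no citation in either version; either keep the original wording or add a reference, as the adjacent BC/GAC bullet does with its CircleID ref. A minor style point in the same hunk: the new Graeme Bunton item is written `* [[Graeme Bunton]]` while the surrounding items use `*The`, so the list mixes both spacings.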
Line 99: |
Line 102: |
| # [https://www.phishtank.com/index.php PhishTank] | | # [https://www.phishtank.com/index.php PhishTank] |
| # [https://thenew.org/org-people/about-pir/resources/anti-abuse-metrics/ .ORG Anti-Abuse Metrics] | | # [https://thenew.org/org-people/about-pir/resources/anti-abuse-metrics/ .ORG Anti-Abuse Metrics] |
| + | |
| + | ''What are the best tools and techniques for measuring DNS abuse?''<br/> |
| + | In April 2022, [[Adiel Akplogan]], vice president for technical engagement at ICANN, furthered the conversation around DNS Abuse measurement, opening the [https://community.icann.org/display/SIFT/DNS+Abuse+Measurement+Technology Special Interest Forum on DNS Abuse Measurement Technology] and seeking in particular: |
| + | # Techniques for detecting DNS abuse (including machine learning techniques) |
| + | # Techniques to categorize types of DNS abuse |
| + | # Industry tools (commercial or open-source) and matters of commercial or practical interest regarding DNS abuse measurements |
| + | # New standards/tools to measure and share DNS abuse information |
| + | # Analysis of open source threat intelligence datasets related to DNS abuse |
| + | # Description of real-world examples of emerging/existing DNS abuse |
| | | |
| ===Responsibility=== | | ===Responsibility=== |
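Review bot: the new prompt `''What are the best tools and techniques for measuring DNS abuse?''<br/>` ends with a `<br/>`, whereas the other Open Questions prompts in this section (`''How should DNS abuse be measured?''`, `''Is there a hard and fast difference ...''`) are followed directly by their answer text or list; drop the `<br/>` so the prompts render uniformly. The same paragraph also alternates between "DNS Abuse" and "DNS abuse"; the page body otherwise uses the lower-case form outside proper names.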
Line 123: |
Line 135: |
| | | |
| ===Progress=== | | ===Progress=== |
− | ''Is it getting better or worse''? | + | ''Is it getting better or worse?'' |
| + | |
| + | ''Getting worse''<br/> |
| + | In March 2021, the FBI’s [[Internet Crime Complaint Center]] (IC3) released its 2020 Internet Crime Report. There were 791,790 complaints of suspected internet crime, which indicated an increase of more than 300,000 from 2019, involving losses in excess of US$4.2 billion. Phishing, non-payment/non-delivery scams, and extortion were the top three types of crime reported.<ref>[https://www.fbi.gov/news/pressrel/press-releases/fbi-releases-the-internet-crime-complaint-center-2020-internet-crime-report-including-covid-19-scam-statistics FBI releases 2020 Internet Crime Report]</ref> <br/> |
| | | |
− | ''Getting worse'': In March 2021, the FBI’s [[Internet Crime Complaint Center]] (IC3) released its 2020 Internet Crime Report. There were 791,790 complaints of suspected internet crime, which indicated an increase of more than 300,000 from 2019, involving losses in excess of US$4.2 billion. Phishing, non-payment/non-delivery scams, and extortion were the top three types of crime reported.<ref>[https://www.fbi.gov/news/pressrel/press-releases/fbi-releases-the-internet-crime-complaint-center-2020-internet-crime-report-including-covid-19-scam-statistics FBI releases 2020 Internet Crime Report]</ref> <br/> | + | ''Getting better''<br/> |
− | ''Getting better'':
| + | In March 2022, [[ICANN]] released a report of DNS Abuse from the last 4 years and indicated the practice was trending down.<ref>[https://www.icann.org/en/blogs/details/icann-publishes-dns-abuse-trends-22-03-2022-en ICANN DNS Abuse Trends, March 2022, ICANN Blogs]</ref><ref>[https://domainnamewire.com/2022/03/22/icann-dns-abuse-is-going-down/ DNS Abuse is going down? Domain Name Wire]</ref><br/> |
| | | |
| ''Are new or Legacy gTLDs experiencing more problems?'' | | ''Are new or Legacy gTLDs experiencing more problems?'' |
− | The February 2021 [[DAAR]] report indicates the majority (64.8%) of security issues are occurring in legacy [[TLDs]], which comprise 88.8% of resolving gTLD domains in zone files.<ref>[https://www.icann.org/en/system/files/files/daar-monthly-report-28feb21-en.pdf DAAR monthly report Feb 2021]</ref>
| + | *On January 31, 2022, the [[European Commission]] published a [https://op.europa.eu/en/publication-detail/-/publication/d9804355-7f22-11ec-8c40-01aa75ed71a1/language-en/format-PDF/source-search Study on DNS Abuse], conducted by Fasano Paulovics Società tra Avvocati and Institut Polytechnique de Grenoble. Its key findings included:<ref>[https://op.europa.eu/en/publication-detail/-/publication/d9804355-7f22-11ec-8c40-01aa75ed71a1/language-en/format-PDF/source-search Study on DNS Abuse Technical Report Appendix 1, Directorate-General for Communications Networks, Content and Technology (European Commission), Fasano Paulovics Società tra Avvocati, Grenoble INP-UGA Institute of Engineering 2022-01-31]</ref><br/> |
− | | + | ''Legacy''<br/> |
− | On January 31, 2022, the [[European Commission]] published a [https://op.europa.eu/en/publication-detail/-/publication/d9804355-7f22-11ec-8c40-01aa75ed71a1/language-en/format-PDF/source-search Study on DNS Abuse], conducted by Fasano Paulovics Società tra Avvocati and Institut Polytechnique de Grenoble. Its key findings included:<ref>[https://op.europa.eu/en/publication-detail/-/publication/d9804355-7f22-11ec-8c40-01aa75ed71a1/language-en/format-PDF/source-search Study on DNS Abuse Technical Report Appendix 1, Directorate-General for Communications Networks, Content and Technology (European Commission), Fasano Paulovics Società tra Avvocati, Grenoble INP-UGA Institute of Engineering 2022-01-31]</ref> | + | * The February 2021 [[DAAR]] report indicates the majority (64.8%) of security issues are occurring in legacy [[TLDs]], which comprise 88.8% of resolving gTLD domains in zone files.<ref>[https://www.icann.org/en/system/files/files/daar-monthly-report-28feb21-en.pdf DAAR monthly report Feb 2021]</ref> |
− | # The overall health of [[TLD]]s:
| + | * Legacy TLD domains, 53% of the market, comprise almost 49% of DNS abuse. Domains in [[.com]] and [[.net]] TLDs are the most abused. <br/> |
− | #* nTLDs, 6.6% of the market, are the most abused group of TLDs in relative terms. In 2021, 20.5% of all abused domain names were registered in new gTLDs. Specifically, the two most abused nTLDs together account for 41% of all nTLD abuse.
| + | ''nTLDs'' <br/> |
− | #* Legacy TLD domains, 53% of the market, comprise almost 49% of DNS abuse. Domains in [[.com]] and [[.net]] TLDs are the most abused.
| + | * nTLDs, 6.6% of the market, are the most abused group of TLDs in relative terms. In 2021, 20.5% of all abused domain names were registered in new gTLDs. Specifically, the two most abused nTLDs together account for 41% of all nTLD abuse.<br/> |
− | #* EU ccTLDs are the least abused; only 0.8% of all abuse ([[Compromised Domain]]s and [[Malicious Domain]]s) were registered under EU ccTLDs. [[.eu]], [[.de]], [[.nl]], [[.fr]], [[.pl]], [[.it]], [[.es]], and [[.be]] account for 76% of all abuse among EU ccTLDs. Abused [[.ru]] and [[.su]] second-level domain names account for 75% of all abused domains among non-EU ccTLDs.
| + | ''among ccTLDs?''<br/> |
− | # [[Malicious Domain]]s and [[Compromised Domain]]s:
| + | * EU ccTLDs are the least abused; only 0.8% of all abuse ([[Compromised Domain]]s and [[Malicious Domain]]s) were registered under EU ccTLDs. [[.eu]], [[.de]], [[.nl]], [[.fr]], [[.pl]], [[.it]], [[.es]], and [[.be]] account for 76% of all abuse among EU ccTLDs. Abused [[.ru]] and [[.su]] second-level domain names account for 75% of all abused domains among non-EU ccTLDs. |
− | #* Most [[spam]] and [[Botnet Attacks|botnet]] control and command [[domain name]]s are maliciously registered.
| + | ''Which is more prevalent? Malicious or Compromised Domains?''<br/> |
− | #* Almost 25% of [[phishing]] domain names and 41% of [[malware]] are registered by legitimate users. They are compromised at the hosting level and thus cannot be addressed at the [[DNS]] level without collateral damage.
| + | ''[[Malicious Domain]]s''<br/> |
− | #* 42% of hacked websites occur among more frequently used TLDs. In less-used new gTLDs, hackers directly register domains for malicious activities.
| + | * Most [[spam]] and [[Botnet Attacks|botnet]] control and command [[domain name]]s are maliciously registered. |
− | #* [[Registries]] and [[registrars]] can act at the DNS level but not on the hosting infrastructure unless they also offer hosting services.
| + | * 42% of hacked websites occur among more frequently used TLDs. In less-used new gTLDs, hackers directly register domains for malicious activities. |
− | #* The top five most abused registrars account for 48% of all maliciously registered domain names.
| + | * [[Registries]] and [[registrars]] can act at the DNS level but not on the hosting infrastructure unless they also offer hosting services. |
− | #* Phishers use free subdomain and hosting providers, which do not work well for spammers and botnet C&C activity. For phishing abuse, half of the 10 most abused TLDs ([[.ml]], [[.tk]], [[.ga]], [[.cf]], and [[.gq]]) are operated by [[Freenom]].
| + | * The top five most abused registrars account for 48% of all maliciously registered domain names. |
− | # Adoption of [[DNSSEC]] and mail protection protocols:
| + | ''[[Compromised Domain]]s''<br/> |
− | #* DNSSEC adoption remains low. Of 227 million domain names, only 9.4 million meet all required resource records; however, 98% of them are correctly signed and validated.
| + | * Almost 25% of [[phishing]] domain names and 41% of [[malware]] are registered by legitimate users. They are compromised at the hosting level and thus cannot be addressed at the [[DNS]] level without collateral damage. |
− | #* In Europe, [[.cz]] (59%), [[.se]] (55%), [[.nl]] (51%), and [[.sk]] (48%) have the highest adoption of DNSSEC and offer price incentives and technical support.
| + | * Phishers use free subdomain and hosting providers, which do not work well for spammers and botnet C&C activity. For phishing abuse, half of the 10 most abused TLDs ([[.ml]], [[.tk]], [[.ga]], [[.cf]], and [[.gq]]) are operated by [[Freenom]]. |
− | #* Around the world, 2.5 million open DNS resolvers can be used as amplifiers in [[DDoS Attack]]s.
| + | ''Adoption of preventative measures?''<br/> |
− | #* 60% of 247 million domain names do not use SPF and 97% do not use DMARC records to prevent [[Cybercrime|Email Spoofing and Business Email Compromise]] scams.
| + | * DNSSEC adoption remains low. Of 227 million domain names, only 9.4 million meet all required resource records; however, 98% of them are correctly signed and validated. |
| + | * In Europe, [[.cz]] (59%), [[.se]] (55%), [[.nl]] (51%), and [[.sk]] (48%) have the highest adoption of DNSSEC and offer price incentives and technical support. |
| + | * Around the world, 2.5 million open DNS resolvers can be used as amplifiers in [[DDoS Attack]]s. |
| + | * 60% of 247 million domain names do not use SPF and 97% do not use DMARC records to prevent [[Cybercrime|Email Spoofing and Business Email Compromise]] scams. |
| | | |
| ==References== | | ==References== |
| | | |
| [[Category:Practices]] | | [[Category:Practices]] |
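Review bot: in the restructured "Are new or Legacy gTLDs experiencing more problems?" answer, the bullet `* The February 2021 [[DAAR]] report indicates the majority (64.8%) ...` now sits under the European Commission bullet that ends with "Its key findings included:", so the DAAR figure reads as a finding of the EC study rather than of ICANN's DAAR report; move the DAAR bullet above the EC study line or give it its own lead-in. Related points in the same hunk: the sub-headings inserted between the findings are inconsistently cased and punctuated (`''Legacy''`, `''nTLDs''`, `''among ccTLDs?''`, `''Adoption of preventative measures?''`), and the EU ccTLD and nTLD findings are no longer visibly attributed to the study whose "key findings" line introduces only the Legacy group. Splitting the former combined "Malicious Domains and Compromised Domains" list also puts the "42% of hacked websites ..." bullet and the "[[Registries]] and [[registrars]] can act at the DNS level ..." bullet under `''[[Malicious Domain]]s''`, although hacked websites are [[Compromised Domain]]s in the page's own terminology and the registry/registrar bullet is about remediation capability rather than malicious registration; a short note that these findings apply to both groups, or restoring the combined list, would avoid the misplacement.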