Domain Abuse Activity Reporting

Revision as of 23:49, 13 July 2021 by Jessica (Process)

Domain Abuse Activity Reporting (DAAR) is a system for studying and reporting on domain name registration and DNS Abuse. The aim of the DAAR project is to develop a methodology for analyzing security threats to inform ICANN policy decisions.[1]

Process

DAAR collects TLD zone data and complements it with third-party Reputation Block Lists (RBLs) built from crowdsourcing, spam filters, and Honeypots that have identified Phishing, Malware, Spam, and Botnet Attacks. The iThreat Cyber Group (ICG) collects three data sets and reports them to DAAR.[2]

Zone Data

  1. Top-Level Domain Zone Data (through ICANN’s Centralized Zone Data Service)[3]
  2. Sponsoring Registrar Registration Data (contractually mandated for gTLDs and volunteered by ccTLDs), and
  3. Domain Reputation Data

Reputation Data Sources

  1. SURBL
  2. Spamhaus
  3. Anti-Phishing Working Group
  4. PhishTank
  5. Malware Patrol
  6. Abuse.ch

Reporting

DAAR data are currently released to registries via ICANN's Service Level Agreement Monitoring (SLAM) system and shared in monthly reports containing aggregate medians, aggregated statistics, and time-series analyses.

Critiques

At ICANN 71, several issues were raised during the discussion on RBLs and, by extension, DAAR. They included that:

  1. Neither DAAR nor the RBLs distinguish between maliciously registered and compromised domains;
  2. DAAR does not address mitigation or reflect how quickly abuse is addressed;
  3. The data are not immediately up to date;
  4. Concerns over the inclusion of content-based complaints (see also Bambenek's 2018 validation report,[4] which also mentioned the outsized impact of activity on small registrars' risk scores); and
  5. False positives.
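The cross-referencing described under Process (zone data joined against RBL listings, then aggregated per registrar) and the small-registrar effect noted in the critiques, as an added worked example. This is not DAAR's own code or data: the real system ingests CZDS zone files and commercial RBL feeds, whereas the domains, registrar names and list names below are constructed so the join and aggregation logic can be followed offline.

```python
"""Toy DAAR-style cross-reference of TLD zone data against reputation block lists.

Added illustration, not DAAR's own code. All inputs are constructed.
"""
from collections import defaultdict

THREAT_CATEGORIES = ("phishing", "malware", "spam", "botnet_c2")

# Constructed zone/registration data: (domain, sponsoring registrar).
ZONE_DATA = [
    ("shop-one.example", "Registrar-A"),
    ("news-two.example", "Registrar-A"),
    ("blog-three.example", "Registrar-A"),
    ("mail-four.example", "Registrar-A"),
    ("docs-five.example", "Registrar-A"),
    ("shop-six.example", "Registrar-A"),
    ("wiki-seven.example", "Registrar-A"),
    ("cdn-eight.example", "Registrar-A"),
    ("tiny-one.example", "Registrar-B"),
    ("tiny-two.example", "Registrar-B"),
]

# Constructed RBL observations: (domain, threat category, list name).
# The same domain may appear on several lists and with different casing;
# a domain absent from the zone data is deliberately included to show it is ignored.
RBL_HITS = [
    ("shop-one.example", "phishing", "list-1"),
    ("SHOP-ONE.example", "phishing", "list-2"),
    ("mail-four.example", "spam", "list-1"),
    ("mail-four.example", "malware", "list-3"),
    ("tiny-one.example", "phishing", "list-1"),
    ("not-in-zone.example", "botnet_c2", "list-1"),
]


def join_zone_with_rbls(zone_data, rbl_hits):
    """Return {domain: set(categories)} for zone domains that appear on any RBL.

    Domain names are normalised to lower case so that the same name listed by
    two sources is counted once. RBL entries for domains outside the zone data
    are dropped: only domains under TLDs with available zone files are scored.
    """
    in_zone = {domain.lower() for domain, _ in zone_data}
    flagged = defaultdict(set)
    for domain, category, _list_name in rbl_hits:
        name = domain.lower()
        if name in in_zone:
            flagged[name].add(category)
    return dict(flagged)


def aggregate_by_registrar(zone_data, flagged):
    """Per-registrar counts: total domains, distinct flagged domains,
    per-category counts, and flagged domains per 10,000 under management.

    The per-10k rate is what makes a handful of listings dominate the score
    of a registrar with a small portfolio.
    """
    stats = {}
    for domain, registrar in zone_data:
        s = stats.setdefault(
            registrar,
            {"total": 0, "flagged": 0, "per_10k": 0.0, **{c: 0 for c in THREAT_CATEGORIES}},
        )
        s["total"] += 1
        categories = flagged.get(domain.lower())
        if categories:
            s["flagged"] += 1
            for c in categories:
                s[c] += 1
    for s in stats.values():
        s["per_10k"] = round(10_000 * s["flagged"] / s["total"], 1)
    return stats


if __name__ == "__main__":
    flagged = join_zone_with_rbls(ZONE_DATA, RBL_HITS)
    for registrar, s in sorted(aggregate_by_registrar(ZONE_DATA, flagged).items()):
        cats = ", ".join(f"{c}={s[c]}" for c in THREAT_CATEGORIES)
        print(f"{registrar}: {s['flagged']}/{s['total']} flagged "
              f"({s['per_10k']} per 10k) {cats}")
```

In the constructed data Registrar-A has more listed domains in absolute terms, yet Registrar-B ends up with the higher per-10k rate from a single listing, which is the effect the validation report flagged for small registrars. Note also what the join cannot tell you: whether a flagged domain was registered for abuse or is a legitimate registration that was compromised, which is the first critique above.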

References