Difference between revisions of "DNS Abuse"

From ICANNWiki
 
(42 intermediate revisions by the same user not shown)
'''[[:Category:DNS Abuse|DNS Abuse]]''' is any malicious activity aimed at disrupting the [[DNS]] infrastructure or causing the DNS to operate in an unintended manner. It is different from [[:Category:Bad Practice|bad practices]]. Abusive activities include corrupting DNS zone data, gaining administrative control of a name server, and flooding the DNS with thousands of messages to degrade name-resolution services.<ref>[https://www.icann.org/en/icann-acronyms-and-terms/domain-name-system-abuse-en ICANN definition of DNS Abuse]</ref>  
  
 
'''Abuse ''of the'' DNS''': Traffic that causes DNS servers or intermediate architecture involved in the transmission or processing of DNS services, or both, to be degraded or unavailable to third parties, or that causes unintended results in the service provided by DNS service operators or registry service providers.
  
 
'''Abuse ''via the'' DNS''': Harmful cyber activity that cannot take place without using the DNS, but where the threat actors' operations do not constitute abuse of the DNS.<ref>[https://www.icann.org/en/system/files/files/presentation-day2db-first-dns-abuse-sig-hausding-26may21-en.pdf FIRST DNS Abuse SIG, IDS 2021]</ref>
 
  
 
==Related Articles==
 
Definitions of DNS abuse can refer to abuse of the protocol or the infrastructure, or to the use of DNS services or domain names to carry out other forms of abuse.<ref>[https://www.icann.org/en/system/files/files/sac-115-en.pdf SAC115 pg. 5]</ref> Manual mistakes, escalation of privileges, and compromised account access are all hallmarks of most breaches or attacks.<ref>[https://www.cisa.gov/sites/default/files/publications/CDM%20Success%20Story-CISA%20PAM%20Tool%20.pdf PAM Success Story, CISA]</ref>
  
According to the [https://www.internetjurisdiction.net/ Internet and Jurisdiction Policy Network], there are five broad categories of DNS abuse:<ref>[https://www.internetjurisdiction.net/uploads/pdfs/Papers/Domains-Jurisdiction-Program-Operational-Approaches.pdf Domains Jurisdiction Operational Approaches]</ref>
 
* [[malware]], such as [[ransomware]],  
 
* [[Botnet Attacks]],  
* [[phishing]] ([[FIRST]] DNS Abuse SIG argues that phishing that does not rely on the DNS is not DNS Abuse; e.g., it may be content abuse or it may occur via an unregistered domain),<ref>[https://www.icann.org/en/system/files/files/presentation-day2db-first-dns-abuse-sig-hausding-26may21-en.pdf FIRST DNS Abuse Presentation, IDS 2021]</ref>
 
* [[pharming]], and  
 
* [[spam]] (when it is used to deliver other forms of DNS Abuse), accounting for over 85% of DAAR-reported DNS abuse in February 2021.<ref>[https://www.icann.org/en/system/files/files/daar-monthly-report-28feb21-en.pdf DAAR monthly report Feb 2021]</ref>
  
A broader set of DNS security threats includes:
 
* [[DoS Attack]]s,  
 
* [[DDoS Attack]]s,  
 
* [[Cache Poisoning]],  
* [[Protocol Attack]]s,  
* the exploitation of implementation vulnerabilities,<ref>[https://www.verisign.com/en_US/company-information/dns-abuse/index.xhtml DNS Abuse, Verisign]</ref> and
* [[Hopping]], which can refer to registrar or registry hopping.<ref>[https://annualreport2020.iwf.org.uk/trends/international/other/toplevel TLD Hopping, IWF 2020 Annual Report]</ref><ref>[https://www.zdnet.com/article/the-pirate-bays-domain-hopping-tour-takes-it-to-perus-pe/ The Pirate Bay's Domain Hopping Tour Takes It to Peru]</ref>

===DNS abuse adjacent issues===
* [[Credential stuffing]]
* [[password spraying attacks]]
* Compromise of email accounts
* Password compromise
* Poor password management
* Insider credential theft and abuse

==Vectors==
The [[DSFI-TSG]] identified seven categories of attack vectors.<ref>[https://community.icann.org/display/DSFI/DSFI+TSG+Final+Report?preview=/176623416/176623417/DSFI-TSG-Final-Report.pdf DSFI-TSG Final Report, ICANN Community]</ref>
===Identity and Access Management===
* Attacks on and through credential systems result in the modification of registration data, which can lead to [[Domain Name Hijacking]], traffic interception, and [[Social Engineering Attacks]].
* When a registrant’s credentials are compromised, the attacker can impersonate the registrant to:
*# Transfer the domain out of the registrant’s control,
*# Modify the DNS servers to intercept traffic or redirect it to a criminal destination,
*# Modify the authoritative DNS servers, allowing attackers to monitor, alter, or deny queries and redirect end users to malicious endpoints,
*# Modify [[DNSSEC]]-related data by removing the DS records,
*# Modify authoritative records of the domain name, domain registration, or DNS service, or
*# Delete or de-register the domain.

===Access Control and Authorization===
* Bad actors can gain access to unauthorized services and/or data. In the case of a subdomain takeover, non-authorized users gain the ability to publish content under a DNS label that they have not been authorized to control.
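A subdomain takeover starts from a record the zone owner forgot: a CNAME that still points at an external hosting name nobody owns any more. The check below is an added example for this page, not DSFI-TSG code. It parses a small zone file, finds CNAMEs whose targets are outside the zone, and reports those that no longer resolve. The zone text and the `RESOLVES` table are constructed; in a real run the table would be replaced by live lookups, treating NXDOMAIN (or an unclaimed provider hostname) as dangling.

```python
"""Find CNAME records whose external targets no longer have an owner: the
dangling state that a subdomain takeover exploits. Added example for this
page, not DSFI-TSG code. The zone file and the resolver answers are
constructed; in production RESOLVES would be replaced by real lookups."""

ZONE_TEXT = """\
$ORIGIN example.com.
$TTL 3600
@         IN SOA   ns1.example.com. hostmaster.example.com. (2024010101 7200 900 1209600 300)
@         IN NS    ns1.example.com.
www       IN A     192.0.2.10
blog      IN CNAME blog-host.example-saas.invalid.      ; external hosting, account still active
old-shop  IN CNAME retired-tenant.example-shop.invalid. ; tenant deleted, record forgotten
intranet  IN CNAME www                                  ; in-zone alias written as a relative name
"""

# Constructed stand-in for live resolution of the external targets.
RESOLVES = {
    "blog-host.example-saas.invalid.": True,
    "retired-tenant.example-shop.invalid.": False,
}


def qualify(name, origin):
    """Turn a zone-file name into an absolute name under origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text):
    """Minimal master-file parser: $ORIGIN, ';' comments, optional TTL and
    class columns. Multi-line parenthesised records are not handled."""
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):          # $TTL and other directives
            continue
        owner, *rest = line.split()
        if rest and rest[0].isdigit():     # optional TTL column
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):  # optional class column
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        records.append((qualify(owner, origin), rtype, rdata))
    return origin, records


def find_dangling(zone_text, resolves):
    """Return (owner, target) pairs for CNAMEs pointing at unresolvable
    out-of-zone names. Unknown targets count as dangling (fail closed)."""
    origin, records = parse_zone(zone_text)
    published = {owner for owner, _, _ in records}
    dangling = []
    for owner, rtype, rdata in records:
        if rtype != "CNAME":
            continue
        target = qualify(rdata, origin)
        if target in published:
            continue                       # we serve the target ourselves
        if not resolves.get(target, False):
            dangling.append((owner, target))
    return dangling


if __name__ == "__main__":
    for owner, target in find_dangling(ZONE_TEXT, RESOLVES):
        print(f"DANGLING {owner} -> {target}")
```

Only `old-shop.example.com.` is reported: `blog` still resolves and `intranet` aliases a name the zone itself serves. Running this over every zone on each publish, and again when a hosting account is closed, closes the window in which an outsider can claim the abandoned target.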
===Resource Impersonation===
* A bad actor can impersonate a recursive resolver by intercepting traffic to it at the network layer after changing the user's configuration.
* When illegitimate server operators receive DNS queries for an authoritative nameserver, they can return incorrect response data, make it so only certain geographic areas see altered data, and populate a recursive cache with incorrect results.<ref>[https://community.icann.org/display/DSFI/DSFI+TSG+Final+Report?preview=/176623416/176623417/DSFI-TSG-Final-Report.pdf DSFI-TSG Final Report, pg. 15, ICANN Community]</ref>
* Look-alike domains rely on similarities in domain names, such as [[gTLD|domain suffix]] appending, [[Typosquatting]], [[IDN|internationalized domain name]] homographs, or [[bitsquatting]], to lead users into interacting with a bogus website, generally to carry out a phishing attack.
* Transport Layer Security (TLS) certificates can be issued to a requestor who is not the legitimate operator of the service secured by the certificate when access controls on DNS entries are inadequate or the BGP route has been manipulated through path injection or prefix, route, or IP hijacking.
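Brand-protection teams classify newly observed domains (from zone-file feeds or certificate-transparency logs) against the techniques just listed, and the classifier below is an added example of that, not code from the page or from the DSFI-TSG. It reports whether a candidate is a homograph (after folding confusable scripts and diacritics), a bitsquat (one character off by a single bit), a typosquat (edit distance one or an adjacent transposition) or a suffix-appending name of a protected brand. The `CONFUSABLES` table is a small constructed subset of Unicode's confusables data, and the registrable label is assumed to sit directly under the TLD; a deployment would use the Public Suffix List and the full UTS #39 table.

```python
"""Classify an observed domain name against protected brand labels and report
which look-alike technique from the list above it matches. Added example for
this page, not DSFI-TSG code. Assumptions: the registrable label is the one
directly under the TLD (a real deployment should consult the Public Suffix
List), and CONFUSABLES is a small constructed subset of Unicode's table."""
import unicodedata

# Constructed subset of Unicode confusables (UTS #39): non-Latin letters that
# render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u03bf": "o", "\u04bb": "h",
}


def skeleton(label):
    """Homograph 'skeleton': decode punycode, fold confusables to Latin,
    strip diacritics, lowercase."""
    if label.startswith("xn--"):
        label = label.encode("ascii").decode("idna")
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    decomposed = unicodedata.normalize("NFKD", folded)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_transposition(a, b):
    """Adjacent swap, e.g. 'exmaple' vs 'example'."""
    if len(a) != len(b):
        return False
    d = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return len(d) == 2 and d[1] == d[0] + 1 and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]]


def is_bitsquat(a, b):
    """Exactly one character differs, and by a single bit."""
    if len(a) != len(b):
        return False
    d = [(x, y) for x, y in zip(a, b) if x != y]
    if len(d) != 1:
        return False
    x = ord(d[0][0]) ^ ord(d[0][1])
    return x != 0 and x & (x - 1) == 0


def registrable_label(domain):
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_lookalike(domain, brands):
    """Return (brand, technique) pairs; an empty list means no match."""
    label = registrable_label(domain)
    skel = skeleton(label)
    hits = []
    for brand in (b.lower() for b in brands):
        if label == brand:
            continue                                   # the brand's own name
        if skel == brand:
            hits.append((brand, "homograph"))
        elif is_bitsquat(label, brand):
            hits.append((brand, "bitsquat"))
        elif levenshtein(label, brand) <= 1 or is_transposition(label, brand):
            hits.append((brand, "typosquat"))
        elif brand in label.split("-") or label.startswith(brand) or label.endswith(brand):
            hits.append((brand, "suffix-appending"))
    return hits


if __name__ == "__main__":
    for d in ["exampld.com", "exampl3.com", "ex\u0430mple.com", "example-login.com"]:
        print(d, classify_lookalike(d, ["example"]))
```

The checks are ordered from most to least specific, so a bit-flip that is also an edit-distance-one change is reported as a bitsquat, and the Cyrillic-а variant of `example` is reported as a homograph rather than as a typo. A hit is a signal for analyst review (or for a watch-list that feeds takedown and user-warning workflows), not proof of abuse: many edit-distance-one names are unrelated legitimate registrations.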
===Code and Protocol Vulnerabilities===
* Modifying the protocol, for instance through a software update, can cause interoperability issues and requires coordination among many implementers and operators, which leaves an opening for an attacker to access critical or trusted components within the DNS infrastructure chain.
* In the case of [[Cache Poisoning]], a perpetrator can insert incorrect data into a recursive nameserver's cache, which end users then receive and use.

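The resolver-side defences against cache poisoning are mechanical and worth seeing in code: a response is only accepted if it matches the outstanding query (transaction ID, question, and the randomly mixed-case name of DNS 0x20), and any record the answering server has no authority over is discarded before caching (the bailiwick rule). The block below is an added example for this page, not DSFI-TSG code. The messages are plain dictionaries standing in for parsed packets and the exchange is constructed.

```python
"""Resolver-side checks that blunt cache poisoning: accept a response only if
it matches the outstanding query (transaction ID, question, and the 0x20
mixed-case name), then drop every record the answering server is not
authoritative for (the bailiwick rule). Added example for this page, not
DSFI-TSG code. The messages are plain dicts standing in for parsed DNS
packets; the scenario is constructed."""
import secrets


def randomize_case(name):
    """DNS 0x20: randomly mix the case of the query name. An authoritative
    server echoes the question verbatim, so a forger must guess the pattern."""
    return "".join(ch.upper() if ch.isalpha() and secrets.randbits(1) else ch.lower()
                   for ch in name)


def in_bailiwick(owner, zone):
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def vet_response(query, response, server_zone):
    """Return (kept_records, reasons). A mismatch in ID or question rejects
    the whole message; otherwise out-of-bailiwick records are dropped one by
    one and the rest may be cached."""
    if response["id"] != query["id"]:
        return [], ["transaction ID mismatch: discard"]
    # Exact, case-sensitive comparison so the 0x20 pattern must match too.
    if response["qname"] != query["qname"] or response["qtype"] != query["qtype"]:
        return [], ["question section mismatch: discard"]
    kept, reasons = [], []
    for section in ("answer", "authority", "additional"):
        for rr in response.get(section, []):
            if in_bailiwick(rr["owner"], server_zone):
                kept.append(rr)
            else:
                reasons.append(f"dropped out-of-bailiwick {rr['type']} for {rr['owner']} ({section})")
    return kept, reasons


# Constructed exchange with the server that is authoritative for example.net.
SERVER_ZONE = "example.net."
QUERY = {"id": 0x1A2B, "qname": "wWw.ExAmPlE.nEt.", "qtype": "A"}
RESPONSE = {
    "id": 0x1A2B, "qname": "wWw.ExAmPlE.nEt.", "qtype": "A",
    "answer": [{"owner": "www.example.net.", "type": "A", "data": "192.0.2.7"}],
    "authority": [{"owner": "example.net.", "type": "NS", "data": "ns1.example.net."}],
    "additional": [
        {"owner": "ns1.example.net.", "type": "A", "data": "192.0.2.53"},
        # This server has no authority over example.org; a resolver that cached
        # this glue would let any example.net server steer example.org traffic.
        {"owner": "ns1.example.org.", "type": "A", "data": "203.0.113.9"},
    ],
}


def run():
    return vet_response(QUERY, RESPONSE, SERVER_ZONE)


if __name__ == "__main__":
    kept, reasons = run()
    print(f"cached {len(kept)} records; {reasons}")
```

Three of the four records are cached and the `example.org` glue is dropped with a reason string suitable for logging. In a real resolver the ID and 0x20 checks sit alongside source-port randomization, and DNSSEC validation is the only check that rejects forged data even when all of these match.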
===Infrastructure Choices===
* Potential opportunities for attackers:
** long TTL values (lingering effects),
** short TTL values (hard to catch the culprit),
** relying on older, unpatched versions of nameserver software,
** building in less redundancy (for affordability),
** using all authoritative domain servers on the same IPv4 sub-network or physical network, and
** fate sharing.<ref>[https://community.icann.org/display/DSFI/DSFI+TSG+Final+Report?preview=/176623416/176623417/DSFI-TSG-Final-Report.pdf DSFI-TSG Final Report, pg. 23, ICANN Community]</ref>

===DNS===
* The DNS can be a channel for enabling other attacks, infiltrating a system or network, and extracting data:
** DNS query and response channels can be used to enable surreptitious communication between devices by appearing to be benign DNS traffic.
** Attackers can use DNS requests as the medium to transmit data to an external resource.

===[[DoS Attack|Denial of Service]]===
* Flooding a website with too much traffic can stop it from responding to queries; bugs can also be used to destabilize the system's security.[2] Distributed denial of service attacks ([[DDoS Attack]]s) are a form of DoS attack that is particularly dangerous and has received a lot of attention in the last few years.
  
 
==History==
''In 2009-2010'', the [https://gnso.icann.org/sites/default/files/filefield_12530/rap-wg-final-report-29may10-en.pdf Registration Abuse Prevention Working Group] (RAPWG) generated a report that distinguished between “Registration Abuse” (technical abuse) and “Use Abuse” (content abuse). Technical abuse was defined as attempts to harm the DNS infrastructure and/or use the DNS to cause harm. Content abuse was defined as harms carried out through the use of a domain name, such as through the content on a website. This category of harm includes trademark and copyright infringement, defamation, piracy, child sexual abuse, and hate speech. The RAPWG concluded that technical abuse was within ICANN’s jurisdiction but content abuse was not. However, the working group recommended the development of the Uniform Dispute Resolution Policy ([[UDRP]]) because it involved the registration and use of domain names in bad faith.<ref>[https://comlaude.com/app/uploads/2019/11/DNS-Abuse-History.pdf Com Laude History of DNS Abuse PDP]</ref>  
  
 
''In 2013'', conversations between the [[GAC|Governmental Advisory Committee]] and the [[ICANN Board]] led to an amendment to [[Registry Agreements]] to include [[Specification 11]]. [[Registry]] operators must now periodically conduct a technical analysis to assess whether domains within their [[TLD]] are used to carry out security threats, such as pharming, phishing, malware, and botnets. They must also include terms in their [[RRA]]s such that registrants are prohibited from perpetrating technical and content abuse.
 
==Open Questions==
 
===Defining and Measuring the Problem===

''Should we worry about defining it completely?''
* [[Graeme Bunton]]: no, let's stop focusing on the edges and focus on the areas of core consensus.<ref>[https://74.schedule.icann.org/meeting At-Large Policy: An End User's Perspective on the Role of At-Large in DNS Abuse, ICANN 74]</ref>

''Is there a hard and fast difference between technical abuse and content abuse?''
 
*The [[BC]] and [[GAC]] want more enforcement from [[ICANN]] in terms of gray areas, for instance, when technical and content abuse overlap.<ref>[https://www.circleid.com/posts/20200723-the-state-of-dns-abuse-moving-backward-not-forward/ Cole, Mason. "The State of DNS Abuse Moving Backward," CircleID. July 23, 2020.]</ref>
*The [[ICANN Board]] does not deliberate over content issues.
  
 
''How should DNS abuse be measured?''
 
# [https://www.phishtank.com/index.php PhishTank]
 
# [https://thenew.org/org-people/about-pir/resources/anti-abuse-metrics/ .ORG Anti-Abuse Metrics]

''What are the best tools and techniques for measuring DNS abuse?''<br/>
In April 2022, [[Adiel Akplogan]], vice president for technical engagement at ICANN, furthered the conversation around DNS Abuse measurement, opening the [https://community.icann.org/display/SIFT/DNS+Abuse+Measurement+Technology Special Interest Forum on DNS Abuse Measurement Technology] and seeking in particular:
# Techniques for detecting DNS abuse (including machine learning techniques)
# Techniques to categorize types of DNS abuse
# Industry tools (commercial or open-source) and matters of commercial or practical interest regarding DNS abuse measurements
# New standards/tools to measure and share DNS abuse information
# Analysis of open source threat intelligence datasets related to DNS abuse
# Description of real-world examples of emerging/existing DNS abuse
  
 
===Responsibility===
  
 
[[Interoperability]]: ''Can the various stakeholders work together to combat attacks?''
* The [[DNS Abuse Institute]] is working on bringing all solutions to content and technical abuse together.<ref>[https://circleid.com/posts/20210820-dns-abuse-definition-attributes-of-mitigation DNS Abuse Mitigation Attributes, CircleID]</ref>
  
 
===Mitigation===
* [[DNS Abuse Responses|How is DNS Abuse being handled?]]  
* How to make abuse [[RBL|notifications]] more helpful by
:# being more timely (immediately posted and immediately taken down) and
:# distinguishing between [[Compromised Domain]]s and [[Malicious Domain]]s?
* Is there too much focus on Authoritative DNS and not enough on the entire DNS ecosystem?
* How to reduce gap/time lag between policy and incident response?<ref>[https://www.icann.org/en/system/files/files/presentation-day2db-first-dns-abuse-sig-hausding-26may21-en.pdf FIRST DNS Abuse SIG Presentation, IDS 2021]</ref>
  
 
===Intersecting Issues===
  
 
===Progress===
''Is it getting better or worse?''

''Getting worse''<br/>
In March 2021, the FBI’s [[Internet Crime Complaint Center]] (IC3) released its 2020 Internet Crime Report. There were 791,790 complaints of suspected internet crime, an increase of more than 300,000 from 2019, involving losses in excess of US$4.2 billion. Phishing, non-payment/non-delivery scams, and extortion were the top three types of crime reported.<ref>[https://www.fbi.gov/news/pressrel/press-releases/fbi-releases-the-internet-crime-complaint-center-2020-internet-crime-report-including-covid-19-scam-statistics FBI releases 2020 Internet Crime Report]</ref><br/>

''Getting better''<br/>
In March 2022, [[ICANN]] released a report on DNS Abuse trends over the last four years and indicated the practice was trending down.<ref>[https://www.icann.org/en/blogs/details/icann-publishes-dns-abuse-trends-22-03-2022-en ICANN DNS Abuse Trends, March 2022, ICANN Blogs]</ref><ref>[https://domainnamewire.com/2022/03/22/icann-dns-abuse-is-going-down/ DNS Abuse is going down? Domain Name Wire]</ref><br/>
  
 
''Are new or Legacy gTLDs experiencing more problems?''
*On January 31, 2022, the [[European Commission]] published a [https://op.europa.eu/en/publication-detail/-/publication/d9804355-7f22-11ec-8c40-01aa75ed71a1/language-en/format-PDF/source-search Study on DNS Abuse], conducted by Fasano Paulovics Società tra Avvocati and Institut Polytechnique de Grenoble. Its key findings included:<ref>[https://op.europa.eu/en/publication-detail/-/publication/d9804355-7f22-11ec-8c40-01aa75ed71a1/language-en/format-PDF/source-search Study on DNS Abuse Technical Report Appendix 1, Directorate-General for Communications Networks, Content and Technology (European Commission), Fasano Paulovics Società tra Avvocati, Grenoble INP-UGA Institute of Engineering 2022-01-31]</ref><br/>
''Legacy''<br/>
* The February 2021 [[DAAR]] report indicates the majority (64.8%) of security issues are occurring in legacy [[TLDs]], which comprise 88.8% of resolving gTLD domains in zone files.<ref>[https://www.icann.org/en/system/files/files/daar-monthly-report-28feb21-en.pdf DAAR monthly report Feb 2021]</ref>
* Legacy TLD domains, 53% of the market, comprise almost 49% of DNS abuse. Domains in the [[.com]] and [[.net]] TLDs are the most abused.<br/>
''nTLDs''<br/>
* nTLDs, 6.6% of the market, are the most abused group of TLDs in relative terms. In 2021, 20.5% of all abused domain names were registered in new gTLDs. Specifically, the two most abused nTLDs together account for 41% of all nTLD abuse.<br/>
''among ccTLDs?''<br/>
* EU ccTLDs are the least abused; only 0.8% of all abuse ([[Compromised Domain]]s and [[Malicious Domain]]s) was registered under EU ccTLDs. [[.eu]], [[.de]], [[.nl]], [[.fr]], [[.pl]], [[.it]], [[.es]], and [[.be]] account for 76% of all abuse among EU ccTLDs. Abused [[.ru]] and [[.su]] second-level domain names account for 75% of all abused domains among non-EU ccTLDs.
''Which is more prevalent? Malicious or Compromised Domains?''<br/>
''[[Malicious Domain]]s''<br/>
* Most [[spam]] and [[Botnet Attacks|botnet]] command-and-control [[domain name]]s are maliciously registered.
* 42% of hacked websites occur among more frequently used TLDs. In less-used new gTLDs, hackers directly register domains for malicious activities.
* [[Registries]] and [[registrars]] can act at the DNS level but not on the hosting infrastructure unless they also offer hosting services.
* The top five most abused registrars account for 48% of all maliciously registered domain names.
''[[Compromised Domain]]s''<br/>
* Almost 25% of [[phishing]] domain names and 41% of [[malware]] domain names are registered by legitimate users. They are compromised at the hosting level and thus cannot be addressed at the [[DNS]] level without collateral damage.
* Phishers use free subdomain and hosting providers, which do not work well for spammers and botnet C&C activity. For phishing abuse, half of the 10 most abused TLDs ([[.ml]], [[.tk]], [[.ga]], [[.cf]], and [[.gq]]) are operated by [[Freenom]].
''Adoption of preventative measures?''<br/>
* DNSSEC adoption remains low. Of 227 million domain names, only 9.4 million publish all the resource records DNSSEC requires; however, 98% of those are correctly signed and validated.
* In Europe, [[.cz]] (59%), [[.se]] (55%), [[.nl]] (51%), and [[.sk]] (48%) have the highest adoption of DNSSEC and offer price incentives and technical support.
* Around the world, 2.5 million open DNS resolvers can be used as amplifiers in [[DDoS Attack]]s.
* 60% of 247 million domain names do not use SPF and 97% do not use DMARC records to prevent [[Cybercrime|Email Spoofing and Business Email Compromise]] scams.
  
 
==References==
  
 
[[Category:Practices]]

Latest revision as of 15:10, 12 July 2022

DNS Abuse is any malicious activity aimed at disrupting the DNS infrastructure or causing the DNS to operate in an unintended manner. It is different from bad practices. Abusive activities include corrupting DNS zone data, gaining administrative control of a name server, and flooding the DNS with thousands of messages to degrade name-resolution services.[1]

Abuse of the DNS: Traffic that causes DNS servers or intermediate architecture involved in the transmission or processing of DNS services, or both, to be degraded or unavailable to third parties, or that causes unintended results in the service provided by DNS service operators or registry service providers.

Abuse via the DNS: Harmful cyber activity that cannot take place without using the DNS, but where the threat actors' operations do not constitute abuse of the DNS.[2]

Related Articles

  • See here for an overview of various stakeholders' opinions of and reactions to DNS Abuse.
  • See here for the closely related but much broader topic of cybercrime.

Overview

Definitions of DNS abuse can refer to abuse of the protocol or the infrastructure, or to the use of DNS services or domain names to carry out other forms of abuse.[3] Manual mistakes, escalation of privileges, and compromised account access are all hallmarks of most breaches or attacks.[4]

According to the Internet and Jurisdiction Policy Network, there are five broad categories of DNS abuse:[5]

  • malware, such as ransomware,
  • Botnet Attacks,
  • phishing (FIRST DNS Abuse SIG argues that phishing that does not rely on the DNS is not DNS Abuse; e.g., it may be content abuse or it may occur via an unregistered domain),[6]
  • pharming, and
  • spam (when it is used to deliver other forms of DNS Abuse), accounting for over 85% of DAAR-reported DNS abuse in February 2021.[7]

A broader set of DNS security threats includes:

  • DoS Attacks,
  • DDoS Attacks,
  • Cache Poisoning,
  • Protocol Attacks,
  • the exploitation of implementation vulnerabilities,[8] and
  • Hopping, which can refer to registrar or registry hopping.[9][10]

DNS abuse adjacent issues

  • Credential stuffing
  • password spraying attacks
  • Compromise of email accounts
  • Password compromise
  • Poor password management
  • Insider credential theft and abuse

Vectors

The DSFI-TSG identified seven categories of attack vectors.[11]

Identity and Access Management

  • Attacks on and through credential systems result in the modification of registration data, which can lead to Domain Name Hijacking, traffic interception, and Social Engineering Attacks.
  • When a registrant’s credentials are compromised, the attacker can impersonate the registrant to:
    1. Transfer the domain out of the registrant’s control,
    2. Modify the DNS servers to intercept traffic or redirect it to a criminal destination,
    3. Modify the authoritative DNS servers, allowing attackers to monitor, alter, or deny queries and redirect end users to malicious endpoints,
    4. Modify DNSSEC-related data by removing the DS records,
    5. Modify authoritative records of the domain name, domain registration, or DNS service, or
    6. Delete or de-register the domain.

Access Control and Authorization

  • Bad actors can gain access to unauthorized services and/or data. In the case of a subdomain takeover, non-authorized users gain the ability to publish content under a DNS label that they have not been authorized to control.

Resource Impersonation

  • A bad actor can impersonate a recursive resolver by intercepting traffic to it at the network layer after changing the user's configuration.
  • When illegitimate server operators receive DNS queries for an authoritative nameserver, they can return incorrect response data, make it so only certain geographic areas see altered data, and populate a recursive cache with incorrect results.[12]
  • Look-alike domains rely on similarities in domain names, such as domain suffix appending, Typosquatting, internationalized domain name homographs, or bitsquatting, to lead users into interacting with a bogus website, generally to carry out a phishing attack.
  • Transport Layer Security (TLS) certificates can be issued to a requestor who is not the legitimate operator of the service secured by the certificate when access controls on DNS entries are inadequate or the BGP route has been manipulated through path injection or prefix, route, or IP hijacking.

Code and Protocol Vulnerabilities

  • Modifying the protocol, for instance through a software update, can cause interoperability issues and requires coordination among many implementers and operators, which leaves an opening for an attacker to access critical or trusted components within the DNS infrastructure chain.
  • In the case of Cache Poisoning, a perpetrator can insert incorrect data into a recursive nameserver's cache, which end users then receive and use.

Infrastructure Choices

  • Potential opportunities for attackers:
    • long TTL values (lingering effects),
    • short TTL values (hard to catch the culprit),
    • relying on older, unpatched versions of nameserver software,
    • building in less redundancy (for affordability),
    • using all authoritative domain servers on the same IPv4 sub-network or physical network, and
    • fate sharing.[13]

DNS

  • The DNS can be a channel for enabling other attacks, infiltrating a system or network, and extracting data:
    • DNS query and response channels can be used to enable surreptitious communication between devices by appearing to be benign DNS traffic.
    • Attackers can use DNS requests as the medium to transmit data to an external resource.

Denial of Service

  • Flooding a website with too much traffic can stop it from responding to queries; bugs can also be used to destabilize the system's security.[2] Distributed denial of service attacks (DDoS Attacks) are a form of DoS attack that is particularly dangerous and has received a lot of attention in the last few years.

History

In 2009-2010, the Registration Abuse Prevention Working Group (RAPWG) generated a report that distinguished between “Registration Abuse” (technical abuse) and “Use Abuse” (content abuse). Technical abuse was defined as attempts to harm the DNS infrastructure and/or use the DNS to cause harm. Content abuse was defined as harms carried out through the use of a domain name, such as through the content on a website. This category of harm includes trademark and copyright infringement, defamation, piracy, child sexual abuse, and hate speech. The RAPWG concluded that technical abuse was within ICANN’s jurisdiction but content abuse was not. However, the working group recommended the development of the Uniform Dispute Resolution Policy (UDRP) because it involved the registration and use of domain names in bad faith.[14]

In 2013, conversations between the Governmental Advisory Committee and the ICANN Board led to an amendment to Registry Agreements to include Specification 11. Registry operators must now periodically conduct a technical analysis to assess whether domains within their TLD are used to carry out security threats, such as pharming, phishing, malware, and botnets. They must also include terms in their RRAs such that registrants are prohibited from perpetrating technical and content abuse.

In 2016, when the ICANN Bylaws were re-written as part of the IANA Transition, a provision was added to state that ICANN is not responsible for content.

In 2019, a group of domain name registries and registrars developed and released a document called the "Framework to Address Abuse," with 11 signatories.[15] By 2021, 48 signatory registrars and registries had voluntarily bound themselves by the principles laid out in the framework.[16]

Open Questions

Defining and Measuring the Problem

Should we worry about defining it completely?

  • Graeme Bunton: no, let's stop focusing on the edges and focus on the areas of core consensus.[17]

Is there a hard and fast difference between technical abuse and content abuse?

  • The BC and GAC want more enforcement from ICANN in terms of gray areas, for instance, when technical and content abuse overlap.[18]
  • The ICANN Board does not deliberate over content issues.

How should DNS abuse be measured?

  1. Domain Abuse Activity Reporting (DAAR) - ICANN releases a monthly report on malicious activity
  2. SURBL
  3. Spamhaus
  4. PhishTank
  5. .ORG Anti-Abuse Metrics

What are the best tools and techniques for measuring DNS abuse?

In April 2022, Adiel Akplogan, vice president for technical engagement at ICANN, furthered the conversation around DNS Abuse measurement, opening the Special Interest Forum on DNS Abuse Measurement Technology and seeking in particular:

  1. Techniques for detecting DNS abuse (including machine learning techniques)
  2. Techniques to categorize types of DNS abuse
  3. Industry tools (commercial or open-source) and matters of commercial or practical interest regarding DNS abuse measurements
  4. New standards/tools to measure and share DNS abuse information
  5. Analysis of open source threat intelligence datasets related to DNS abuse
  6. Description of real-world examples of emerging/existing DNS abuse

Responsibility

Remit: Whose job is it to stop the abuse?

  • Registries do not host content and therefore cannot remove a piece of content from a website. The only way to remove content from the Internet is to delete it from the computer that hosts it via the hosting provider, or permanently remove that device from the Internet.

Interoperability: Can the various stakeholders work together to combat attacks?

Mitigation

  1. being more timely (immediately posted and immediately taken down) and
  2. distinguishing between Compromised Domains and Malicious Domains?
  • Is there too much focus on Authoritative DNS and not enough on the entire DNS ecosystem?
  • How to reduce gap/time lag between policy and incident response?[20]

Intersecting Issues

Jurisdictional confusion

Law enforcement wants more cooperation from industry leaders

Data privacy and limits imposed by the General Data Protection Regulation

Progress

Is it getting better or worse?

Getting worse
In March 2021, the FBI’s Internet Crime Complaint Center (IC3) released its 2020 Internet Crime Report. There were 791,790 complaints of suspected internet crime, which indicated an increase of more than 300,000 from 2019, involving losses in excess of US$4.2 billion. Phishing, non-payment/non-delivery scams, and extortion were the top three types of crime reported.[21]

Getting better
In March 2022, ICANN released a report on DNS Abuse covering the last 4 years, indicating that the practice was trending down.[22][23]

Are new or legacy gTLDs experiencing more problems?

Legacy

  • The February 2021 DAAR report indicates the majority (64.8%) of security issues are occurring in legacy TLDs, which comprise 88.8% of resolving gTLD domains in zone files.[25]
  • Legacy TLD domains, 53% of the market, comprise almost 49% of DNS abuse. Domains in .com and .net TLDs are the most abused.

nTLDs

  • nTLDs, 6.6% of the market, are the most abused group of TLDs in relative terms. In 2021, 20.5% of all abused domain names were registered in new gTLDs. Specifically, the two most abused nTLDs together account for 41% of all nTLD abuse.

among ccTLDs?

Which is more prevalent? Malicious or Compromised Domains?
Malicious Domains

  • Most spam and botnet command-and-control domain names are maliciously registered.
  • 42% of hacked websites occur among more frequently used TLDs. In less-used new gTLDs, hackers directly register domains for malicious activities.
  • Registries and registrars can act at the DNS level but not on the hosting infrastructure unless they also offer hosting services.
  • The top five most abused registrars account for 48% of all maliciously registered domain names.

Compromised Domains

  • Almost 25% of phishing domain names and 41% of malware domain names are registered by legitimate users. They are compromised at the hosting level and thus cannot be addressed at the DNS level without collateral damage.
  • Phishers use free subdomain and hosting providers, which do not work well for spammers and botnet C&C activity. For phishing abuse, half of the 10 most abused TLDs (.ml, .tk, .ga, .cf, and .gq) are operated by Freenom.

Adoption of preventative measures?

  • DNSSEC adoption remains low. Of 227 million domain names, only 9.4 million publish all the required resource records; however, 98% of those are correctly signed and validate.
  • In Europe, .cz (59%), .se (55%), .nl (51%), and .sk (48%) have the highest adoption of DNSSEC and offer price incentives and technical support.
  • Around the world, 2.5 million open DNS resolvers can be used as amplifiers in DDoS attacks.
  • 60% of 247 million domain names do not publish SPF records and 97% do not publish DMARC records, which would help prevent Email Spoofing and Business Email Compromise scams.
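
An added example, not from this page or from ICANN, of how the adoption measures listed above can be checked for a set of domains: it reports each domain's SPF "all" qualifier, its DMARC policy tag, and whether DNSSEC is fully deployed (DNSKEY and RRSIG in the zone plus a DS at the parent), then aggregates the shares in the same spirit as the figures above. The record sets are constructed inline under the reserved `.example` TLD so the check runs offline; a real survey would fetch the apex TXT set, the `_dmarc` TXT set, and the DNSSEC records from DNS.

```python
import re

# Constructed sample data (not real domains): what a resolver would return for the
# apex TXT set, the _dmarc TXT set, and whether DNSKEY/RRSIG/DS records exist.
SAMPLE = {
    "signed.example": {
        "TXT": ["v=spf1 include:_spf.mail.example -all"],
        "_dmarc.TXT": ["v=DMARC1; p=reject; rua=mailto:dmarc@signed.example"],
        "DNSKEY": True, "RRSIG": True, "DS": True},
    "partial.example": {
        "TXT": ["site-verification=abc123", "v=spf1 ip4:192.0.2.0/24 ~all"],
        "_dmarc.TXT": ["v=DMARC1; p=none"],
        "DNSKEY": True, "RRSIG": True, "DS": False},  # signed, but no DS at the parent
    "bare.example": {
        "TXT": [], "_dmarc.TXT": [], "DNSKEY": False, "RRSIG": False, "DS": False},
}

def spf_policy(txt_records):
    """SPF 'all' qualifier ('-', '~', '?', '+') or None when there is no usable record."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # RFC 7208: zero records or duplicates both mean no valid SPF
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf[0])
    return (m.group(1) or "+") if m else None

def dmarc_policy(txt_records):
    """DMARC p= tag ('none', 'quarantine', 'reject') or None when absent/duplicated."""
    recs = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = dict(t.strip().split("=", 1) for t in recs[0].split(";") if "=" in t)
    return tags.get("p", "").strip().lower() or None

def dnssec_complete(rec):
    """True only when the zone is signed AND the parent publishes a DS for it."""
    return all(rec.get(k) for k in ("DNSKEY", "RRSIG", "DS"))

def assess(rec):
    return {"spf": spf_policy(rec["TXT"]),
            "dmarc": dmarc_policy(rec["_dmarc.TXT"]),
            "dnssec": dnssec_complete(rec)}

def adoption_summary(data):
    """Share of domains lacking SPF, lacking DMARC, and fully DNSSEC-deployed."""
    results = [assess(rec) for rec in data.values()]
    n = len(results)
    return {"no_spf": sum(r["spf"] is None for r in results) / n,
            "no_dmarc": sum(r["dmarc"] is None for r in results) / n,
            "dnssec_complete": sum(r["dnssec"] for r in results) / n}
```

A DMARC policy of "none" and a partially deployed DNSSEC chain both count as "present" only in the narrowest sense, which is why the per-domain detail is kept alongside the aggregate shares.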

References