Changes

Line 2: Line 2:  
   |__TOC__
 
   |__TOC__
 
   |}
 
   |}
'''[[:Category:DNS Abuse|DNS Abuse]]''' is any malicious activity aimed at disrupting the DNS infrastructure or causing the DNS to operate in an unintended manner. It is different from [[:Category:Bad Practice|bad practices]]. Abusive activities include corrupting DNS zone data, gaining administrative control of a name server, and flooding the DNS with thousands of messages to degrade name-resolution services.<ref>[https://www.icann.org/en/icann-acronyms-and-terms/domain-name-system-abuse-en ICANN definition of DNS Abuse]</ref>  
+
'''[[:Category:DNS Abuse|DNS Abuse]]''' is any malicious activity aimed at disrupting the [[DNS]] infrastructure or causing the DNS to operate in an unintended manner. It is different from [[:Category:Bad Practice|bad practices]]. Abusive activities include corrupting DNS zone data, gaining administrative control of a name server, and flooding the DNS with thousands of messages to degrade name-resolution services.<ref>[https://www.icann.org/en/icann-acronyms-and-terms/domain-name-system-abuse-en ICANN definition of DNS Abuse]</ref>  
    
'''Abuse ''of the'' DNS''': Traffic that causes DNS servers or intermediate architecture involved in the transmission or processing of DNS services, or both, to be degraded or unavailable to third parties, or that causes unintended results in the service provided by DNS service operators or registry service providers.
 
'''Abuse ''of the'' DNS''': Traffic that causes DNS servers or intermediate architecture involved in the transmission or processing of DNS services, or both, to be degraded or unavailable to third parties, or that causes unintended results in the service provided by DNS service operators or registry service providers.
Line 15: Line 15:  
Definitions of DNS abuse can refer to the abuse of the protocol or the infrastructure or using DNS services or domain names to carry out other forms of abuse<ref>[https://www.icann.org/en/system/files/files/sac-115-en.pdf SAC115 pg. 5]</ref>. Manual mistakes, escalation of privileges, and compromised account access are all hallmarks of most breaches or attacks.<ref>[https://www.cisa.gov/sites/default/files/publications/CDM%20Success%20Story-CISA%20PAM%20Tool%20.pdf PAM Success Story, CISA]</ref>
 
Definitions of DNS abuse can refer to the abuse of the protocol or the infrastructure or using DNS services or domain names to carry out other forms of abuse<ref>[https://www.icann.org/en/system/files/files/sac-115-en.pdf SAC115 pg. 5]</ref>. Manual mistakes, escalation of privileges, and compromised account access are all hallmarks of most breaches or attacks.<ref>[https://www.cisa.gov/sites/default/files/publications/CDM%20Success%20Story-CISA%20PAM%20Tool%20.pdf PAM Success Story, CISA]</ref>
   −
According to the [[Internet and Jurisdiction Policy Network]], there are five broad categories of DNS abuse:<ref>[https://www.internetjurisdiction.net/uploads/pdfs/Papers/Domains-Jurisdiction-Program-Operational-Approaches.pdf Domains Jurisdiction Operational Approaches]</ref>
+
According to the [https://www.internetjurisdiction.net/ Internet and Jurisdiction Policy Network], there are five broad categories of DNS abuse:<ref>[https://www.internetjurisdiction.net/uploads/pdfs/Papers/Domains-Jurisdiction-Program-Operational-Approaches.pdf Domains Jurisdiction Operational Approaches]</ref>
 
* [[malware]], such as [[ransomware]],  
 
* [[malware]], such as [[ransomware]],  
 
* [[Botnet Attacks]],  
 
* [[Botnet Attacks]],  
Line 28: Line 28:  
* [[Protocol Attack]]s,  
 
* [[Protocol Attack]]s,  
 
* the exploitation of implementation vulnerabilities, <ref>[https://www.verisign.com/en_US/company-information/dns-abuse/index.xhtml DNS Abuse, Verisign]</ref>
 
* the exploitation of implementation vulnerabilities, <ref>[https://www.verisign.com/en_US/company-information/dns-abuse/index.xhtml DNS Abuse, Verisign]</ref>
* [[Registrar Hopping]], aka TLD Hopping<ref>[https://annualreport2020.iwf.org.uk/trends/international/other/toplevel TLD Hopping, IWF 2020 Annual Report]</ref>
+
* [[Hopping]] can refer to registrar or registry hopping<ref>[https://annualreport2020.iwf.org.uk/trends/international/other/toplevel TLD Hopping, IWF 2020 Annual Report]</ref><ref>[https://www.zdnet.com/article/the-pirate-bays-domain-hopping-tour-takes-it-to-perus-pe/ The Pirate Bay's Domain Hopping Tour Takes It to Peru]</ref>
    
===DNS abuse adjacent issues===
 
===DNS abuse adjacent issues===
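Review bot: the reworded Hopping bullet drops the "TLD Hopping" alias, yet the first citation it keeps is titled "TLD Hopping, IWF 2020 Annual Report" and the second describes domain hopping, so the term a reader would search for no longer appears in the text; suggest keeping the alias, e.g. `* [[Hopping]] can refer to registrar, registry (TLD), or domain hopping<ref>...`. Separately, the intro still promises "five broad categories", but malware, botnet attacks, protocol attacks, implementation vulnerabilities and hopping already make five with further items elided between them, so the count should be rechecked. Minor: the definitions paragraph places `</ref>` before the full stop while the rest of the article places it after.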
Line 75: Line 75:  
** attackers can use DNS requests as the medium to transmit data to an external resource.
 
** attackers can use DNS requests as the medium to transmit data to an external resource.
   −
===Denial of Service===
+
===[[DoS Attack|Denial of Service]]===
 +
* Flooding a website with too much traffic can stop it from responding to queries; bugs can also be used to destabilize the system's security.[2] Distributed denial of service attacks ([[DDoS Attack]]s) are a form of DoS attack that is particularly dangerous and has received a lot of attention in the last few years.
    
==History==
 
==History==
''In 2009-2010'', the [[Registration Abuse Prevention Working Group]] (RAPWG) generated a report that distinguished between “Registration Abuse” (technical abuse) and “Use Abuse” (content abuse). Technical abuse was defined as attempts to harm the DNS infrastructure and/or using the DNS to cause harm. Content abuse was defined as harms carried out through the use of a domain name, such as through the content on a website. This category of harm includes trademark and copyright infringement, defamation, piracy, child sexual abuse, and hate speech. The RAPWG concluded that technical abuse was within ICANN’s jurisdiction but content abuse was not. However, the working group recommended the development of the Uniform Dispute Resolution Policy ([[UDRP]]) because it involved the registration and use of domain names in bad faith.<ref>[https://comlaude.com/app/uploads/2019/11/DNS-Abuse-History.pdf Com Laude History of DNS Abuse PDP]</ref>  
+
''In 2009-2010'', the [https://gnso.icann.org/sites/default/files/filefield_12530/rap-wg-final-report-29may10-en.pdf Registration Abuse Prevention Working Group] (RAPWG) generated a report that distinguished between “Registration Abuse” (technical abuse) and “Use Abuse” (content abuse). Technical abuse was defined as attempts to harm the DNS infrastructure and/or use the DNS to cause harm. Content abuse was defined as harms carried out through the use of a domain name, such as through the content on a website. This category of harm includes trademark and copyright infringement, defamation, piracy, child sexual abuse, and hate speech. The RAPWG concluded that technical abuse was within ICANN’s jurisdiction but content abuse was not. However, the working group recommended the development of the Uniform Dispute Resolution Policy ([[UDRP]]) because it involved the registration and use of domain names in bad faith.<ref>[https://comlaude.com/app/uploads/2019/11/DNS-Abuse-History.pdf Com Laude History of DNS Abuse PDP]</ref>  
    
''In 2013'', conversations between the [[GAC|Governmental Advisory Committee]] and the [[ICANN Board]] led to an amendment to [[Registry Agreements]] in 2013 to include [[Specification 11]]. [[Registry]] operators must now periodically conduct a technical analysis to assess whether domains within their [[TLD]] are used to carry out security threats, such as pharming, phishing, malware, and botnets. They must also include terms in their [[RRA]]S such that registrants are prohibited from perpetuating technical and content abuse.
 
''In 2013'', conversations between the [[GAC|Governmental Advisory Committee]] and the [[ICANN Board]] led to an amendment to [[Registry Agreements]] in 2013 to include [[Specification 11]]. [[Registry]] operators must now periodically conduct a technical analysis to assess whether domains within their [[TLD]] are used to carry out security threats, such as pharming, phishing, malware, and botnets. They must also include terms in their [[RRA]]S such that registrants are prohibited from perpetuating technical and content abuse.
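Review bot: the new Denial of Service bullet carries a bare "[2]" marker that does not resolve to anything in this article's `<ref>` list; convert it to a `<ref>` like the rest of the page or remove it. The bullet also speaks of "flooding a website", whereas the article's own definition of abuse of the DNS concerns DNS servers and intermediate infrastructure being degraded or made unavailable; "flooding a name server or resolver" would fit this section. "bugs can also be used to destabilize the system's security" is vague; say which system (the name server software) is meant.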
Line 88: Line 89:  
==Open Questions==
 
==Open Questions==
 
===Defining and Measuring the Problem===
 
===Defining and Measuring the Problem===
 +
''Should we worry about defining it completely?''
 +
* [[Graeme Bunton]]: no, let's stop focusing on the edges and focus on the areas of core consensus.<ref>[https://74.schedule.icann.org/meeting At-Large Policy: An End User's Perspective on the Role of At-Large in DNS Abuse, ICANN 74]</ref>
 +
 
''Is there a hard and fast difference between technical abuse and content abuse?''
 
''Is there a hard and fast difference between technical abuse and content abuse?''
 
*The [[BC]] and [[GAC]] want more enforcement from [[ICANN]] in terms of gray areas, for instance, when technical and content abuse overlap<ref>[https://www.circleid.com/posts/20200723-the-state-of-dns-abuse-moving-backward-not-forward/  Cole, Mason. "The State of DNS Abuse Moving Backward," CircleID. July 23, 2020.]</ref>
 
*The [[BC]] and [[GAC]] want more enforcement from [[ICANN]] in terms of gray areas, for instance, when technical and content abuse overlap<ref>[https://www.circleid.com/posts/20200723-the-state-of-dns-abuse-moving-backward-not-forward/  Cole, Mason. "The State of DNS Abuse Moving Backward," CircleID. July 23, 2020.]</ref>
*The [[ICANN Board]] does not want to deliberate over content issues
+
*The [[ICANN Board]] does not deliberate over content issues
    
''How should DNS abuse be measured?''
 
''How should DNS abuse be measured?''
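Review bot: changing "does not want to deliberate over content issues" to "does not deliberate over content issues" turns a stated preference into a factual claim about Board practice, and the bullet has no citation either way; add a source or keep the original wording. The new Graeme Bunton bullet cites the generic ICANN 74 schedule URL rather than the session page, so the attributed statement cannot be verified from the link; point it at the specific session.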
Line 98: Line 102:  
# [https://www.phishtank.com/index.php PhishTank]
 
# [https://www.phishtank.com/index.php PhishTank]
 
# [https://thenew.org/org-people/about-pir/resources/anti-abuse-metrics/ .ORG Anti-Abuse Metrics]
 
# [https://thenew.org/org-people/about-pir/resources/anti-abuse-metrics/ .ORG Anti-Abuse Metrics]
 +
 +
''What are the best tools and techniques for measuring DNS abuse?''<br/>
 +
In April 2022, [[Adiel Akplogan]], vice president for technical engagement at ICANN, furthered the conversation around DNS Abuse measurement, opening the [https://community.icann.org/display/SIFT/DNS+Abuse+Measurement+Technology Special Interest Forum on DNS Abuse Measurement Technology] and seeking in particular: 
 +
# Techniques for detecting DNS abuse (including machine learning techniques)
 +
# Techniques to categorize types of DNS abuse
 +
# Industry tools (commercial or open-source) and matters of commercial or practical interest regarding DNS abuse measurements
 +
# New standards/tools to measure and share DNS abuse information
 +
# Analysis of open source threat intelligence datasets related to DNS abuse
 +
# Description of real-world examples of emerging/existing DNS abuse
    
===Responsibility===
 
===Responsibility===
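Review bot: the new question heading uses `''...''<br/>` while the preceding "How should DNS abuse be measured?" uses an italic line followed by a blank line; pick one convention for this section. The numbered list that follows restarts at 1 because the heading line breaks the earlier `#` list, which is the intended reading, but the two consecutive blank lines added above the heading produce an empty paragraph; one blank line is enough.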
Line 122: Line 135:     
===Progress===
 
===Progress===
''Is it getting better or worse''?
+
''Is it getting better or worse?''
 +
 
 +
''Getting worse''<br/>
 +
In March 2021, the FBI’s [[Internet Crime Complaint Center]] (IC3) released its 2020 Internet Crime Report. There were 791,790 complaints of suspected internet crime, which indicated an increase of more than 300,000 from 2019, involving losses in excess of US$4.2 billion. Phishing, non-payment/non-delivery scams, and extortion were the top three types of crime reported.<ref>[https://www.fbi.gov/news/pressrel/press-releases/fbi-releases-the-internet-crime-complaint-center-2020-internet-crime-report-including-covid-19-scam-statistics FBI releases 2020 Internet Crime Report]</ref> <br/> 
   −
''Getting worse'': In March 2021, the FBI’s [[Internet Crime Complaint Center]] (IC3) released its 2020 Internet Crime Report. There were 791,790 complaints of suspected internet crime, which indicated an increase of more than 300,000 from 2019, involving losses in excess of US$4.2 billion. Phishing, non-payment/non-delivery scams, and extortion were the top three types of crime reported.<ref>[https://www.fbi.gov/news/pressrel/press-releases/fbi-releases-the-internet-crime-complaint-center-2020-internet-crime-report-including-covid-19-scam-statistics FBI releases 2020 Internet Crime Report]</ref> <br/>
+
''Getting better''<br/>
''Getting better'':
+
In March 2022, [[ICANN]] released a report of DNS Abuse from the last 4 years and indicated the practice was trending down.<ref>[https://www.icann.org/en/blogs/details/icann-publishes-dns-abuse-trends-22-03-2022-en ICANN DNS Abuse Trends, March 2022, ICANN Blogs]</ref><ref>[https://domainnamewire.com/2022/03/22/icann-dns-abuse-is-going-down/ DNS Abuse is going down? Domain Name Wire]</ref><br/>
    
''Are new or Legacy gTLDs experiencing more problems?''
 
''Are new or Legacy gTLDs experiencing more problems?''
The February 2021 DAAR report indicates the majority (64.8%) of security issues are occurring in legacy [[TLDs]], which comprise 88.8% of resolving gTLD domains in zone files.<ref>[https://www.icann.org/en/system/files/files/daar-monthly-report-28feb21-en.pdf DAAR monthly report Feb 2021]</ref>
+
*On January 31, 2022, the [[European Commission]] published a [https://op.europa.eu/en/publication-detail/-/publication/d9804355-7f22-11ec-8c40-01aa75ed71a1/language-en/format-PDF/source-search Study on DNS Abuse], conducted by Fasano Paulovics Società tra Avvocati and Institut Polytechnique de Grenoble. Its key findings included:<ref>[https://op.europa.eu/en/publication-detail/-/publication/d9804355-7f22-11ec-8c40-01aa75ed71a1/language-en/format-PDF/source-search Study on DNS Abuse Technical Report Appendix 1, Directorate-General for Communications Networks, Content and Technology (European Commission), Fasano Paulovics Società tra Avvocati, Grenoble INP-UGA Institute of Engineering 2022-01-31]</ref><br/>
 +
''Legacy''<br/>
 +
* The February 2021 [[DAAR]] report indicates the majority (64.8%) of security issues are occurring in legacy [[TLDs]], which comprise 88.8% of resolving gTLD domains in zone files.<ref>[https://www.icann.org/en/system/files/files/daar-monthly-report-28feb21-en.pdf DAAR monthly report Feb 2021]</ref>
 +
* Legacy TLD domains, 53% of the market, comprise almost 49% of DNS abuse. Domains in [[.com]] and [[.net]] TLDs are the most abused. <br/>
 +
''nTLDs'' <br/>
 +
* nTLDs, 6.6% of the market, are the most abused group of TLDs in relative terms. In 2021, 20.5% of all abused domain names were registered in new gTLDs. Specifically, the two most abused nTLDs together account for 41% of all nTLD abuse.<br/>
 +
''among ccTLDs?''<br/>
 +
* EU ccTLDs are the least abused; only 0.8% of all abuse ([[Compromised Domain]]s and [[Malicious Domain]]s) were registered under EU ccTLDs. [[.eu]], [[.de]], [[.nl]], [[.fr]], [[.pl]], [[.it]], [[.es]], and [[.be]] account for 76% of all abuse among EU ccTLDs. Abused [[.ru]] and [[.su]] second-level domain names account for 75% of all abused domains among non-EU ccTLDs.
 +
''Which is more prevalent? Malicious or Compromised Domains?''<br/>
 +
''[[Malicious Domain]]s''<br/>
 +
* Most [[spam]] and [[Botnet Attacks|botnet]] control and command [[domain name]]s are maliciously registered.
 +
* 42% of hacked websites occur among more frequently used TLDs. In less-used new gTLDs, hackers directly register domains for malicious activities.
 +
* [[Registries]] and [[registrars]] can act at the DNS level but not on the hosting infrastructure unless they also offer hosting services.
 +
* The top five most abused registrars account for 48% of all maliciously registered domain names.
 +
''[[Compromised Domain]]s''<br/>
 +
* Almost 25% of [[phishing]] domain names and 41% of [[malware]] are registered by legitimate users. They are compromised at the hosting level and thus cannot be addressed at the [[DNS]] level without collateral damage.
 +
* Phishers use free subdomain and hosting providers, which do not work well for spammers and botnet C&C activity. For phishing abuse, half of the 10 most abused TLDs ([[.ml]], [[.tk]], [[.ga]], [[.cf]], and [[.gq]]) are operated by [[Freenom]].
 +
''Adoption of preventative measures?''<br/>
 +
* DNSSEC adoption remains low. Of 227 million domain names, only 9.4 million meet all required resource records; however, 98% of them are correctly signed and validated.
 +
* In Europe, [[.cz]] (59%), [[.se]] (55%), [[.nl]] (51%), and [[.sk]] (48%) have the highest adoption of DNSSEC and offer price incentives and technical support.
 +
* Around the world, 2.5 million open DNS resolvers can be used as amplifiers in [[DDoS Attack]]s.
 +
* 60% of 247 million domain names do not use SPF and 97% do not use DMARC records to prevent [[Cybercrime|Email Spoofing and Business Email Compromise]] scams.
    
==References==
 
==References==
    
[[Category:Practices]]
 
[[Category:Practices]]
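Review bot: the DNSSEC bullet gives a base of 227 million domain names while the SPF/DMARC bullet gives 247 million; both are presented as findings of the same EU study, so one figure is probably a typo and should be checked against the report. The sub-questions "Which is more prevalent? Malicious or Compromised Domains?" and "Adoption of preventative measures?" sit at the same level as "Are new or Legacy gTLDs experiencing more problems?", but their bullets are findings introduced by "Its key findings included:"; either indent them under that bullet or restate that they come from the study. Minor: "control and command" should read "command and control", "among ccTLDs?" should be capitalized and phrased like the other sub-headings, and "last 4 years" should be "last four years" for consistency with the rest of the article.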