Difference between pages "DNS Abuse" and "File:George michaelson.jpg"

From ICANNWiki
 
 
'''DNS Abuse''' is any malicious activity aimed at disrupting the DNS infrastructure or causing the DNS to operate in an unintended manner. Abusive activities include corrupting DNS zone data, gaining administrative control of a name server, and flooding the DNS with thousands of messages to degrade name-resolution services.<ref>[https://www.icann.org/en/icann-acronyms-and-terms/domain-name-system-abuse-en ICANN definition of DNS Abuse]</ref>
 
  
==Overview==
 
According to the [[Internet and Juridiction Policy Network|Internet and Jurisdiction Policy Network]], there are five broad categories of DNS abuse:<ref>[https://www.internetjurisdiction.net/uploads/pdfs/Papers/Domains-Jurisdiction-Program-Operational-Approaches.pdf Domains Jurisdiction Operational Approaches]</ref>
 
* [[malware]],
 
* [[Botnet Attacks]],
 
* [[phishing]],
 
* [[pharming]], and
 
* [[spam]] (when it is used to deliver other forms of DNS Abuse), which accounted for over 85% of DAAR-reported DNS abuse in February 2021.<ref>[https://www.icann.org/en/system/files/files/daar-monthly-report-28feb21-en.pdf DAAR monthly report Feb 2021]</ref>
 
 
==History==
 
''In 2009-2010'', the [[Registration Abuse Prevention Working Group]] (RAPWG) generated a report that distinguished between “Registration Abuse” (technical abuse) and “Use Abuse” (content abuse). Technical abuse was defined as attempts to harm the DNS infrastructure and/or using the DNS to cause harm. Content abuse was defined as harms carried out through the use of a domain name, such as through the content on a website. This category of harm includes trademark and copyright infringement, defamation, piracy, child sexual abuse, and hate speech. The RAPWG concluded that technical abuse was within ICANN’s jurisdiction but content abuse was not. However, the working group recommended the development of the Uniform Dispute Resolution Policy ([[UDRP]]) because it involved the registration and use of domain names in bad faith.<ref>[https://comlaude.com/app/uploads/2019/11/DNS-Abuse-History.pdf Com Laude History of DNS Abuse PDP]</ref>
 
 
''In 2013'', conversations between the [[GAC|Governmental Advisory Committee]] and the [[ICANN Board]] led to an amendment to [[Registry Agreements]] to include [[Specification 11]]. [[Registry]] operators must now periodically conduct a technical analysis to assess whether domains within their [[TLD]] are used to carry out security threats, such as pharming, phishing, malware, and botnets. They must also include terms in their [[RRA]]s such that registrants are prohibited from perpetrating technical and content abuse.
 
 
''In 2016'', when the [[ICANN Bylaws]] were re-written as part of the [[IANA]] Transition, a provision was added to state that ICANN is not responsible for content.
 
 
''In 2019'', a group of domain name [[registries]] and [[registrars]] developed and released a document called the "Framework to Address Abuse," with 11 signatories.<ref>[https://www.circleid.com/posts/20191017_domain_registries_and_registrars_release_joint_document_on_dns/ CircleID article introducing DNS Abuse Framework]</ref> By 2021, 48 signatory registrars and registries had voluntarily bound themselves by the principles laid out in the [https://dnsabuseframework.org/media/files/2020-05-29_DNSAbuseFramework.pdf framework].<ref>[https://dnsabuseframework.org/ DNS Abuse Framework website]</ref>
 
 
==Open Questions==
 
===Defining and Measuring the Problem===
 
''Is there a hard and fast difference between technical abuse and content abuse?''
 
*The [[BC]] and [[GAC]] want more enforcement from [[ICANN]] in gray areas, for instance, when technical and content abuse overlap.<ref>[https://www.circleid.com/posts/20200723-the-state-of-dns-abuse-moving-backward-not-forward/ Cole, Mason. "The State of DNS Abuse Moving Backward," CircleID. July 23, 2020.]</ref>

*The [[ICANN Board]] does not want to deliberate over content issues.
 
 
''How should DNS abuse be measured?''
 
# [[Domain Abuse Activity Reporting]] (DAAR) - ICANN releases a monthly report on malicious activity
 
# [http://www.surbl.org/lists SURBL]
 
# [https://www.spamhaus.org/ Spamhaus]
 
# [https://www.phishtank.com/index.php PhishTank]
 
# [https://thenew.org/org-people/about-pir/resources/anti-abuse-metrics/ .ORG Anti-Abuse Metrics]
 
 
===Responsibility===
 
'''Remit''': ''Whose job is it to stop the abuse?'' 
 
*Registries do not host content and therefore cannot remove a piece of content from a website. The only way to remove content from the Internet is to delete it from the computer that hosts it via the hosting provider, or permanently remove that device from the Internet.
 
 
'''Interoperability''': ''Can the various stakeholders work together to combat attacks?''
 
 
===Mitigation===
 
''What tools are available to mitigate or respond to attacks?''
 
 
Technically, there are limits on what each type of stakeholder can do to stop abuse.
 
*The [[DNS Abuse Framework]] was developed by registries and registrars. The framework discourages a registry or registrar from taking action against domains, except in certain types of Website Content Abuse:
 
# child sexual abuse materials,
 
# illegal distribution of opioids online,
 
# human trafficking, or
 
# specific, credible incitements to violence
 
*[[ICANN]]'s
 
:*[[OTCO]] monitors gTLD zone files,
 
:*[[SSAC]] advises on the stability and security of the DNS, and
 
:*[[Contractual Compliance]] is not beholden to the DNS Abuse Framework; instead, the office can reprimand registrars or registries that do not maintain abuse contacts (or a webform) to receive abuse complaints or promptly investigate allegations of DNS Abuse in good faith.
 
*[[TTL]] on [[Domain Abuse Activity Reporting|DAAR]]-listed domains
 
*Site Operators, [[Registrant]]s, and [[Hosting]] Providers can remove content.
 
*[[Registrar]]s and registry operators can
 
# include their own acceptable use policies or terms of use to set forth provisions to cover Website Content Abuses, and

# contract [[Trusted Notifier]]s to monitor content and report abuse.
 
*[[Registry]] operators have to determine whether the domain in question was maliciously registered or has been compromised. Registries generally cannot directly remediate a compromised domain; instead, remediation is up to the sponsoring registrar.<ref>[https://84e2b371-5c03-4c5c-8c68-63869282fa23.filesusr.com/ugd/ec8e4c_a75734f6f1ff4513a00bb07fb4952a68.pdf RySG recommended options for registries]</ref> Conversely, if a domain has been maliciously registered, the registry has six options:
 
# Suspend the domain (most common)
 
# Refer to the sponsoring registrar
 
# Lock the domain
 
# Redirect a domain by changing the name servers
 
# Transfer the domain
 
# Delete the domain (generally considered an ineffective and extreme response)
 
:If a registry encounters unregistered domain names resulting from an automatic Domain Generation Algorithm (DGA), the operator can:
 
# reserve the domains, or

# create the domains in order to suspend or [[DNS sinkholing|sinkhole]] them for victim identification.
 
 
===Intersecting Issues===
 
''Jurisdictional confusion''
 
 
''Law enforcement wants more cooperation from industry leaders''
 
 
''Data privacy and limits imposed by the [[General Data Protection Regulation]]''
 
 
===Progress===
 
''Is it getting better or worse''?
 
 
''Getting worse'': In March 2021, the FBI’s [[Internet Crime Complaint Center]] (IC3) released its 2020 Internet Crime Report. There were 791,790 complaints of suspected internet crime, which indicated an increase of more than 300,000 from 2019, involving losses in excess of US$4.2 billion. Phishing, non-payment/non-delivery scams, and extortion were the top three types of crime reported.<ref>[https://www.fbi.gov/news/pressrel/press-releases/fbi-releases-the-internet-crime-complaint-center-2020-internet-crime-report-including-covid-19-scam-statistics FBI releases 2020 Internet Crime Report]</ref> 
 
''Getting better'':
 
 
''Are new or legacy gTLDs experiencing more problems?''
 
The February 2021 DAAR report indicates the majority (64.8%) of security issues are occurring in legacy [[TLDs]], which comprise 88.8% of resolving gTLD domains in zone files.<ref>[https://www.icann.org/en/system/files/files/daar-monthly-report-28feb21-en.pdf DAAR monthly report Feb 2021]</ref>
 
 
==References==
 
 
[[Category:Practices]]
 

Latest revision as of 16:54, 12 May 2021