The Ever-Evolving Problem of DNS Abuse


For several years, many in ICANN circles have raised concerns about the growing problem of domain name system (DNS) abuse. While some progress has been made towards a more secure DNS, new data, this time from an in-depth study of DNS abuse commissioned by the European Union, demonstrates that DNS abuse remains a frustrating and stubborn problem that requires urgent attention.

We have seen some registries and registrars test industry-led initiatives in an effort to resolve the issues. Unfortunately, as recognized by the European Union and others, this has only gotten us so far. ICANN, the global DNS policy coordinator, is being asked to do much more to tackle this problem and make a measurable dent by adopting the common-sense recommendations of the EU report.

The problem of longstanding abuse persists

As the EU report points out, DNS abuse cuts across a wide spectrum. The report analyzed 1.68 million abused names[1], a staggering number that, even without further context, represents pervasive rates of abuse. The actions of the bad actors show no signs of slowing down.

Interestingly – and industry insiders have known this for some time – abuse tends to be concentrated in certain top-level domains (TLDs) and/or at certain registrars. According to the EU study:

  • The two most abused new gTLDs together account for 41% of all new gTLD names abused in Q2 2021.
  • The five most abused registrars account for 48% of all maliciously registered domain names.

As mentioned, industry’s voluntary actions are commendable, but limited in scope. In fact, two of the three “most abused” registrars are signatories to the DNS Abuse Framework, the industry initiative launched in 2019 to try to mitigate abuse.

Building on the EU findings, our experience at Appdetex in managing enforcement efforts for major brands and corporations further shows that, while applaudable, industry self-regulation does not go very far. As part of our service, we often notify registrars and registries of DNS abuse, following the procedures set forth in the DNS Abuse Framework. Unfortunately, the results suggest that known abuse often goes unaddressed: even framework signatories are slow to respond to abuse notifications and, in some cases, abuse complaints are ignored altogether. In 2021, for example, we found that registrar mitigation rates ranged only up to 25% of submitted notifications, and for signatories and non-signatories alike the rate was sometimes 0%. Registry framework signatories were more active in their mitigation work, with a much higher resolution rate of 93%, though again non-signatory rates were worse, at just 34%.

Debates over definitions block action

As a precursor to considering mitigation strategies, a working definition of DNS abuse has long been debated. Domain name registries and registrars, known to ICANN as the contracted parties, sought to narrowly limit the definition to malware, botnets, phishing, pharming, and spam (when spam is used as a method of distributing the first four types of abuse). The contracted parties argue that this scope is appropriate.

Of course, this does not address all forms of abuse. But then what is abuse, if not only the above? One could recall by analogy Justice Potter Stewart of the Supreme Court of the United States, who said of the definition of obscenity:

I won’t attempt today to further define the types of material I understand to be encompassed within this abbreviated description… But I know it when I see it.

Similarly, it would be hard to believe that this industry does not know domain name abuse when it sees it and, therefore, abuse cannot reasonably be limited to an overly restrictive definition. To do so would be to ignore the changing nature of abuse and the new vectors of abuse that are emerging. As noted by ICANN’s Security and Stability Advisory Committee (SSAC) in SAC115 (emphasis added):

These categories have been adopted within the ICANN domain in specific contracts, but do not represent all forms of DNS abuse that exist, are reported, and are acted upon by service providers. New types of abuse are commonly created and their frequency increases and decreases over time. Thereby, no particular list of types of abuse will ever be complete.

If the community insists on defining abuse, that definition must be broad enough to remain flexible and responsive to changes in abuse. So far, however, ICANN org and contracted parties have not followed the advice of SSAC experts appointed to provide, well, expert advice. So while some cling to a narrow definition, the bad guys are getting smarter and more prevalent.

By contrast, the EU report finally offers a definition of DNS abuse that is rightly inclusive:

Abuse of the Domain Name System is any activity that uses domain names or the DNS protocol to conduct harmful or illegal activities.

No doubt some will balk at definitional inclusiveness and tell us that too broad a definition is unworkable. But as we have seen, too narrow a definition has also not helped to solve what is a very broad problem. It would be wise to define more broadly and, if necessary, to tighten in time.

Warnings were ignored for more than six years

Security experts have not only long warned against abuse, but have prescribed various ways to at least begin to address it. For example, more than six years ago, in SAC077, the SSAC wrote (emphasis added) about ICANN’s proposed gTLD Marketplace Health Index:

The SSAC notes that to develop and maintain effective measures for the security and stability of the gTLD ecosystem, ICANN will need to undertake auditing activity, including mandating future disclosure of aspects of registry and registrar operations and behavior, in a form that emphasizes consumer protection rather than industry standards.

This is something that ICANN org has not done. In fact, it has been made clear to the community from various directions that ICANN is terribly behind on its deliverables to the community, including those like the one above, intended to update us all on the health of the DNS and where patches are advised.

Even as recently as 2020, during the onset of the COVID-19 pandemic, when abuse rates spiked, industry watchers criticized the community’s response to security threats and abuse, calling it “weak tea”.

This industry has some catching up to do, otherwise it will have solutions imposed on it.

What can we do about DNS abuse?

The EU report calls for certain reasonable practices that registries and registrars can and should adopt to mitigate DNS abuse. These include:

  • Verify the accuracy of registrant (domain name holder) data;
  • Develop tools for identifying names that infringe intellectual property rights;
  • Use predictive algorithms to prevent abusive registrations;
  • Monitor abuse rates in cooperation with regulators and independent researchers; and
  • In collaboration with ICANN org, be financially rewarded for reducing abuse rates.

There are few reasons why contracted parties and ICANN org cannot take these actions today in the name of DNS health.

The authors of the EU study also recommend further measures to mitigate abuse:

  • Public identification of registries and registrars with higher than normal DNS abuse rates;
  • Revocation of accreditation for those whose abuse rates continually exceed predetermined thresholds;
  • Use of DNSSEC; and
  • Harmonization of gTLD rules with the regulations and practices of ccTLDs that have lower rates of abuse.

These last four steps are also not out of reach. We know that the Danish .DK registry has been extremely effective in preventing abuse, primarily by verifying the identity of its registrants. The .EU registry employs an anti-abuse mechanism called APEWS, which allows domain name registrations to proceed but pre-emptively flags potentially abusive registrations for review.

A few forward-thinking entities are even more proactive when it comes to anti-abuse measures. Radix Registry, for example, reviews registrations for potential abuse. Among other steps, Radix reserves the right to cancel a domain registration:

  • where the Registered Name Holder fails to maintain accurate or up-to-date Whois information;
  • if the use of the Registered Name is abusive or violates the Acceptable Use Policy, or the rights of any third party, including, but not limited to, violation of any copyright or trademark; or
  • when the registered name is found to have been registered as part of a set of pattern-based registrations that have shown abusive trends in the past, or is part of a current or ongoing abusive campaign, including, but not limited to, domains registered using any domain generation algorithms, scripts, dictionaries, etc., whether detected by Radix or a registrar.

Most registrars and gTLD registries have yet to use these types of implementable solutions, even though their effectiveness has been widely demonstrated.
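The two technical measures named above, predictive screening of new registrations and cancellation of names that form part of pattern-based or algorithmically generated batches, can be approximated with a small heuristic pass over a registrar’s or registry’s registration feed. The following is an added example and not code from Radix, Appdetex or the EU study; the thresholds, the feature choices and the sample registrations (a constructed burst of random-looking names from one registrant beside three ordinary names) are assumptions for illustration, and a production system would replace them with a trained classifier and a proper public suffix list.

```python
"""Heuristic screening of a registration feed for DGA-like labels and
pattern-based bulk registrations (added example, not a registry's code).

Per-label signals (thresholds are illustrative assumptions):
  - low vowel ratio among letters   (random strings ~19%, real words ~40%)
  - letters and digits interleaved  (e.g. "xk3qz9vbw2")
  - near-maximal character entropy  (nearly every character distinct)
A label with two or more signals is treated as DGA-like. A registrant with
BATCH_MIN such names inside BATCH_WINDOW is reported as a pattern-based batch.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample input (domain, registrant id, UTC registration time). Not real data.
SAMPLE_REGISTRATIONS = [
    ("xk3qz9vbw2.online", "r-101", "2021-06-03T10:00:01"),
    ("p7mtw4lsqa.online", "r-101", "2021-06-03T10:00:04"),
    ("zj8hqv2nrd.online", "r-101", "2021-06-03T10:00:06"),
    ("b5ytkx0ceu.online", "r-101", "2021-06-03T10:00:09"),
    ("paypal-login-secure.online", "r-202", "2021-06-03T11:12:00"),
    ("bakery-main-street.online", "r-303", "2021-06-03T12:30:00"),
    ("fotos-familie-2021.online", "r-404", "2021-06-04T08:15:00"),
]

VOWELS = set("aeiou")
BATCH_MIN = 3                          # flagged names from one registrant ...
BATCH_WINDOW = timedelta(minutes=5)    # ... inside this span count as a batch


def second_level_label(domain):
    """Label left of the TLD, lower-cased, hyphens removed.
    Toy rule: the last label is the TLD (no public-suffix handling)."""
    return domain.lower().rstrip(".").split(".")[-2].replace("-", "")


def vowel_ratio(label):
    letters = [c for c in label if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0


def digit_letter_transitions(label):
    """Count positions where the text switches between digits and non-digits."""
    return sum(1 for a, b in zip(label, label[1:]) if a.isdigit() != b.isdigit())


def normalized_entropy(label):
    """Shannon entropy divided by its maximum log2(len); 1.0 = all distinct."""
    n = len(label)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(label).values())
    return h / math.log2(n)


def label_signals(label):
    signals = []
    if vowel_ratio(label) < 0.2:
        signals.append("low-vowel-ratio")
    if digit_letter_transitions(label) >= 2:
        signals.append("mixed-digits")
    if len(label) >= 8 and normalized_entropy(label) >= 0.95:
        signals.append("high-entropy")
    return signals


def is_dga_like(label):
    return len(label_signals(label)) >= 2


def screen(registrations):
    """Return {domain: [signals]} for every DGA-like registration."""
    report = {}
    for domain, _registrant, _ts in registrations:
        signals = label_signals(second_level_label(domain))
        if len(signals) >= 2:
            report[domain] = signals
    return report


def find_batches(registrations):
    """Return {registrant: [domains]} for registrants with >= BATCH_MIN
    DGA-like names registered inside one BATCH_WINDOW."""
    flagged = defaultdict(list)
    for domain, registrant, ts in registrations:
        if is_dga_like(second_level_label(domain)):
            flagged[registrant].append((datetime.fromisoformat(ts), domain))
    batches = {}
    for registrant, items in flagged.items():
        items.sort()
        for i, (start, _d) in enumerate(items):   # sliding window over time order
            window = [d for t, d in items[i:] if t - start <= BATCH_WINDOW]
            if len(window) >= BATCH_MIN:
                batches[registrant] = window
                break
    return batches


if __name__ == "__main__":
    for domain, signals in screen(SAMPLE_REGISTRATIONS).items():
        print(f"{domain:30} {', '.join(signals)}")
    for registrant, domains in find_batches(SAMPLE_REGISTRATIONS).items():
        print(f"batch from {registrant}: {len(domains)} DGA-like names {domains}")
```

On the constructed sample the four random-looking names from registrant r-101 are flagged individually and together as a batch, while the three ordinary names pass. Note that paypal-login-secure passes too: randomness heuristics say nothing about look-alike or brand-infringing names, which is why the EU list treats intellectual-property screening as a separate tool from predictive registration screening.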

Conclusion

It’s obvious that ICANN is overloaded as an organization, to say the least. However, ICANN org needs to prioritize its workload to avoid further government incursions, volunteer burnout, and frustration with lack of results. In this case, the EU report is full of facts and practical suggestions that ICANN can immediately deploy, and ICANN is well overdue in taking a strong stance against DNS abuse.

The concern is that ICANN org and industry will continue to send the same messages they send today: that not much can be done given (by ICANN org’s own admission) weak contractual enforcement provisions, that contracted parties are unable to take broader action against DNS abuse, and that various obstacles prevent meaningful action.

The time for excuses is over. The DNS community, suffering from a deluge of abuse and with little recourse against intransigence, needs action from contracted parties and ICANN org. The EU report is an excellent starting point, and we look forward to good-faith engagement in exploring its anti-abuse recommendations.

  1. European Commission, Directorate-General for Communications Networks, Content and Technology; Paulovics, I., Duda, A., Korczynski, M., Domain Name System (DNS) Abuse Study, 2022, https://data.europa.eu/doi/10.2759/616244 (p. 53)