Domain names and DNS

Report: Criminal Abuse of Domain Names, Bulk Registration and Contact Information Access

My Interisle Consulting Group colleague, Dr. Colin Strutt, and I have published a report,
 
Criminal Abuse of Domain Names:
Bulk Registration and Contact Information Access
 
In this report, we study "bulk registration misuse" by criminal actors. Bulk registration refers to the practice of rapidly acquiring domain names, using them in an attack, and abandoning them as if they were throw-away ("burner") phones. These domains are a critical resource for cyber criminals.
 
We use reputation block list (RBL) data to reveal how the use of bulk registrations, coupled with the crippling of registration data access by the ICANN Temp Spec for Whois, presents cybercrime investigators with the dual impediments of harder-to-pursue criminal activity and harder-to-obtain information about the criminals. From our analyses of sample RBL data for five Top-level Domains we:
  1. confirm that cyber criminals take advantage of bulk registration services to "weaponize" large numbers of domains for their attacks,
  2. identify four specific registrars at which abusive registration activity appears to be concentrated, 
  3. profile registrants that misuse bulk registrations to acquire and weaponize thousands of domains,
  4. confirm that ICANN's Temp Spec policy of redacting Whois point of contact information to comply with the GDPR significantly encumbers and delays cybercrime investigation.
Based on these findings, we recommend that the ICANN organization and community consider several Consensus Policies which, if adopted and incorporated into contracts, would contribute to reducing cybercrime and mitigating its effects on victims.
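As an added illustration (not code from the report), the two registration-side signals the analysis above relies on, concentration of RBL-listed domains at a few registrars and the burner-phone pattern of one registrant creating many domains in a short window, can be computed from RBL records joined with registration data. The records, registrar names and registrant handles below are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of RBL-listed domains joined with registration data.
# Field order: domain, registrar, registrant handle, creation time (UTC).
# Every name, registrar and handle here is a hypothetical placeholder.
SAMPLE_RBL = [
    ("acct-verify-01.example", "RegistrarA", "H1", "2019-03-01T10:00:00"),
    ("acct-verify-02.example", "RegistrarA", "H1", "2019-03-01T10:00:05"),
    ("acct-verify-03.example", "RegistrarA", "H1", "2019-03-01T10:00:09"),
    ("acct-verify-04.example", "RegistrarA", "H1", "2019-03-01T10:00:14"),
    ("acct-verify-05.example", "RegistrarA", "H1", "2019-03-01T10:00:20"),
    ("acct-verify-06.example", "RegistrarA", "H1", "2019-03-01T10:00:27"),
    ("invoice-pay.example",    "RegistrarB", "H2", "2019-03-02T08:15:00"),
    ("my-bank-help.example",   "RegistrarC", "H4", "2019-03-11T09:30:00"),
]

def parse(records):
    """Turn the raw tuples into dicts with datetime creation times."""
    return [
        {"domain": d, "registrar": r, "registrant": h,
         "created": datetime.fromisoformat(t)}
        for d, r, h, t in records
    ]

def registrar_share(rows):
    """Fraction of listed domains attributed to each registrar, i.e. where
    abusive registration activity is concentrated."""
    counts = defaultdict(int)
    for row in rows:
        counts[row["registrar"]] += 1
    return {k: v / len(rows) for k, v in counts.items()}

def bulk_bursts(rows, window=timedelta(minutes=10), min_size=5):
    """Return (registrar, registrant, count) for every registrant that
    created at least min_size listed domains inside one sliding window."""
    groups = defaultdict(list)
    for row in rows:
        groups[(row["registrar"], row["registrant"])].append(row["created"])
    bursts = []
    for (registrar, registrant), times in groups.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_size:
            bursts.append((registrar, registrant, best))
    return bursts
```

On real data the registrant handle would be whatever point-of-contact field survives redaction, which is exactly why the Temp Spec makes the second signal harder to compute.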

ICANN prepares for more gTLDs... has enough been done to mitigate threats?

ICANN organization has published a memorandum that describes its Readiness to Support Future Rounds of New gTLDs. The last time I looked, new TLD registrations from the 2012 round constituted around 12 percent of the total gTLD registrations. Despite the justifications most commonly cited for expansion - for example, "all the good names are taken" - COM, NET, and many country code TLDs continue to prosper and grow. We should ask, "What benefits other than brand- and geo-TLDs does ICANN use to justify this new round?" More importantly,

What's the hurry, and has enough been done to study and rectify the concentration of security threats in the new TLD space? 

In an earlier post, I commented on a January 2019 domain abuse report generated from the Domain Abuse Activity Reporting system (DAAR). DAAR is a system for studying and reporting on domain name registration and security threat (domain abuse) behavior across top-level domain (TLD) registries and registrars. From the limited data that ICANN shared, I observed that

"Over one-half of the domains identified as security threats are registered in one-eighth of the generic TLD name space."

From the reputation data that I study nearly daily, I can say with confidence that little has changed statistically, and that no meaningful progress has emerged from ICANN consensus policy to course correct this readily observable concentration of security threat activity in the new TLDs.

ICANN organization has asked its Advisory Committees to comment on its readiness plan. The Security Stability and Resiliency Advisory Committee, SSAC, recently published its correspondence to ICANN's Senior Vice President of Global Domains Division, where it mentioned in its closing remarks:

"it remains a significant concern for the SSAC that the last round of new gTLDs appears to have introduced the phenomenon of TLDs with exceptionally high rates of abusive registrations. It is also not clear if the ICANN Community is effectively addressing these potential threats and risks or what kind of deliberation will occur on how to mitigate them through consensus policy or contractual negotiation. The SSAC continues to be concerned that a further round of new gTLDs could be delegated prior to comprehensive metrics and mitigations being put in place to prevent such a recurrence."

Someone may have a good argument for hurrying the next round along, but if you use the same individual or composite reputation data that ICANN uses for DAAR, it's obvious that the answer to "has enough been done to study and rectify the concentration of security threats in the new TLD space?" is a resounding "NO!"