DNS-abuse in the age of COVID-19: Lessons learned

9 Nov 2020 07:00h - 08:30h

Event report

Moderator Mr Adiel Akplogan (Vice President for Technical Engagement at ICANN) opened the panel discussion on domain name system (DNS) abuse. Akplogan introduced the first speaker Jeff Bedser (CEO and President of iThreat) who reviewed the measurability of DNS abuse.

Bedser highlighted that abuse is measurable at various stages from creation to launch and use, and indicated that DNS abuse will always need attention and focus to keep it manageable. It is possible to measure the abuse by examining questionable registration, phishing attempts, and malware distribution. Additionally, measurement can be achieved by looking at the number of botnets, the amount of spam, and the number of incidents of cybersquatting and attacks or child exploitation and human trafficking. Existing groups and organisations track these incidents and the associated accounts or domain information.

Commercial entities report Internet Protocol (IP) or domain abuse for block lists that allow for e-mail inboxes to be kept free of spam. Other entities track abuse for protection against phishing attacks. Academic institutions and NGOs and governments are also involved in some level of research on abuse patterns. Passive DNS providers track outbound DNS requests which help identify the purpose for which a domain has been used. 

During the COVID-19 period, there was a large spike of domain registrations containing Corona or COVID at the beginning of the pandemic when countries closed their borders and businesses were shut down. The registration records reduced as the months progressed and by 1 October zero domains needed any escalation at the registry indicating a lot of speculative domain purchases but little fraud in the volume of domains. The pattern mirrored other major events like natural disasters or shooting incidents.

At a registry level, being able to identify whether particular domains were live with phishing or spam content associated with them is important. The hosting company or Content Delivery Networks (CDNs) can take action against domains based on the nature of the abuse by associating IP addresses that were previously used for abuse or batch domain registrations in large volumes, and tracking how many domains appeared in abuse lists. Such analysis allows for filtering to reduce the abuse of consumers, as the majority of abuse targets consumers rather than companies and corporations.

The European Commission recently revealed that the global cost of cybercrime is estimated to be €530 billion or $630 billion. In an upcoming paper on security and stability, it is recommended that standard definitions of abuse be adopted, along with primary responsibility points for any abuse resolution. This aids smaller registries with less structure and fewer resources to work with a standard abuse resolution escalation path with reasonable timeframes for reporting.

Ms Ashley Heineman (Director of Global Policy at GoDaddy) spoke from a registrar’s perspective. She mentioned their work in the registrar community and how mitigating against abuse is a priority for GoDaddy. Heineman made the distinction between DNS abuse and content-specific abuse and the limits to what GoDaddy can do and what is within ICANN’s remit. Registrars are careful before taking action on domains to ensure collateral damage is limited.

In September 2019, 11 registries and registrars together launched a DNS abuse framework to standardise definitions and expected actions. DNS abuse was defined as malware, BOT ware, phishing and pharming, and spam. The signatories have increased to 50 for surveillance over the past year.

GoDaddy witnessed a similar uptick in phishing reports with a year-on-year growth of 15%. It processes approximately 2,000 phishing reports daily with the majority not being actionable or duplicates. In late March and early April there was a peak of cases using the COVID name. They did not find it useful to just block all registrations with the word COVID, as there were good uses for advocacy groups or health information providers.

Many requests were received to block domains, but they contained insufficient evidence and information to allow action. GoDaddy relied on the cybersecurity community and law enforcement to address concerns and through these relationships clarified the key actionable information that was required.

Mr John Crane (Chief Security Stability and Resiliency Official at ICANN) highlighted a similar March/April incidents peak and discussed the restraint required in stopping the resolution of particular domains and ensuring sufficient checks are done before flagging as malicious. Through analysis, their team found the number of suspicious domains to be much smaller than anticipated. They also found that in a lot of cases problematic names were removed by the time their team got to look carefully at the data. Over the last few months, between 100 and 200 names have been reportable.

The team spent a lot of time educating people on required evidence, advising on the use of white lists, and working with law enforcement. They have seen that when a report with evidence is made to a registry, appropriate action is taken.

Ms Merike Kaeo (Chief Security Strategist at Double Shot Security, Inc.) spoke about the Domain Name System Security Facilitation Initiative Technical Study Group (DSFI-TSG) that is examining DNS security issues. It was born out of a project initiated by the ICANN CEO last autumn to see what ICANN should be doing to improve DNS security and where best practices need to be promoted or new ones created.

This process required cross-functional expertise including members from outside the ICANN community bringing expertise from large-scale DNS operations, routing architecture along with registrar operations, etc.

Much of the discussion focused on the mechanisms powering particular attacks and not the content of the attacks; discussing some current attacks may not have been publicly possible. The group took a broad approach examining current vulnerabilities and how to avoid potential threats, looking at validation deployment, architecture, etc.

The answers coming from the discussions will be presented to the ICANN CEO on best practices and include appropriate technologies to address DNS security and processes and roles in the ecosystem. While understanding that the criminal element will never go away, increasing deterrents and mitigating factors can be put in place.

In the Q&A, Bedser and Heineman discussed the need to be nimble in responding to malicious incidents and called for consistent and increased monitoring of events like the COVID-19 pandemic in the future; these cause a huge surge in activity that needs to be sifted through to identify the bad.

Akplogan asked Crane how ICANN’s technical group initiative and the measurement work can build momentum and help the community discussion around abuse. In answering, Crane highlighted the policymaking, research, and technical strengths of ICANN and indicated an interest in leveraging predictive technologies within the work to provide neutral data and benefit both the industry and the wider community.

All panellists agreed on the need for greater collaboration between the roles within the ecosystem and for knowledge sharing and improved protocols.