Here<https://www.icann.org/en/blogs/details/new-icann-project-explores-the-drive…> and below is ICANN Org’s new blog related to DNS Abuse.
New ICANN Project Explores the Drivers of Malicious Domain Name Registrations
25 April 2023
By Samaneh Tajalizadehkhoob<https://www.icann.org/>
The Internet Corporation for Assigned Names and Numbers (ICANN) is funding a new project that aims to systematically analyze the preferences of cyberattackers and possible measures to mitigate malicious activities across top-level domains (TLDs). This new project is called Inferential Analysis of Maliciously Registered Domains (INFERMAL), and will be supervised by ICANN's Office of the Chief Technology Officer Security, Stability, and Resiliency team.
This project is funded as a part of ICANN's Domain Name System (DNS) Security Threat Mitigation Program<https://www.icann.org/dns-security-threat>, which strives to make the Internet a safer place for end users by reducing the prevalence of DNS security threats across the Internet. When it comes to DNS security threats, one method cybercriminals use is to actively register domains to launch Internet-scale attacks, such as phishing, malware, and spam campaigns.
There are many theoretical reasons why malicious actors may prefer to use the domain names of certain registrars over others. Some evidence<https://www.icann.org/en/system/files/files/sadag-final-09aug17-en.pdf> suggests, for example, that malicious actors may prefer registrars that provide low registration prices or that accept specific payment methods. They also may look for registrars that offer free application programming interfaces (APIs) for bulk registrations or avoid registrars that require certain information in the purchasing process. Nonetheless, no study has systematically examined the preferences of attackers. This new project, INFERMAL, aims to expand the knowledge in this area.
ICANN is uniquely positioned to investigate this topic and has looked at the problem before. This investigation may also yield policy implications for ICANN.
The findings could help registrars and registries identify relevant DNS anti-abuse practices. Reducing DNS abuse via domain names is good for the DNS industry and all Internet users. Such findings could strengthen the self-regulation of the overall domain name industry and could reduce the costs associated with domain regulations. The project would also help increase the security levels of domain names and, thus, the trust of end-users.
The timing of the study matters. ICANN is launching this project as it prepares for the next round of new generic TLDs and increases its efforts to promote Universal Acceptance (UA), having just celebrated the first-ever UA Day<https://uasg.tech/ua-day/>. ICANN's mission is to coordinate the global Internet's systems of unique identifiers, including the DNS. Our aim is to ensure a stable, secure, and unified global Internet.
Dr. Maciej Korczyński<https://mkorczynski.com/> will serve as the scientific coordinator of the INFERMAL project. He is an Associate Professor of computer networks and cybersecurity at the Grenoble Institute of Technology in France. His main interests revolve around large-scale passive and active measurements and analysis of cybersecurity, with a focus on the DNS. Since 2015, he has co-authored over 30 scientific articles about domain name and DNS infrastructure abuse, DNS vulnerabilities, security metrics, Internet Protocol address spoofing, distributed denial-of-service attacks, botnets, and vulnerability notifications.
So how will the project work? The project team plans to collect and analyze a comprehensive list of domain name registration policies pertinent to would-be attackers. This includes registration features such as an API registration panel, an ability to register in bulk, accepted payment methods (credit card, Bitcoin, or WebMoney), and retail pricing, among many other potential registry features. Using statistical modeling, the team plans to identify the registration factors preferred by attackers.
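The kind of analysis the paragraph above describes, as an added illustration that is not INFERMAL's code or data: registrar-level records carry the policy features the blog names (API access, bulk registration, accepted payment methods, retail price) together with counts of registrations later flagged as malicious, and each feature is tested for association with malicious registrations using an odds ratio with a Woolf confidence interval. All registrar names and counts are constructed, and the "cheap" price threshold is an assumption of this example.

```python
import math

# Constructed registrar-level records (hypothetical numbers, not INFERMAL data):
# one row per registrar with the policy features the blog names and the
# number of its registrations that were later flagged as malicious.
REGISTRARS = [
    {"name": "reg-A", "api": True,  "bulk": True,  "crypto": True,  "price_usd": 1.0,  "total": 10000, "malicious": 400},
    {"name": "reg-B", "api": True,  "bulk": False, "crypto": False, "price_usd": 8.0,  "total": 20000, "malicious": 200},
    {"name": "reg-C", "api": False, "bulk": True,  "crypto": True,  "price_usd": 2.0,  "total": 5000,  "malicious": 150},
    {"name": "reg-D", "api": False, "bulk": False, "crypto": False, "price_usd": 12.0, "total": 40000, "malicious": 100},
    {"name": "reg-E", "api": True,  "bulk": True,  "crypto": False, "price_usd": 6.0,  "total": 15000, "malicious": 300},
    {"name": "reg-F", "api": False, "bulk": False, "crypto": True,  "price_usd": 9.0,  "total": 10000, "malicious": 50},
]

# Candidate policy features, each a predicate over one registrar record.
FEATURES = {
    "api": lambda r: r["api"],
    "bulk": lambda r: r["bulk"],
    "crypto": lambda r: r["crypto"],
    "cheap": lambda r: r["price_usd"] < 5.0,  # assumed threshold, not from the page
}


def abuse_rate_per_1000(record):
    """Malicious registrations per 1000 registrations at one registrar."""
    return 1000.0 * record["malicious"] / record["total"]


def odds_ratio(records, predicate, z=1.96):
    """Odds that a registration is malicious when the policy is present versus
    absent, with a Woolf (log-scale) confidence interval.  Registrations are
    pooled across registrars, so this is an aggregate association only."""
    # a: malicious with feature, b: benign with feature,
    # c: malicious without feature, d: benign without feature
    a = b = c = d = 0
    for r in records:
        mal, ben = r["malicious"], r["total"] - r["malicious"]
        if predicate(r):
            a += mal
            b += ben
        else:
            c += mal
            d += ben
    if min(a, b, c, d) == 0:
        raise ValueError("empty 2x2 cell; odds ratio undefined")
    ratio = (a * d) / (b * c)
    se = math.sqrt(1 / a + 1 / b + 1 / c + 1 / d)
    lo = math.exp(math.log(ratio) - z * se)
    hi = math.exp(math.log(ratio) + z * se)
    return ratio, lo, hi


def rank_features(records, features):
    """(feature, OR, ci_low, ci_high) tuples, strongest association first."""
    rows = [(name, *odds_ratio(records, pred)) for name, pred in features.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for r in REGISTRARS:
        print(f"{r['name']}: {abuse_rate_per_1000(r):.1f} malicious per 1000 registrations")
    for name, ratio, lo, hi in rank_features(REGISTRARS, FEATURES):
        verdict = "associated" if lo > 1.0 else "not distinguishable from 1"
        print(f"{name:6s} OR={ratio:5.2f}  95% CI [{lo:.2f}, {hi:.2f}]  {verdict}")
```

A confidence interval that excludes 1 says the policy is associated with a higher share of malicious registrations in the pooled data, not that it causes it: registrars bundle policies (the cheapest registrar here also offers both an API and bulk registration), so a single-feature odds ratio cannot separate their effects. That is why the project describes statistical modeling over the full feature list rather than one-at-a-time comparisons; the univariate ratio above is the screening step a registry or registrar could compute from its own abuse reports before a fuller model is fitted.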
We expect that the project will result in highly impactful scientific publications and industry presentations at the most relevant security, Internet stability, and policy conferences hosted by ICANN; the Messaging, Malware and Mobile Anti-Abuse Working Group; the DNS Operations, Analysis, and Research Center; and the Council of European National Country Code Top-Level Domain Registries.
Another blog post will follow with a detailed timeline, information on the project website, and project deliverables. Stay tuned for our updates, and do not hesitate to contact us at octo(a)icann.org<mailto:octo@icann.org>.
Authors
Samaneh Tajalizadehkhoob
Director, Security, Stability and Resiliency Research
Yuko,
Thank you for sharing the proposed data dictionary/data model.
I will be in-flight during our 24-Apr small team call, so wanted to share these thoughts via email before the call.
Since Cancun, the BC has been pressing ICANN staff to share their data model for the Registrant Data Request System (RDRS).
We asked for the data model in order to understand whether RDRS would capture and retain enough detail to help us analyze the nature and origin of requests, evidence provided, reason given, etc. Also whether the requests result in disclosures, and why disclosure was denied.
We are glad to see that the proposed (attached) data model does include the detail we sought.
However, Yuko’s email below indicates ICANN will not make the detail available to community members for analysis.
That’s different from when the BC agreed to proceed with SSAD Light. At that time, the staff design paper<https://www.icann.org/en/system/files/files/whois-disclosure-system-design-…> and addendum<https://gnso.icann.org/sites/default/files/policy/2022/correspondence/ducos…> indicated access to data, even for non-participating registrars:
"The system will provide reporting on a periodic basis not to exceed the recommended durations. The exact form of the reporting is to be determined. It is envisioned that eventually the data will be made available through the Open Data platform for public consumption." (p.31)
Staff added this to the addendum<https://gnso.icann.org/sites/default/files/policy/2022/correspondence/ducos…> at p.4:
“To facilitate the evaluation of the WHOIS Disclosure System, the small team will continue to work with ICANN Org to ensure that the necessary data is available to ensure the proper evaluation of the Whois Disclosure System, taking into account legal limitations that may exist to share certain information.”
As the BC representative on this Council small team<https://community.icann.org/pages/viewpage.action?pageId=186779415>, I am asked to continue pressing the need for someone (ICANN staff or trusted experts) to be prepared to perform detailed analysis of the data before drawing any conclusions about whether to proceed with a full-blown SSAD.
From: GNSO-EPDPP2-SmallTeam <gnso-epdpp2-smallteam-bounces(a)icann.org> on behalf of Yuko Yokoyama <yuko.yokoyama(a)icann.org>
Date: Wednesday, April 19, 2023 at 2:59 PM
To: gnso-epdpp2-smallteam(a)icann.org <gnso-epdpp2-smallteam(a)icann.org>
Subject: [GNSO-EPDPP2-SmallTeam] RDRS Data Dictionary
Dear Small Team members,
Please see attached ICANN org’s data dictionary for the Registration Data Request Service. This document provides all the data fields captured in the system from both requestor and registrar sides, in a more digestible manner than the ones in the Design Paper<https://www.icann.org/en/system/files/files/whois-disclosure-system-design-…>.
* Tab 1: All the data fields captured in the requestor side of the System
* Tab 2: All the data fields captured in the registrar side of the System
* Tab 3: Reporting criteria specified in the Addendum<https://gnso.icann.org/sites/default/files/policy/2022/correspondence/ducos…> and whether those are reportable
Please note, this document is being shared for the purpose of transparency and to showcase that the reporting criteria that are specified in the Addendum can be achieved with the data elements being collected. Additionally, our aim is that this document can aid in the Small Team’s discussion should it wish to add additional reporting criteria.
We would like to add that ICANN org will not share any raw data collected through the System with external parties outside the System. While we understand the importance of transparency and accountability, we also want to ensure that ICANN org respects the privacy and the confidentiality of the requests logged through the system. The monthly reports will provide the necessary metrics as detailed in the Addendum, along with any other metrics deemed necessary by the Small Team to the extent that the data is available in a systematic manner, with the metrics being based on numerical and usage data. It should be noted that certain data elements listed in the data dictionary, for example, names of requestors, evidence and attachments, will not be analyzed or used as metrics for any other purpose that would go beyond gathering usage data.
ICANN org ensured that the principles of privacy-by-design are embedded in the System’s design and development from its inception. Principles such as role-based data access limitation, data minimization, and data retention, were carefully considered and the publication of raw data would violate these principles.
It is also important to remember that the purpose of this proof-of-concept system is not to perform contextual or content analysis, for example, evaluating the legitimacy of registrars’ disclosure decisions or analyzing outcome trends. We want to emphasize that GNSO Council's request and the ICANN Board's direction is to implement a cost-effective system that will simplify the process for submitting and receiving requests for nonpublic gTLD registration data for both the requestors and registrars and to report on usage of this system to help inform the Council–Board consultations on the next steps for the SSAD recommendations.
Regards,
Yuko Yokoyama
Program Director
Strategic Initiatives, Global Domains & Strategy
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct Line: +1 310 578 8693
Mobile: +1 310 745 1517
E-mail: yuko.yokoyama(a)icann.org<mailto:yuko.yokoyama@icann.org>
www.icann.org<http://www.icann.org/>