In early September, during the Latin American and Caribbean Association of ccTLDs (LACTLD) Technical Workshop, I presented the benefits of a system that ICANN has developed to tackle domain name registration and security threats across top-level domain (TLD) registries. The system is called Domain Abuse Activity Reporting (DAAR).
Since country-code top-level domains (ccTLDs) started joining DAAR, the LAC region countries Chile, Guatemala, and El Salvador have joined the system, and I am encouraging more LAC ccTLDs to follow these countries' successful experiences. Have you heard about DAAR?
The DAAR system provides a robust, reliable, reproducible, and replicable methodology for analyzing security threat activity, and it empowers the ICANN community to make informed policy decisions about malicious domain names. It offers another layer of defense in keeping the Internet more secure for its users.
How does it work? The system collects TLD zone data and complements these with high-confidence Reputation Block List (RBL) security threat data feeds. As you know, RBLs are lists of domain names, Uniform Resource Locators (URLs), and Internet Protocol (IP) addresses that have been identified by security professionals as posing security threats. In the DAAR system, the threats included are phishing, malware, spam, and botnet command and control activity.
Current DAAR datasets go back to 2018 and cover over 1,000 generic top-level domains (gTLDs) and more than 195 million domain names. DAAR updates its gTLD zone file information once a day, and RBL data collection occurs, on average, every hour. This provides its users with information on areas where security threats are concentrated within the TLD space and how this concentration changes over time.
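The cross-referencing described above, as an added illustration that is not ICANN's DAAR code: a constructed zone for the reserved TLD `example` is matched against constructed RBL entries, counting distinct listed domains per threat type. The function names, threat labels, and counting rule are assumptions of this sketch.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data for the reserved TLD "example"; nothing here is real.
ZONE = """\
$ORIGIN example.
shop        86400 IN NS ns1.shop.example.
ns1.shop    86400 IN A  192.0.2.10
login-bank  86400 IN NS ns1.host.invalid.
cdn         86400 IN NS ns1.host.invalid.
mailer      86400 IN NS ns1.host.invalid.
"""
RBL = [  # (threat type, listed domain or URL)
    ("phishing", "http://login-bank.example/verify"),
    ("phishing", "secure.login-bank.example"),  # same domain listed twice
    ("malware", "https://files.cdn.example:8443/a.bin"),
    ("spam", "mailer.example"),
    ("spam", "login-bank.example"),
    ("botnet-cc", "c2.other.invalid"),  # not in this zone
]

def delegated_domains(zone_text):
    """Names with an NS record in the zone (relative owners, one $ORIGIN)."""
    origin, names = "", set()
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()
        if len(fields) >= 2 and fields[0].upper() == "$ORIGIN":
            origin = fields[1].strip(".").lower()
        elif "NS" in [f.upper() for f in fields[1:-1]]:
            names.add(f"{fields[0].lower()}.{origin}")
    return names

def registered_domain(entry, tld):
    """Reduce an RBL domain or URL to the name directly under tld, else None."""
    host = urlsplit(entry if "//" in entry else "//" + entry).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) > 1 and labels[-1] == tld else None

def threat_summary(zone_text, rbl, tld):
    """Count distinct zone domains listed per threat type and overall."""
    zone, listed = delegated_domains(zone_text), defaultdict(set)
    for threat, entry in rbl:
        name = registered_domain(entry, tld)
        if name in zone:
            listed[threat].add(name)
    flagged = set().union(*listed.values())
    return {"domains": len(zone), "flagged": len(flagged),
            "share": len(flagged) / len(zone) if zone else 0.0,
            "by_threat": {t: len(d) for t, d in listed.items()}}
```

Calling `threat_summary(ZONE, RBL, "example")` on the sample data reports 3 of 4 delegated domains as listed; a domain on several lists is counted once per threat type and once overall.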
What does it do for you? DAAR data can be used to monitor and report on threat activity at the TLD level, and it provides historical analyses of security threats or domain registration activity. This helps registry operators understand their reputation in the DAAR RBLs and its impact on their own anti-abuse programs or terms of service. System users will also get a monthly global report as well as a customized report on their own TLD.
Note that DAAR data is neither intended to provide information about security threat mitigation nor to account for how reliably or quickly security threats are mitigated by TLDs.
So how can you join DAAR? You can join the DAAR system for free. Interested ccTLD operators should send a request to firstname.lastname@example.org to begin the process, which includes a couple of technical and administrative steps to make sure ccTLDs are able to periodically upload their zone files to the system while also being able to pull the data via ICANN's Monitoring System API (MoSAPI). There is also a Memorandum of Understanding (MOU) process in place for those ccTLDs willing to have one. In any case, ccTLD zone file data is always kept private and is disclosed neither to any other ccTLD nor publicly.
For more information on the project and its future plans, please visit the DAAR webpage: https://www.icann.org/octo-ssr/daar. If you have any specific questions, please contact us at DAAR@icann.org.