en

ICANN Promotes Good Cybersecurity Practices During EU Cybersecurity Month

3 October 2022
By Matt LarsonMatt Larson and Samaneh TajalizadehkhoobSamaneh Tajalizadehkhoob

October is the European Union's "Cybersecurity Month." We are using this event to highlight some of the ways our organization promotes good cybersecurity practices and helps make the Internet safer for everyone.

As part of ICANN's mission to ensure the security, stability, and resiliency of the Domain Name System (DNS), we work on topics related to DNS threats and misuse of domain names. To this end, we provide training on DNS threats, share security hygiene tips and best practices, and support many technical projects and initiatives. Below are four noteworthy examples of our efforts.

Domain Abuse Activity Reporting (DAAR)

Five years ago, ICANN developed the DAAR tool to visualize and analyze security threat data in an anonymous and aggregated manner. The DAAR tool takes domain names that appear in well-known domain reputation blocklists for phishing, spam, malware, and botnet command and control and checks how such domains are concentrated over legacy and new generic top-level domains (gTLDs). This also allows users to conduct a time-series analysis of trends.

For example, four years of DAAR data show that, while the number of registered domains has been increasing in both legacy and new gTLDs, the total counts of security threat domains are not growing. The trend even looks like it is slightly decreasing when normalizing the total count of security threat domains by the number of registered domains within each gTLD. As of today, DAAR data shows that about one percent of all registered domains are used for malicious purposes.

Domain Name Security Threat Information Collection and Reporting (DNSTICR)

The DNSTICR project started during the COVID-19 pandemic with the objective of monitoring and combating malicious online activities related to the pandemic. We wanted to collect credible evidence to differentiate between "suspect" domains and those demonstrably malicious. We also wanted to provide this evidence to registrars which would allow them to quickly ascertain whether the domain was indeed malicious and take appropriate action.

Using a list of terms related to the pandemic, DAAR monitors new registrations in many languages. This list of terms has evolved as new terms were observed (e.g., vaccines, variant names, etc.). We have also added registrations related to the Russia-Ukraine war. These domains are then queried in several sources, like VirusTotal and URLScan, which allows us to get a good picture of their true status. Since the beginning of 2020 to the end of August 2022 we have seen about 470,000 new registrations that matched one or more of our search terms, of these only around 26,500 had any suggestion of active malicious use.

Domain Name System Security Extensions (DNSSEC)

We are strong proponents of DNSSEC to increase the overall security of the DNS. It makes spoofing DNS data impossible, eliminating "cache poisoning" attacks, where attackers cause resolvers to return fraudulent data. With DNSSEC, Domain Name System data is cryptographically signed by its owner and the resulting digital signature is sent whenever that data is queried. DNS clients, called resolvers, verify the signature to confirm that the data hasn't changed since the owner signed it and wasn't modified in transit by an attacker.

In DNSSEC, the DNS root is especially important, since it contains the most important cryptographic public key of all, the root key-signing key. The ICANN organization carefully manages this key. It must be configured on all resolvers performing validation.

DNSSEC deployment requires participation from everyone, including top-level domain operators, in the DNS ecosystem to support these two fundamental operations: signing DNS data and validating that data. Registrants also need to sign their DNS data, which is only possible if DNS software vendors and DNS hosting providers support DNSSEC. Signed data is only useful when DNS resolvers enable DNSSEC validation to actually check the digital signatures.

Knowledge-sharing and Instantiation Norms for DNS and Naming Security (KINDNS)

Finally, on 6 September 2022, ICANN launched the KINDNS initiative. It promotes DNS operational security best practices and encourages DNS operators to voluntarily commit to their implementation to make the Internet safer and more resilient for all users.

ICANN collaborated with the technical community to create KINDNS as a mechanism to share best practices and to better secure DNS operations. The result is a simple, effective framework that large and small DNS operators can follow voluntarily and easily. For example, a good practice shared through KINDNS wants to ensure that domain name servers are geographically and topologically diverse (KINDNS Practice-5 of Authoritative and Recursive server operators). Another example is to encourage operators to enable DNSSEC, as previously outlined (KINDNS Practice-1 of Authoritative and Recursive server operators).

As shown, in its effort to combat malicious online activities and promote security best practices, ICANN has developed several projects. To learn more about our monitoring and reporting efforts, visit the DAAR and DNSTICR pages on icann.org. To learn more about DNS security hygiene and best practices, visit ICANN's DNSSEC page and our dedicated website for KINDNS.

Authors

Matt Larson

Matt Larson

VP, Research
Read biographyRead biography
Samaneh Tajalizadehkhoob

Samaneh Tajalizadehkhoob

Principal Security, Stability & Resiliency Specialist
Read biographyRead biography