
Keep Up to Date With ICANN’s DNS Security Threat Mitigation Program

9 June 2022
By Russ Weinstein

The ICANN organization (org) is committed to doing what it can, within its mission, to mitigate Domain Name System (DNS) abuse. To support this, ICANN org has created a dedicated cross-functional team focused on the mitigation of DNS security threats. ICANN defines DNS security threats as malware, phishing, botnets, and spam, the last only when it is used to deliver one of the other threats.

The DNS Security Threat Mitigation Program strives to make the Internet a safer place for end users by reducing the prevalence of DNS security threats. The program is part of ICANN's strategic plan to "strengthen the security of the DNS and the DNS Root Server System."

The program focuses on three pillars:

  • Providing research, data, and expertise to help the community conduct fact-based discussions about the topic.
  • Providing resources that assist in raising levels of awareness and support in mitigating DNS security threats.
  • Interpreting and enforcing the contractual obligations related to DNS security threats and abuse generally in Registry Agreements, Registrar Accreditation Agreements, and ICANN consensus policies.

As we approach the end of the fiscal year, we feel it is important to update the community on this program and its achievements and advancements. ICANN published its first DNS abuse trends report, based on data from the Domain Abuse Activity Reporting (DAAR) system, which ICANN developed to monitor domain registration and abuse activity across top-level domains (TLDs). The report shows that DNS security threats have been trending downward over the last four years.

As part of ICANN's vision to evolve the DAAR system, ICANN org is planning to extend DAAR reporting to the registrar level. The primary impediment to registrar-level reporting has been consistent and dependable access to the identifier of the sponsoring registrar (registrar ID) for each domain name registration. We are pleased to report that, following discussions with the leadership of the contracted parties, we have recently reached an agreement to amend the Base gTLD Registry Agreement. The change will enable ICANN org to use, for research purposes, a data set that registries already provide. ICANN org anticipates that this change to the Base gTLD Registry Agreement, together with changes related to the introduction of the Registration Data Access Protocol (RDAP), will be open for Public Comment in the coming months as part of the contract amendment process.

We also continue to encourage ccTLD operators to participate in DAAR, which improves the community's understanding of how security threats are concentrated across TLDs. Currently, 19 country code top-level domain (ccTLD) operators are actively enrolled in DAAR, and several more are likely to join in the coming months. If you are a ccTLD operator and are interested in joining, please send a message to globalsupport@icann.org.

ICANN published a press release and brochure outlining the goals and objectives of the Domain Name Security Threat Information Collection and Reporting (DNSTICR) project. ICANN created DNSTICR to analyze domain name registrations related to COVID-19, identify credible evidence of malware or phishing, and notify the sponsoring registrars to support their mitigation efforts. As a result, ICANN was able to track and analyze DNSTICR data from almost the inception of the COVID-19 pandemic and found that only about five percent of the domain names examined posed a potential threat to Internet users. The analysis used 579 separate search terms to aggregate 438,819 domain names; of these, only 23,452 appeared to be both active and potentially malicious.

Over the course of FY22, ICANN solicited input from the Governmental Advisory Committee (GAC) to expand the multilingual terms used in the project's searches, which are not limited to ASCII or Latin-script languages. In March 2022, ICANN org broadened the project's focus to help stop bad actors from exploiting the Russia-Ukraine war through phishing and malware campaigns.
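The aggregation step that the two paragraphs above describe (matching newly registered names against a multilingual term list) has one practical pitfall worth showing: internationalized domain names are stored in zone files and registration data in their IDNA A-label form ("xn--..."), so a non-Latin term never matches unless the name is first converted back to Unicode. The following is an added example written for this post, not ICANN's DNSTICR code. Its term list, sample domain names and function names (to_alabel, to_unicode, aggregate_by_term, matched_names) are all constructed for illustration, and it covers only the aggregation step; deciding which aggregated names show credible evidence of malware or phishing requires external evidence and is out of scope here.

```python
"""Keyword aggregation of domain names, in the style of the DNSTICR approach.

Added example, not ICANN's code. Term list, domain sample and function names
are constructed for illustration. Only the aggregation step is shown; judging
which aggregated names are actually "active and malicious" needs outside
evidence (threat feeds, content analysis) and is not attempted here.
"""
from collections import defaultdict

# Constructed multilingual term list (hypothetical; not ICANN's 579-term list).
# The non-Latin terms can only match if names are compared in Unicode form.
TERMS = ["covid", "coronavirus", "vaccine", "вакцина", "疫苗"]


def to_alabel(domain: str) -> str:
    """Unicode domain -> IDNA A-label form ("xn--..."), as zone files store it."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """A-label form -> Unicode U-label form.

    Plain ASCII names pass through unchanged; a name that is already Unicode
    (encode("ascii") fails) is returned as-is.
    """
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


# Constructed sample of "newly registered" names. The two IDNs are stored the
# way registration data stores them, as xn-- labels, so a naive ASCII substring
# search misses them entirely.
SAMPLE_DOMAINS = [
    "covid-test-kits.example",
    "freevaccineinfo.example",
    "COVID19Relief.example",
    "coronavirus-update.example",
    "weather-today.example",
    to_alabel("вакцина-онлайн.example"),
    to_alabel("新冠疫苗.example"),
]


def aggregate_by_term(domains, terms=TERMS, decode_idn=True):
    """Group domain names by the term(s) they contain.

    Matching runs on the case-folded Unicode form of each name; passing
    decode_idn=False reproduces the ASCII-only mistake for comparison.
    Returns {term: [domain, ...]} with names in their original spelling; a
    name that contains several terms is listed under each of them.
    """
    folded_terms = [t.casefold() for t in terms]
    hits = defaultdict(list)
    for name in domains:
        haystack = (to_unicode(name) if decode_idn else name).casefold()
        for term in folded_terms:
            if term in haystack:
                hits[term].append(name)
    return dict(hits)


def matched_names(domains, terms=TERMS, decode_idn=True):
    """Distinct names that hit at least one term."""
    groups = aggregate_by_term(domains, terms, decode_idn)
    return {name for names in groups.values() for name in names}


if __name__ == "__main__":
    with_idn = matched_names(SAMPLE_DOMAINS)
    ascii_only = matched_names(SAMPLE_DOMAINS, decode_idn=False)
    print(f"{len(SAMPLE_DOMAINS)} names: {len(with_idn)} aggregated with IDN "
          f"decoding, {len(ascii_only)} without")
    for term, names in sorted(aggregate_by_term(SAMPLE_DOMAINS).items()):
        print(f"  {term}: {', '.join(names)}")
```

On the constructed sample, decoding the A-labels raises the aggregated count from four names to six; the two IDNs are exactly the registrations a Latin-only search would never surface, which is why widening the term list to other scripts (the GAC input mentioned above) only pays off if the matching side decodes IDNs too.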

ICANN's Contractual Compliance team has also had a busy fiscal year. The team completed its Registrar Audit in August 2021, which focused on DNS abuse obligations. Team members also updated the compliance reporting system to provide better visibility into DNS abuse complaints and other complaint types.

In August 2021, ICANN org launched a new service for registrars called "Security Response Waivers." This service helps registrars deal with imminent or present security incidents (often related to domain generation algorithms) by offering a way to seek and obtain a waiver of certain ICANN contractual obligations for a specified circumstance.

ICANN org continues to engage and partner with public safety authorities and with organizations such as the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), the Forum of Incident Response and Security Teams (FIRST), the Global Cyber Alliance, and the National Cyber Forensics and Training Alliance (NCFTA) to provide guidance and subject matter expertise on security and threats against the DNS. ICANN org's participation in cyber threat intelligence communities has contributed to the mitigation of real-world threats and has drawn attention to activity such as mobile-based domain name abuse.

Despite these efforts and achievements, there is still much to do. ICANN org continues to believe the ICANN community is best positioned to determine what, if any, new policies may be needed to further mitigate DNS abuse. As ICANN74 approaches, we invite you to follow the ICANN community discussions around this important topic. We look forward to working with you in making the DNS safer and more secure for Internet users around the world.

Authors

Russ Weinstein
VP, GDD Accounts and Services