Learn about how the Domain Abuse Activity Reporting (DAAR) Project is Changing its Generic Top-Level Domain (gTLD) Monthly Reports

5 May 2021
By Samaneh Tajalizadehkhoob

As part of the Security, Stability and Resiliency (SSR) team of the Office of Chief Technology Officer (OCTO), I would like to thank the community and, in particular, the Registry Stakeholder Group (RySG) for their very constructive discussions and recommendations on the Domain Abuse Activity Reporting (DAAR) project.

After extensively discussing and consolidating all of the feedback our team received on the current version of the DAAR project, the DAAR monthly reports, and DAAR daily stats, as well as the communications around them, we have made the following modifications to the existing DAAR documents and communications:

DAAR Documentation

  • The language used throughout the DAAR online web page and FAQ page has been updated. Where applicable, the term [abuse] has been replaced with the term [security threat], as the term [abuse] could include a broader set of threats, including those outside of ICANN's remit. The change will be applied to all of the online documents.
  • New text has been added to the DAAR web page to clarify what the DAAR reports and DAAR data can and cannot show. This includes clarifications about Reputation Block List (RBL) feeds, DAAR and its relationship with mitigations, and differences between maliciously registered and compromised domains.

DAAR Monthly Report

  • The language throughout the report has been updated. Where applicable, the term [abuse] has been replaced with the term [security threat], as the term [abuse] could include a broader set of threats including those outside ICANN's remit.
  • All the point-in-time metrics (metrics created based on the last day of the month) have been updated to averages (median) over a month.
  • New plots have been added to the report which show the percentage of security threats over time and in proportion to total domains in zone files (figures 2 and 3 in the report).
  • Most plots that combined multiple types of security threats have been removed from the document, except for those that aim to show the importance of the normalized [percentage of security threat] metric.

Future Changes

  • Currently, country code top-level domains (ccTLDs) that voluntarily participate in DAAR receive a monthly individualized report. These reports contain analytics specifically based on the data submitted by each ccTLD and are only shared with them. In each report, ccTLD-related statistics are shown with all the other ccTLDs and generic TLDs (gTLDs) anonymized. The intention of these personalized reports is to help TLDs understand where they stand in terms of the security threat data listed by Reputation Block Lists (RBLs) in comparison to other TLDs. In the near future, we are planning to develop such individualized reports for gTLD managers as well.
  • Starting May 2021, the new DAAR report is going to be published on the DAAR website and will replace the previous version. We are continuing to move forward with improving the DAAR system and output to make it an increasingly useful tool for the community and to inform policy-making related to domain name security threats. Other recommendations made, such as mitigation-related metrics, are items that are being researched by the DAAR team. If you have further suggestions or feedback, please feel free to share them with us via daar@icann.org or on the ICANN DNS Abuse measurement mailing list.
  • Additionally, we are translating the content of our FAQ and our dedicated DAAR page into all UN languages (Spanish, French, Arabic, Chinese and Russian). The translations will be available by the end of May 2021.

Finally, the following recommendations from the RySG DAAR Working Group recommendation document are currently undergoing study to determine their feasibility for future inclusion in DAAR.

  • Recommendation #3: Display a measure of the "persistence" of reported abusive activity.
  • Recommendation #7: Collaborate with ICANN OCTO to create an infographic explaining the role, capabilities, and limitations of the various components in the abuse-reporting process. Post the infographic on the DAAR page and provide a link in the DAAR report.

For more information regarding DAAR project data-sharing and any other measurement of DNS security threats and abuse-related topics, I invite you to join the DNS-Abuse-Measurements mailing list or visit the DAAR webpage: https://www.icann.org/octo-ssr/daar.


Samaneh Tajalizadehkhoob

Principal Security, Stability & Resiliency Specialist