Skip to main content

"Statistical Analysis of DNS Abuse in gTLDs" Report Available for Public Comment

LOS ANGELES – 9 August 2017 – ICANN today announced the publication of the report, "Statistical Analysis of DNS Abuse in gTLDs" [PDF, 2.23 MB]. The study was requested by the Competition, Consumer Trust and Consumer Choice Review Team (CCTRT). In defining the parameters of the study, the CCTRT sought to measure rates of common forms of abusive activities in the domain name system, such as spam, phishing, and malware distribution. The study aims to compare rates of these activities between new and legacy gTLDs, as well as employs inferential statistical analysis to measure the effects of DNSSEC, domain parking, and registration restrictions on abuse rates using historical data covering the first three full years of the New gTLD Program (2014 – 2016).

Comment on the report.

ICANN commissioned the study on behalf of the CCTRT in order to inform the review team's work. It was conducted by researchers from SIDN and the Delft University of Technology.

The report is available for public comment through 19 September 2017. The CCTRT will review public comments on the study's findings and incorporate them into their final report as they deem appropriate.

Key Findings:

  • The amount of "compromised" (i.e. "hacked") domains appear higher in legacy gTLDs
  • The amount of "maliciously registered" (i.e. domains registered for malicious purposes) appear higher in new gTLDs
  • Registration restrictions appear to have an impact on reduced abuse rates
  • Abuse counts—or absolute number of abused domains—show relatively constant and higher levels of abuse in legacy gTLDs and an upward trend of abuse in new gTLDs
  • With some exceptions and spikes, rates of phishing and malware domains in new gTLDs, which are based on an "abused domains per 10,000" ratio, tend to be lower than in legacy gTLDs. Phishing and malware trends in new and legacy gTLDs appear to be converging to similar levels by the end of 2016
  • Privacy and proxy service-associated domains do not appear to correlate with abnormally high levels of abuse

More Announcements
Domain Name System
Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as"""" is not an IDN."