AT-LARGE GATEWAY

At-Large Website

ALAC

RALOs

At-Large Regional Policy Engagement Program (ARPEP)

At-Large Governance

At-Large Reports

Policy Comments & Advice

Working Groups

ICANN Meetings

At-Large Summit (ATLAS III)

At-Large Review Implementation Plan Development

ALAC and RALO Elections, Selections, and Appointments

At-Large Priority Activities - 2021

Public Comment CloseStatement
Name 

Status

Assignee(s)

Call for
Comments Open		Call for
Comments
Close 		Vote OpenVote CloseDate of SubmissionStaff Contact and EmailStatement Number


27 September 2017


Statistical Analysis of DNS Abuse in gTLDs (SADAG) Report


No Statement


TBC







Brian Aitchison
brian.aitchison@icann.org


TBC

Hide the information below, please click here 


Brief Overview

Purpose: Public comment is sought on the data, methodology, and results of this report.

Current Status: The report is under review by the Competition, Consumer Choice, and Trust Review Team (CCTRT) during the public comment proceeding.

Next Steps: Findings from the SADAG study, as well as any relevant public comments, will be incorporated into the CCTRT's Final Report as the CCTRT deems appropriate.

Section I: Description and Explanation

The CCTRT has sought to measure the effectiveness of a number of technical safeguards developed for the New gTLD Program in mitigating various forms of DNS abuse. As part of this process, the CCTRT requested a comprehensive DNS abuse study to analyze levels of abuse in legacy and new gTLDs, which would produce a baseline set of data for future analyses.

The SADAG study serves to inform the CCTRT's analysis of potential factors explaining abuse rates in a given gTLD. The study analyzes rates of spam, phishing, and malware distribution in the global gTLD DNS from 2014 to 2016, distinguishing between legacy and new gTLDs.

The study provides measures and analysis of:

  • Absolute counts of abusive domains per gTLD and registrar from 1 January 2014 until 31 December 2016
  • Abuse rates, based on an "abused domains per 10,000" ratio (as a normalization factor to account for different TLD sizes), per gTLD and registrar from 1 January 2014 until 31 December 2016
  • Abuse associated with privacy and proxy services
  • Geographic locations associated with abusive activities
  • Abuse levels distinguished by "maliciously registered" versus "compromised" domains
  • Effects of DNSSEC, domain parking, and registration restrictions on abuse levels

The aim of this study is to enable the CCTRT to determine abuse level correlations between registries and registrars, gTLD zones, and, to the extent possible, corresponding safeguards. This research will also serve as a baseline for future CCTRTs and other review teams, including the Security, Stability and Resiliency Review Team, which began its work in March 2017.

Section II: Background

In preparation for the CCTRT's review of "safeguards put in place to mitigate issues involved in…the expansion" of the gTLD space as mandated by its Affirmation of CommitmentsICANNissued the report "New gTLD Program Safeguards to Mitigate DNS Abuse." This report analyzed the history of DNS abuse safeguards tied to the New gTLD Program. In doing so—and with the input of the community via two webinars held in January 2016 and a public comment process in March 2016—the report assessed a number of means to define and measure DNS abuse.

However, challenges arose in definition and measurement of abusive activities, as some are considered abusive in some jurisdictions but not others. Some of these activities, such as those focused on intellectual property violations, are interpreted differently not only in terms of substance but also in terms of available remedies depending upon the jurisdiction. Another challenge is the lack of data available regarding certain types of abuse. Nonetheless, some common activities are widely regarded as abusive and also generate useful data for analysis; these include spam, phishing, and malware distribution.

The CCTRT recognized the absence of a comprehensive comparative study of DNS abuse in new and legacy gTLDs that would allow them to assess the effectiveness of New gTLD Program safeguards. The SADAG study aims to fill this absence, and serve as a baseline for future studies focused on explaining the variation in abuse rates in different gTLDs.

Section III: Relevant Resources



Section IV: Additional Information


Section V: Reports

Staff Contact

Brian Aitchison
brian.aitchison@icann.org

FINAL VERSION TO BE SUBMITTED IF RATIFIED

The final version to be submitted, if the draft is ratified, will be placed here by upon completion of the vote. 


 

FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC

The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.


 

FIRST DRAFT SUBMITTED

The first draft submitted will be placed here before the call for comments begins.


2 Comments

  1. Ariel Liang

    Olivier Crepin-Leblond advised the ALAC not to comment on this public comment proceeding, with the following assessment: 

     I have read the SADAG report and have found it very interesting.

    First thing, I was surprised to see that .pharmacy was seen as community TLD. (p.2) but then that's not the topic of the report. There are a few other grammatical errors, but that's no big deal either. What matters is the substance of the paper. 

    It basically confirms our suspicions when we spoke of misuse of TLDs and made our case regarding sensitive strings. Alan will remember this episode in Singapore when Alan, Evan and I had a meeting with the NGPC and several members of the GNSO - including contracted parties. What we are seeing now is the proof of the pudding - that:

    "While legacy gTLDs collectively
    had a spam-domains-per-10,000 rate of 56.9, in the last quarter of
    2016, the new gTLDs experienced a rate of 526.6–which is almost
    one order of magnitude higher. "

    The methodology and technical details of the analysis are of good quality. The model which they used to perform the crawl of the domain name space appears to be thorough, thus I have no reason to believe that the analysis would be flawed.

    Some of the report's findings show that some new gTLDs are very affected by misuse/malware domains.
    Gibraltar (surprise!) figures on the top of Registrars with most malware domains.
    Community gTLDs are less likely to be used for malware that standard gTLDs.
    Cheaper domains appear to be more used for malware - although the authors do writein their conclusions:  "It is not clear, however, if pricing is the only factor driving high concentra-
    tions of maliciously registered domains."

    But they do also say:

    "Our findings suggest that some new gTLDs have become
    a growing target for malicious actors." (page 25)

    Well, nothing really new in this, but it corroborates the work that ICANN has done, as well as many other groups like the APWG.

    But at present, short of congratulating the authors of the report and asking the CCT-RT to take strong note of the report's finding, including expressing the concern that we have about the use of new gTLD for malware, I don't see any other reason to write a Statement/Comment.
    I asked Tatiana Tropina to also go through the report. She did note that one thing was missing: whether abuse correlates with semantic properties of the gTLD names, e.g. some names are more attractive to abuse because of the words themselves. As the authors are explaining that they are seeing some potential for further work, it might be interesting to suggest this to them.

    Last, I note that there is a Webinar about the topic: https://www.icann.org/news/announcement-2017-08-31-en[icann.org]
    I would encourage At-Large participants to participate in the Webinar. Perhaps during that Webinar should many At-Large participants express their concerns.

  2. Holly Raiche

    First, a big thank you to Olivier for his response and the concerns it raises, yet again,  I'm sorry I missed the webinar - I was on holidays and staying with friends so couldn't participate - but I hope we follow through on what is an important issue for end users