Today the NetBeacon Institute adds a new level of reporting for our measurement project: NetBeacon Measurement and Analytics Platform (MAP).
With this new level of reporting we intend to show the spectrum of how malicious phishing and malware is distributed across the DNS registration ecosystem. To demonstrate this, we are identifying registrars and TLDs with high and low volumes of malicious domain registrations in their Domains Under Management (DUM), or new registrations.
The metrics we have chosen in this section of reporting were selected to provide a straightforward mechanism to understand DNS Abuse using the data points observed by our methodology. In future reports, we may add additional metrics or combine various data points.
While preparing the report we faced a number of decisions about the presentation of data and the categorization of the industry. Many of these decisions were not straightforward so we have included detailed explanations providing our rationale. We remain open to ideas and suggestions, and look forward to improving these reports with future iterations. Several key points about this report are outlined below. The PDF is available and you can view our existing interactive charts online.
Policy of engagement
This reporting, about specific parties, is published a month behind our aggregate reporting. This slight delay has allowed us to attempt to contact all named registrars and registries prior to the data publication. We believe it is important to speak to registrars and registry operators prior to publication whenever possible. This allows a registry or registrar to provide us with context for its data which we may choose to include in commentary, the opportunity to prepare public communications, and for us to offer support on improving their management of DNS Abuse where appropriate. We welcome contact from those identified in the report to ensure we can engage with them in the future. We also hope to automate this process to allow us to align the aggregate reporting and the specific reporting dates in future reports.
Maliciously registered domain names
To the best of our ability in accordance with our methodology, all metrics are compiled using only observed maliciously registered domains, and exclude observed compromised domain names. This decision was made following significant outreach with the DNS Community and because malicious registrations are typically more directly within a higher degree of control of a registrar or registry operator. We also provide registrars and registries with data relating to compromised domain names within their DUM on a one-to-one basis.
Exclusions
With these metrics, we want to provide the industry with evidence and information on how phishing and malware is distributed across the ecosystem. We have therefore made several exclusions from each table to reduce the risk of including false positives and to increase the focus on the domain registrations with generalizable practices and policies. Excluded registrar credentials and registry operators are listed in Appendices which are available on our website.
Limitations
It is important to recognise the limitations of this work. We are faced with the universal challenge of understanding malicious activity in society; we can only measure the harms that are identified. In our case, we identify phishing and malware through the source lists we use for Compass, as detailed in our methodology. Identified phishing and malware will always be a subset of all existing phishing and malware. There will also be “false positives,” that is domain names categorized as phishing and malware that actually aren’t, due to both classification errors and differences in standards. There is also the potential that identified DNS Abuse is biased to particular geographic regions or activities that are more likely to be subject to reporting. Another challenge we encounter is accurately enumerating the number of DUM for each registrar and TLD (which can impact “per 100K DUM” density metrics). Generally, our observed DUM is lower than officially reported DUM for all TLDs and registrars. For additional information on the limitations of this work, please refer to our methodology.
Registrar credentials
Our reporting is indifferent to registrar corporate families, we report on the registrar IANA ID (i.e., at the credential level). This means that some corporate entities will have more than one IANA ID, and they may choose to operate these credentials differently.
Comparing ccTLDs and gTLD
We report on gTLDs and ccTLDs separately to reflect the fact that gTLDs have a consistent contractual framework, and are bound by consensus policies produced through the ICANN multistakeholder process, while ccTLDs are largely unique in their policies, processes, and governance models (e.g., nexus requirements, three-party contracts that include the ccTLD registry, only names for accredited businesses, etc.).
We have used the same methodology for reporting and abuse categorization. However, the absolute numbers of Observed Maliciously Registered Domains and rates of Maliciously Registered Domains Per 100,000 DUM are noticeably lower in the ccTLD table. This is shown in the report; if the relevant ccTLD list (Table 12) and the relevant gTLD list (Table 9) were grouped together, none of the ccTLDs listed in Table 12 would be identified in a similarly structured descending list of observed maliciously registered domains per 100,000 DUM.
We want to make meaningful comparisons between peer groups, which is not easy in an industry as diverse as domain names. We will keep this work under review and are open to improving our metrics and methodology.
We look forward to improving this reporting and working with the DNS Community to better understand, reduce, and prevent abuse.
Further information about the Institute and NetBeacon MAP
The Institute was created in 2021 by Public Interest Registry (“PIR”) in pursuit of its non-profit mission. The Institute aims to reduce DNS Abuse and empower the DNS Community. The Institute created NetBeacon MAP as a reliable, independent, transparent, and sufficiently granular way of measuring DNS Abuse in order to ultimately reduce it at the DNS level.
Compass is a collaboration with KOR Labs, led by Maciej Korczynski from Grenoble University. The technical analysis for this project is performed by KOR Labs. This data is provided to the Institute. The Institute then works with PIR’s Data Analytics team to create interactive charts for the purposes of writing this report.