Overview
- The new gTLD contract amendments, introduced in April 2024, created obligations for registrars and registries to mitigate DNS Abuse.
- Early data, covering the first 6 months following the amendments, suggests a promising trend of higher mitigation rates among the 20 registrar credentials that held 80% of the unique domains identified for malicious phishing and malware between Jan 2023 and Oct 2024 in NetBeacon MAP data. This group is not identical to the largest 20 registrar credentials when ordered by Domains Under Management (DUM), but 11 credentials appear in both groups.
- We present a variety of visualizations in this blog to understand the impact of the amendments on registrar behavior. We welcome feedback from the DNS community on which charts are most valuable.
- We may see changes in future data that reflect registrar and registry behavior triggered by public ICANN compliance activity in July and September 2024.
In this context, DNS Abuse is defined as malware, botnets, phishing, pharming, and spam (when spam serves as a delivery mechanism for the other forms of DNS Abuse).
This was a tremendous achievement. ICANN, the participating registries and registrars, and the ICANN community all deserve recognition for this work.
These new obligations include specific requirements for registrars and registries to promptly take appropriate mitigation actions against domains for which they have actionable evidence demonstrating that the domains are being used for DNS Abuse. The obligations also recognise the need for contracted parties to exercise reasonable discretion in selecting and implementing appropriate mitigation actions depending on the circumstances of each case.
Since taking effect on April 5, 2024, ICANN compliance has issued two contract breach notices: one to a TLD on July 16 and another to a registrar on September 20. The progress of these notices can be tracked on ICANN’s website.
To understand the impact of these amendments on the behavior of contracted parties, we look at mitigation rates over time. While the contractual amendments came into effect in April, public ICANN compliance activity may also impact the behavior of contracted parties.
How to measure the impact?
We believe an important place to look is at registrar-level mitigation rates for maliciously registered domain names. While abuse related to compromise is still a concern, typically the registry and registrar are not well-placed to appropriately mitigate harm (especially at scale) related to compromised websites because of the potential for collateral damage. Using data from our NetBeacon Measurement and Analytics Platform (MAP) we can look at how mitigation rates have changed over time in registrar credentials.
Aggregate mitigation rates
Figure 1 shows the aggregate mitigation rate across all registrars from January 2023 to October 2024. ‘Mitigated’ means that, according to our methodology, we believe a mitigating action has occurred. This action could be taken by a registrar, registry, a hosting provider, or another relevant actor. ‘Not Mitigated’ means that our methodology did not detect any indication of mitigation.
One of the measurement challenges we face is that there is a proportion of ‘uncategorized’ domains, where our methodology was unable to determine whether or not mitigation occurred. If we exclude this group from the denominator, it leads to a higher rate of mitigation. If we include this group in the denominator, it leads to a lower rate of mitigation.
A third option, which we believe is helpful, is to proportion these domains into the other two categories, ‘mitigated’ and ‘not mitigated’, at the same ratio. Figure 1 (below) uses this option to more accurately reflect the distribution, although the overall percentage changes that result from implementing this method are relatively small.
Figure 1: Aggregate registrar mitigation rates: Jan 2023 – Oct 2024
Key for all Figures: (a) April 5, 2024: gTLD contract amendments become effective. (b) July 16, 2024: ICANN compliance issues first breach notification to a TLD. (c) September 20, 2024: ICANN compliance issues first breach notification to a registrar credential.
The vertical axis indicates what percentage of unique domains identified as phishing and malware were ‘mitigated’, or ‘not mitigated’. For the first time in this 22-month period, August through October 2024 saw single digits for the percentage of unique domains that were ‘not mitigated’. This was true for all months in this 3-month period. While it is difficult to attribute this to the amendments, it will be interesting to monitor whether this trend continues. Figure 2 explores this data using the average ‘mitigated’ rate across three month blocks, with the final block average at 92%. This quarterly view shows a solid trend of increasing registrar mitigation throughout the portion of 2024 for which we have data.
Figure 2: Registrar ‘Mitigated’ Trend in 3 Month Averages
Registrar-specific mitigation rates
While the aggregate data provides a picture of the overall mitigation rates, we believe it’s worth looking at registrar-specific mitigation rates over time, as the signals of change could be hidden in the aggregated data.
We’re currently exploring the data and different ways of visualizing it. Here, we provide a first look at these ideas and the structure of the underlying registrar-specific data. We intend to publish a series of blogs exploring this topic from different perspectives and ultimately create a number of interactive charts.
With over 2,800 registrar credentials, many of which have no or few malicious domains identified per month, it’s important to consider which group should receive focus. We started by plotting the registrar credentials by the largest total volume of unique domains identified as maliciously registered and associated with phishing and malware over the 22-month period. This told us that 20 registrar credentials accounted for 80% of the overall unique maliciously registered domain names.
Interestingly, this group differs from the “top 20” registrars ranked by DUM. Just over half (11) of the registrar credentials identified in the “top 20” based on malicious registration abuse volume, also appear in the “top 20” based on average DUM over the same period. The “top 20” based on abuse remains the same whether we take an average over the 22-month period or an absolute volume.
Figures 3 and 4 explore mitigation rates for these registrar credentials. As above, we have proportioned the number of ‘uncategorized’ domains into the categories of ‘mitigated’ and ‘not mitigated’ based on the ratio of each registrar.
In Figure 3, each dot represents a registrar credential; the darker the dots, the more clustered together the credentials are. While there are a few outliers, these credentials are slowly moving closer together and becoming more concentrated at the top right, which tells us that we are seeing higher rates of mitigation. This also suggests that we are seeing more consistency in the rates of mitigation per registrar credential.
Figure 3: Heat Visualisation, Mitigation Rate per Registrar Credential, Jan 2023 – Oct 2024
In Figure 4, the visualization provides the details of the mitigation rate of each registrar credential over time. Each row represents one registrar credential. The darker the color, the higher the percentage of mitigation. There are some early indications in the last few months that more registrar credentials are achieving higher rates of mitigation. It also appears that some registrar credentials are improving over time.
Figure 4: Heat Table, Mitigation Rate per Registrar Credential, Jan 2023 – Oct 2024
We explore this more closely in Figure 5, where we compare the averages of two 6-month periods: before and after the amendments.
We calculated the average mitigation rates for the first 6-month period (Nov 2023 – Apr 2024) and the second 6-month period (May – Oct 2024). The difference between the two gave us an indication of how much each registrar credential had changed over time. We ordered the registrar credentials from the largest increase in mitigation to the largest decrease. Finally, we used visual breaks to indicate 3-month blocks, in line with Figure 2 above.
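As an added example (our own Python, not code from this post or from the NetBeacon MAP platform), the following shows the three ways of handling ‘uncategorized’ domains discussed under Figure 1 and the before/after 6-month comparison behind Figure 5. The registrar names and all monthly counts are constructed; note that proportioning per registrar before aggregating gives a different aggregate rate from simply excluding the uncategorized domains.

```python
from statistics import mean

# Constructed monthly counts per registrar credential, Nov 2023 - Oct 2024, as
# (mitigated, not_mitigated, uncategorized). Index 0-5 is the 6 months before the
# amendments, 6-11 the 6 months after. Registrar names are placeholders.
COUNTS = {
    "reg-A": [(780, 220, 100), (800, 200, 90), (820, 180, 80), (780, 220, 70), (800, 200, 60), (820, 180, 50),
              (880, 120, 40), (900, 100, 30), (920, 80, 20), (880, 120, 10), (900, 100, 10), (920, 80, 10)],
    "reg-B": [(440, 60, 10), (450, 50, 10), (460, 40, 10), (440, 60, 10), (450, 50, 10), (460, 40, 10),
              (455, 45, 5), (460, 40, 5), (465, 35, 5), (455, 45, 5), (460, 40, 5), (465, 35, 5)],
    "reg-C": [(88, 12, 2), (90, 10, 2), (92, 8, 2), (88, 12, 2), (90, 10, 2), (92, 8, 2),
              (78, 22, 5), (80, 20, 5), (82, 18, 5), (78, 22, 5), (80, 20, 5), (82, 18, 5)],
}

def rate_excluding(m, n, u):
    """Option 1: leave uncategorized out of the denominator (gives the highest rate)."""
    return m / (m + n)

def rate_including(m, n, u):
    """Option 2: keep uncategorized in the denominator (gives the lowest rate)."""
    return m / (m + n + u)

def proportion(m, n, u):
    """Option 3: split uncategorized into the two categories at this registrar's own ratio."""
    share = m / (m + n) if m + n else 0.0
    return m + u * share, n + u * (1.0 - share)

def aggregate_rates(month):
    """Aggregate rate for one month under the three options. Option 3 is applied per
    registrar before summing, so it weights each registrar's uncategorized domains by
    that registrar's own ratio and lands between options 1 and 2 in aggregate."""
    m = sum(r[month][0] for r in COUNTS.values())
    n = sum(r[month][1] for r in COUNTS.values())
    u = sum(r[month][2] for r in COUNTS.values())
    pm = sum(proportion(*r[month])[0] for r in COUNTS.values())
    return rate_excluding(m, n, u), rate_including(m, n, u), pm / (m + n + u)

def period_average(rows):
    """Mean proportioned mitigation rate over a list of monthly rows."""
    return mean(pm / (pm + pn) for pm, pn in (proportion(*r) for r in rows))

def ranked_change():
    """Figure 5 logic: 6-month average before vs after the amendments, ordered from the
    largest increase to the largest decrease. Returns (name, before, after, delta)."""
    out = []
    for name, rows in COUNTS.items():
        before, after = period_average(rows[:6]), period_average(rows[6:])
        out.append((name, round(before, 3), round(after, 3), round(after - before, 3)))
    return sorted(out, key=lambda t: t[3], reverse=True)
```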
Most registrar credentials (12) saw an increase in mitigation rates, two stayed the same, and six decreased (although the percentage change among these six was typically lower than the credentials that increased). For three registrar credentials, the increase in average mitigation was in double digits, a considerable improvement.
Figure 5: Heat Table, Mitigation Rate per Registrar Credential, Nov 2023 – Oct 2024
Conclusions
It is still early in understanding the impact of these amendments. It’s possible that the date of implementation (April 2024) will be less impactful on registrar behavior than the public ICANN enforcement notices (July – TLDs, September – registrars).
However, early data suggests a promising trend toward higher and more concentrated mitigation rates among the 20 registrar credentials that held 80% of the unique domains used for malicious phishing and malware between January 2023 and October 2024 in NetBeacon MAP data.
We’ll continue to analyse this issue from different perspectives, including TLDs, and create some interactive charts on our website. We’d love to hear feedback from the DNS community on what they find most helpful and interesting.