October 23, 2024

Reflections on a Year of Publishing Registrar and TLD Abuse Rates

In June 2023, after ten months of publishing general DNS Abuse trends at the aggregate level, we published our first report listing high and low abuse rates per Domains Under Management (DUM) and new registrations for registrars and TLDs, which we refer to as Specific Reporting. 

Our DNS Abuse reporting methodology focuses on counting unique domain names used for phishing and malware. For our Specific Reporting tables, we specifically focused on malicious abuse: domains that our methodology identified as registered for the purpose of phishing and malware, as opposed to benign domains that are compromised (typically at the website level) and used for abuse. 

The journey to releasing our Specific Reporting was lengthy as we spent considerable time and energy to ensure the metrics were as fair as possible to registrars and TLDs. This meant we did complex things like introducing “consistency requirements” and redactions. It was also important to us that all registrars and registries included in our reporting were given notifications prior to publication.

With just over a year of Specific Reporting behind us, it is time to reflect on what we’ve learned and consider emerging trends.

Challenges and lessons 

False positives 

One of the biggest challenges we faced with publishing registrar and registry data was working to reduce the likelihood of unfairly identifying registrars and TLDs as “bad actors.” This challenge exists partly because accurate measurement of DNS Abuse is so difficult. In particular, all measurement efforts currently begin with the imperfect starting point of Reputation Block Lists (RBLs). RBLs tend to have a higher tolerance for false positives because they are typically designed for network blocking, not for mitigation at the DNS level. Even the most reliable RBLs still contain false positives. To manage this challenge, we made a number of choices in how we presented the data. Specifically, we included minimum requirements for the number of unique domains identified as maliciously registered per month per registrar/TLD (more than 10 for high abuse tables, more than five for low abuse tables). We reasoned that listing a registrar credential or TLD in the low abuse tables due to false positives was less of an issue than listing it in a high abuse table. We included an explanation in our Monthly Analysis

Consistency 

Secondly, consistency quickly emerged as an issue. One bad month does not make a registrar credential or a TLD “bad”. All registrars and TLDs can be targeted by malicious actors. Consistency over time is what indicates an issue needs to be addressed. We introduced a consistency requirement to prevent us from reporting unusually high abuse as compared to previous performance, especially if all the abuse is mitigated. Only registrar credentials and TLDs that had been consistently (4 or more of the last 6 months) listed in a high abuse table would be identified; the rest would be redacted.

We considered using a statistical average (over 3, 6, or 12 months), but this could still result in artificially high abuse rates. The example below shows a small TLD that we believe was targeted by malicious actors resulting in an exceptional spike of identified abuse in July 2023, all of which appeared to be mitigated. Even if we took an average over 12 months (June 2022 – July 2023), the abuse rate would have been very high (428 unique domain names maliciously registered per 100,000 DUM). To put this into context, the highest equivalent abuse rate in our published tables was 34 (unique domain names maliciously registered per 100,000 DUM). 

For the most part, it’s not immediately apparent that we have this requirement, until readers wonder why some names are redacted. When we explain this requirement, we tend to find people think it’s relatively fair. We’re very open to hearing feedback on it. 

Figure 1: Example of a small TLD targeted by abuse in one month; a demonstration of why our consistency requirements were introduced. 
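The minimum-count and consistency rules described above, worked through as an added example (not NetBeacon's own code) over constructed data. The operator names, all figures, the table length and counting the current month inside the six-month window are assumptions.

```python
"""Added example: minimum-count and consistency rules on constructed data."""
RATE_BASE = 100_000        # rates are expressed per 100,000 DUM
MIN_DOMAINS = 10           # high abuse tables: more than 10 unique domains per month
WINDOW, MIN_LISTED = 6, 4  # named only if listed in 4 or more of the last 6 months
TABLE_SIZE = 2             # assumption: the page does not state the table length

# Constructed sample: operator -> (DUM, malicious registrations per month, oldest first)
SAMPLE = {
    "tld-steady": (2_000_000, [400, 380, 420, 390, 410, 405]),
    "tld-medium": (500_000, [60, 12, 70, 65, 8, 75]),
    "tld-small": (20_000, [0, 1, 0, 2, 0, 600]),  # a single-month spike
    "tld-clean": (1_000_000, [3, 2, 11, 4, 1, 2]),
}

def rate(malicious, dum):
    """Maliciously registered domains per 100,000 DUM."""
    return malicious * RATE_BASE / dum

def high_table(sample, month):
    """Operators over the minimum count, ranked by rate, for one month index."""
    rows = [(rate(counts[month], dum), name)
            for name, (dum, counts) in sample.items()
            if counts[month] > MIN_DOMAINS]
    return [name for _, name in sorted(rows, reverse=True)[:TABLE_SIZE]]

def publish(sample, month):
    """The month's table, with names redacted unless the consistency rule is met."""
    window = range(max(0, month - WINDOW + 1), month + 1)
    out = []
    for name in high_table(sample, month):
        listed = sum(name in high_table(sample, m) for m in window)
        out.append(name if listed >= MIN_LISTED else "[redacted]")
    return out

def mean_rate(sample, name):
    """Rate computed from the average monthly count, the alternative considered."""
    dum, counts = sample[name]
    return rate(sum(counts) / len(counts), dum)

if __name__ == "__main__":
    print(publish(SAMPLE, 5))
    print(mean_rate(SAMPLE, "tld-small"), mean_rate(SAMPLE, "tld-steady"))
```

In this constructed data the spiking operator tops the latest table but is redacted, while its averaged rate still far exceeds that of the operator listed every month, which is the distortion an average would carry into the published figures.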

Transparency 

The third challenge we faced was living up to our principle of transparency. We committed to this principle wholeheartedly even though it made our work more complex. We felt it was fundamentally unfair for the registrar credentials and TLDs to be identified in the report and not receive advance notice (prior to publication). Manually emailing 120 operators each month with tailored abuse information was a large task for our small team. We have since operationalized this into a smoother process and introduced an additional (free) product for registries and registrars: the Individualized Dashboard. 

From October 2024, all TLDs and all registrars can access their own individual data in a private dashboard—completely free of charge (like all our products and services). We’ll continue to expand and improve these Dashboards and plan to make the monthly data input available here first before we publish our public reporting. 

Anyone interested can read more on our website. Requests for access can be made to support@netbeacon.org

Registrar trends over 12 months

So how has this worked out over a 12-month period of reporting?

Table 3 of our report focuses on registrar credentials with the highest observed rates of malicious phishing and malware normalized to a number per 100,000 Domains Under Management (DUM). This metric is aimed at understanding the concentration of abuse compared to the existing DUM. 

When we looked back over 12 months (August 2023 – July 2024) we found high levels of consistency (approximately 70%) month to month. We listed a total of 28 registrar credentials; most of these (75%, 21 of 28) were listed more than once. Half (50%, 14 of 28) appeared in these tables four or more times, meaning they met our consistency requirements and appeared unredacted. Three registrar credentials were listed in this table every month.

Table 6 of our report focuses on registrars with the highest observed rates of malicious phishing and malware compared to new registrations. This metric is aimed at understanding the percentage of new registrations coming into a zone that are identified as abusive.

When we looked back over 12 months (August 2023 – July 2024) we found this table had moderate variability; on average 3.9 registrars are new to the table each month. We listed 37 registrar credentials in Table 6. One registrar credential was listed in this table every month; an additional 3 registrars appeared for 10 out of 12 months. 13 of the 37 registrars (35%) appeared enough times to be unredacted (4 or more of the last 6 months). 23 registrar credentials (62%) appeared 2 times or fewer in Table 3.

What next? 

So, one year on, we’re more operationally efficient but remain equally committed to the principles that underpin NetBeacon MAP: Transparency, Credibility & Independence, Accuracy & Reliability.

In the coming year, we will continue to build on our progress while remaining committed to our core principles. We’re already focused on measuring the gTLD amendments, analyzing specific trends and publishing more information on mitigation. 

We welcome any feedback or suggestions: info@netbeacon.org
