ICANN Panel Seeks Differentiated Response to DNS Abuse
As ICANN continues to struggle with combating domain name system (DNS) abuse, it should distinguish between maliciously registered and legitimate but compromised domain names, stakeholders said Wednesday at this week's ICANN virtual meeting from San Juan, Puerto Rico. Representatives from the Registries Stakeholder Group, Registrar Stakeholder Group, Governmental Advisory Committee, Intellectual Property Constituency and Security and Stability Advisory Committee (SSAC) also agreed that coming up with a process for dealing with compromised domains is probably harder than doing so for maliciously registered names. ICANN can play a key role, but the issues go far beyond the internet body, they said.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
A maliciously registered domain name should be handled by its registry/registrar and by the hosting provider, and a compromised domain should be handled by the hosting provider and the owner/administrator of the website, said Maciej Korczynski, a computer network security professor at Grenoble Institute of Technology. Once a domain has been determined to be maliciously registered, its registry can delete it from the global DNS, suspend it or redirect it, said SSAC Chair Rod Rasmussen. For a compromised domain, the issues are more nuanced, with suspension often a last resort, panelists said. Taking down a domain name is a blunt instrument that affects everything connected with it, from the website to email, said Alan Woods, Donuts senior compliance and policy manager, for the Registries Stakeholder Group. Proportionality is essential: Donuts shutters domains that are harmful to human life or extremely derisory, Woods said.
Asked what ICANN can do about this situation, panelists offered several recommendations. Its compliance team has the ability under registry and registrar contracts to step in when the parties that should be responsible fail to deal with the problem, and it should enforce those provisions better, said Reg Levy, Tucows compliance head, for the Registrar Stakeholder Group. DNS abuse is a subset of all abuse on the internet, and there should be a broader debate about evidentiary standards, expectations about acknowledging and mitigating reported abuse, and on processes and proportionality for all forms of abuse, said Rasmussen. ICANN could also gather some "low-hanging fruit" on the maliciousness side of registrations, said DNS Abuse Institute Director Graeme Bunton.
DNS abuse is such a key cybersecurity issue for the EU, which is negotiating a revised network and information security directive (NIS2), that the European Commission ordered a study on its scope, impact and magnitude. The report, published Jan. 31, defines DNS abuse as "any activity that makes use of domain names or of the DNS protocol to carry out harmful or illegal activity." Among other findings: (1) In relative terms, new generic top-level domain names (gTLDs), with an estimated market share of 6.6%, are the most abused group of TLDs, but not all new TLDs suffer from DNS abuse to the same extent. (2) EU country-code TLDs are by far the least abused in absolute terms. (3) The vast majority of spam and botnet command-and-control domain names are maliciously registered. (4) About 25% of phishing domains and 41% of malware distribution domains are presumably registered by legitimate users but compromised at the hosting level.
The report also assessed regulatory shortcomings and gaps. Among other things, it said the high rate of technological development means "it is increasingly difficult to create top-down public regulation that is sufficiently effective and future-proof." After reviewing international laws, EU legislation, including its proposed Digital Services Act, industry self-regulation and ICANN, the study recommended voluntary good practices, domain industry-led initiatives and organizations such as the DNS Abuse Framework to tackle the problem. It noted, however, that legislators and regulators should support such efforts by, for instance, establishing a centralized registration data disclosure system and/or abuse reporting platform.
ICANN plans to do nothing about the study, President Goran Marby said at this week's meeting. It's an interesting entry in the DNS abuse discussion, but it's for the community, not ICANN the organization, to act, he said: ICANN must remain neutral in the conversation and in this debate there seem to be a lot of different facts.