Education

Internet and Jurisdiction Policy Network Publications 

The Internet and Jurisdiction Policy Network’s Domain and Jurisdiction Contact Group has published a number of very helpful and informative documents addressing both questions of DNS Abuse as well as dealing with website content abuse questions at the DNS infrastructure level. These resources help inform people and organizations that want to report abuse in making those reports more actionable as well as information to registries and registrars in identifying and addressing abuse. 

• Operational Approaches, Norms, Criteria and Mechanisms   

• • In 2019, I&J published this foundational document. This is a comprehensive work on issues relating to DNS Abuse and website content abuse questions. It examines the role of “Operators” (registries and registrars) and their role in DNS infrastructure. It examines the impact of acting via the DNS to address both DNS Abuse and website content abuse questions. 

In 2020, I&J also put out a series of smaller one/two page documents covering specific topics.

• • • Effect of Action at the DNS Level  
      • This document notes the impact of using the DNS to take action to mitigate a threat, including issues such as collateral damage.  It includes graphics for what happens when a domain is locked or suspended.
    • DNS Operator’s Guide to Action on Technical Abuse 
      • This document focuses on questions like identification, evaluation, choice of action and remediation for DNS Abuse.
    • Due Diligence Guide for Notifiers
      • This document helps inform what sorts of due diligence someone making a complaint or notification should take before referring the issue to a registry or registrar.
    • Choice of Action 
      • This document notes the limited tools available to a registry or registrar to address abuse and describes the effect of each action. .
    •  Procedural Workflow for Addressing Phishing and Malware 
      • This is a very interesting document that works as a flowchart/decision tree for both registries or registrars when they receive a referral for phishing or malware.  
    • Minimum Notice Components for Abuse 
      • This sets forth what must go into an effective notification for DNS Abuse. 
    • Typology of Technical Abuse 

Security Framework for Registry Operators

This document Framework for Registry Operators to Address Security Threats (the “Security Framework”) was jointly published between the Public Safety Working Group (a consortium of law enforcement agencies from around the world) and gTLD registries in 2017. It describes what different actions a registry operator can take when it has identified a security threat. It also delineates an implicit hierarchy of notifiers where, for instance, a particular law enforcement agency might have a particularized expertise (e.g., identifying domain generating algorithms). It also sets forth expected communications between law enforcement and registries when a security threat has been identified.

ICANN Competition, Consumer Trust, And Consumer Choice Review, Final Report

The ICANN Competition, Consumer Trust, And Consumer Choice Review (CCT RT) was created when “ICANN’s Affirmation of Commitments (AoC) called for a regular review of the degree to which the New Generic Top-Level Domain (gTLD) Program promoted consumer trust, choice and increased competition in the Domain Name System (DNS) market.” The CCT RT published its Final Report in 2018 and made several policy recommendations. It should be noted that the CCTRT utilized an early definition of “DNS Abuse” that included issues relating to website content abuse. Its definition of “DNS Security Abuse” tracks more closely to currently understood definitions of “DNS Abuse.” The CCT RT Final Report is available here. 

In 2017, a study commissioned by the CCT RT was published, titled Statistical Analysis of DNS Abuse in gTLDs – Final Report. This report compared abuse trends in legacy gTLDs and new gTLDs and across the entire DNS at that time.

Specification 11(3)(b) Advisory

This “Advisory, New gTLD Registry Agreement Specification 11 (3)(b)” was developed jointly between ICANN and gTLD registries in 2017. Specification 11(3)(b) is a part of the base Registry Agreement that requires gTLD registries to conduct periodic analysis for security threats and maintain data for purposes of reporting on those identified threats. The Advisory defines “Security Threats” very similarly to DNS Abuse and describes what technical analysis for registries should look like. It also describes the use of Reputation Service Providers and details the reports ICANN expects from registries under Specification 11(3)(b).

CENTR Resources

The Council of European National Top-Level Domain Registries (CENTR) is a consortium of predominantly European ccTLDs. CENTR seeks to promote and participate in the development of high standards for ccTLDs to the benefit of its members and the Internet.

CENTR has published a document titled “Domain Name Registries and Online Content” that provides a thorough explanation of a registry operator’s role in the infrastructure of the DNS. CENTR has also published a video that provides a similar explanation, as it relates to the DNS infrastructure and dealing with website content online.

Anti-Phishing Working Group (APWG) Phishing Activity Trends Report

The APWG publishes a quarterly update on observed phishing activity reported by its member organizations, partners, and third-parties. The current quarterly phishing report and prior reports are available here.

FIRST Best Practice Library

FIRST is the Forum of Incident Response and Security Teams. FIRST maintains its Best Practice Library “to assist FIRST Team Members and public in general in configuring their systems securely by providing configuration templates and security guidelines.” The FIRST Best Practice Library is available here.

M3AAWG Resources

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) strives “to work against botnets, malware, spam, viruses, DoS attacks and other online exploitation.” M3AAWG maintains a series of its best practices, available here.

Spamhaus Botnet Threat Reports

The Spamhaus Project “is an international nonprofit organization that tracks spam and related cyber threats such as phishing, malware and botnets”. Spamhaus publishes an annual Botnet Threat Report, describing trends and data in observed incidences of botnets.  

• 2019 Botnet Threat Report
• 2018 Botnet Threat Report 
• 2017 Botnet Threat Report 

Spamhaus also publishes quarterly updates on its observed botnets.