DNS Abuse Definition: Attributes of Mitigation

  • Posted by Graeme Bunton
  • Categories: Article, News
  • Date: August 24, 2021

By Graeme Bunton, Director of the DNS Abuse Institute

Introduction

A substantial amount of DNS community discussion on the topic of DNS Abuse is focused on defining what is or is not DNS Abuse. The definition adopted by ICANN contracted parties, as well as the DNS Abuse Institute, is straightforward: DNS Abuse is malware, botnets, pharming, phishing, and spam where it’s a vehicle for the preceding harms.  There is of course some fuzziness on the margins, where technical harms are also using content. 

The reasons for the definitional discussion are straightforward: most Registrars and Registries want a narrow definition of technical harms that they can understand and have the capability to address, and which also limits the impacts of an imprecise and often disproportionate approach. Other interests, by contrast, typically want an expanded definition in the hope that the harms impacting them can be addressed at the only centralized and globally regulated component of the Internet’s infrastructure, the DNS.

This post is a thought experiment intended to provide a new alternative method for defining DNS Abuse – and the criteria to most effectively mitigate it.  Our current definition of DNS Abuse was arrived at by identifying and categorizing online harms based on how the harm is executed. Instead, we propose that a definition could be derived by considering the attributes of how a harm can be mitigated.  Through this approach, DNS Abuse is not a list of harms selected by their category, but instead consists of harms that are appropriately mitigated by the DNS.  The rest of this post is an elaboration of what appropriate means in this context.

Online Harms

Online harms are often fit into three broad categories:

Content Harms: Transgressive content such as hate speech, intellectual property infringements like copyright and trademark, and financial or commercial harms like fraud. 

Technical Harms: Botnet Command and Control Infrastructure, the distribution of malware, and DNS poisoning attacks like pharming. 

Hybrid Harms: Phishing and pharming will often have both deceptive content and domain names.

While the categories are useful, it’s important to recognize that online harms may employ combinations of content and technical methods. This categorization is not intended to be definitive, but it is helpful for recognizing that there is a diverse array of harms and that they employ different techniques.

It’s also worth noting that all online harms (with the exception of spam) involve resolution (translating an address to the physical file location) to a hosted resource. That resolved resource could be a tweet, a web page used for phishing, or the management tools for controlling a botnet. In some sense, these are all types of “content” in that they are files on a server, and that they are distinct from the domain name.

Internet Infrastructure and Online Harms

There are quite a few layers of Internet infrastructure between an end user and a piece of content or harmful file.  A simplified map looks like this:

The relevant features of this basic map are that entities in red boxes are likely to have the ability to alter content, and the boxes with fine dotted lines (CDN, Platform, Domain Reseller) may not be present in all scenarios. Blue boxes will usually have control over the resolution of a domain name.

Now that we have a sense of what harms exist, and a rough map of Internet infrastructure, we can begin to consider what pieces of this infrastructure are integral to different categories of online harm.

A clear content harm, for example a threatening post on Twitter, may only have the platform as integral. All the rest of the infrastructure is involved in making the tweet available, but it should be reasonably obvious that only the platform is the appropriate place to mitigate the harm.

On the opposite end of the online harm spectrum are harms that are entirely (or almost entirely) technical, like Botnet Command and Control infrastructure.  In these circumstances, the domains associated with a botnet are identified, often before registration, and can be best addressed by the registry or registries.  The host(s) are also critical but are easily changed by the perpetrator.

The point of these examples is to highlight that different harms rely on different layers of internet infrastructure. Given these patterns, it follows that the methods employed to mitigate harms should employ approaches appropriate to the integral components on which specific harms rely.

Assessing Mitigation

With that background, we can discuss the key piece of this puzzle, and the point of this post, which is that it is simpler to assess mitigation approaches than it is to attempt to categorize and define each type of harm.  

So how do we assess mitigation approaches, and what are the attributes that mitigation should have? 

Mitigation techniques ought to be:

  • Effective – the harm is mitigated
  • Quick – the mitigation can be implemented with due speed
  • Simple – the harm can be mitigated without involving multiple layers, players, or technologies
  • Precise – there is a minimum of collateral damage
  • Proportional – the effort and scope of the mitigation is commensurate with the harm
  • Cost effective – the cost of mitigation should be commensurate with the harm
  • Necessary – other mechanisms for mitigation are not available

There is of course some subjectivity to these attributes, especially in proportionality, but there is little need for belabouring them in a good faith discussion of online harms. Further, by employing the full set of attributes, we’re able to determine exactly where disagreements about harm mitigation lie. Having collective clarity on where there’s alignment and where there is not is valuable, and currently missing.

Registrar and Registry Abuse Mitigation Tools

It should be noted that a key consideration for registrars and registries when mitigating abuse is the simplicity of the tools or techniques available to them. The Internet and Jurisdiction Policy Network provides a thorough explanation of available responses in their domain toolkit available here: https://www.internetjurisdiction.net/domains/toolkit. However, the only real tool a registrar or registry has is to prevent a domain name, and consequently any services that rely on it, from resolving.

It is for this reason that resolving a harm via registrars and registries is often neither precise nor proportional. Further, a registrar or registry may have no way to determine if a domain name is providing other services, making proportionality assessments difficult if not impossible.

Bringing it Together

We’ve established that different online harms use different infrastructure, and that mitigation techniques have a reasonably defined set of desirable attributes.  The next step is to put these two pieces together to determine if mitigating harm at a particular layer is appropriate.

To do so, we return to our initial two examples, this time in the form of a matrix where we assess each layer of internet infrastructure by the above attributes.

For our hateful tweet example:

From this analysis we can determine that mitigation on the platform itself is the most desirable approach. Mitigating a hateful tweet by having the registrar suspend twitter.com will be quick and can prevent the tweet from being seen, but it’s neither precise, nor proportionate. Having ISPs around the world block a specific tweet might work, but it is not going to be quick, simple, cost effective, or proportionate. 

Applying the same analysis to Botnet Command and Control Infrastructure:

Here we can see that while mitigating a botnet at the host level may be reasonably simple and precise, it’s likely not effective because the hosting infrastructure can be rapidly changed. The primary benefit of resolving botnets at the registry rather than registrar is that domains may be blocked at the registry with minimal cost, and potentially prior to registration which saves fees and reduces harm.

Summary

While the DNS Abuse Institute is not about to embark on a campaign to redefine DNS Abuse, we are interested in approaches that increase our understanding of the problem and bring greater sophistication to community discussions about DNS Abuse.

When someone suggests a problem should be resolved at the DNS layer, this alternative DNS Abuse approach allows us to ask why mitigation at this level is appropriate and provides us with a framework for assessing the response.  We can also have discussions about the relative weights of each mitigation attribute, and whether they change based on the specific type of harm. As well, in this approach, new online harms are relatively easily assessed, and a new definition need not be discussed and adopted.

We also gain clarity on which parts of the Internet ecosystem require more attention, and even potential regulation. An abundance of scenarios exist where the host is the appropriate place to mitigate a harm, and there is an unfortunate lack of mechanisms to address abuse at this level of infrastructure.

Lastly, by recognizing the strengths and weaknesses of various approaches to mitigation we are better able to understand where the DNS Abuse Institute can assist Registrars and Registries to take action.
