
DNSAI Compass: Six Months of Measuring Phishing and Malware

  • Posted by Rowena Schoo
  • Categories Article, DNSAI Compass, News
  • Date February 16, 2023

The DNS Abuse Institute recently published our sixth monthly report for our project to measure DNS Abuse: DNSAI Compass (‘Compass’). Compass is an initiative of the DNS Abuse Institute to measure the use of the DNS for phishing and malware.

The intention is to establish a credible source of metrics for addressing DNS Abuse. We hope this will enable focused conversations, and identify opportunities for improvement. 

DNS Abuse impacts everyone. We want to use this initiative to improve the overall health of the DNS ecosystem. Fundamentally, we want to prevent or quickly mitigate harm to end users, businesses, governments, civil society organizations, public services, and the general public while preserving the benefits and principles of an open Internet.

This February 2023 report includes data from May through December 2022 and we now have eight months of data available on our interactive dashboards. Our methodology for this report is the same as all prior reports (v1.0) and we encourage feedback, questions, ideas, or suggestions to help us improve this initiative.

To ensure Compass is independent, reliable, and uses academically robust methodology, we work with an experienced independent third party who designed the methodology and conducts the data gathering. The technical analysis for this project is performed by KOR Labs, led by Maciej Korczynski from Grenoble INP-UGA.

Our methodology observed an increase in domains involved in malware distribution in December 2022 when compared to the previous month of reporting. For all domains identified as related to malware in December 2022, our methodology observed high levels of mitigation (97%), and a high proportion (83%) of compromised domains. Observed numbers of domains identified as related to phishing are similar to previous months. 

This report marks six months since our first report in September 2022. During this journey we have spoken with a range of stakeholders in various corners of the world, both virtually and in person. Our discussions have included representatives of registrars, registries, law enforcement agencies, governments, trade and consumer organizations, financial and intellectual property interests, hosting providers, civil society, and the security and research community. 

This outreach has been far-reaching as we seek to include the global community interested in keeping the internet safe. We welcome opportunities to share our work with new audiences around the world and hear about others’ experience in measuring and fighting DNS Abuse. 

Throughout this experience we’ve learnt several important lessons on how we measure and communicate about DNS Abuse: 

One recurring theme we observed in our outreach is the importance of using specific language and granular measurement. Sometimes ‘DNS Abuse’ can be used as shorthand for ‘mitigation is appropriate at the DNS level’. While this is sometimes true, it isn’t always the case and to move the conversation forwards, we need to get more specific. We can do this by recognizing the need to determine whether the registration is malicious or compromised, understanding the evidence available, and considering the potential for collateral damage if the registration is removed from the DNS. 

Secondly, purpose and scope are important. Compass is intended to reliably and consistently measure the prevalence and persistence of the use of domains in phishing and malware; it is not intended to capture all harm on the Internet, or to measure the impact of this harm on end users. We measure unique domains (not URLs) because the (limited) actions that registrars and registries can take all apply at the domain level, not at the URL level.

Finally, context is essential. It’s worth remembering that our project identifies evidence of phishing and malware on a small portion, less than 1%, of all domains currently registered. The vast majority of domains registered are not engaged in phishing activity or malware distribution.  

As Compass matures, we’re working towards public reporting on individual TLD and registrar performance. Our aim is to celebrate and recognize good practice, as well as shine a spotlight on potential areas for improvement in the industry.

We hope to understand through these reports which factors, policies, and processes are effective, and empower the industry with evidence. 

We are currently considering how best to achieve individualized performance reporting while recognizing nuance and context, and incentivizing behaviors that reduce and prevent DNS Abuse with minimal unintended consequences. We look forward to gradually expanding the granularity of our data with future iterations of public reports. As we do this, we’ll be reaching out to individual registries and registrars prior to publication.  

We have considerably more data than we have currently published. We encourage all registrars and registries to get in contact with us and take the opportunity to view the data associated with their registrar or registry. These meetings typically yield insights for both the registry or registrar and the DNSAI. 

These meetings can take place virtually, or for those headed to ICANN76 in Cancun, you may like to take this opportunity to meet with us in person. 

Tags: Abuse Reporting, DNS Abuse, DNS Abuse Institute, DNSAI Compass
