DNSAI Intelligence is an initiative of the DNS Abuse Institute to measure DNS Abuse. The technical analysis for this project is performed by KOR Labs.

Read our blog for a short introduction.

Download our first report for further context, and a detailed methodology. We encourage all readers to read the report and methodology in full, and contact us with questions, ideas, or suggestions to help us improve this initiative.

The interactive charts show high level aggregate data from May, June, July 2022.

They focus on phishing and malware:

Phishing is an attempt to trick people into sharing important personal information— banking information, logins, passwords, credit card numbers.

Malware is malicious software designed to compromise a device on which it is installed.

CHART 1: Overall Aggregate Abuse Trends

This chart provides a high level view on how much DNS Abuse has been identified by our methodology, and how it’s changing over time.

It shows the absolute volume of unique domains our methodology has identified are engaged in phishing and malware, broken out by category.

CHART 2: Mitigation

This chart is intended to demonstrate how much DNS Abuse we observe as being mitigated on a monthly basis.

The methodology includes a process to determine whether any mitigation has been observed. This involves taking an initial measurement of various factors related to the URL and repeating these measurements for one month. Further details are set out in the methodology.

This results in four labels:

Mitigated: We believe a mitigating action has occurred. This action could be taken by a registrar, registry, a hosting provider, or another relevant actor.

Not Mitigated: We did not detect any indication of mitigation.

Uncategorized: We were unable to determine whether or not mitigation occurred.

Unprocessed: The domains were not processed due to network connectivity or server problems.

CHART 3: Time to Mitigation

This chart is intended to show how the observed time taken to mitigate phishing and malware is changing over time.

For the domains that our methodology determined were mitigated, this chart shows how many registrars had a median time to mitigation in each category.

After an initial measurement, KOR Labs repeats measurements for one month to determine if mitigation has occurred. The intervals used are (starting at the time of acquiring the URL from the blocklist): 5m, 15m, 30m, 1hr, 2hr, 3hr, 4hr, 5hr, 6hr, 12hr, 24hr, 36hr, 48hr, and then once every 12 hours for one month.

While we are describing this information as a “median registrar mitigation time” it should be noted that we do not know definitively that it was the registrar that took action. This data could include mitigation taken by the registry, the host, or any other relevant party. The reference to a registrar is indicative that the domain is under their management.

CHART 4: Malicious vs. Compromised

This chart is intended to show how any trends in malicious vs. compromised domains are changing over time. A compromised domain is a benign domain name that has been compromised at the website, hosting, or DNS level. The ‘uncategorized’ label refers to domains that our methodology was unable to categorize for a number of reasons, including problems in collecting the metadata necessary to classify domain names accurately.