DNS Abuse— a Domain Trust-Based Appetizer

1. Background

Internet domains are a major vector for cyberattacks. Every day, thousands of domains are registered with the sole intent of conducting criminal activity, such as phishing or distributing malware. They are used by criminals and state-sponsored actors to conduct attacks that deliver malware, defraud people, and carry out other illicit activity. Domains can be registered quickly, cheaply, and in bulk, allowing cybercriminals to move fast and stay ahead of detection.

In November 2020, the Global Cyber Alliance (GCA), taking advantage of its independence as a neutral, convening party, launched Domain Trust, a data-driven community effort to prevent criminal domain abuse.

A number of organizations with the capacity to provide actionable intelligence and/or take effective action against malicious domains joined the program. Since its inception, GCA and its partners have built an information-exchange platform that currently holds almost five million suspect domains and created a community of key players working towards the common goal of fighting domain abuse.

An important component of the actions collectively taken by the Domain Trust community is having meaningful, data-driven conversations with registrars responsible for large volumes of malicious domain registrations.


2. Objective

As the number of registrars of domains suspected to be malicious was expected to be very large, a way to prioritize conversations with registrars was needed. Our GCA team sought to identify the top registrars of suspect domains using the information available in the Domain Trust platform.


3. Methodology

The idea behind the identification of the top registrars by volume of suspect domain registrations is simple: find the registrars of domains submitted to the Domain Trust platform, then rank the registrars based on the number of suspect domains.

There are two issues with this approach. The first challenge is that the Domain Trust taxonomy does not provide for the capture of registrar information, so a domain lookup step was added to the analysis. Secondly, as the number of domain registrations varies considerably by registrar, from a few thousand to tens of millions, a way to normalize suspect-domain counts is needed. We chose to use total domain registrations as the normalization factor.

The resulting list of registrars ranked by the relative volume of suspect-domain registrations was anonymized to prevent naming-and-shaming, an approach we do not consider particularly constructive. Conversations with registrars are expected to share relative ranking information while preserving the anonymity of others (i.e., “you are registrar number n on the list”).


3.1. Domain Lookups

WHOIS information was used to find the registrars of domains submitted to the Domain Trust platform.

A dedicated Ubuntu server was provisioned to run the whois command non-stop. As WHOIS servers often impose limitations, multiple passes of the whois command were required to identify registrar information for the maximum number of domains. In particular, the following scenarios forced whois re-runs:

  • Query limit exceeded: this category covered cases such as exceeding the maximum number of queries in a given period and querying again too soon after the previous query
  • Busy or down WHOIS server
  • No information on server: some TLDs (e.g., .es) do not have a dedicated WHOIS server and redirect WHOIS queries to a separate web service

The multiple-pass WHOIS lookup strategy yielded near-complete coverage: registrar information was eventually found for 98.4% of the domains queried. Among the remaining 1.6% were domains that had already been taken down by the time of the WHOIS query and domains that had been submitted in error.
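The multi-pass lookup described above, written out as an added example (this is not GCA's own tooling): each whois answer is classified into one of the outcomes listed, only the retryable outcomes (query limit exceeded, busy or down server) are queued for the next pass, and the "no WHOIS server" and "no data" outcomes are closed out immediately. The marker phrases and the sample whois responses are constructed for the example; the real wording differs from server to server, and `run_whois` simply shells out to the local `whois` client.

```python
import re
import subprocess
import time
from enum import Enum


class Outcome(Enum):
    FOUND = "registrar found"
    RATE_LIMITED = "query limit exceeded"       # re-run after a delay
    SERVER_UNAVAILABLE = "busy or down server"  # re-run on a later pass
    NO_WHOIS_SERVER = "no whois server"         # TLD only offers a web lookup
    NO_DATA = "no registrar line"               # domain gone or submitted in error


# Hypothetical marker phrases (constructed for this example); real servers word these differently.
RATE_LIMIT_MARKERS = ("limit exceeded", "rate limit", "too many requests")
DOWN_MARKERS = ("connection refused", "connection timed out", "connection reset")
NO_SERVER_MARKERS = ("no whois server is known",)
# "Registrar:" or "Sponsoring Registrar:" at the start of a line; "Registrar URL:" etc. do not match.
REGISTRAR_RE = re.compile(r"^\s*(?:sponsoring )?registrar:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)

RETRYABLE = {Outcome.RATE_LIMITED, Outcome.SERVER_UNAVAILABLE}


def classify(text):
    """Map one whois response to an outcome and, when present, the registrar name."""
    match = REGISTRAR_RE.search(text)
    if match:
        return Outcome.FOUND, match.group(1)
    low = text.lower()
    if any(marker in low for marker in RATE_LIMIT_MARKERS):
        return Outcome.RATE_LIMITED, None
    if any(marker in low for marker in DOWN_MARKERS):
        return Outcome.SERVER_UNAVAILABLE, None
    if any(marker in low for marker in NO_SERVER_MARKERS):
        return Outcome.NO_WHOIS_SERVER, None
    return Outcome.NO_DATA, None


def run_whois(domain, timeout=30):
    """Query the local whois client; stderr is kept because connection errors land there."""
    proc = subprocess.run(["whois", domain], capture_output=True, text=True, timeout=timeout)
    return proc.stdout + proc.stderr


def lookup_with_passes(domains, query=run_whois, max_passes=3, delay=0.0):
    """Run repeated passes, re-querying only domains whose last answer was retryable."""
    results = {}
    pending = list(domains)
    for _ in range(max_passes):
        if not pending:
            break
        still_pending = []
        for domain in pending:
            outcome, registrar = classify(query(domain))
            results[domain] = (outcome, registrar)
            if outcome in RETRYABLE:
                still_pending.append(domain)
            if delay:
                time.sleep(delay)  # spacing between queries to stay under the server's limit
        pending = still_pending
    return results


def coverage(results):
    """Fraction of queried domains for which a registrar was identified."""
    found = sum(1 for outcome, _ in results.values() if outcome is Outcome.FOUND)
    return found / len(results) if results else 0.0


# Constructed whois responses standing in for the real whois command (one list per domain,
# handed out in order across passes; the last entry repeats).
SAMPLE_RESPONSES = {
    "suspect-one.example": ["Domain Name: SUSPECT-ONE.EXAMPLE\nRegistrar: Alpha Registrar, Inc.\n"],
    "suspect-two.example": ["% Query rate limit exceeded. Try again later.\n",
                            "Domain Name: SUSPECT-TWO.EXAMPLE\nRegistrar: Beta Registrar LLC\n"],
    "suspect-three.example": ["whois: connect: Connection refused\n",
                              "whois: connect: Connection refused\n",
                              "Domain Name: SUSPECT-THREE.EXAMPLE\nSponsoring Registrar: Gamma Domains\n"],
    "suspect-four.es": ["No whois server is known for this kind of object.\n"],
    "gone.example": ['No match for domain "GONE.EXAMPLE".\n'],
}


def make_fake_whois(responses=SAMPLE_RESPONSES):
    """Build a stand-in for run_whois that replays the constructed responses per domain."""
    calls = {}

    def fake_whois(domain):
        n = calls.get(domain, 0)
        calls[domain] = n + 1
        answers = responses[domain]
        return answers[min(n, len(answers) - 1)]

    return fake_whois


if __name__ == "__main__":
    res = lookup_with_passes(SAMPLE_RESPONSES, query=make_fake_whois(), max_passes=3)
    for domain, (outcome, registrar) in res.items():
        print(f"{domain:24} {outcome.value:22} {registrar or ''}")
    print(f"registrar found for {coverage(res):.1%} of domains")
```

Against real servers, `lookup_with_passes(domains, delay=2.0)` is the call; the delay and the number of passes are the two knobs that trade throughput for coverage, which is why the full run described in section 3.3 below took days rather than hours.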


3.2. Domain Registrations

To obtain the total number of domains registered by each identified registrar, the figure used as the normalization factor, we used the information available at the Domain Name Stat website.


3.3. Limitations

The WHOIS lookups were slow, as they often required multiple passes and delays between queries to work around rate-limiting restrictions.

Getting registrar information on all domains in Domain Trust (almost five million altogether) would have been prohibitively time-consuming. Instead, we settled on a smaller, statistically significant sample. Specifically, we performed the analysis on one month's worth of Domain Trust submissions. We chose the most recent month at the time of the analysis, April 2022. Conducting all WHOIS lookups took eight days of consecutive execution on the dedicated Ubuntu server.

While the number of suspect domains was limited to those submitted in one month, the normalization factor was not comparably restricted. Instead, we chose to use total registration counts for each identified registrar.

We believe that, even with the limitations outlined above, our analysis is sound enough to meet the goal of being able to provide a list of registrars ranked by their relative volume of suspect domain registrations to guide registrar conversations.


3.4. Sources

  • All suspect domains submitted to the Domain Trust platform in April 2022
  • WHOIS database information (obtained through the whois command) to identify the registrars of the suspect domains
  • Registration counts per registrar provided by Domain Name Stat


3.5. Methodology Summary

Fig. 1 provides a graphical depiction of the methodology employed.

Fig. 1: Methodology flow


4. Findings

The chosen data sample (i.e., all Domain Trust submissions in the month of April 2022) yielded 161,734 domains.

The domain lookup strategy outlined above was able to identify registrars for 159,096 (98.4%) of those domains. In all, 1,701 unique registrars were identified. The top 12 registrars accounted for 69% of all suspect domain submissions, with the top 3 accounting for 26%, 11%, and 8%, respectively. Total domain registration counts were obtained for those top 12 registrars.

Domain Trust's share and global share for each of the top 12 registrars are plotted in Fig. 2, with registrar names replaced by identifiers to preserve anonymity.

R01, a registrar based in the US, was the highest contributor of suspect domains in April 2022 (tallest orange column). R03 is the registrar with the highest share of domain registrations in our data set (tallest blue column).

Fig. 3 is a simplified view of the data where the Domain Trust share is normalized by the global registration share. The tallest column corresponds to R04, a registrar operating out of Hong Kong, which, in April 2022, had a relative contribution of suspect domains of 113.7. That means that its share of suspect domains was 113.7 times higher than its share of registrations.

It is worth pointing out that R03, the top registrar in terms of registrations, was the only registrar with a normalized share less than 1.0. In other words, its share of suspect domains was 60% of its share of global registrations (i.e., 40% lower).
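The normalization and anonymization used in sections 3 and 4, carried through on constructed numbers as an added example (not the Domain Trust data set or GCA's own code). Each registrar's Domain Trust share (its suspect domains over all suspect domains in the sample) is divided by its global share (its registrations over all registrations), identifiers R01, R02, ... are assigned in order of Domain Trust share so that R01 is the largest contributor, and the message a registrar receives reveals only its own position on the normalized list. The registrar names, counts and totals below are constructed; they are chosen so that, as in the findings, the registrar with the largest global share is the only one below 1.0.

```python
from dataclasses import dataclass

# Constructed counts, not the April 2022 Domain Trust data: suspect domains attributed
# to four registrars in a one-month sample, and each registrar's total registrations
# (the normalization factor).
SUSPECT_BY_REGISTRAR = {
    "Alpha Registrar, Inc.": 5_200,
    "Beta Registrar LLC": 2_200,
    "Gamma Domains": 1_600,
    "Delta Names Ltd": 1_000,
}
SAMPLE_TOTAL_SUSPECT = 20_000      # all suspect domains in the sample, including other registrars
GLOBAL_BY_REGISTRAR = {
    "Alpha Registrar, Inc.": 10_000_000,
    "Beta Registrar LLC": 3_000_000,
    "Gamma Domains": 80_000_000,
    "Delta Names Ltd": 500_000,
}
GLOBAL_TOTAL = 200_000_000         # all registrations across all registrars


@dataclass(frozen=True)
class RegistrarScore:
    identifier: str      # anonymized label; R01 = largest contributor of suspect domains
    name: str            # kept internally, never shared with other registrars
    suspect_share: float  # registrar's suspect domains / all suspect domains in the sample
    global_share: float   # registrar's registrations / all registrations
    normalized: float     # suspect_share / global_share; 1.0 means "in line with its size"


def score_registrars(suspect, total_suspect, global_counts, global_total):
    """Compute both shares and their ratio, then label registrars by descending suspect share."""
    rows = []
    for name, count in suspect.items():
        s = count / total_suspect
        g = global_counts[name] / global_total
        rows.append((name, s, g, s / g))
    rows.sort(key=lambda row: row[1], reverse=True)
    return [RegistrarScore(f"R{i:02d}", name, s, g, ratio)
            for i, (name, s, g, ratio) in enumerate(rows, start=1)]


def ranked_by_normalized(scores):
    """The conversation list: registrars ordered by normalized share, highest first."""
    return sorted(scores, key=lambda sc: sc.normalized, reverse=True)


def position_message(scores, name):
    """What one registrar is told: its own rank on the normalized list and nothing else."""
    ordered = ranked_by_normalized(scores)
    for position, sc in enumerate(ordered, start=1):
        if sc.name == name:
            return f"you are registrar number {position} of {len(ordered)} on the list"
    raise KeyError(name)


def anonymized_rows(scores):
    """Rows suitable for a Fig. 3 style chart: identifier and normalized share only."""
    return [(sc.identifier, round(sc.normalized, 1)) for sc in ranked_by_normalized(scores)]


if __name__ == "__main__":
    scores = score_registrars(SUSPECT_BY_REGISTRAR, SAMPLE_TOTAL_SUSPECT,
                              GLOBAL_BY_REGISTRAR, GLOBAL_TOTAL)
    for sc in scores:
        print(f"{sc.identifier}  DT share {sc.suspect_share:6.1%}  "
              f"global share {sc.global_share:7.2%}  normalized {sc.normalized:6.1f}")
    print(anonymized_rows(scores))
    print(position_message(scores, "Gamma Domains"))
```

Note that the identifier is assigned from the Domain Trust share, while the list used for conversations is ordered by the normalized share; the two orders differ, which is exactly why the normalization matters: the largest contributor of suspect domains is not necessarily the one registering them at the highest rate relative to its size.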

Fig. 2: Domain Trust share and global share for each of the top 12 registrars (names replaced by identifiers)


Fig. 3: Domain Trust share normalized by global registration share for the top 12 registrars


The author, Rufo de Francisco, is the Director of Software Engineering and Development at the Global Cyber Alliance. You can connect with him on LinkedIn and follow him on Twitter.