A day in the life of the Covid DNS

2020-06-24 Blog

By Monika Ermert, eLance Journalist - In the last RIPE session, while the DNS operators dug into DNS lockdown data from Europe and around the world, an analyst from Europol warned of rising numbers of phishing, general domain abuse and child sexual exploitation in particular. Two narratives are emerging.

Europol quoted a spike in the number of public notifications to the National Center for Missing and Exploited Children (NCMEC) in March as proof of the negative effects of the crisis with regards to cybercrime. During the virtual RIPE meeting, Europol representative Nicole van der Meulen, analyst at Europol, reported a growth in phishing, scams (like the sale of face masks that are substandard or never delivered) and malicious uses of domain names, but did not present figures on this perceived trend.

Contradictory narratives of how Covid shaped the net

Since people are more dependent on information, van der Meulen claimed, criminals have been able to exploit disinformation. Hydroxycloriquin sales were boosted after being endorsed by seemingly trustworthy sources – such as the US president. Asked for statistics, however, van der Meulen had to pass. Europol has produced more than half a dozen recommendations and reports (find the latest here) that describe the Covid effects.

But DNS operators say the figures of Covid-related domains registered for criminal intent is negligible (and in fact, CENTR has previously published blogposts on this here and here). DNS infrastructure providers and researchers have instead started to analyse traffic data sets to model the effects of the lockdown wave that rolled through China, Europe and the US.

There is also more traffic to apps like Zoom (up 250 percent) and streaming services. People have also clearly turned to residential networks during the spring - which among other things implies a sudden boost in DNS queries over IPv6. But this leads to interesting questions. Why did the US show a flat rate of DNS traffic in March while Europe experienced a lockdown spike? Research on DNS traffic data has just begun and during the RIPE DNS WG, analyses of data from Neustar’s UltraDNS and PowerDNS were presented. RIPE Labs has also received more figures from APNIC.

Push for more liability for domain name providers?

The perception of how DNS registrations and requests have impacted European communities diverge.But registrars and experts worry that policy responses will lead to a high number of false positives, creating extra hassle for internet users and reducing business opportunities. One example is the EURid initiative to block malicious registrations during the health crisis, which has potentially caused some registrations to be wrongly classified as harmful, even though the registrations were not. EURid used a blanket procedure for all registrations that included "corona" or "covid", but also more general terms like "virus" or "mask" in the EU languages, which included not immediately delegating them in the zone. Even domains like "" had been flagged, one registrar reported.

Thymen Wabeke from SIDN presented a different domain name abuse handling strategy: to make sure that .nl was a trusted zone, SIDN initiated work as far back as 2016 to develop a mechanism to detect sites offering counterfeit goods – BrandCounter and FakeDetector.

By 2018, BrandCounter had helped to take down over 4,000 domains selling counterfeit goods. FakeDetector went one step further and trained an algorithm with a number of features found in scams, like short lifetimes or spelling errors in the domains, as well as data contributed by financial services on 231 scam operators. Out of 30,000 checked .nl domains, 1,407 were declared suspicious and 894 were verified to be true positives and sent on to registrars for a further check and take-down. Given the false positive rate of over 20 percent, these machine learning experts show the machines still have to learn, though SIDN considers the initiative a success.

Mechanisms like the FakeDetector and BrandCounter might, on the other hand, result in a push from the authorities for registries and registars to use pro-active checks. What’s certain, according to Wabeke, is that the hunt for scams and counterfitters will be a whack-a-mole game that will go on for ever.

Yet for the next editions of the RIPE DNS WG, interested parties will have to turn to remote sessions for the foreseeable future. The next RIPE DNS WG meeting is set for 8 July 2020. The upcoming RIPE 81 meeting in October will also be held as a virtual meeting.