DNS abuse discussions at ICANN81: There is hope for the multistakeholder model

Blog 25-11-2024

ICANN81 marks 7 months since the DNS abuse amendments to ICANN Registrar and Registry contracts went into effect. During these months, the ICANN Org and the wider community have been gathering data and reports to inform the ongoing discussions on how to address the “Big 5” of DNS abuse: malware, botnets, phishing, pharming, and spam when used as a delivery mechanism for the other forms of DNS abuse. Notably, the ICANN81 discussions brought in constructive feedback from communities that have been largely absent from previous discussions, in particular on assessing the risks to registrants’ human rights when measures are taken to mitigate DNS abuse at the domain name level.


Data from ICANN compliance

On 5 April 2024, ICANN Contractual Compliance (ICANN Compliance) began enforcing the new DNS abuse obligations applicable to ICANN contracted parties: gTLD registry operators and registrars. These obligations require gTLD registries and registrars to take mitigation actions to stop or disrupt well-evidenced DNS abuse. As of 5 October, ICANN Compliance had completed 154 investigations, resulting in the suspension of over 2700 malicious domains and the disruption of over 350 websites. Contracted parties have had mixed reactions to ICANN Compliance’s statistics, particularly registrars, who are most affected by the contractual amendments. Registrars ask that the reported statistics be treated with caution, as they do not give a definitive picture of the DNS abuse mitigation measures available across operators. Contracted parties also ask for actionable evidence and quality reports when DNS abuse instances are flagged to them. Some operators have reported improved quality of DNS abuse reports following the contractual amendments.

Feedback from Commercial stakeholders

Commercial stakeholders, including intellectual property rightsholders, see the contractual amendments as a first step in addressing DNS abuse within the ICANN community. According to the FBI and the International Monetary Fund, cybercrime causes significant financial loss to businesses across the world. Commercial stakeholders are also interested in expanding the definition of DNS abuse adopted within the ICANN community to include other forms of abuse, such as child sexual abuse material, harmful counterfeit and imposter domain names.

Expanding the definition of DNS abuse beyond the accepted five areas of malware, botnets, phishing, pharming, and spam when it serves as a delivery mechanism for the other forms of DNS abuse makes the need for a holistic response from all corners of the community all the more urgent. The commercial stakeholders’ community includes social media platforms that are used to amplify and distribute harmful URLs and domains used for all types of abuse. The responsibility to act within their remit lies with all actors, particularly in the area of illegal content. But the question remains: is ICANN the right place to organise such a response, especially when its policy development processes are translated into mandatory policies for registries and registrars, and not for the commercial stakeholders who also have a role to play in tackling online abuse?

Widening the definition will put more pressure on ICANN’s multistakeholder model and will most likely require a change to the bylaws to allow the community to address questions related to broader illegal content. It will also raise much larger questions about de facto creating a global place for governing the internet beyond its technical infrastructure. The various corners of the community that are calling for this expansion do not seem to be considering the real implications of such a change and what it might mean for the role of governments and the geopolitical tensions at hand. The role of internet infrastructure actors, such as registries, was designed to be neutral. This neutrality, and the need to ensure equal access to the internet's foundational infrastructure despite competing interests, is what has made multistakeholder models of internet governance possible, and what keeps that balance intact. Slowly chipping away at it, either through disproportionate regulation or calls to open up the bylaws, is what will cause this fragile balance to collapse.

Attackers’ perspective

ICANN Org has funded an interesting project on Inferential Analysis of Maliciously Registered Domains (INFERMAL), which was presented at ICANN81. The aim of INFERMAL is to perform in-depth analysis of maliciously registered domain names in order to uncover the preferences of cyber attackers. According to the study report, retail registration discounts, the use of cryptocurrencies and the availability of APIs to register domains are being exploited by attackers. Attackers also prefer free DNS and hosting services. Validation of email addresses or phone numbers proved to be one of the measures that deters attackers, according to INFERMAL’s conclusions.

Most importantly, the authors of INFERMAL stressed the limitations of the study: the results should be interpreted with caution and should not be taken at face value as automatically leading to concrete actions or policy changes for registrars or registries. Before considering policy changes, it is important to weigh the economic implications, the impact on legitimate users and the likely response of attackers to any adjustments. This recognition of the project's limitations, and the call for more careful interpretation of its results, is one of the key differences between INFERMAL and the European Commission’s DNS Abuse study from 2022.

Governments and ccTLDs in the spotlight

The Governmental Advisory Committee (GAC) continues to prioritise the topic of DNS abuse. Previously, the GAC has called for an exchange of information on good practices from other regions (e.g., Africa) and ccTLDs. The GAC is also looking at future discussions on “what can be done with the extended community or the ecosystem” on the topic of abuse, as presented at the ICANN81 meeting.

During the GAC meeting in Istanbul, the .tr ccTLD for Türkiye was in the spotlight, presenting on its prevention, detection and mitigation activities to keep abuse out of the national TLD zone. .tr has developed an in-house tool, the AZAD project, based on machine learning and AI technologies to detect malicious activity. The AZAD project aims to block phishing domains before or as soon as they become active, also in cooperation with ISPs and using national CERT threat intelligence (both the .tr registry and TR-CERT sit under the same organisational structure). .tr also maintains a public list of URLs used for malware as a public service to the community. The response to detected abuse depends on the capabilities of the operator: access to domains can be blocked by ISPs and assessed by .tr experts to determine whether domain-level action is warranted.

Sharing experiences and tools and treating abuse as a collective responsibility of different operators, together with the authoritative voice of CERTs, remains the best way forward for a constructive dialogue on improving security online. All stakeholders have a role to play in enabling the technical community to do more. For example, national governments can consider removing barriers to sharing threat intelligence between different actors by providing a similar service for the benefit of the global internet community, such as a public list of malicious URLs. Not all operators have the financial or technical capacity to develop AI tools in-house, while everyone on the internet has an interest in staying safe. Governments can encourage a culture of sharing tools by opening up software developed under their auspices or with taxpayers' money as free and open source software, so that more operators can reuse existing solutions and contribute to their continuous improvement. These more pragmatic steps can increase online security exponentially.

Domain holders and end-users

Finally, in the true spirit of multistakeholder discussions, a session was held at ICANN81 on the human rights implications of DNS abuse mitigation measures. The impact of DNS abuse actions on a domain name holder or end-user is an area largely absent from discussions on DNS abuse. Domain-level actions, such as suspension or deletion of a domain name, can have a significant impact on domain name holders and end-users (both corporate and individual). The right to privacy, freedom of expression, the right to non-discrimination, the right to freedom of association, and the right to a fair trial can be compromised by disproportionate responses to abusive behaviour. Registries have only one response in their abuse-response arsenal: to take down a domain name, which has an irreversible impact on the accessibility of all other services associated with the domain (e.g. email and websites), and can also disrupt any ongoing law enforcement investigations. The conclusion of the session was that "swift" action by a registry or registrar in response to abusive behaviour is not always the best course of action.

Hopefully the wider impact of domain name level actions on end users and domain name holders will be given greater consideration in discussions on DNS abuse, as it is also part of a wider public interest debate.

To conclude…

ICANN81 was rich in reported data and underrepresented perspectives received more attention. Constructive dialogue, careful handling of data and identification of gaps in analysis made the ICANN81 meeting one to remember.

As the global internet governance community is in the midst of a rocky period of reaffirming the viability of the multistakeholder model for the coming years (WSIS+20), this would be the perfect time for the ICANN community to recommit itself to the core principles of that same model.

Published By Polina Malaja
Polina Malaja is the Policy Director at CENTR, leading its policy work and liaising with governments, institutions and other organisations in the internet ecosystem.