4 of 29

Are We Losing the Domain Wars?

“Broadening the scope of our investigation, we found that there were 444,898 NRDs belonging to the same actor.”

“Since 2022, the actor has registered over 500,000 domains on the .bond Top-Level-Domain (TLD), spending more than $1 million in domain registration fee,”

https://unit42.paloaltonetworks.com/typo-domain-generation-algorithms/

https://www.centripetal.ai/threat-research/revolver-rabbit-and-the-rise-of-rdgas�https://www.icann.org/en/system/files/files/daar-monthly-report-30sep24-en.pdf

The rise of RDGAs:

5 of 29

Outline

Motivation
Background
Prior Work
Discussion

6 of 29

Structure of a Domain Name

Generic TLD (gTLD): com, biz, xyz, zip, …
Country Code TLD (ccTLD): us, hu, uk, fr, …

www.example.com

TLD: Top-Level Domain

Registered/Root Domain

FQDN: Fully Qualified Domain Name

7 of 29

Domain Registration Ecosystem

ICANN

Verisign

.com

.edu

CNNIC

.cn

Registries

TLDs

Registrars

Registrants

.cc

ISZT

.hu

Radix

.web

.space

Hungary

China

GoDaddy

1 & 1

NameCheap

Countries

And ICANN

Resellers

Reseller A

Reseller Z

Cocos

Registrars are usually connected to many Registries

https://janos.szurdi.com/content/academicpapers/weis2018domainPolicy.pdf

8 of 29

ICANN Multistakeholder Model

https://www.icann.org/resources/pages/nomcom2018-guidelines-2017-12-15-en

9 of 29

SSAC: Security and Stability Advisory Committee

“The SSAC advises the ICANN community and the ICANN Board on matters relating to the security and integrity of the naming and address allocation systems of the Internet”

https://www.icann.org/en/ssac

10 of 29

Tokelau, Palau, Samoa, and Others

Highest Malicious Rate TLDs:

.zw, .bd, .ke, .am
Zimbabwe, Bangladesh, Kenya, Armenia

https://unit42.paloaltonetworks.com/top-level-domains-cybercrime/�https://edition.cnn.com/2012/06/13/tech/web/tokelau-domain-name-holder/index.html

“Domain registrations contributed at one point one-sixth of Tokelau’s income.”

11 of 29

Outline

Motivation
Background
Prior Work
Discussion

12 of 29

Intervention by CNNIC in China 2009

Originally

Cost of a domain: ~0.15 USD
Identity verification: ~none
Became popular among spammers to register throw away domains

After domain registration policy change

Cost of a domain: ~10 USD
Identity verification: formal paper documentation and validation
Limitations on customers of non-Chinese registrars
Limitations on individual registration

Result of policy change

Spammers stopped using .cn
Immediately switched over to use .ru

https://www.usenix.org/legacy/event/leet11/tech/full_papers/Liu.pdf

13 of 29

Prepaid SIM Cards in Hungary

Someone bought 200k SIM card using a fake identity.
Some of the prepaid SIM cards were used by ISIS related terrorists
New Legislation to counter abuse of prepaid SIM cards
Limited number of prepaid SIM cards per identity

Max 10 per individual
Max 50 per business

Strict identity verification

Foreign nationals are required in-person
Hungarian nationals can do it electronically

Retroactive identity verification is required

https://444.hu/2016/11/22/modositotta-a-parlament-a-sim-kartyakra-vonatkozo-torvenyeket�https://english.nmhh.hu/article/187728/Data_reconciliation_for_prepaid_SIMcard_based_subscription_contracts

14 of 29

Takedown vs Blacklisting

“Ground truth sales data for over 40K unlicensed prescription pharmaceuticals site”
Domains abused by affiliate spammers
87% of their revenue after being blacklisted

Blacklisting speed was not the most important

Blacklisting: Registration Price > $100
Takedown: Registration Price > $2.28
Stop Online Piracy Act (SOPA) and Personal Information Protection Act (PIPA) would have required all ISPs to filter DNS requests to domains identified by brand holders as infringing on their copyright or trademark

Pushback on Foreign Anti-Digital Piracy Act (FADPA) from EFF
Not effective
“These bills are an unequivocal and serious threat to a free and open internet”

https://cseweb.ucsd.edu/~voelker/pubs/namevalue-weis14.pdf

15 of 29

New TLD Reputation

“The results indicate that there is an inverse correlation between abuse and stricter registration policies. Our findings suggest that cybercriminals increasingly prefer to register, rather than hack, domain names and some new gTLDs have become a magnet for malicious actor”

https://mkorczynski.com/asiaccs2018Korczynski.pdf

“Our regression and descriptive analysis suggest that unrestrictive registration practices, low registration pricing, and the possibility of bulk domain name registration lower barriers to abuse.”

16 of 29

Outline

Motivation
Background
Prior Work
Discussion

17 of 29

Policy Framework

Effect on the number of malicious registrations

Effect on the profitability of the illegal activity itself

Cost to benign registrants

Sensitive Registrants!

Effect on the income of ICANN, registries, and registrars

And how they are motivated to adopt

Effectiveness of policy depending on the rate of adoption

https://janos.szurdi.com/content/academicpapers/weis2018domainPolicy.pdf

18 of 29

Policy 1: Increase Domain Registration Price

Policy: Increase the cost of domain names

Set a minimum mandatory price

Pros: It will be more expensive to abuse domains in malicious campaigns

Cons: It significantly effects low-income registrants and potentially registries/registrars

Some criminals are more successful than others!

19 of 29

Policy 2: Require Strict Identity Verification

Policy: Require in-person or electronic identity verification

Pros: Increases operational risk and cost of domain abuse

Cons:

Global Adoption
Freedom of speech
Easy to game by itself?

20 of 29

Policy 3: Registrant Restrictions

Policy: Limit the number of domains a registrant can buy

Complementary to strict verification

Pros: Further increases cost and risk

Cons:

Negative effect on some benign users
Defensive registrations?

21 of 29

Policy 4: WHOIS / RDAP Availability

Policy:

Make registration data accessible to verified security researchers and companies
Make anonymous ID of registrants available

Pros: Improve detection capabilities

Cons:

Potential privacy issues
Misuse of registration data for cyberattacks: spam, phishing, scam or account takeover

https://www.andrew.cmu.edu/user/nicolasc/publications/LC-ESORICS14.pdf

22 of 29

Policy 5.a: Fining Registries and Registrars

Policy: Fine registries/registrars

Pros: Incentivizes registries/registrars to stop malicious registrations

Challenges:

What is malicious?
Not all malicious domains are equally harmful
What should be the amount of fine?
Can be gamed to bankrupt Registrars/Registries

23 of 29

Policy 5.b: Incentivizing Registries and Registrars

Policy:

Increase fee for registries and registrars with high abuse ratio
Decrease fee for low abuse ratio

Pros:

Only affects bad registrars and malicious registrants
DNSSEC example: registrars get discount if domains are signed

Challenges:

Same as 4.a, except it might be harder to game

https://mkorczynski.com/asiaccs2018Korczynski.pdf�https://janos.szurdi.com/content/academicpapers/weis2018domainPolicy.pdf

24 of 29

Policy 6: Progressive Pricing (like tax)

Policy: Progressive exponential pricing + strict identity verification

Pros:

Bulk malicious registration is more expensive
Operational cost for criminals increased
Effect on benign registrants minimized

Cons:

Still limits some benign registrants
Hard to achieve

https://janos.szurdi.com/content/academicpapers/weis2018domainPolicy.pdf

25 of 29

Policy 6: Effects on Typosquatting

Typosquatting

Domain Count

26 of 29

Policy 6: Effects of Fraudulent Identity Costs

27 of 29

Conclusion

Both policies and detection capabilities are vital in the domain wars

Public policy could help decrease the number of malicious registrations and
Aid law enforcement agencies and security researchers

All policies to combat malicious registrations will have negative side effects

It is important to take into consideration and minimize these side effects

28 of 29

Contact

Janos Szurdi

https://www.linkedin.com/in/szurdi/
szurdi.janos@gmail.com

Nicolas Christin

nicolasc@cmu.edu

29 of 29

References

[1] Tristan Halvorson, Janos Szurdi, Gregor Maier, Mark Felegyhazi, Christian Kreibich, Nicholas Weaver, Kirill Levchenko, and Vern Paxson. The biz top-level domain: ten years later. In International Conference on Passive and Active Network Measurement, pages 221–230. Springer, 2012.

[2] Tristan Halvorson, Matthew F Der, Ian Foster, Stefan Savage, Lawrence K Saul, and Geoffrey M Voelker. From. academy to. zone: An analysis of the new tld land rush. In Proceedings of the 2015 Internet Measurement Conference, pages 381–394.ACM, 2015.

[3] He Liu, Kirill Levchenko, Márk Félegyházi, Christian Kreibich, Gregor Maier, Geoffrey M Voelker, and Stefan Savage. On the effects of registrar-level intervention. In LEET, 2011.

[4] Neha Chachra, Damon McCoy, Stefan Savage, and Geoffrey M Voelker. Empirically characterizing domain abuse and the revenue impact of blacklisting. In Proceedings of the Workshop on the Economics of Information Security (WEIS), page 4, 2014.

[5] Maciej Korczynski, Samaneh Tajalizadehkhoob, Arman Noroozian, Maarten Wullink, Cristian Hesselman, and Michel van Eeten. Reputation metrics design to improve intermediary incentives for security of tlds. In Security and Privacy (EuroS&P), 2017 IEEE European Symposium on, pages 579–594. IEEE, 2017.

[6] Korczynski, Maciej, Maarten Wullink, Samaneh Tajalizadehkhoob, Giovane CM Moura, Arman Noroozian, Drew Bagley, and Cristian Hesselman. "Cybercrime after the sunrise: A statistical analysis of dns abuse in new gtlds." In Proceedings of the 2018 on Asia Conference on Computer and Communications Security, pp. 609-623. 2018.

[7] Szurdi, Janos, and Nicolas Christin. "Domain registration policy strategies and the fight against online crime." WEIS, June (2018).

[8] Nektarios Leontiadis and Nicolas Christin. Empirically measuring whois misuse. In European Symposium on Research in Computer Security, pages 19–36. Springer, 2014.