New ICANN Project Explores the Drivers of Malicious Domain Name Registrations

Apr 25, 2023 · Maciej Korczyński and Samaneh Tajalizadehkhoob

The Internet Corporation for Assigned Names and Numbers (ICANN) is funding a new project that aims to systematically analyze the preferences of cyberattackers and possible measures to mitigate malicious activities across top-level domains (TLDs). This new project is called Inferential Analysis of Maliciously Registered Domains (INFERMAL), and will be supervised by ICANN's Office of the Chief Technology Officer Security, Stability, and Resiliency team.

This project is funded as a part of ICANN's Domain Name System (DNS) Security Threat Mitigation Program, which strives to make the Internet a safer place for end users by reducing the prevalence of DNS security threats across the Internet. When it comes to DNS security threats, one method cybercriminals use is to actively register domains to launch Internet-scale attacks, such as phishing, malware, and spam campaigns.

There are many theoretical reasons why malicious actors may prefer to use the domain names of certain registrars over others. Some evidence suggests, for example, that malicious actors may prefer registrars that provide low registration prices or that accept specific payment methods. They also may look for registrars that offer free application programming interfaces (APIs) for bulk registrations or avoid registrars that require certain information in the purchasing process. Nonetheless, no study has systematically examined the preferences of attackers. This new project, INFERMAL, aims to expand the knowledge in this area.

ICANN is uniquely positioned to investigate this topic and has looked at the problem before. This investigation may also yield policy implications for ICANN.

The findings could help registrars and registries identify relevant DNS anti-abuse practices. Reducing DNS abuse via domain names is good for the DNS industry and all Internet users. Such findings could strengthen the self-regulation of the overall domain name industry and could reduce the costs associated with domain regulations. The project would also help increase the security levels of domain names and, thus, the trust of end-users.

The timing of the study should not be underappreciated. ICANN is launching this project as it is preparing for the next round of new generic TLDs and increasing efforts to promote Universal Acceptance (UA), having just celebrated the first-ever UA Day. ICANN's mission is to coordinate the global Internet's systems of unique identifiers, including the DNS. Our aim is to ensure a stable, secure, and unified global Internet.

Dr. Maciej Korczyński will serve as the scientific consultant of the INFERMAL project. He is an Associate Professor of computer networks and cybersecurity at the Grenoble Institute of Technology in France. His main interests revolve around large-scale passive and active measurements and analysis of cybersecurity, with a focus on the DNS. Since 2015, he has co-authored over 30 scientific articles about domain name and DNS infrastructure abuse, DNS vulnerabilities, security metrics, Internet Protocol address spoofing, distributed denial-of-service attacks, botnets, and vulnerability notifications.

So how will the project work? The project team plans to collect and analyze a comprehensive list of domain name registration policies pertinent to would-be attackers. This includes registration features such as an API registration panel, an ability to register in bulk, accepted payment methods (credit card, Bitcoin, or WebMoney), and retail pricing, among many other potential registry features. Using statistical modeling, the team plans to identify the registration factors preferred by attackers.

We expect that the project will result in highly impactful scientific publications and industry presentations at the most relevant security, Internet stability, and policy conferences hosted by ICANN; the Messaging, Malware and Mobile Anti-Abuse Working Group; the DNS Operations, Analysis, and Research Center; and the Council of European National Country Code Top-Level Domain Registries.

Another blog post will follow with a detailed timeline, information on the project website, and project deliverables. Stay tuned for our updates, and do not hesitate to contact us at octo@icann.org.