Research into the abuse of domain names in gTLDs
At the end of the summer, a joint project with TU Delft was brought to a close. Commissioned by ICANN, Statistical Analysis of DNS Abuse in gTLDs (SADAG) was the first ever comprehensive investigation of the abuse of domain names (for spam, malware and phishing) in generic top-level domains (gTLDs).
Lead researchers Maarten Wullink of SIDN Labs and Dr Maciej Korczynski of TU Delft (now at Grenoble Alps University) focused on the period from October 2013 (when the first new gTLDs came online) to October 2016. They found that, while spamming had shifted from legacy gTLDs (e.g. .com and .net) to the new gTLDs, the total volume of spam had remained largely unchanged. Abuse was also unevenly distributed across the new gTLDs: a third of the 1,200-plus new gTLDs generated no abuse reports at all, while at least 10 per cent of all abused domain names were concentrated in just fifteen new gTLDs.
Along with the other SADAG team members, Maarten and Maciej analysed large volumes of historical data from the research period (2013 to 2016), including daily zone files, Whois records and eleven blacklists. They also made use of our DNS-EMAP tool (see below), e.g. to check whether domain names were parked.
ICANN's Competition, Consumer Trust and Consumer Choice Review Team is using the SADAG findings to evaluate the New gTLD Program and frame recommendations on tackling domain name-related abuse, e.g. in the context of any future round of new gTLD assignments ('subsequent procedures' in ICANN lingo).
A summarised version of the final SADAG report has been submitted as a paper for presentation at an academic conference and is currently under consideration. If accepted, it will mean that the project has contributed both to the operational security of the DNS and to scientific progress. The SADAG findings have been presented via other channels too, including several webinars for the ICANN community and the M3AAWG conference.
After attracting very positive feedback from ICANN and the ICANN community, the SADAG project has now been successfully concluded.
Protection against insecure IoT devices
At the start of 2017, we began the development of SPIN (Security and Privacy for In-home Networks), a system for protecting the internet and end users against insecure IoT devices in home networks. We see SPIN-like systems as vital for sustainably harnessing the potential of the IoT while retaining trust in the internet as a global communication medium.
SPIN protects the internet by automatically blocking IoT devices in home networks when they send or receive abnormal traffic. That prevents them being used for DDoS attacks on the core of the internet, e.g. attacks on TLD operators such as SIDN. SPIN was conceived in response to the DDoS attack on DNS operator Dyn in October 2016, which involved an estimated 1.2 Tbps of traffic and was the largest attack of its kind observed up to then. The attackers used about 100,000 IoT devices infected with the Mirai botnet malware, and the attack made numerous well-known sites, including GitHub and Spotify, unreachable.
SPIN also protects end users by letting them control what the IoT devices on their home networks can do, e.g. which internet services they can connect to. We think that's important, because insecure IoT devices can have serious repercussions for end users, as when a baby monitor gets hacked. We expect such issues to intensify as the invisible integration of IoT devices into the home gathers pace, creating the potential for security breaches to result in material damage and unsafe home environments.
In March, Jelte Jansen, Lead Engineer on the SPIN project, released the first version of the source code for our SPIN software. SPIN runs on OpenWrt, the operating system widely used on small devices such as mini routers, including the GL.iNet mini router used for our SPIN prototype. It also works on other Linux variants. The SPIN software is available on GitHub, to which updates are now pushed automatically from our development environment.
In the summer, we produced a tech report describing the design aims and the first version of the system architecture. Presentations were also made to various conferences, including the ONE Conference, IETF99, Holland Strikes Back (where we ran a demo session) and the ECP Annual Congress, generating a lot of positive feedback.
In 2018, we plan to modify the SPIN architecture to make it more flexible; a blog on that initiative follows shortly. We'll also be running a course on SPIN-like systems at the University of Twente and working within the IETF to promote the standardisation of new protocols required by SPIN-like systems. Meanwhile, we're on the lookout for partners interested in helping us run a pilot, maybe on a university campus.
New measurement tool on the block
Another project started in the early part of 2017 was development of DNS-EMAP (DNS Ecosystem MAPper), a new tool that automatically looks up and checks all the domain names in a zone, e.g. to establish whether they have TLS certificates, are reachable over IPv6 or use e-mail security measures. DNS-EMAP Lead Maarten Wullink has designed the system to put as little load as possible on the servers behind the domains being checked.
DNS-EMAP is unique in that it lets us explore and map (i.e. record in a searchable form) the DNS ecosystem behind a zone file with a single tool. Large-scale internet measurements become much simpler when you don't have to chain together single-purpose tools such as ZMap and its associated sub-tools. DNS-EMAP supplements the research tools we already use: ENTRADA (for passive DNS measurements), OpenINTEL (for active DNS measurements) and third-party systems such as RIPE ATLAS (for probing from ISP networks).
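To make the idea concrete, here is an added example of the kind of zone-driven mapping described above. It is not DNS-EMAP's own code and does not reproduce its design; the zone snippet, the domain names, the name servers and the resolver answers are all constructed, and the resolver is a fake so that the script runs offline. It parses the NS delegations out of a TLD-style zone file, schedules the look-ups round-robin across name-server operators so that no single authoritative receives a burst of queries, and then classifies each delegated name by IPv6 reachability (AAAA at the apex or on `www`), SPF strictness and DMARC policy:

```python
"""Minimal zone-to-ecosystem mapper in the spirit of DNS-EMAP (added example).

Reads delegations from a TLD zone file, schedules look-ups so consecutive
queries go to different name-server operators, and records for each delegated
name whether it is reachable over IPv6 and what its SPF and DMARC posture is.
The zone snippet and the resolver answers are constructed so it runs offline.
"""
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Constructed slice of a TLD zone in RFC 1035 text form (not a real zone).
ZONE = """\
$ORIGIN example.
example.             3600 IN SOA  ns1.example. hostmaster.example. 1 7200 3600 1209600 3600
alpha.example.       3600 IN NS   ns1.alpha-dns.net.
alpha.example.       3600 IN NS   ns2.alpha-dns.net.
bravo.example.       3600 IN NS   ns1.alpha-dns.net.
charlie.example.     3600 IN NS   dns.charlie.example.
dns.charlie.example. 3600 IN A    192.0.2.53
charlie.example.     3600 IN DS   12345 13 2 0123456789ABCDEF
"""

# Constructed answers standing in for the real DNS; (qname, qtype) -> rdata.
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("alpha.example", "AAAA"): ["2001:db8::1"],
    ("alpha.example", "TXT"): ["v=spf1 mx -all"],
    ("_dmarc.alpha.example", "TXT"): ["v=DMARC1; p=reject; rua=mailto:d@alpha.example"],
    ("bravo.example", "TXT"): ["v=spf1 +all"],          # SPF present but lets anyone send
    ("www.charlie.example", "AAAA"): ["2001:db8::53"],  # IPv6 only on the www label
}

Lookup = Callable[[str, str], List[str]]


def fake_lookup(qname: str, qtype: str) -> List[str]:
    """Stand-in for an active DNS query (assumption: answers come from FAKE_DNS)."""
    return FAKE_DNS.get((qname.lower().rstrip("."), qtype), [])


def parse_delegations(zone_text: str) -> Dict[str, List[str]]:
    """Return {delegated name: [name servers]} from the NS records at each owner."""
    delegations: Dict[str, List[str]] = defaultdict(list)
    for line in zone_text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("$") or "IN" not in tok:
            continue
        rtype = tok[tok.index("IN") + 1]
        if rtype == "NS":
            owner = tok[0].lower().rstrip(".")
            delegations[owner].append(tok[-1].lower().rstrip("."))
    return dict(delegations)


def schedule(delegations: Dict[str, List[str]]) -> List[str]:
    """Round-robin over name servers so one operator is not hit with a burst."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for name in sorted(delegations):
        buckets[sorted(delegations[name])[0]].append(name)
    queues = [buckets[k] for k in sorted(buckets)]
    order: List[str] = []
    while any(queues):
        for q in queues:
            if q:
                order.append(q.pop(0))
    return order


def spf_policy(txt: List[str]) -> str:
    """'none' (no SPF), 'weak' (+all / ?all) or 'strict' (-all / ~all)."""
    for rr in txt:
        if rr.lower().startswith("v=spf1"):
            return "strict" if rr.split()[-1].lower() in ("-all", "~all") else "weak"
    return "none"


def dmarc_policy(txt: List[str]) -> str:
    """The DMARC p= tag, or 'none' when no DMARC record is published."""
    for rr in txt:
        if rr.upper().startswith("V=DMARC1"):
            tags = dict(t.strip().split("=", 1) for t in rr.split(";") if "=" in t)
            return tags.get("p", "none").lower()
    return "none"


def map_zone(zone_text: str, lookup: Lookup = fake_lookup) -> Dict[str, Dict[str, str]]:
    """Walk the zone's delegations and classify each name."""
    report: Dict[str, Dict[str, str]] = {}
    for name in schedule(parse_delegations(zone_text)):
        ipv6 = bool(lookup(name, "AAAA") or lookup("www." + name, "AAAA"))
        report[name] = {
            "ipv6": "yes" if ipv6 else "no",
            "spf": spf_policy(lookup(name, "TXT")),
            "dmarc": dmarc_policy(lookup("_dmarc." + name, "TXT")),
        }
    return report


if __name__ == "__main__":
    for name, row in map_zone(ZONE).items():
        print(f"{name:20} ipv6={row['ipv6']:3} spf={row['spf']:6} dmarc={row['dmarc']}")
```

Two details matter in practice. The scheduler groups domains by their first name server, which is why `charlie.example` is queried before `bravo.example` even though it sorts later: the two alpha-dns.net-hosted names are spread out rather than hit back to back. And "has SPF" is not a useful answer on its own; an `+all` record passes every sender, so the classifier distinguishes it from a `-all` or `~all` record.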
We made good use of DNS-EMAP in 2017. It was instrumental in the SADAG project, for example (see above). It was also used for the Registrar Scorecard (SIDN’s incentive programme) to test all 5.8 million .nl domain names for IPv6 support. And its capabilities helped our Support Department colleagues track down fake webshops.
In 2018, DNS-EMAP will be used in tandem with our other data analysis tools to enhance the detection of abuse in the .nl zone. We also plan to set up a pilot in partnership with another ccTLD registry to explore the scope for and potential of sharing information about domain name abuse (in line with our privacy framework, of course).
With a view to helping other researchers, we're looking to make the DNS-EMAP software available under a university licence. We may even go fully open source.
Resolver research for academic and operational purposes
Another highlight of 2017 was getting a paper accepted for the Internet Measurement Conference in London. The IMC is a prestigious conference for academic and industrial researchers, and this was the second year in a row that we've had a proposal accepted.
In the paper, Moritz Müller and Giovane Moura used data gathered with RIPE ATLAS and other systems to explain how DNS resolvers select authoritative name servers in practice. Their central conclusion was that resolvers end up querying all the name servers of a top-level domain (TLD) such as .nl, not just the nearest one. Consequently, it is ultimately the unicast name servers that determine the maximum round-trip time for clients distant from the authoritatives (e.g. clients doing .nl look-ups from the US), even when those clients are close to the TLD's anycast nodes.
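The following added example illustrates that effect with a simplified model of latency-based server selection; it is not the measurement code from the paper and does not reproduce any particular resolver's algorithm. The model is deliberately minimal: each authoritative carries a smoothed RTT estimate, the resolver sends the next query to the server with the lowest estimate, and the estimates of servers that were not used decay toward zero so that every server is re-probed now and then. The latencies, the server names and the decay and smoothing constants are all constructed assumptions:

```python
"""Simplified model of how a resolver picks among authoritative name servers
(added example; not the IMC paper's measurement code, nor any resolver's
exact algorithm). Latencies and tuning constants are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class NameServer:
    name: str
    true_rtt_ms: float        # constructed "real" latency seen from the client
    srtt_ms: float = 0.0      # resolver's estimate; 0 means "untried, try me"
    queries: int = 0


@dataclass
class Resolver:
    servers: List[NameServer]
    alpha: float = 0.3        # weight of a new measurement in the estimate (assumption)
    decay: float = 0.9        # per-query decay of idle servers' estimates (assumption)
    samples: List[float] = field(default_factory=list)

    def pick(self) -> NameServer:
        """Lowest estimated RTT wins; ties go to the first server in the list."""
        return min(self.servers, key=lambda s: s.srtt_ms)

    def query(self) -> float:
        chosen = self.pick()
        rtt = chosen.true_rtt_ms
        if chosen.queries == 0:
            chosen.srtt_ms = rtt
        else:
            chosen.srtt_ms = (1 - self.alpha) * chosen.srtt_ms + self.alpha * rtt
        chosen.queries += 1
        for s in self.servers:
            if s is not chosen:
                s.srtt_ms *= self.decay   # idle servers look attractive again over time
        self.samples.append(rtt)
        return rtt


def run(n_queries: int, servers: List[NameServer]) -> Dict[str, object]:
    """Issue n_queries and summarise what the client experienced."""
    resolver = Resolver(servers)
    for _ in range(n_queries):
        resolver.query()
    return {
        "max_rtt_ms": max(resolver.samples),
        "mean_rtt_ms": sum(resolver.samples) / len(resolver.samples),
        "visited": {s.name: s.queries for s in servers},
    }


def mixed_setup() -> List[NameServer]:
    """Constructed: a US client sees two nearby anycast nodes and one unicast
    server far away, roughly the situation the paper describes for .nl."""
    return [NameServer("anycast-a", 20.0),
            NameServer("anycast-b", 25.0),
            NameServer("unicast-far", 110.0)]


def anycast_only_setup() -> List[NameServer]:
    """Constructed: the same client after the unicast server is retired."""
    return [NameServer("anycast-a", 20.0),
            NameServer("anycast-b", 25.0)]


if __name__ == "__main__":
    print("with unicast:   ", run(200, mixed_setup()))
    print("anycast only:   ", run(200, anycast_only_setup()))
```

Run stand-alone, the first line shows that the distant unicast server is still queried every few dozen look-ups, so the worst-case RTT the client sees is that server's 110 ms even though the two anycast nodes answer in 20 to 25 ms. Remove the unicast server and the maximum drops to 25 ms, which is the reasoning behind the operational decision described in the next paragraph.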
The study was carried out in conjunction with researchers from the University of Southern California and the University of Twente and supported by our colleagues in SIDN's DNS operations team. That team has already made good use of the findings, deciding to phase out the unicast nodes for .nl and switch entirely to anycast.
We aim to find more sweet spots in 2018, with projects such as the development of a tool that helps DNS engineers decide where to place anycast nodes, and research into the caching behaviour of resolvers in the wild. We're also after a hat-trick of IMC acceptances and more satisfied 'customers' in SIDN's operations teams!
And there is more!
Finally, on behalf of everyone at SIDN Labs, let me wish you a happy end to 2017 and a successful 2018!
The SIDN Labs team,
Maarten, Giovane, Elmer, Moritz, Marco, Jelte and Cristian