REMEDI3S-TLD project

We are very happy to announce that the REMEDI3S-TLD project website is now online. It enables registries and other interested DNS service operators to compare the distribution of phishing and malware content per TLD, relative to each TLD's size, and its evolution over time.

REMEDI3S-TLD project

REMEDI3S-TLD stands for REputation MEtrics Design to Improve Intermediary Incentives for Security of Top-Level Domains. The goal of REMEDI3S-TLD is to develop security metrics for TLDs and to measure their operational values using DNS query data and other data sources, such as botnet and phishing feeds. The work is based on a model that distinguishes three types of security metrics, each at a different level of abstraction. The top level involves the security metrics of an entire TLD such as .nl, or .com. The second level of the model is a refinement of the TLD level and consists of security metrics for market players within the TLD. These are Internet infrastructure providers, such as the TLD's hosting providers, registrars, and the DNS services of ISPs. Finally, the third level is a breakdown of the second level and involves security metrics for the network resources managed by each of the players, such as autonomous systems, resolvers, and name servers.

Project partners

The REMEDI3S-TLD project is a collaboration between SIDN Labs and the TU Delft Economics of Cybersecurity research group, and a subproject of the broader REMEDI3S project, which is a collaboration between SIDN, the National Cyber Security Centre and TU Delft.

Security metrics

In our metrics, we use heterogeneous blacklists provided by StopBadware and the Anti-Phishing Working Group (APWG). Here we present the three types of security metrics that provide insight into the distribution of badness across TLDs:

  1. Unique blacklisted domains aggregated by ccTLD/gTLD,

  2. Unique blacklisted fully qualified domain names (FQDNs) aggregated by ccTLD/gTLD, and

  3. Unique blacklisted URLs (distinct paths) aggregated by ccTLD/gTLD.

Each of these counts is normalized by the size of the corresponding TLD and aggregated monthly, expressed as a count per 100,000 registered domains. Please visit our website to learn more about the methodology and the intuition behind the selection of the proposed metrics.

Brief discussion

Our analysis reveals that the reputation scores can be driven by a single phishing campaign. For example, in 2014 we found 17 second-level domains under one ccTLD, presumably maliciously registered, and 32,596 corresponding FQDNs (third-level domains) involved in the same phishing campaign. Such a campaign inflates the FQDN and URL metrics of that TLD for the month while barely moving its domain metric.
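The following Python script is an added illustration of how the three metrics above can be computed from a blacklist feed and why a single campaign skews them; it is not the project's own code and the feed, TLD names (ccx, gtld) and TLD sizes in it are constructed for the example. It assumes that the registered domain is the last two labels of a hostname, which is a simplification: a real implementation would use the Public Suffix List to handle multi-label suffixes such as co.uk.

```python
from collections import defaultdict
from datetime import date
from urllib.parse import urlsplit

# Constructed TLD sizes (number of registered domains). Not real registry figures.
TLD_SIZES = {"ccx": 5_000_000, "gtld": 100_000_000}

PER = 100_000  # metrics are expressed per 100,000 registered domains


def split_url(url):
    """Return (tld, registered_domain, fqdn, path) for a blacklisted URL, or None.

    Assumption: registered domain = last two labels. This is wrong for multi-label
    public suffixes (co.uk, com.br, ...); use the Public Suffix List in practice.
    Entries whose host is an IP address carry no TLD and are skipped.
    """
    if "://" not in url:
        url = "http://" + url  # feeds often omit the scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return None
    labels = host.split(".")
    if labels[-1].isdigit():
        return None  # IPv4 literal, no TLD to attribute it to
    tld = labels[-1]
    domain = ".".join(labels[-2:])
    path = parts.path or "/"
    return tld, domain, host, path


def monthly_metrics(feed, tld_sizes=TLD_SIZES):
    """Compute the three TLD metrics per (year, month, tld).

    feed: iterable of (first_seen: date, url: str).
    Returns {(year, month, tld): {"domains": d, "fqdns": f, "urls": u}} where each
    value is the number of unique blacklisted items per 100,000 domains in the TLD.
    """
    seen = defaultdict(lambda: {"domains": set(), "fqdns": set(), "urls": set()})
    for first_seen, url in feed:
        parsed = split_url(url)
        if parsed is None:
            continue
        tld, domain, fqdn, path = parsed
        if tld not in tld_sizes:
            continue  # unknown TLD size: the count cannot be normalized
        key = (first_seen.year, first_seen.month, tld)
        seen[key]["domains"].add(domain)
        seen[key]["fqdns"].add(fqdn)
        seen[key]["urls"].add(fqdn + path)  # distinct paths, query string ignored
    return {
        key: {name: len(s) * PER / tld_sizes[key[2]] for name, s in sets.items()}
        for key, sets in seen.items()
    }


def fqdn_per_domain(metrics, key):
    """Ratio of blacklisted FQDNs to blacklisted domains: a high value is the
    signature of one campaign spawning many hostnames under few domains."""
    m = metrics[key]
    return m["fqdns"] / m["domains"] if m["domains"] else 0.0


def build_constructed_feed():
    """Constructed sample feed: one campaign under ccx plus background noise under gtld."""
    month = date(2014, 6, 1)
    feed = []
    # Campaign: 3 maliciously registered domains, 40 hostnames each, one page per host.
    for d in range(3):
        for h in range(40):
            feed.append((month, f"http://h{h}.camp{d}.ccx/login.php"))
    # Noise: 5 compromised sites under gtld, one URL each ...
    for i in range(5):
        feed.append((month, f"http://site{i}.gtld/wp-content/bad.html"))
    # ... and a second path on one of them (1 domain, 1 FQDN, 2 URLs).
    feed.append((month, "http://site0.gtld/other/page.html"))
    feed.append((month, "http://192.0.2.7/malware.exe"))  # IP literal, skipped
    return feed


if __name__ == "__main__":
    metrics = monthly_metrics(build_constructed_feed())
    for key in sorted(metrics):
        print(key, metrics[key], "fqdn/domain =", fqdn_per_domain(metrics, key))
```

With the constructed feed, ccx scores 0.06 domains but 2.4 FQDNs per 100,000 (a ratio of 40), whereas gtld's three metrics stay within a factor of about one of each other. Comparing the domain and FQDN metrics side by side is therefore a quick check for whether a TLD's monthly score reflects many independent incidents or one campaign.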

In addition to maliciously registered and compromised domains used in malware or phishing attacks, miscreants increasingly abuse legitimate services:

  1. Free hosting and dynamic DNS (DDNS) services offering shared higher-level domains,

  2. Cloud-based file sharing services, and

  3. Other legitimate applications, such as URL shortener services.

In general, our analysis and our experience in designing security reputation metrics for TLDs and hosting providers lead us to conclude that measuring the TLD security metrics proposed here should be explicitly distinguished from measuring the security performance of registries or other groups of market players: the TLD-level metrics are driven by multiple factors rather than by the security practices of a single type of intermediary.

Data sharing

Although we do not publish any details about the blacklisted domains (please contact StopBadware and APWG for those), we do provide the aggregated data, containing the scores of all TLDs considered in our analysis, in JSON format on our website. Please also let us know if you are missing any information about the described methodology.

Maciej Korczynski, Ph.D.

Post-Doctoral Researcher

Delft University of Technology

Economics of Cybersecurity

maciej.korczynski@tudelft.nl

+31 (0)15 2784451

https://mkorczynski.com