ICANN’s analysis suggests that DNS abuse might not be spiraling out of control after all.
ICANN published a report today summarizing DNS abuse in recent years. Given all of the focus on DNS abuse recently (including multiple new organizations created to tackle it), the report draws a surprising conclusion: DNS abuse appears to be going down.
CEO Göran Marby previewed this data at the recent ICANN meeting when he showed one of the charts, and Internet Commerce Association General Counsel Zak Muscovitch and I discuss it on next week’s podcast.
ICANN’s report points out that many snapshots of DNS abuse are just that: snapshots. When you take a longer-term look at recorded DNS abuse based on blocklists, the numbers are heading down. This includes both the raw number of domains and normalized data based on the number of registered domains.
A significant part of the drop is due to Spamhaus reporting fewer spam domains.
Of course, you can slice and dice the data any way you’d like to show what you want. Restrict the time period or limit your data providers. Or use a different definition of DNS abuse.
At the same time, I wonder if the mantra for tackling DNS abuse should be “It’s bad, but getting better.”
The rift in the divergent narratives comes from how one performs the representation of the actual data. In the context of DNS Abuse, ICANN is presenting the data correctly.
A unique and distinct domain looks like this:
Example.com
A reported distinct URL can look like any of these variations and combinations of subdomains and subpaths, and protocols:
http://example.com/
http://www.example.com/
https://www.example.com/
https://subdomain.example.com/
https://subdomain.subdomain.example.com/
https://othersub.subdomain.example.com/
https://example.com/path/pageorscript?parameters
https://example.com/path/pageorscript?differentparameters
https://example.com/differentpath/pageorscript?parameters
https://subdomain.example.com/differentpath/pageorscript?parameters
Despite all those variations (and I was brief in how many variations actually occur in the wild), the latter appears as 10 entries.
The former, the actual base domain name (which is the only actionable component for a registry or registrar aka “DNS Abuse”) is the single domain name. All ten collapse down into a single domain name. ICANN deals with Domain Names, not URLs. Full stop.
For those who benefit somehow from expanding the alacrity over the matter, presenting the 10 different URLs aids them in getting the alacrity gasps from those unfamiliar with the matter.
So, ICANN is presenting the numbers accurately with respect to the count of domains, and where there are dissenting reports, hopefully my comment helps explain why.
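The collapse described in the comment above, as an added example that is not part of the original post or its comments: it reduces each reported URL to its registrable domain and counts both. The `PUBLIC_SUFFIXES` set is a constructed stand-in for the full Public Suffix List, and the two `example.co.uk` entries are constructed to show a multi-label suffix.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real
# pipeline loads the full list; these few entries are only for illustration).
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}

# The ten URL variations from the comment above, plus two constructed
# entries under a multi-label suffix.
REPORTED_URLS = [
    "http://example.com/",
    "http://www.example.com/",
    "https://www.example.com/",
    "https://subdomain.example.com/",
    "https://subdomain.subdomain.example.com/",
    "https://othersub.subdomain.example.com/",
    "https://example.com/path/pageorscript?parameters",
    "https://example.com/path/pageorscript?differentparameters",
    "https://example.com/differentpath/pageorscript?parameters",
    "https://subdomain.example.com/differentpath/pageorscript?parameters",
    "http://shop.example.co.uk/login",
    "https://example.co.uk/",
]

def registrable_domain(url):
    """Return the registrable (base) domain of a URL, or None if it has none."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    # Scanning from the left finds the longest matching public suffix first;
    # the registrable domain is that suffix plus one more label.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None

def collapse(urls):
    """Group distinct reported URLs under the registrable domain they belong to."""
    grouped = {}
    for url in set(urls):
        domain = registrable_domain(url)
        if domain is not None:
            grouped.setdefault(domain, set()).add(url)
    return grouped

if __name__ == "__main__":
    grouped = collapse(REPORTED_URLS)
    print(f"{len(set(REPORTED_URLS))} URL entries -> {len(grouped)} domains")
    for domain, urls in sorted(grouped.items()):
        print(f"{domain}: {len(urls)} URL entries")
```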
We see the same trend on our DNS Abuse Insight monitoring program. However, we see a sharp increase over the last 18 months when it comes to compromised websites.
Our abuse levels, taking everything into account, are at 0.02%. If we break that number down:
10% malicious registered domain names vs 90% compromised URLs & hostnames.
The issue with the 90% is that it is on a hosting level and not on a registrar level. Regardless, policy makers within ICANN should get a better understanding of what DNS abuse is and where it takes place within the DNS.
Plus a good question would be, why are criminals shifting?