Unveiling the Blind Spots: Enhancing DNS Abuse and Online Harm Mitigation Through Regionally Specific Data

Regionally-specific data is crucial in the battle against DNS abuse. Understanding each region’s unique characteristics and threats allows for targeted mitigation efforts, timely detection, and compliance with local regulations. Reputation blocklists (RBLs) contain domain names, and/or IP addresses engaging in abusive practices. These lists are great for blocking bad traffic but need more robust data from the Asia Pacific, Middle East, and Africa regions that can be used for mitigation of online harms. 

CleanDNS noticed their data appears centralized in North, Central, South America, and Europe¹. These RBLs have made significant contributions to combatting DNS abuse via blocking. They can further enhance their data sets by gathering and including region-specific information via collaboration with local authorities and organizations.

As the digital landscape continues to evolve, it’s essential we adapt our strategies to stay ahead in the fight against DNS abuse and protect the integrity of the Internet for users worldwide. This is also extremely important for abuse mitigation for the ccTLD community. In speaking with ccTLD Registry operators, it is very clear that much of the abuses occurring in their zones go unnoticed due to lack of detection, which leads to underreporting. If online harms aren’t detected, the abuse is often overlooked. Realizing the coverage gap, CleanDNS reaches out to providers in the underreported regions and receives unique data sets previously in the blind spots for typical blocklists. We were able to unlock new phishing campaigns with the victimized entities never being witnessed in the Western Hemisphere.    

To effectively combat these abuses, it is imperative to recognize the need for country and regional-specific evidence-based data sets and sources. Online abuse is not uniform globally; it varies in intensity and form based on geographic locations. Bad actors often tailor their attacks to exploit regional vulnerabilities, making it essential to consider geographical nuances when devising defense strategies.

Industry-wide projects like DAAR and DNSAI Compass Report incorporate data from blocklists. Both projects do a fantastic job of illustrating the threat environment but are at the mercy of the RBLs. Over-reliance on RBLs risks constraining the effectiveness of online abuse mitigation and research. In this context, it is essential to diversify data sources, recognizing that RBLs, while foundational, are not exhaustive. The Internet’s vastness demands a diverse array of data sources to comprehensively combat abuse; DNS abuse, online harm mitigation, and threat hunting are imperfect processes.

It is crucial to emphasize that this perspective does not diminish the valuable contributions of RBLs; they have been instrumental in mitigating victimization and setting essential precedents in the industry. As vast as the Internet spans, the industry should be innovative to seek novel sources. According to Domain Name Stat, 697 million domain names are currently registered. In the first half of 2023, RBLs reported 3.7 million domain names², which equates to about .53% of domain names engaging in abuse. Optimistic thinking aside, it’s hard to believe that only 0.53% of the Internet engages in abuse. Many cybersecurity firms boast about their ability to threat hunt, but where does that data end up?   

The fight against DNS abuse necessitates a comprehensive, regionally specific, and multifaceted approach that acknowledges the evolving threat landscape. Collaboration, diversification of data sources, and context-aware strategies are vital components of a more effective and adaptable defense against online harms. As the Internet continues to evolve, so must our strategies to protect it. The foundation RBLs provide allows CleanDNS to be proactive in detecting abuse, drastically limiting victimization, and helping eliminate client risk. Cleaning up the Internet for good should be a collaborative effort, not a monopoly.

Gia Isabella is an experienced technical security and intelligence professional. She works with clients to curate abuse programs that fit organizations anti-abuse objectives, data providers to facilitate partnerships, and completes analyses of CleanDNS’s data. Gia earned a Master’s degree in Cyber Intelligence from Georgetown University, and a Bachelor’s degree in National Security from the University of New Haven.