Evidence Equals Better DNS Abuse Mitigation

Better standards = Better results

Consider the many advantages to mitigating Internet abuse: interdicting bad actors, reducing victimization to end-users, meeting regulatory and compliance requirements, limiting liability and growing profit margins.

Why then is DNS abuse so hard to stop? There are many reasons, and just as many potential solutions. One thing is sure, a standardized, evidence-based DNS abuse reporting process could streamline and accelerate the mitigation and takedown process.

By standardization we mean: "Here's the evidence. Does it match? Yes or no?" Under this scenario there are no judgment calls, and fewer grey areas. The bad actors get taken down posthaste, protecting users from cybercriminals and stakeholders from growing exposure to liability claims.

DNS abuse is out of control. Here’s how we tame abuse.

Internet abuse is persistent. Bad actors that maliciously register and compromise domain names are a constant problem for both the consumers on the Internet as well as the companies that run the infrastructure of the Internet. 

Today, virtually every reporter of domain abuse follows a different standard for reporting abuse to registries, registrars, ISPs and hosting companies. Evidentiary thresholds are so diverse that registrars and registries have different standards on the information needed to remediate an abusive domain. Each takes their own approach to the key question: “What evidence is needed  to convince the appropriate infrastructure entity to act upon an instance of Internet abuse?” The lack of standardization for reporting is an ongoing issue for those on the receiving end of the report. That’s why evidencing issues are so important.

The DNS Abuse Framework exhibits the types of abuse that should be acted upon, but does not go as far as to detail how to appropriately evidence and report abuse. There are few resources beyond the Terms of Service of various providers that offer information one should include when reporting an abusive domain.

For example, currently a party reporting abuse might say, “I want you to take this abusive domain down because they’re phishing me.” The party reporting the abuse did not provide any evidence other than the URL, and is unaware that the domain will not be acted upon unless evidence supporting the abuse is presented. The recipient of the abuse report attempts to investigate the report but is unable to validate the initial abuse claim. As there is no standard for evidence, the abuse report submitted will be disregarded due to the report having insufficient evidence. If the reporter knows this they will then attempt to generate or locate the evidence, but not knowing what standards are required by different infrastructure providers causes delays all around. The standardization of evidence in this scenario would be advantageous not only to ensure quick validation of the claims, but to take advantage of this reduced timeframe and shorten the victimization period.

Obviously, there needs to be a better method via standardization. The goal should be that when an instance of abuse is reported, all the evidence will be clearly presented to validate the abuse so that it can be remediated in a timely fashion.

Creating standards to reduce the uptime of abusive domains

What is needed is a robust evidence standard by abuse type, and a majority of the domain name industry are working towards one. Once this standard has been developed and adopted, complaints can be quickly remediated, and victimization will be reduced.

Currently, no governing body has a standard of evidencing for domain abuse that can be deployed within all jurisdictions. Regardless of regional governmental laws, the ability to clearly assign the components of an abuse type so that it can be well-evidenced is clear. Even without a governing body there are industry groups that are pushing forward on evidentiary standards.

To be effective, evidence included in reports must cover the events and substantiate the claims. Reports must be time-stamped appropriately to demonstrate when things happened, include the search bar displaying the domain or URL in question, and, in some cases, include the location and resolution of the screen when the abuse is first observed. There should be visible evidence that can be validated or verified.

When a fully evidenced report is presented, the abuse can be acted upon as soon as possible. By providing a report that checks all the boxes, the window for victimization shrinks dramatically. Which, in the end, is the objective behind standardization. Reduce the window of time abuse is allowed to exist, and you can reduce victimization.

Flexibility and vigilance are key to successful abuse monitoring

Once a standard is created, another key issue is how to adjust it for maximum effect as time marches on. As criminals and fraudsters come up with new types of abuse, an evidencing pattern for that type of abuse needs to be structured and deployed immediately – improving the responsiveness to new types of abuse dramatically.

Ideally, this can facilitate the cleaning up of the Internet for good. This will bring a measure of consistency across the board and an element of clarity for everyone involved. For registries, registrars, ISPs and hosting providers, it’s a win-win.

Gia Isabella is an experienced technical security and intelligence professional. She works with Registrars and Registries to curate abuse programs that fit organizations anti-abuse objectives. Gia earned a Master’s of Professional Studies degree in Cyber Intelligence from Georgetown University, and a Bachelor’s of Science degree in National Security from the University of New Haven.