Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Domain Abuse Activity Reporting System (DAAR)

Published byEleonora Voss Modified over 5 years ago

Similar presentations

Presentation on theme: "The Domain Abuse Activity Reporting System (DAAR)"— Presentation transcript:

1 The Domain Abuse Activity Reporting System (DAAR)
Fahd Batayneh Stakeholder Engagement Manager, Middle East ICANN Middle East Network Operators Group 2019 (MENOG19) Beirut, Lebanon Wednesday 3 April 2019

2 What is DAAR? A system for reporting on domain name registration and abuse data across Top Level Domain registries and registrars

3 How different is DAAR from other reporting systems?
Studies all gTLD registries and registrars for which we can collect zone and registration data Employs a large set of abuse feeds; i.e. blocklists Accommodates historical studies Studies multiple threats: phishing, botnet, malware, and spam Takes a scientific approach; i.e. transparent and reproducible

4 The purpose of DAAR is to provide data to support
Usage of DAAR Data Report on threat activity at TLD or registrar level Study historical security threats or domain registration activity Help operators understand or consider how to manage their reputations, their anti-abuse programs, or terms of service Study malicious registration behaviors Assist operational security communities The purpose of DAAR is to provide data to support community, academic, or sponsored research and analysis for informed policy consideration

5 >>> Let us look at each in more details <<<
DAAR Data Sources DAAR system uses data from public, open, and commercial sources DNS Zone Data WHOIS Data Open Source or Commercial Abuse Threat (RBL) data >>> Let us look at each in more details <<<

6 i. DNS Zone Data gTLD zones for gTLD domain and registry analytics
Uses publicly available methods to collect zone data such as Centralized Zone Data Service (CZDS) and zone transfer Uses domain names that appear in zone files Collect zone files from Approximately 1220 gTLDs Approximately 192 million domains i. DNS Zone Data

7 ii. WHOIS DAAR uses published registration data (WHOIS)
Uses registrar name and IANA ID Reliable, accurate registrar reporting depends on WHOIS Scaling data collection from WHOIS is a big challenge

8 DAAR uses multiple abuse Reputation Blocklist (RBL) datasets to
Generate daily counts of domains associated with phishing, malware hosting, botnet command and control (C&C), and spam Calculate daily total and cumulative abuse domains Calculate monthly/yearly newly added abuse domains Create visual analytics regarding abuse trends in gTDLs DAAR counts “unique” abuse domains A domain that appears on any abuse datasets reporting to DAAR is included in the counts once DAAR reflects how entities external to ICANN community see the domain ecosystem iii) Abuse Threat Data

9 Reputation Block Lists : Identifying Threats

10 Usages of Reputation Block Lists
Browsers Cloud and Content-Serving Systems Social Media Tools Commercial Firewalls and UTM devices Enterprise mail/messaging Systems Third-Party Service Providers DNS

11 DAAR Criteria for RBL Data
RBLs must provide threat classification that match our set of security threats RBLs have positive reputations in academic literature RBLs have positive reputations in operational and security communities for accuracy and clarity of process RBLs are broadly adopted across operational security community Feeds are incorporated into commercial security systems Used by network operators to protect users and devices Used by and messaging providers to protect users

12 Current Reputation Datasets Used by DAAR
SURBL lists (domains only) Spamhaus Domain Block List Anti-Phishing Working Group (APWG) Malware Patrol (Composite list) Phishtank Ransomware Tracker Feodotracker

13 DAAR Is Not an Abuse List Service
ICANN does not compose its own reputation blocklists DAAR presents a composite of the data that external entities use to block threats DAAR collects the same abuse data that is reported to industry and Internet users and is used by Commercial security systems Academia and industry Academic studies and industry use validate these datasets exhibit accuracy, global coverage, reliability, and low false positive rates

14 Project Status

15 DAAR and the ICANN Open Data Program
Open Data Program aims to facilitate access to data that ICANN organization or community creates or curates In cases where licensing permits, DAAR data or reports will be published and included in the Open Data Program

16 Project Next Steps Investigating publication of data into the Open Data Program Improving the system based on comments and reviews. Write to us anytime at Further developing new metrics and analytics based on current and future research based on DAAR Having discussions with registries who are interested in viewing their own data ICANN does this in the context of sharing and learning from other security professionals in the industry

17 Visualizing DAAR Data

18 Overall Abuse Distribution in DAAR Data (January 2019)

19 Distribution of Abused Domains in gTLDs

20 Distribution of Domains with Different Abuse Types in gTLDs

21 Write to us at daar@icann.org
Questions? Write to us at

Download ppt "The Domain Abuse Activity Reporting System (DAAR)"

Similar presentations

© 2003 Public Interest Registry Whois Workshop Registrant/User Classification & Current Practices Panel Presented by Bruce W. Beckwith VP, Operations October.

© 2003 Public Interest Registry Whois Workshop Registrant/User Classification & Current Practices Panel Presented by Bruce W. Beckwith VP, Operations October.
ICANN Strategic planning process Draft key priorities for the July 2006 – June 2009 Plan for community comment November 2005.

ICANN Strategic planning process Draft key priorities for the July 2006 – June 2009 Plan for community comment November 2005.
Whois Task Force GNSO Public Forum Wellington March 28, 2006.

Whois Task Force GNSO Public Forum Wellington March 28, 2006.
ICANN Plan for Enhancing Internet Security, Stability and Resiliency.

ICANN Plan for Enhancing Internet Security, Stability and Resiliency.
ICANN SSAC, Cairo Nov 2008 Page 1 Summary of Fast Flux Dave Piscitello ICANN SSAC.

ICANN SSAC, Cairo Nov 2008 Page 1 Summary of Fast Flux Dave Piscitello ICANN SSAC.
Governmental Advisory Committee New gTLD Program Briefing 19 June 2010.

Governmental Advisory Committee New gTLD Program Briefing 19 June 2010.
© 2003 Public Interest Registry Whois Workshop Introduction to Registry/Registrar Issues Presented by Bruce W. Beckwith VP, Operations June 23, 2003 Serving.

© 2003 Public Interest Registry Whois Workshop Introduction to Registry/Registrar Issues Presented by Bruce W. Beckwith VP, Operations June 23, 2003 Serving.
Registrar experiences with WHOIS Bruce Tonkin Melbourne IT Ltd.

Registrar experiences with WHOIS Bruce Tonkin Melbourne IT Ltd.
Text Competition, Consumer Choice and Trust Metrics IAG-CCT Call 18 June 2014 I. Update on metric evaluation II. Baselines collected to date III. New metrics.

Text Competition, Consumer Choice and Trust Metrics IAG-CCT Call 18 June 2014 I. Update on metric evaluation II. Baselines collected to date III. New metrics.
Copyright 2011 Trend Micro Inc. Trend Micro Web Security- Overview.

Copyright 2011 Trend Micro Inc. Trend Micro Web Security- Overview.
Registrars and Security Greg Rattray Chief Internet Security Advisor.

Registrars and Security Greg Rattray Chief Internet Security Advisor.
Introduction to ICANN’s new gTLD program. A practical example: the Dot Deloitte case. Jan Corstens, Partner, Deloitte WIPO Moscow, 9 Dec 2011.

Introduction to ICANN’s new gTLD program. A practical example: the Dot Deloitte case. Jan Corstens, Partner, Deloitte WIPO Moscow, 9 Dec 2011.
Implementation Recommendation Team (IRT) Proposal Comments Sue Todd, Director, Product Management Monday 11 May 2009, San Francisco.

Implementation Recommendation Team (IRT) Proposal Comments Sue Todd, Director, Product Management Monday 11 May 2009, San Francisco.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Text #ICANN51. Text #ICANN51 15 October 2014 At-large policy round table Holly Raiche Panel 1: Privacy and Proxy 1000 – 1045 Hrs.

Text #ICANN51. Text #ICANN51 15 October 2014 At-large policy round table Holly Raiche Panel 1: Privacy and Proxy 1000 – 1045 Hrs.
Blacklists aggregator: New service by TCI Dmitry Belyavsky, TCI ENOG 9 Kazan, Russia, 9-10 June 2015.

Blacklists aggregator: New service by TCI Dmitry Belyavsky, TCI ENOG 9 Kazan, Russia, 9-10 June 2015.
Text Competition, Consumer Choice and Trust Metrics IAG-CCT Call 18 April 2014 I. Possible overlapping metrics II. Metrics for discussion.

Text Competition, Consumer Choice and Trust Metrics IAG-CCT Call 18 April 2014 I. Possible overlapping metrics II. Metrics for discussion.
1 Updated as of 1 July 2014 Issues of the day at ICANN WHOIS KISA-ICANN Language Localisation Project Module 2.3.

1 Updated as of 1 July 2014 Issues of the day at ICANN WHOIS KISA-ICANN Language Localisation Project Module 2.3.
Supporting a Healthy, Stable, Resilient Internet.

Supporting a Healthy, Stable, Resilient Internet.
In Dec-2010 ICANN Board requested advice from ALAC, GAC, GNSO and ccNSO on definition, measures, and 3- year targets, for competition, consumer trust,

In Dec-2010 ICANN Board requested advice from ALAC, GAC, GNSO and ccNSO on definition, measures, and 3- year targets, for competition, consumer trust,

Similar presentations

Ads by Google