Latest news of the domain name industry

Recent Posts

Registrars to get more domain takedown powers

Kevin Murphy, August 4, 2021, Domain Registrars

ICANN will soon grant its accredited registrars the ability to unilaterally take down domains involved in ongoing security incidents, according to chair Maarten Botterman.

Responding to the news that registries have come up with a voluntary framework for tackling botnets that auto-generate domain registrations for use in command and control activities, Botterman said ICANN will extend a process currently restricted to registries into the registrar community.

That policy is the Expedited Registry Security Request Process, which allows registries to quickly obtain a retroactive waiver of its contractual obligations — such as the obligation to pay ICANN fees — if it has to urgently respond to a major incident.

The process was invoked four times last year, covering six gTLDs and roughly 1,600 domains. ICANN granted all four requests, though it seems to have on average missed its target of responding within three business days.

“As part of ICANN’s efforts to support the mitigation of DNS security threats, ICANN org will soon enable registrars to also request such waivers,” Botterman recently told the Registries Stakeholder Group.

He was responding to the news that several registries have signed up to a voluntary “Framework on Domain Generating Algorithms (DGAs) Associated with Malware and Botnets”.

That framework would allow registries to preemptively register or block domains likely to be auto-generated by botnet code, thereby cutting the head off the snake before it can wreak more havoc.

.com and NameSilo fingered as “most-abused” after numbers rocket

SpamHaus has revealed the most-abused TLDs and registrars in its second-quarter report on botnets.

The data shows huge growth in abuse at Verisign’s .com and the fast-growing NameSilo, which overtook Namecheap to top the registrar list for the first time.

Botnet command-and-control domains using .com grew by 166%, from 1,549 to 4,113, during the quarter, SpamHaus said.

At number two, .xyz saw 739 C&C domains, up 114%.

In the registrar league table, NameSilo topped the list for the first time, unseating Namecheap for the first time in years.

NameSilo had 1,797 C&C domains on its books, an “enormous” 594% increase. Namecheap’s number was 955 domains, up 52%.

Botnets are one type of “DNS abuse” that even registrars agree should be acted on at the registrar level.

The most-abused lists and lots of other botnet-related data can be found here.

SpamHaus ranks most-botted TLDs and registrars

Kevin Murphy, January 9, 2018, Domain Registrars

Namecheap and Uniregistry have emerged as two of the most-abused domain name companies, using statistics on botnet command and control centers released by SpamHaus this week.

SpamHaus data shows that over a quarter of all botnet C&Cs found during the year were using NameCheap as their registrar.

It also shows that almost 1% of domains registered in Uniregistry’s .click are used as C&Cs.

The spam-fighting outfit said it discovered “almost 50,000” domains in 2017 that were registered for the purpose of controlling botnets.

Comparable data for 2016 was not published a year ago, but if you go back a few years, SpamHaus reported that there were just 3,793 such domains in 2014.

Neither number includes compromised domains or free subdomains.

The TLD with the most botnet abuse was of course .com, with 14,218 domains used as C&C servers. It was followed by Directi’s .pw (8,587) and Afilias’ .info (3,707).

When taking into account the relative size of the TLDs, SpamHaus fingered Russian ccTLD .ru as the “most heavily abused” TLD, but its numbers don’t ring true to me.

With 1,370 botnet controllers and about five and a half million domains, .ru’s abused domains would be around 0.03%.

But if you look at .click, with 1,256 botnet C&Cs and 131,000 domains (as of September), that number is very close to 1%. When it comes to botnets, that’s a high number.

In fact, using SpamHaus numbers and September registry reports of total domains under management, it seems that .work, .space, .website, .top, .pro, .biz, .info, .xyz, .bid and .online all have higher levels of botnet abuse than .ru, though in absolute numbers some have fewer abused domains.

In terms of registrars, Namecheap was the runaway loser, with a whopping 11,878 domains used to control botnets.

While SpamHaus acknowledges that the size of the registrar has a bearing on abuse levels, it’s worth noting that GoDaddy — by far the biggest registrar, but well-staffed with over-zealous abuse guys — does not even feature on the top 20 list here.

SpamHaus wrote:

While the total numbers of botnet domains at the registrar might appear large, the registrar does not necessarily support cybercriminals. Registrars simply can’t detect all fraudulent registrations or registrations of domains for criminal use before those domains go live. The “life span” of criminal domains on legitimate, well-run, registrars tends to be quite short.

However, other much smaller registrars that you might never have heard of (like Shinjiru or WebNic) appear on this same list. Several of these registrars have an extremely high proportion of cybercrime domains registered through them. Like ISPs with high numbers of botnet controllers, these registrars usually have no or limited abuse staff, poor abuse detection processes, and some either do not or cannot accept takedown requests except by a legal order from the local government or a local court.

The SpamHaus report, which you can read here, concludes with a call for registries and registrars to take more action to shut down repeat offenders, saying it is “embarrassing” that some registrars allow perpetrators to register domains for abuse over and over and over again.