The Evolution of DNS Abuse and Online Harm Mitigation: Emphasizing Evidence Over Inference

Article publication date: 7 November 2024.

Since its inception, CleanDNS has been centered on the critical point of evidence-based escalation in DNS abuse management and online harm mitigation. In addition to this and our familiar motto of “Cleaning Up the Internet for Good”, CleanDNS also emphasizes the pillar of the appropriate action taken, by the appropriate party, at the appropriate time. As online harms and abuse schemes continue to evolve, so too must our abuse management and mitigation tactics for detecting and evidencing those harms.

The domain name industry has fought for many years to ensure that when considering the scope of DNS abuse management, the right action is taken by the appropriate party. For example, in many cases just because a registry or registrar can intervene and take action does not mean that they should, or even that they are the right party to do so at that time. Central to this is the idea that no action taken can be deemed arbitrary; all actions taken must be explainable and reasonable within that circumstance. For the most part, the suspension of a domain (serverhold, clienthold, deletion, or CleanDNS sinkhole) must be the proportional action and have the appropriate effect, with the least unintended impact. In fact, this idea was the very reasoning that drove the new gTLD amendments on DNS abuse as part of the ICANN contracts earlier this year.

Evidence is and remains key. More specifically, the necessary evidence must show that the domain in question is registered for an apparent abusive purpose. The party who takes action is not assessing whether a crime is being committed beyond a reasonable doubt, but whether, judging from the evidence available, a breach of their terms of service is likely to be occurring. A domain is not considered “bad”, or at least “bad enough” to take action on, unless the evidence supports that action. Sources (such as reputation listings) often rely purely on inference over available evidence and tend not to explain why any domain they list is considered to be “bad” at all.

CleanDNS escalations are backed by evidence, meaning that if and when an action is taken it is fully supported by that evidence. Through the work of our cutting-edge technology, the CleanDNS platform automatically seeks and validates clear-cut evidence upon receiving an abuse report. With the use of this technology, the majority of abuse reports can result in evidence-based actions within 90 minutes of initial registration.

Throughout the years of our work in abuse management and online harm mitigation, CleanDNS has gathered data for every action we have taken, on every domain we have escalated, while observing and recording those statistically significant elements that tie these actions and escalations together. Take, for example, a nonsense domain such as [random001.TLD]. Post registration, we receive reports and screenshots to verify the domain is associated with a phish. This domain is actioned. Now consider we receive a report for another domain [random002.TLD]. This domain does not resolve, and we have no other evidence from the report aside from the similarity of the URL to a previously actioned domain. In the second case, taking an action on the domain solely due to its similarity to a previously actioned domain would be arbitrary, and based on inference alone. Furthermore, the escalation of that domain, for example to a registrar, without evidence, simply clogs the system and creates frustration.

Example 1

Taking the scenario a step further, let’s add another layer. Assume a series of such domains are registered in close proximity: [random003.TLD, random004.TLD, random005.TLD], and again each one of these has been reported to CleanDNS, evidenced as being associated with a phish, escalated, and actioned by the appropriate party. Now, if [random006.TLD] is registered in the same URL pattern and manner but does not resolve to a phish, has enough evidence been observed to conclude that domain is now a candidate for escalation and action? We don’t have screenshot evidence of what [random006.TLD] resolves to, but we do have evidence as to why we believe it to be connected to other domains verified as resolving to a phish. The question we now need to ponder is whether that evidence is enough to confirm, by the preponderance of evidence[1], that the domain can be actioned.

Example 2

A screenshot of the reported domain is the most expected piece of evidence and is widely considered the most acceptable across the industry, although it is not always the only piece of evidence available. While CleanDNS will always provide screenshot evidence where it is available and applicable, other factors as pieces of the puzzle must also be considered. When CleanDNS observes repeated individual data elements in patterns (creating a “fingerprint” of the attack), there comes a point where we believe this to be indicative of an abusive campaign. Now, let’s consider our scenario one more time and ask ourselves the following questions:

  • What if the domains in question all had the same A record?
  • What if the domains in question all used the same hosting provider?
  • What if said hosting provider is, with evidence, considered a “bulletproof host”[2]?
  • What if the subdomain uses terms such as “[company]-login” or “secure-payment-[company]”?
  • What if the registration and delegation of these domains occurred within a recent sub-15-day period?

Considered on their own, none of these elements are enough to tip the scales of the preponderance of evidence. However, when considered as independent pieces of the larger puzzle, the picture becomes clear.
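The following is an added illustration, not CleanDNS code: it weighs the indicators listed above for a candidate domain against a cluster of screenshot-verified phish domains and records an audit trail for each indicator that fires. The weights, threshold, and all domain, IP and hosting-provider names are constructed assumptions; a lone indicator never reaches the threshold, while the combined fingerprint does.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Weights and threshold are assumptions for this illustration, chosen so that no
# single indicator reaches the threshold; they are not CleanDNS's scoring.
THRESHOLD = 3.0
LURE_TERMS = ("-login", "secure-payment-")

@dataclass
class Domain:
    name: str                       # hostname as reported
    a_record: Optional[str]         # None when the name does not resolve
    host: Optional[str]             # hosting provider behind the A record
    registered: date
    phish_screenshot: bool = False  # direct evidence supplied with the report

def weigh_evidence(cand: Domain, confirmed: List[Domain],
                   bulletproof: Set[str]) -> Tuple[bool, List[str]]:
    """Return (actionable, audit trail) weighing a candidate against confirmed phish domains."""
    if cand.phish_screenshot:
        return True, ["screenshot verifies the phish (direct evidence)"]
    gap = min((abs((cand.registered - c.registered).days) for c in confirmed), default=None)
    checks = [  # (indicator observed?, weight, reason recorded for the audit trail)
        (cand.a_record is not None and any(c.a_record == cand.a_record for c in confirmed),
         1.5, f"shares A record {cand.a_record} with a confirmed phish"),
        (cand.host is not None and any(c.host == cand.host for c in confirmed),
         1.0, f"same hosting provider ({cand.host}) as a confirmed phish"),
        (cand.host in bulletproof, 1.0, f"{cand.host} is an evidenced bulletproof host"),
        (any(t in cand.name for t in LURE_TERMS), 0.5, "hostname uses a login/payment lure term"),
        (gap is not None and gap <= 15, 0.5, f"registered within {gap} days of the confirmed cluster"),
    ]
    score, trail = 0.0, []
    for hit, weight, reason in checks:
        if hit:
            score += weight
            trail.append(reason)
    return score >= THRESHOLD, trail

# Constructed sample data: random003/004 were screenshot-verified; random006 shares their
# infrastructure but has no screenshot; random002 shares only the naming pattern and does not resolve.
CONFIRMED = [
    Domain("secure-payment-brand.random003.tld", "203.0.113.10", "ExampleHost", date(2024, 10, 20), True),
    Domain("brand-login.random004.tld", "203.0.113.10", "ExampleHost", date(2024, 10, 22), True),
]
BULLETPROOF = {"ExampleHost"}  # assumed to be evidenced as bulletproof elsewhere
CLUSTER_CANDIDATE = Domain("secure-payment-brand.random006.tld", "203.0.113.10", "ExampleHost", date(2024, 10, 23))
NAME_ONLY_CANDIDATE = Domain("random002.tld", None, None, date(2024, 10, 23))
```

Calling `weigh_evidence(CLUSTER_CANDIDATE, CONFIRMED, BULLETPROOF)` returns actionable with five recorded reasons, while the name-only candidate returns not actionable with a single reason (recent registration), so the escalation sent onward carries the reasoning, not just a verdict.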

Example 3

This view is distinctly different from the “reputation based” listing because as we know and as is shown in Example 1, we can verify and trace why such data elements are individually considered a flag, and together point to a large abusive campaign. Additionally, we can provide the data, audit trail, and the underlying reasoning to our clients to support their escalation.

All of this emphasizes that CleanDNS does not look for a single indicator of abuse, but multiple points of evidence to compile a clear picture. Taken on their own as individual pieces of the puzzle, these pieces of evidence cannot tip the balance of verifying a domain as abuse. However, when placed together, the pieces can complete the picture to confirm abuse. Considering where multiple evidence-based indicators are found and reported, the weight of these flags combined is sufficient to tip the scale into a preponderance of evidence. Such actions are not arbitrary but are based on the preponderance of evidence.

Cybercriminals are smart – we, as Disruptors, must be smarter. As the tactics of cybercrime continue to shift and evolve, so too must online harm evidencing and mitigation techniques. While the escalations and actions taken will not change, we know we can achieve a better and broader impact by pushing these means of evidencing to be equally justifiable. In order to do this, we must be comfortable with evidence that is a little more technical than the good old screenshot, while also maintaining the capability to demonstrate additional means to evidence abuse in a manner that is consistently reliable.

We at CleanDNS pride ourselves on continuous evolution, optimization, and disruption, and thus also seek to challenge the status quo and encourage new approaches in online harm mitigation. The consideration of broader evidence types will in turn have great effect on the mitigation of online harms, and thus continue to make the Internet a better, safer place.

CleanDNS continues to emphasize the pillars of evidence-based escalations, and the appropriate action taken, by the appropriate party, at the appropriate time. We’re Cleaning Up the Internet for Good, and causing a little disruption along the way.

###

[1] Preponderance of evidence: legal term meaning an amount of evidence that is sufficient in showing that one side of said argument is more likely than not to be true.

[2] Bulletproof hosting: i.e. those hosting entities who, by policy, ignore all escalations, regardless of clear evidence submitted.

For questions about CleanDNS’ actionable, affordable, streamlined solution for abuse management and online harm mitigation, contact our team to learn more.