ICANN’s DNS Abuse Mitigation Program: Key Updates from 2024Mukesh ChulaniRuss Weinstein

Throughout 2024, the Internet Corporation for Assigned Names and Numbers (ICANN) has made notable strides in its approach supporting efforts that combat Domain Name System (DNS) Abuse.

By contributing data and expertise to fact-based discussions, providing tools to the ICANN community, and enforcing the contractual obligations with registries and registrars, ICANN supports the community in addressing malware, phishing, pharming, botnets, and spam (when used to propagate the other four named forms of DNS Abuse). These efforts also help ICANN achieve its strategic objective to strengthen the security of the DNS, which is a cornerstone of the current ICANN Strategic Plan.

Expanded DNS Abuse Contractual Requirements

Following extensive discussions on enhancing ICANN's efforts to combat DNS Abuse, the Contracted Parties House (CPH) and the ICANN organization successfully negotiated targeted amendments to the Registry Agreement (RA) and Registrar Accreditation Agreement (RAA), regarding DNS Abuse mitigation obligations. The amendments, which received broad support from generic top-level domain (gTLD) registries and ICANN-accredited registrars, became effective on 5 April 2024. They introduce new requirements that require gTLD registry operators and registrars to take action to stop or disrupt well-evidenced cases of DNS Abuse. These amendments represent a significant first step forward in ICANN's efforts to help combat DNS Abuse and highlights the community's ability to collaborate on practical solutions to ensure a secure and stable DNS.

ICANN's Enforcement Actions on DNS Abuse Mitigation Requirements

During the first six months of enforcement of the DNS Abuse mitigation requirements, from 5 April 2024 through 5 October 2024, ICANN's Contractual Compliance team launched 192 investigations into potential violations. ICANN's enforcement actions resulted in the suspension of over 2,700 abusive domain names and the takedown of more than 350 phishing websites while additional compliance cases involving hundreds of domain names are ongoing or were closed after 5 October 2024. The six-month report published in November 2024 highlights these actions and underscores ICANN's commitment to transparency in enforcement. Additionally, an audit of registry operators' compliance with DNS Abuse mitigation obligations is currently underway.

Well-Attended Sessions at ICANN Meetings

ICANN's efforts to raise awareness and engage the community on DNS Abuse mitigation efforts were clearly reflected in the strong attendance at key sessions during ICANN79 (San Juan, Puerto Rico) in March 2024, ICANN81 (Istanbul, Republic of Türkiye) in November 2024, and a special session during the Contracted Parties Summit (Paris, France) in May 2024. These gatherings brought together stakeholders from across the DNS ecosystem to discuss good practices, challenges, and ongoing efforts in combating domain abuse. These sessions also fostered collaboration among registries, registrars, and other stakeholders involved in the fight against DNS Abuse.

Launch of ICANN Domain Metrica

One of the most significant developments in DNS Abuse mitigation is the phased launch of ICANN Domain Metrica, a new platform designed to provide essential metrics and insights. Managed by ICANN's Security, Stability, and Resilience (SSR) Research team, Domain Metrica aggregates a variety of datasets to produce metadata on Internet identifiers, enabling registries, registrars, and the broader ICANN community to track and address DNS Abuse more effectively.

Domain Metrica is planned to be modular. The platform's first module focuses on reporting abuse concentrations across generic top-level domain (gTLD) registries and registrars. It allows users to access metrics on abuse reports, compare data across multiple registrars or gTLDs, and explore trends in domain name misuse. The initial release of Domain Metrica occurred in late October 2024 for contracted parties, with a broader rollout planned for January 2025, making the platform accessible to all ICANN account holders. This tool will continue to evolve, with plans to add more advanced features and modules, including abuse risk scores and categorization of maliciousness.

INFERMAL Project: Analyzing Malicious Registration Patterns

Another important initiative is the Inferential Analysis of Maliciously Registered Domains (INFERMAL) Project, funded by ICANN and conducted by KOR Labs. This project examines factors that contribute to why certain domain registrars and top-level domains (TLDs) are particularly attractive to cybercriminals engaged in phishing domains. By analyzing factors such as registration attributes (e.g., pricing and payment methods), proactive verification practices (e.g., contact validation), and reactive security measures (e.g., abuse mitigation), the INFERMAL project aims to uncover patterns that can help registrars and registries reduce the risk of malicious registrations. The final report provides deeper insights into how malicious actors exploit domain registration systems.

Looking Ahead

ICANN's evolving approach to DNS Abuse mitigation, underpinned by collaboration, data-driven insights, and proactive enforcement, marks a significant advancement in addressing this complex issue. With the introduction of tools like ICANN Domain Metrica and INFERMAL, the community is better equipped to respond to DNS Abuse in a more coordinated and effective manner.

Recognizing the complexity of the issue, ICANN continues to trust the wider community to provide valuable input on future potential policy recommendations.

For more information on ICANN's ongoing efforts, visit ICANN's DNS Abuse Mitigation Program page.