Understanding top-level domain (TLD) abuse helps illuminate and predict domain threat trends

What are top-level domains (TLD)?

The DNS is hierarchical, easily visualized as an inverted tree starting with leaves extending from a root representing different layers. The layer below the root consists of TLDs, below that are 2nd level domains, and beyond are sub-domains.

There were initially 7 generic TLDs (gTLDs), like the familiar “.com”, in the DNS. Starting in 1985 a country, sovereign state, or dependent territory could register a country code TLD (ccTLD). In 2000 seven new gTLDs were added, and in 2005 a process began to enable a new class of gTLDs which could be purchased and operated by a sponsor, often with a commercial interest. There are now more than 300 ccTLDs and 1,200 gTLDs activated in the root zone (current list).

TLDs can impact the security landscape

Legitimate applications on the internet depend on the DNS to function and malicious actors also depend on it to activate, scale, and manage their exploits. They use the DNS because it connects everything on the internet, from virtually every network and device where an exploit might be activated. They also benefit from tools for managing domain names that enable highly dynamic, scalable, connectivity so they can change their exploits rapidly and avoid detection.

Although there are other ways hackers can use the DNS to support malicious activity, one of the main ways is to register domain names under a TLD. If a name can be registered and activated it’s available for use on the internet. With complete control over their names/zone developers can tailor the use of subdomains to suit their needs. Names can be used until malicious activity is detected and validated, and actions are taken to deregister or block them.

There are controls over name registrations and most TLD operators have formal contractual obligations with the Internet Corporation for Assigned Names and Numbers (ICANN), the organization who coordinates operation of the DNS, to take steps to deter abusive activity.  Most TLD operators also have strong business motivations to minimize registration of malicious names and to be responsive to abuse reports. TLDs who want to attract well-known brands or high-value audiences are incented to maintain their reputation.

Although controls exist to prevent malicious name registrations, variations in contractual arrangements and registration policies can create openings for attackers. ccTLDs pre-date ICANN and are largely self-regulated. They define their own registration policies, like whether there’s a requirement that a legal entity be registered in-country. They also establish their own methods and obligations to deal with abusive registrations. For instance, some ccTLDs require information that makes it easier to identify and contact registrants if it becomes necessary, but some do not.

New gTLDs under ICANN’s control serve a wide array of interests. Some, like brands .chanel, .ericsson, and .fedex are closed, and only used by their own legal entities. Others such as .travel, .law, and .realtor require registrants to have an affiliation or credentials relevant to the organization, however the formality of the affiliation varies widely. Most gTLDs are open to anyone, although that’s not to suggest they simply accept all registrations.

There are other reasons TLD abuse can occur and persist:

• Hackers invest so their work is not detected, even large, popular, or long-established TLD efforts to prevent malicious registrations can be subverted sometimes.
• The domain name industry is large and diverse and the motivations of individual players may not always coincide with the rest of the internet ecosystem.
• Another layer in the domain name ecosystem, registrars, may not fulfill their obligations to properly vet registrants and filter out miscreants.
• Lack of vigilance policing registrations, like limited verification of the identity of the registrants, is another contributing factor.
• Batch registrations make it easier to obtain names, use them briefly, and leave a minimal trail, especially if verification is inadequate.
• Cheap registrations benefit abusers because it reduces their operating costs and potentially allows them to hide abusive names amongst benign names.
• There can be delays in responding to requests to review andtakedown domains that are flagged as problematic by researchers or the broader community.

None of this is to suggest operators of TLDs don’t take measures to prevent malicious registrations – they do.  But misaligned incentives, resource constraints, deficient infrastructure or processes, and the sheer skill and determination of adversaries all get in the way.

Understanding malicious activity in TLDs is important to security

Because malware developers depend on the DNS, query data is extraordinarily useful for security research. Akamai teams use sophisticated algorithms and machine learning to analyze data gathered from resolvers (anonymized to protect user privacy). Part of the workflow measures malicious activity in each TLD to determine the relative scale of abuse. New threats can be identified using these findings, along with other kinds of data.  All these insights contribute to metrics that allow domain names to be classified based on how likely they are to be associated with malicious activity, ultimately resulting in validated threat intelligence.

It may be tempting to simply block entire TLDs that have high levels of abuse, but it inevitably causes collateral damage because legitimate names are blocked too.  A better approach is to take advantage of carefully validated domain-based threat intelligence with constantly updated lists of malicious names. It can be integrated into DNS resolvers, or potentially other infrastructure, to flag and block malicious activity.

Perspective

Recent findings of malicious activity uncovered in DNS data can be found here:

• DNS Threat Report – Q3 2022
• Insights on DNS in Q2 2022
• DNS Traffic Insights Threat Report
• A paper covering why DNS data is useful for security research, with explanations of how data can be processed to reveal malicious activity is here.
• TLD abuse findings have been publicized at industry events like this one hosted by ICANN.

Summary

The DNS is vital to the proper functioning of legitimate internet applications and services, but because it’s so powerful and easy to use, malicious actors also depend on it. This makes DNS data a rich source of security insights. TLDs are an attractive entry point for attackers and understanding TLD abuse helps illuminate broader security trends. Wholesale blocking of TLDs with high rates of abuse can be problematic, taking advantage of validated domain-based threat intelligence can improve security posture, and minimize disruption associated with blocking legitimate traffic.