The 3 most common DNS attacks and how to defeat them

In October 2016, many popular websites like Amazon, Twitter, Netflix and Spotify became unavailable to millions of web users in the United States for almost 10 hours, i.e. an eternity. The cause: one of the most powerful attacks in Internet history, against the DNS services of Dyn, a major player in this sector.

Other companies such as Google, The New York Times and many banks have also fallen victim to various kinds of attacks on the DNS in the last few years. In many companies the DNS remains forgotten, but these attacks are forcing a growing awareness.

Attack #1: DNS cache poisoning and spoofing

The aim of DNS poisoning is to send web users to a scam website. For example, a user enters gmail.com in their web browser to check their mailbox. Because the DNS has been poisoned, it is not the gmail.com page that is displayed but a scam page chosen by the criminal, for example to capture the mailbox credentials. Since users entered the correct domain name, they will not notice that the website they are visiting is a scam rather than the real one.

This creates a perfect opportunity for cybercriminals to use phishing methods to steal information, whether login credentials or credit card details, from unsuspecting victims. The attack can be destructive, depending on many factors, including the attacker’s intention and the extent of the DNS poisoning.

How do the hackers strike? By exploiting the DNS cache system.

DNS caching is used throughout the web to speed up loading times and reduce the load on DNS servers. In the same way, a cache of web documents (web pages, images) is used to reduce bandwidth consumption and the load on the web server (the tasks it carries out), or to improve browsing speed. A web cache keeps copies of the documents that pass through it. Once a system queries a DNS server and receives an answer, it records the information in a local cache so that, for a given time, it can be looked up faster without a new search. The cache can answer repeated requests from its copies, without using the original web server.

This approach is used routinely across the web, and in a chain. The records of one DNS server are used to cache records on another DNS server. That server is used to cache DNS records on network systems such as routers. These records are in turn used to create caches on local machines.

DNS poisoning occurs when one of these caches is compromised.

For example, if the cache on a network router is compromised, then anyone who uses it can be misdirected to a fraudulent website. The false DNS records propagate to the DNS caches on each user’s machine.

This attack can also target the higher links of the chain. For example, a major DNS server can be compromised. This can corrupt the caches of DNS servers managed by Internet service providers. The “poison” can spread to the systems and network devices of their customers, which allows millions of people to be redirected to fraudulent websites.

Does that seem crazy to you? In 2010, many American web users couldn’t access websites like Facebook and YouTube because a DNS server of a high-level Internet service provider had accidentally retrieved records from the Great Firewall of China (the Chinese government blocked access to these websites).

The antidote to this poison

DNS cache poisoning is very difficult to detect. It can last until the TTL (time to live, the validity period of a cached answer) expires on the cached data, or until an administrator notices and resolves the problem. Depending on the TTL duration, servers can take some days to clear the problem by themselves.

The best methods to prevent DNS cache poisoning include regularly updating software, reducing TTL times and regularly flushing the DNS caches of local machines and network systems.

For the registries that allow it, implementing DNSSEC is the best solution: it signs the domain names’ zones along the whole chain and makes a cache poisoning attack impossible.
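The chain of caches described above (provider resolver, router, local machine) can be modelled in a few lines. This is an added example, not part of the original article; the host name, addresses and class names are constructed for illustration. It shows why a poisoned entry survives until its TTL expires and why flushing only the local machine is not enough.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

QNAME = "mail.example"      # constructed host name
GOOD_IP = "192.0.2.10"      # constructed: the legitimate address
BOGUS_IP = "203.0.113.66"   # constructed: the address planted in the cache


@dataclass
class Resolver:
    """One link of the chain. With upstream=None it is the authoritative source."""
    name: str
    upstream: Optional["Resolver"] = None
    zone: Dict[str, Tuple[str, int]] = field(default_factory=dict)     # name -> (ip, ttl)
    cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # name -> (ip, expiry)

    def resolve(self, qname: str, now: float) -> Tuple[str, float]:
        """Return (ip, remaining TTL in seconds) as seen by this link at time `now`."""
        if self.upstream is None:
            return self.zone[qname]
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            # Still valid: answer from the copy, never asking upstream.
            return hit[0], hit[1] - now
        ip, ttl = self.upstream.resolve(qname, now)
        # A downstream cache inherits the *remaining* TTL of its upstream.
        self.cache[qname] = (ip, now + ttl)
        return ip, ttl

    def poison(self, qname: str, ip: str, ttl: int, now: float) -> None:
        """Model a compromised cache entry (how it got there is out of scope)."""
        self.cache[qname] = (ip, now + ttl)

    def flush(self) -> None:
        self.cache.clear()


def scenario(poison_ttl, probes, flushes=None):
    """Poison the router cache at t=0 and report what the PC resolves at each
    probe time. `flushes` maps a probe time to the caches flushed just before it."""
    flushes = flushes or {}
    auth = Resolver("authoritative", zone={QNAME: (GOOD_IP, 300)})
    isp = Resolver("isp", upstream=auth)
    router = Resolver("router", upstream=isp)
    pc = Resolver("pc", upstream=router)
    links = {"isp": isp, "router": router, "pc": pc}

    router.poison(QNAME, BOGUS_IP, poison_ttl, now=0)
    seen = {}
    for t in sorted(probes):
        for name in flushes.get(t, ()):
            links[name].flush()
        seen[t] = pc.resolve(QNAME, t)[0]
    return seen


if __name__ == "__main__":
    print("no action, 1-day TTL :", scenario(86400, [10, 3600, 86399, 86401]))
    print("flush PC only at 60s :", scenario(86400, [10, 60], {60: ["pc"]}))
    print("flush router + PC    :", scenario(86400, [10, 120], {120: ["router", "pc"]}))
    print("5-minute TTL         :", scenario(300, [10, 301]))
```
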

Attack #2: DNS amplification attack (a type of DDoS)

DNS amplification attacks are not threats against DNS systems themselves. Instead, they exploit the open nature of DNS services to increase the power of distributed denial of service (DDoS) attacks. These attacks are hardly obscure: they have targeted well-known websites such as BBC, Microsoft, Sony…

Hold on and amplify

DDoS attacks generally rely on a botnet. The attacker uses a network of malware-infected computers to send massive traffic to the target, such as a server. The purpose is to overload the target and slow it down or crash it.

Amplification attacks add more power. Instead of sending traffic directly from a botnet to a victim, the botnet sends requests to other systems. These systems respond by sending a larger volume of traffic to the victim.

DNS amplification attacks are the perfect example. The attackers use a botnet to send thousands of lookup requests to open DNS servers. The requests carry a fake source address and are crafted to maximize the amount of data sent back by each DNS server.

The result: an attacker sends a relatively small amount of traffic from a botnet and generates a proportionally larger, or “amplified”, volume of traffic from the DNS servers. The amplified traffic is directed at a victim, causing the system to break down.

Detect and defend ourselves

Some firewalls can be set up to recognize and stop DDoS attacks as they occur by dropping the artificial packets trying to flood the systems on the network.

Another way to fight these DDoS attacks is to host your architecture on many servers. This way, if one server is overloaded, another will still be available. If the attack is weak, the IP addresses sending the traffic can be blocked. Furthermore, increasing the server’s bandwidth can allow it to absorb an attack.

Many dedicated solutions also exist, designed exclusively to fight DDoS attacks.
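One way for the operator of a DNS server to spot that it is being used as a reflector, as described above, is to compare request and response volumes per source address in its query log. This is an added example, not from the original article; the log format, addresses and thresholds are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log. Assumed columns (not a real server's format):
# time, source address, queried name, query type, request bytes, response bytes
SAMPLE_LOG = """\
12:00:01 10.0.0.15 www.example.com A 44 60
12:00:01 198.51.100.7 example.org ANY 40 3100
12:00:01 198.51.100.7 example.org ANY 40 3100
12:00:02 198.51.100.7 example.org ANY 40 3100
12:00:02 10.0.0.15 mail.example.com MX 45 92
12:00:02 198.51.100.7 example.org ANY 40 3100
12:00:03 198.51.100.7 example.org ANY 40 3100
12:00:03 203.0.113.9 www.example.net A 44 60
12:00:03 198.51.100.7 example.org ANY 40 3100
12:00:04 10.0.0.15 www.example.org AAAA 44 72
"""


@dataclass
class Finding:
    client: str
    queries: int
    query_bytes: int
    response_bytes: int
    factor: float                      # response bytes per request byte
    reasons: list = field(default_factory=list)


def analyze(log_text, local_nets=("10.0.0.0/8",), min_queries=5, min_factor=10.0):
    """Group the log by source address and flag sources that are outside the
    local networks and/or show many small requests with large responses."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    totals = defaultdict(lambda: [0, 0, 0])   # source -> [queries, bytes in, bytes out]

    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue                          # blank or malformed line
        _, client, _, _, q_bytes, r_bytes = parts
        try:
            ipaddress.ip_address(client)
            q_len, r_len = int(q_bytes), int(r_bytes)
        except ValueError:
            continue                          # unparsable address or size
        entry = totals[client]
        entry[0] += 1
        entry[1] += q_len
        entry[2] += r_len

    findings = []
    for client, (count, q_total, r_total) in totals.items():
        factor = r_total / q_total if q_total else 0.0
        addr = ipaddress.ip_address(client)
        reasons = []
        if not any(addr in net for net in nets):
            reasons.append("non-local client")     # server answers outsiders
        if count >= min_queries and factor >= min_factor:
            reasons.append("reflection pattern")   # small in, large out, repeated
        if reasons:
            findings.append(
                Finding(client, count, q_total, r_total, round(factor, 2), reasons)
            )
    # Largest outbound volume first: that is the traffic hitting the victim.
    return sorted(findings, key=lambda f: f.response_bytes, reverse=True)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.client:15} queries={f.queries} out={f.response_bytes}B "
              f"x{f.factor} {', '.join(f.reasons)}")
```

Because the source addresses are forged, a flagged address is the victim receiving the responses, not the sender of the requests. On the server side the remedy is to stop answering non-local clients rather than to block that address alone.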

Attack #3: DDoS attack on DNS

DDoS attacks can be used against many types of systems, including DNS servers. A successful DDoS attack against a DNS server can cause an outage that leaves users unable to browse the web. (Note: users are likely to still reach websites they have recently visited, provided the DNS record is stored in a local cache.)

This is what happened to Dyn’s DNS services, as described at the beginning of this article. The DDoS attack overloaded the DNS infrastructure, preventing millions of people from accessing major websites whose domain names were hosted on it.

How to defend yourself against these attacks? It all depends on your DNS configuration.

For example, do you host your own DNS server? In that case, there are measures you can take to protect it: applying the latest patches and only allowing local computers to access it.

Are you perhaps trying to reach the attacked DNS server? In that case, it will probably be hard for you to connect. That’s why it’s wise to set up your systems to rely on more than one DNS server. This way, if the primary server stops answering, a backup server will be available.

Predict and reduce the attacks

DNS server attacks are a major security risk for the network and have to be taken seriously. Companies, hosting providers and Internet service providers implement backup measures to prevent and reduce the effects of this kind of attack when they are targeted.

Following these attacks, ICANN has stressed more strongly than ever the need to use the DNSSEC protocol to sign each DNS request with a certified signature, thereby ensuring its authenticity. The disadvantage of this technology is that it has to be implemented at every stage of the DNS protocol in order to operate properly, which is happening slowly but surely.

Opt for hosted infrastructure maintained by DNS experts. Make sure that the network is anycast (multiple points of presence distributed around the world, or at least across your zones of influence), benefits from anti-DDoS filtering and offers additional security solutions such as DNSSEC as well as failover, so that the DNS is integrated into your business continuity and disaster recovery plans (PCA and PRA).

Nameshield has its own DNS Premium infrastructure to meet its customers’ needs. This infrastructure meets (and even exceeds) all ANSSI prerequisites. The DNS Premium solution is included in the scope of our ISO 27001 certification.

Don’t hesitate to contact us with any questions regarding cyberattacks.

DNS – the big forgotten of Internet

“DNS continues to be one of the most targeted Internet services, and it remains the Achilles heel of global Internet infrastructure. DNS was not only the most heavily abused protocol for reflection/amplification DDoS attacks this year, but an attack targeting a specific DNS provider was also the cause of the most widespread Internet outage of 2016 (Note: the attack on the provider Dyn in October 2016, which made a large part of the Internet in the USA inaccessible for about ten hours, particularly impacting Twitter, eBay, Netflix, Amazon, PayPal…).”

Arbor Network Infrastructure Security Report – June 2017

But what is the DNS?

Because human beings remember a name more easily than a number, and all the more so when choosing between a domain name and an IP address to reach a website, they created the DNS to simplify their lives: the Domain Name System (or Service).

For example: “I want to go to Google.com: my browser asks the DNS for the IP address of the web server hosting google.com, obtains it, then connects to it and downloads the page.”

The DNS is a public, decentralized and distributed database which maps domain names to IP addresses. It has existed since 1985. It can be described as part of the Internet’s infrastructure, essential to its operation… and yet the DNS is invisible to the user.

The DNS has been massively adopted because it’s practical. It simplifies the user’s life and allows them to easily identify, differentiate, locate, memorize and share the domain name of a website associated with a brand. It has also been adopted on the other side of the mirror by network administrators to identify and differentiate servers, and this is even more true with IPv6, the multiplication of hosts and the arrival of the all-connected world. Last but not least, the DNS allows them to change servers and IP addresses transparently for the web user.

The DNS is omnipresent on the Internet. Everyone must be able to access it; otherwise the Web would no longer work. This is what happened in 2016 to our American compatriots, who had to do without Twitter or frenetic shopping for almost 10 hours. The lost revenue and the damage to the brand image of the affected companies were significant.

But as it is invisible, everyone tends to forget it… and to realize it only when it’s too late.

Strategic services relying on the DNS and the associated risks

Websites and email are two major services which systematically rely on DNS. Imagine that your website is unavailable for 1 minute, 10 minutes, 1 hour… and the consequences for your company: lost revenue, service interruption, brand image, lost customers. And imagine the consequences of having no email over the same period…

If these two services are potentially the most affected, others also systematically rely on DNS:

VPN, VoIP, instant messaging… with smaller but equally regrettable consequences for the operation of the company.

Attacks on DNS

Sadly, DNS servers are exposed to many potential attacks:

– Cache poisoning: making the DNS servers believe they have received a valid answer to their request when it is fraudulent. Once the DNS is poisoned, the cached information makes all users vulnerable (sent to a fake website).

– Man in the middle: the attacker alters the DNS server(s) of the parties in order to redirect their communications to the attacker without the parties realizing it.

– DNS spoofing: redirecting web users, without their knowledge, to hacked websites.

– DDoS: DNS servers are increasingly targeted by DDoS attacks, in order to saturate them and prevent them from resolving the company’s key services.

And all these attacks have the same consequences: hijacking or stopping the companies’ traffic.

The big forgotten

From the user’s point of view, the DNS doesn’t exist. They use the domain name system to navigate and send emails, and they have only one need: that it works.

On the company’s side, the problem is different: it is usually a lack of information, a lack of awareness of the importance of the DNS and of the consequences of a service outage.

In most cases, companies do not really pay attention. They will spend a significant budget to register and manage domain names, to raise their visibility and protect their brands, but will not dwell on the robustness of the DNS servers their provider puts at their disposal.

The good practices to implement: having first rate DNS infrastructure

First of all, consider whether your strategic domain names already receive particular attention in terms of DNS infrastructure. Strategic domain names are all those on which the traffic of the company’s key services relies: websites, email, VPN, instant messaging…

Acquiring your own DNS infrastructure is a solution that offers flexibility and control, but the costs of acquisition, management and maintenance on one side, and the complexity and necessary expertise on the other, are often prohibitive or poorly estimated. It’s usually easier to opt for an external DNS infrastructure, managed by a registrar, hosting provider or specialized provider. It is then appropriate to check which annual availability rate is guaranteed and how it relies on good practices for maximum availability.

To ensure high availability of your Internet services, it’s essential to choose a highly available DNS solution which offers:

– The functionalities necessary for intensive DNS use;

– An anycast network to reduce the DNS resolution time and ensure an optimal access time to your websites;

– A secured DNS infrastructure that stays available even under attack;

– Key functionalities such as GeoIP, failover, registry lock, DNSSEC and smart anti-DDoS filtering.

Conclusion

The DNS is not visible but it is everywhere. It ensures access to your key services through the resolution of your strategic domain names, it is potentially exposed to many attacks with disastrous consequences, and it too often lacks attention from companies. So… don’t forget about it and, if necessary, talk about it with your Nameshield partner.

Referendum in Catalonia

Context:

Spain is divided into 17 autonomous communities, which can’t be compared to the administrative division into regions. Indeed, these Spanish communities don’t all have the same autonomy, and Catalonia, located in the North East, benefits from an autonomous status in effect since 2006.

Issue of October 1st

Last Sunday, the Catalan pro-independence regional government organized a referendum on Catalonia’s independence among 7.5 million residents. This initiative was badly received by the Spanish conservative government, which is seeking by any means to slow down, if not stop, the movement. For many media outlets, this is one of the worst political crises of the last 40 years.

Like many territories or regions, Catalonia benefits from its own TLD: .CAT.

In France, Brittany, Corsica, Alsace and Paris also benefit from a dedicated extension, i.e. respectively .BZH, .CORSICA, .ALSACE and .PARIS.

Beside France, we can find .SCOT for Scotland, .EUS for Basque culture, .FRL for Friesland, etc.

June, 9th 2017

The referendum on Catalonia’s independence is announced. It will take place on October 1st. The question that the voters will have to respond to is the following: “Do you want Catalonia to be an independent state in the form of a Republic?”

September 13th 2017

Spanish law enforcement officers seize the electoral equipment.

September 15th 2017

Madrid, judging the Catalan referendum illegal, raided PuntCat, the registry managing .CAT, in order to make pro-independence websites inaccessible, since they were hosted abroad. The registries of the other countries expressed their dissatisfaction with this situation: .EUS and .SCOT have communicated on the subject. To this day, while we can note the reactions of EFF and ISOC, neither the GeoTLD Group nor ICANN has communicated on this matter yet. As the issue has been covered beyond Spain’s borders (we can note an NYT article on the subject), it would seem natural for a first statement from ICANN to be published soon.

PuntCat, the .CAT registry, commented on this incident and asked ICANN for help: “The show that we have experienced in our offices this morning has been shameful and degrading, unworthy of a civilized country. We feel helpless in the face of these immensely disproportionate facts.”

September 20th, 2017

Launch of “Operation Anubis”, aiming to prevent the referendum.

September 24th, 2017

Catalonia’s secretariat of telecommunications complains to the European Commission about the blocking of some websites in .CAT and the raid of the Catalan registry.

September 25th, 2017

Unable to take pro-independence websites down, the Spanish government blocks them.

October 1st, 2017

The vote takes place: 90% vote YES for independence, with a 42% participation rate.

October 4th, 2017

On the day of this article’s publication, the Catalan government should announce Catalonia’s independence.

 

 

Acquisition of Rightside by Donuts: What are the consequences on DPML Programs?

When the new Internet extensions launched, the operator Donuts, the biggest applicant for extensions (.services, .legal, .photos, .vin etc.), launched a specific protection program in addition to the TMCH.

The Donuts Protected Mark List (DPML) makes it possible to block third parties from registering a domain name similar to the brand under all the extensions managed by the registry.

For example, if the brand “iPhone” is registered in the TMCH (a prerequisite) and then in the DPML, no one can register <iphone.photos> or <iphone.services>, or the name under the other hundred Donuts extensions.

Other registries have also created protection programs, similar to Donuts’ DPML, with a more restricted scope. This was the case of Rightside, which managed the following 40 extensions:

.ACTOR

.AIRFORCE

.ARMY

.ATTORNEY

.AUCTION

.BAND

.CONSULTING

.DANCE

.DEGREE

.DEMOCRAT

.DENTIST

.ENGINEER

.FAMILY

.FORSALE

.FUTBOL

.GAMES

.GIVES

.HAUS

.IMMOBILIEN

.KAUFEN

.LAWYER

.LIVE

.MARKET

.MODA

.MORTGAGE

.NAVY

.NEWS

.NINJA

.PUB

.REHAB

.REPUBLICAN

.REVIEWS

.RIP

.ROCKS

.SALE

.SOCIAL

.SOFTWARE

.STUDIO

.VET

.VIDEO

At the end of July, Donuts announced the acquisition of Rightside.

What are the impacts of this acquisition on the holders of these two protection programs?

  • The DPML now integrates the extensions of Rightside, without supplementary cost.
  • It’s no longer possible to subscribe only to Rightside’s program; you will necessarily have to turn to Donuts’ DPML.
  • It will not protect the names previously registered by third parties.
  • It excludes premium domain names.

If you want to register your brand in the TMCH and/or in the DPML, don’t hesitate to contact your interlocutor at Nameshield.

 

Irma storm and its unexpected consequences on the domain names industry

.TV means television, .FM, FM radio, .IO tech companies…

Actually no. In fact, yes but no. These codes do not designate sectors of activity but territories, according to ISO 3166-1 alpha-2:

  • TV is for Tuvalu, a Polynesian state;
  • FM is for Federated States of Micronesia ;
  • IO for British Indian Ocean Territory.

Why such a mix of genres? In fact, domain names and geopolitics make a whole.

When you communicate with a .COM domain name, you trust Verisign, an American company. With a .FR, it’s the AFNIC! For the .TV, nothing to fear, this extension is technically delegated to Verisign. And for the .IO, it will be said that the infrastructure is fairly resilient. Why mention this reality?

Simply because geopolitics shift: political events have frequently cut off domain name extensions. This is the case of .LY, which corresponds to Libya. For example, South-West professionals communicating with .SO ran into technical problems when Somalia cut its DNS infrastructure for some time.

That is precisely what is happening with .AI. AI for Artificial Intelligence? Not at all: it is the country code of Anguilla, a territory heavily affected by Hurricane Irma. As a result, many companies using .AI domain names have encountered difficulties in registering, managing or renewing their domain names.

So what can we do? This is precisely what is exciting in this intangible industry: while no guide is available to track real-time geopolitical movements and their consequences on the availability of registries’ DNS, Nameshield informs you in real time.

Do not hesitate to contact us if you have any questions.

.BRAND : 4 episodes, for this summer

Photo : CC BY-SA 3.0 Nick Youngson – source : http://nyphotographic.com/

Act 4: Reconstruction

While a myriad of new extensions were opening for registration, the question was which records to select: .COM, .CM, .OM, .CO or .CAM? .FR or .FRL?

The decision to register in all the new extensions of course has a high cost and is no longer necessarily wise.

This is also why some brands have chosen a .BRAND: their own TLD, their own sovereignty, their own management rules! Many brands have opted for this configuration and we can now see the blooming of .BNPPARIBAS, .ALSTOM, .SNCF, .LECLERC, .GOOGLE …

This reflection on .BRAND has sometimes been badly conducted: some brands have now abandoned their own TLDs, such as McDonald’s. ICANN has a list of these TLDs, along with the very formal letters from the companies asking to remove the area of confidence, historically so costly. It reminds me of The Fallen Astronaut. We can say that the abandonment of these TLDs will be used by others to build themselves up. A good general uses the strength of the enemy, as Sun Tzu said!

These discontinuations show that the companies concerned have not yet seen the benefits they could draw relative to the costs associated with the creation and management of a .BRAND. Others, more daring, have discovered the interest and/or expect to discover new service opportunities giving them increased or even total control over their future infrastructure, with high stakes: Internet of Things, Industry 4.0 …

Let’s wait for the first connected objects and the deployment of a real infrastructure around a resilient .BRAND and we’ll see!

Read act 1: Denial (and Anger)

Read act 2: Expression

Read act 3: Depression

 

How horse names resemble trademarks

Trademarks identify a particular product or service and enable consumers to quickly identify the source of a given good. In order to meet this function they must be distinctive. Trademark law protects the owner’s right to use the trademark exclusively and prevent others using a mark that is confusingly similar. Use of an identical mark on the same product would be considered confusing and could clearly constitute infringement.

So far so good. But are you aware that the same standards exist for naming pedigree horses?

WorldFengur is the Icelandic committee in charge of the official register of the Icelandic horses breed. They have recently passed a rule stating that names must be of Icelandic heritage for them to be included in the official database. There are more than 400,000 horses registered across Europe and the USA. The two-person Horse Naming Committee has been set up to stop people giving obscene names to their horses but mainly to ensure that the names respect Icelandic tradition and grammar rules. It seems that purchasers don’t want their Icelandic horses to have foreign names.

Other countries have naming rules for horses too. The British Horseracing Authority (BHA) controls the appropriateness of names when horses are added to their database. In addition to being available – like trademarks – there is a long list of criteria that applicants need to meet. Here are some of the restrictions on name availability:

  • Names of more than 18 characters, including signs or spaces
  • Names followed by one or more numbers or which start with a sign other than a letter
  • Names made up entirely of initials, or which include figures, hyphens, full-stops, commas, signs, exclamation marks, inverted commas, forward or back slash, colon and semi-colon
  • The name of a public person or names of commercial significance without the appropriate permission
  • Names considered in poor taste or which may cause offence.

Further, when applying to the BHA for your name approval you need to supply two proposed names in order of preference with an explanation of the origin or meaning of the name. This all sounds familiar – a bit like applying for a drug marketing authorisation. One fun difference is that there is a Horse Name Availability Search tool that will not only tell you if the name is free but will provide some great alternatives if not.

 

British Horseracing Authority website

Trademark bullying? The Glencoe story

Glencoe is an “unforgettable place of dramatic mountains, rare beauty and haunting history” in the Scottish Highlands.

It is also a UK trademark, registered by several companies including The National Trust for Scotland. NTS’s 2016 trademark is registered for goods including beauty products, jewellery and clothing. A prior UK Glencoe mark protecting articles of clothing was registered in 1996 by Glenmuir Limited, a “family-run business dedicated to producing the finest golf wear” but it does not currently appear to be used on any articles of their clothing.

It is similarly the name that Hilltrek Outdoor Clothing gives to one of their hand crafted outdoor jackets.

 

The company, based in Aboyne, on the edge of the Highlands, has a 30 year history of manufacturing quality outdoor clothing. They have a long standing policy to name their jackets after some of their favourite places in Scotland. On the website you can find a link to a glossary providing information about the names and places used for their clothing.

Earlier this month Hilltrek owner Mr Shand received a cease & desist letter from NTS demanding they stop selling the Glencoe jacket. Mr Shand was surprised that a place name could be registered as a trademark. The Hilltrek website respects trademark rights, displaying the ® symbol next to several marks but not Glencoe.

The letter instructed Hilltrek to stop selling any goods bearing the name Glencoe immediately and refrain from using the name on any future products. Mr Shand published the letter that he found “bullying and threatening” on social media, saying that he would have understood and preferred a polite letter explaining the situation and asking for a dialogue.

This case raises several interesting points for consideration.

Is it correct to register a place name, thereby blocking others from using it? NTS says that their aim is to protect the properties in their care and stop them being exploited. They encourage and support local business but have contacted a number of companies using trademarked names which are not local, including businesses based in France.

It is important to show tact when defending your IP rights in cases such as this. Reacting too harshly can result, as in this case, in negative media attention for the complainant and a great advertising opportunity for the “infringer”.

Which both underline the necessity of obtaining professional advice from an experienced IP Counsel whether you are defending a trademark or using one, even if you are not yet aware of it.

 

.BRAND: The importance of the digital strategy, or the McDonald’s case

McDonald’s! The symbol of globalization: from the invention of the express service by the eponymous brothers to its successful franchising by Ray Kroc (I recommend the film ‘The Founder’), McDonald’s is an example of post-war entrepreneurial success. The Big Mac, the Filet-O-Fish? These are the inventions of franchisees that headquarters agreed to roll out throughout the world. A model of innovation.

What about their digital strategy? When the Internet arrived and everyone was talking about it, a Wired reporter contacted McDonald’s to explain that Burger King could register mcdonalds.com. McDonald’s did not register it. The reporter then did; the US firm tried to recover it and donated 3500 USD to a school to buy computer equipment.

Once bitten, twice shy. As a result, McDonald’s created a preventive domain name registration policy: goldenarches.com, mcd.com, bigmac.com, …

Although RayKroc.com and mcdo.com were already cybersquatted, the implementation of a defensive registration policy had begun.

Thus, when the new gTLD program was launched in 2012, McDonald’s applied and won .MCD and .MCDONALDS (MCD is used internally for e-mail).

 

Illustration 1: Home page of NIC.MCD

We note the weak development on the home page of the .MCD, which is limited to ICANN’s obligations regarding the presentation of the TLD.

 

Illustration 2: WHOIS of .MCDONALDS

 

The Whois service of the .MCDONALDS allows the identification of the owner, although, as presented in the file for ICANN, the .MCDONALDS is not intended to be an open extension.

What is interesting in the Whois is the joint management of different departments:

  • First contact: IP Division, Eric William Gallender, Senior Intellectual Property Counsel
  • Second Contact: Marketing Division, Anja Morrison Carroll, ‘Senior Director, Marketing’

Among the company’s motivations for obtaining .MCD and .MCDONALDS, taken from a public document, we find the will to restore confidence. McDonald’s highlights its gTLD, ccTLD and preventive registrations (.XXX, among others).

McDonald’s has many commitments:

  • provide an easy and intuitive reference and access point for internet users;
  • represent authenticity thus promoting user confidence;
  • direct internet users to locally relevant information and products;
  • use appropriate geographic names to connect with internet users in the relevant regions ;
  • potentially use IDNs to enable customers to interact in their native language;
  • enhance security and minimise security risks by implementing necessary technical and policy measures;
  • strengthen brand reputation and user confidence by eliminating user confusion; and
  • prevent potential abuses in the registration process reducing overall costs to businesses and users.

However, on May 2nd, 2017, a letter signed by Colin Mitchell, VP Global Brand Marketing, announces the end of both TLDs.

There is no reason mentioned to justify this request and McDonald’s IP has not responded to the requests for communication.

Illustration 3: The letter of McDonald’s

McDonald’s failed to make these two TLDs anything more than a trusted place for its websites: a .BRAND, yes, but it needs a real deployment and usage strategy.

Creating a .BRAND with the sole purpose of defending intellectual property doesn’t seem, in that light, to be a successful tactic. The success of a .BRAND mainly depends on an effective strategy, and its development must anticipate, well ahead, its use as well as its implications for digital and commercial communication.

 

 

A much awaited first report on DNS abuse in the new extensions

While the fate of 25 new extensions that have not yet been delegated remains to be settled, which represents approximately 2% of all the extensions accepted during the current opening round, ICANN has just published a study on the proportion of DNS abuse in the new extensions launched after 2012.

The study was requested by the Competition, Consumer Trust and Consumer Choice Review Team (CCTRT), which is mandated by ICANN to examine the extent to which the introduction or expansion of generic extensions has promoted competition, consumer trust and consumer choice. In defining the parameters of the study, the CCTRT sought to measure the rates of the common forms of abusive activity in the domain name system, such as spamming, phishing and distribution of malware.

As a reminder, phishing is a technique used by swindlers to obtain personal information with the aim of committing identity theft.

What is the report based on?

The study was led by SIDN, the registry of the extension of the Netherlands, together with the University of Technology of Delft, also located in the Netherlands. It was carried out over a period running from 2014 to 2016, using access to the zone files granted by ICANN to these two entities.

More than 40 million names were analyzed, of which 24 million were registered in the new extensions and 16 million in the historic generic extensions: .com, .net, .org, .biz and .info. For the new extensions, the study targeted those which offered a Sunrise phase for brand owners. As a result, it ultimately concerned few .BRAND registries, since they are not required to hold Sunrise phases.

Both entities took their own measurements to detect abuse, and the data were cross-checked against eleven heterogeneous lists referencing domains and URLs identified as hostile, supplied by five specialized organizations.
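The cross-check described above, and the rate per 10,000 names in which the study's results are expressed, can be sketched as follows. This is an added example, not code from the study or from ICANN: the zone names and feed entries are constructed, `.example` stands in for a new extension, and treating the last two labels as the registered domain is an assumption that holds only for generic extensions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

LEGACY_TLDS = {"com", "net", "org", "biz", "info"}  # historic gTLDs named in the article

def registered_domain(entry):
    """Reduce a feed entry (bare domain, host/path or full URL) to its registered domain.

    Assumption: gTLD names only, so the registered domain is the last two labels.
    """
    entry = entry.strip().lower()
    host = urlsplit(entry if "://" in entry else "//" + entry).hostname
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None

def abuse_rates(zone_names, feeds):
    """Return {"legacy" | "new": flagged names per 10,000 names in the zone files}."""
    zone = {n.lower().rstrip(".") for n in zone_names}
    flagged = set()
    for feed in feeds:
        for entry in feed:
            dom = registered_domain(entry)
            if dom in zone:       # entries for names outside the measured zones are ignored
                flagged.add(dom)  # a name listed by several feeds is counted once
    totals, abused = defaultdict(int), defaultdict(int)
    for name in zone:
        group = "legacy" if name.rsplit(".", 1)[1] in LEGACY_TLDS else "new"
        totals[group] += 1
        abused[group] += name in flagged
    return {g: round(10000 * abused[g] / totals[g], 1) for g in totals}

# Constructed sample data: a tiny "zone file" and three heterogeneous feeds.
ZONE = ["example.com", "example.net", "example.org", "constructed-a.biz",
        "constructed-b.info", "one.example", "two.example", "three.example",
        "four.example"]
FEEDS = [
    ["two.example", "EXAMPLE.NET", "not-in-zone.example"],       # domain list
    ["http://login.two.example/verify",
     "https://www.three.example:8443/a?b=1"],                    # URL list
    ["three.example/dl.bin"],                                    # host/path list
]

if __name__ == "__main__":
    print(abuse_rates(ZONE, FEEDS))
```

Because the feeds mix bare domains and URLs, the normalization step decides the result: without it, `two.example` and `three.example` would be missed or counted twice.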

What are the study’s conclusions?

Regarding phishing and malware distribution, the study shows a convergence of the proportions observed within the new extensions and those in the historic generic extensions. However, in the historic generic extensions, the rates tend to remain stable while those of the new extensions increase.

On the other hand, a strong disparity appears for spamming. At the end of 2016, the proportion of affected domains was almost ten times higher in the new generic extensions: 526 per 10,000 names against 56 per 10,000 names. Trends show a shift of cybercriminals towards the new extensions.

The analysis also shows that nearly half of the registrations identified in spamming activity in the three most affected new extensions come from known cybercriminals and from users blacklisted by Spamhaus. Spamhaus is an international non-governmental organization whose purpose is to track spammers.

However, these phenomena do not concern all the new extensions, because 36% did not encounter any abuse during the last quarter of 2016.

The study also shows that the operators which compete by lowering their prices in order to sell volume are the ones most used by cybercriminals. Besides competitive registration prices, cybercriminals also look for unrestrictive registration requirements and a variety of other registration options, such as a wide range of available payment methods and bundled services such as DNS hosting or WHOIS masking.

What is the impact of DNSSEC on abuse?

While the DNSSEC protocol is rapidly expanding, the entities appointed by ICANN to conduct this study also analyzed how the structural properties and the security measures implemented by the operators of new extensions influence domain abuse. As expected, DNSSEC plays a statistically significant role, which argues for deploying the protocol on more extensions. Extensions supporting DNSSEC are indeed less of a target for such practices.

What’s happening next?

The study is now open to public comments until September 19th. The entities which led it also intend to analyze in more detail the possible correlations between registration policies and abuse.

The CCTRT will then make recommendations to ICANN to stem the increase in DNS abuse, which ICANN can then turn into new obligations for registry operators. This time, however, all registry operators may be concerned, including the .BRAND registries. NAMESHIELD is going to follow this subject closely.