Identifier Technology Health Indicators (ITHI)

Alain Durand, Christian Huitema, 13 March 2018

ITHI Principles of Operation

• Technical focus
• Problem areas → Metrics → Measurement
• Current value and trend over time
• Automated process to collect & analyse data
• Measurement, not interpretation
• Extraction of statistics to avoid data privacy issues
• Open source tools & results

7 Metrics and Data Sources

Metric Name | Data Source
M1: Inaccuracy of Whois Data | ICANN compliance dept.
M2: Domain Name Abuse | ICANN's DAAR Project, https://www.icann.org/octo-ssr/daar
M3: DNS Root Traffic Analysis | Scans of DNS root traffic
M4: DNS Recursive Server Analysis | Scan of recursive resolvers traffic
M5: (TBD) | (TBD)
M6: IANA registries for DNS parameters | Scan of recursive resolvers traffic
M7: DNSSEC Deployment | Snapshots of DNS root zone

ITHI Time Line

• 2017: definition of metrics, prototype tool chain.
• Jan-Feb 2018: initial captures: M1, M2, M3, and M7
• Initial results from small set of sources: M4 and M6
• Mar 2018: first data presented at ICANN meeting
• Next steps:
  • Jun 2018: M5
  • pipeline automation, publish metrics on ICANN website

M1: Inaccuracy of Whois Data

M1 metric name | Current value
M1.1 = Number of "validated complaints" per million registrations. | 5.9

[Chart: cumulative share of 1st notices (0% to 100%) by registrar. X axis: registrars, ranked by number of 1st notices they received. Total number of registrars: 1954.]

Concentration of 1st Notices
• 6 registrars account for 50% of all 1st notices sent
• 44 registrars account for 90% of all 1st notices sent

M2.*: Number of Abused Domains per 10,000 Registrations

M2 metric name | Global average
M2.1 = number of phishing domains per 10,000 registered domain names | 4.28
M2.2 = number of malware domains per 10,000 registered domain names | 3.28
M2.3 = number of botnet C&C domains per 10,000 registered domain names | 2.89
M2.4 = number of spam domains per 10,000 registered domain names | 86.73

Total number of gTLDs: 1143, total number of registrars: 1952
Data from 01/31/2018

[Charts: cumulative share (0% to 100%) of phishing, malware, botnet C&C and spam domains, by gTLD (ranked) and by registrar (ranked).]

Concentration by gTLD:
• 1 gTLD accounts for >50% of all phishing; 11 gTLDs account for >90% of all phishing
• 1 gTLD accounts for >50% of all malware; 7 gTLDs account for >90% of all malware
• 2 gTLDs account for >50% of all botnets; 5 gTLDs account for >90% of all botnets
• 4 gTLDs account for >50% of all spam; 18 gTLDs account for >90% of all spam

Concentration by registrar:
• 7 registrars account for >50% of all phishing; 45 registrars account for >90% of all phishing
• 2 registrars account for >50% of all malware; 9 registrars account for >90% of all malware
• 3 registrars account for >50% of all botnets; 28 registrars account for >90% of all botnets
• 3 registrars account for >50% of all spam; 18 registrars account for >90% of all spam

Note: the registrar data is gated by accessibility to whois data

M2.*: Concentration of Abuse

Table shows the number of TLDs/registrars that account for >50%/>90% of all abuse of the specified type.
Total number of gTLDs: 1143, total number of registrars: 1952*

Abuse | gTLD 50 | Registrar 50 | gTLD 90 | Registrar 90
Phishing | 1 | 7 | 11 | 45
Malware | 1 | 2 | 7 | 9
Botnet | 2 | 3 | 5 | 28
Spam | 4 | 3 | 18 | 18

(*) We removed two parking registrars from those statistics
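The M1 "6 registrars account for 50% of all 1st notices" and the M2 "N gTLDs/registrars account for >50%/>90%" figures come from the same computation: rank the entities by count, accumulate, and find the smallest prefix that passes the threshold. The following is an added example of that computation (and of the per-10,000 rate behind M2.1 to M2.4); it is not code from the ITHI tool chain, and every count in it is constructed sample data rather than a DAAR or ICANN compliance figure.

```python
# Added example for the M1 and M2 concentration slides; not ITHI tool-chain code.
# All counts are constructed sample data.
from typing import Dict, Tuple


def per_ten_thousand(abused: int, registered: int) -> float:
    """M2.x style rate: abused domains per 10,000 registered domain names."""
    if registered == 0:
        return 0.0
    return round(abused * 10_000 / registered, 2)


def concentration(counts: Dict[str, int], percent: int) -> int:
    """Smallest number of top-ranked entities (gTLDs or registrars) whose
    cumulative share of the total is strictly greater than `percent` percent
    (50 for ">50%", 90 for ">90%").  Returns 0 when there is nothing to rank.
    The comparison is done on integers so no floating-point rounding is involved."""
    total = sum(counts.values())
    if total == 0:
        return 0
    ranked = sorted(counts.values(), reverse=True)
    cumulative = 0
    for n, value in enumerate(ranked, start=1):
        cumulative += value
        if 100 * cumulative > percent * total:
            return n
    return len(ranked)


def concentration_table(by_gtld: Dict[str, Dict[str, int]],
                        by_registrar: Dict[str, Dict[str, int]]
                        ) -> Dict[str, Tuple[int, int, int, int]]:
    """One row per abuse type in the slide's column order:
    (gTLD 50, Registrar 50, gTLD 90, Registrar 90)."""
    return {
        abuse: (concentration(by_gtld[abuse], 50),
                concentration(by_registrar[abuse], 50),
                concentration(by_gtld[abuse], 90),
                concentration(by_registrar[abuse], 90))
        for abuse in by_gtld
    }


# Constructed sample: abused-domain counts per gTLD and per registrar.
ABUSE_BY_GTLD = {
    "phishing": {"tld-a": 60, "tld-b": 15, "tld-c": 10, "tld-d": 8, "tld-e": 4, "tld-f": 3},
    "spam": {"tld-a": 40, "tld-b": 30, "tld-c": 20, "tld-d": 10},
}
ABUSE_BY_REGISTRAR = {
    "phishing": {"reg-1": 30, "reg-2": 25, "reg-3": 20, "reg-4": 15, "reg-5": 10},
    "spam": {"reg-1": 90, "reg-2": 5, "reg-3": 5},
}

if __name__ == "__main__":
    print("phishing domains per 10,000 (428 of 1,000,000):", per_ten_thousand(428, 1_000_000))
    for abuse, row in concentration_table(ABUSE_BY_GTLD, ABUSE_BY_REGISTRAR).items():
        print(f"{abuse:9} gTLD50={row[0]} Reg50={row[1]} gTLD90={row[2]} Reg90={row[3]}")
```

With the constructed data, phishing gives (1, 2, 4, 5) and spam (2, 1, 4, 2): one gTLD already holds 60% of the phishing domains, while the registrar side is flatter and needs all five to pass 90%. The strict ">" matches the M2 slide's wording; a cumulative share that lands exactly on the threshold (the spam registrar at 90 of 100) does not count.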

M3: Root Traffic Analysis

Metric | Current | Average
M3.1 (% "no such domain" queries) | 64.44% | 64.83%
M3.2 (% cacheable queries) | 28.94% | 28.77%
Core (100% - M3.1 - M3.2) | 6.63% | 6.40%

Components of M3.1:
M3.3.1 (% RFC 6761 names) | 3.44% | 3.44%
M3.3.2 (% frequently leaked strings) | 9.37% | 9.37%
M3.3.3 (% frequent patterns) | 41.47% | 40.67%
M3.3.4 (% other types of names) | 9.80% | 11.35%

M3.3.1, M3.3.2, M3.3.3 also provide the list of frequently seen RFC 6761 names, leaked strings, or generated patterns.

M3.3.1 (% RFC 6761 names): 3.44% / 3.44%

RFC 6761 name | Current value | Average value
LOCAL | 2.77% | 2.78%
LOCALHOST | 0.35% | 0.34%
INVALID | 0.31% | 0.30%
TEST | 0.01% | 0.01%
EXAMPLE | 0.01% | 0.01%
ONION | 0.00% | 0.01%

M3.3.2 (Frequently Leaked Strings): 9.37% / 9.37%

Frequently used string | Current value | Average value
HOME | 3.54% | 3.67%
DHCPHOST | 0.85% | 0.88%
DHCP | 0.75% | 0.68%
LAN | 0.49% | 0.64%
INTERNAL | 0.45% | 0.46%
LOCALDOMAIN | 0.43% | 0.44%
IP | 0.43% | 0.64%
OPENSTACKLOCAL | 0.34% | 0.40%
DLINK | 0.34% | 0.31%
CORP | 0.23% | 0.22%
DAVOLINK | 0.20% | 0.19%

M3.3.3 (% Frequent Patterns): 41.47% / 40.67%

"Patterns" defined as "length of TLD string".
Chart shows % of "no such domain" queries for specific TLD lengths.
Lengths 21 to 63 omitted: very small, they account for less than 1% of queries.
Many strings of length 7..15 look like "Domain Generation Algorithms".

[Chart: % of "no such domain" queries (0.00% to 5.00%) by TLD string length, 1 to 20.]

M4: DNS Recursive Server Analysis

Metric | Current | Average
M4.1 % delegated TLDs | 98.75% | 99.03%
M4.2 % RFC 6761 names | 0.07% | 0.07%
M4.3 % frequently used strings | 0.87% | 0.58%
M4.4 All other traffic | 0.32% | 0.31%

M4.1, M4.2, M4.3 also provide the list of frequently seen RFC 6761 names, leaked strings, or generated patterns.
M4 presents "what the DNS clients are sending"; M3 presents "what the root is receiving, after filtering by DNS resolvers".

Results for January and February from a single point of measurement!

M4.2: Queries to RFC 6761 Names: 0.07% / 0.07%

RFC 6761 name | Current value | Average value
LOCALHOST | 0.06% | 0.07%
LOCAL | 0.01% | 0.00%
INVALID | 0.00% | 0.00%

M4.3: Queries to Frequently Used Strings: 0.87% / 0.58%

Frequently used string | Current value | Average value
(local host names) | 0.79% | 0.47%
UNIFI | 0.04% | 0.07%
DNS | 0.03% | 0.02%
INTERNAL | 0.01% | 0.01%
HOME | 0.00% | 0.00%
DOMAIN | 0.00% | 0.01%
LAN | 0.00% | 0.00%
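The M3 and M4 slides describe the same classification applied at two vantage points: at the root, NXDOMAIN queries are split into RFC 6761 names, frequently leaked strings and "patterns" grouped by TLD string length (M3.3.x); at a recursive resolver, all queries are split into delegated TLDs, RFC 6761 names, frequently used strings and "other" (M4.x). The code below is an added example of both classifications over a constructed query sample; it is not the ITHI tool chain's code. The RFC 6761 list is the one on the M3.3.1 slide, the leaked-string list is the M3.3.2 shortlist, and the delegated-TLD set and the rule that TLDs longer than 20 characters fall into "other types of names" (M3.3.4) are assumptions made for the example. M3.2 (cacheable queries) needs TTL and cache modelling and is not covered here.

```python
# Added example for the M3 / M4 traffic classification slides; not ITHI tool-chain code.
# The query sample, delegated-TLD set and the "longer than 20 => other" rule are constructed.
from collections import Counter
from typing import Dict, Iterable, Set, Tuple

RFC6761_NAMES = {"local", "localhost", "invalid", "test", "example", "onion"}   # M3.3.1 slide
LEAKED_STRINGS = {"home", "dhcphost", "dhcp", "lan", "internal", "localdomain",  # M3.3.2 slide
                  "ip", "openstacklocal", "dlink", "corp", "davolink"}
MAX_PATTERN_LENGTH = 20  # the M3.3.3 chart covers lengths 1..20; longer TLDs go to "other" (assumption)


def tld_of(qname: str) -> str:
    """Rightmost label of a query name, lower-cased, ignoring the trailing dot."""
    return qname.rstrip(".").lower().rsplit(".", 1)[-1]


def pct(n: int, total: int) -> float:
    """Percentage, multiplying before dividing so exact fractions stay exact."""
    return 100.0 * n / total if total else 0.0


def nxdomain_category(tld: str) -> str:
    """M3.3.x bucket for the TLD of an NXDOMAIN query seen at the root."""
    if tld in RFC6761_NAMES:
        return "rfc6761"
    if tld in LEAKED_STRINGS:
        return "leaked"
    if len(tld) <= MAX_PATTERN_LENGTH:
        return "pattern"   # reported by TLD length in M3.3.3
    return "other"


def m3_metrics(queries: Iterable[Tuple[str, str]]) -> Dict[str, object]:
    """queries: (qname, rcode) pairs as a root server would answer them.
    Returns M3.1 and its components as % of all queries, plus the TLD-length
    histogram (also % of all queries) that the M3.3.3 chart plots."""
    queries = list(queries)
    total = len(queries)
    cats: Counter = Counter()
    lengths: Counter = Counter()
    nxdomain = 0
    for qname, rcode in queries:
        if rcode != "NXDOMAIN":
            continue
        nxdomain += 1
        tld = tld_of(qname)
        cat = nxdomain_category(tld)
        cats[cat] += 1
        if cat == "pattern":
            lengths[len(tld)] += 1
    return {
        "M3.1": pct(nxdomain, total),
        "M3.3.1": pct(cats["rfc6761"], total),
        "M3.3.2": pct(cats["leaked"], total),
        "M3.3.3": pct(cats["pattern"], total),
        "M3.3.4": pct(cats["other"], total),
        "length_histogram": {n: pct(c, total) for n, c in sorted(lengths.items())},
    }


def m4_metrics(queries: Iterable[Tuple[str, str]], delegated_tlds: Set[str]) -> Dict[str, float]:
    """Resolver-side view: what clients send, classified by name only (no rcode needed)."""
    queries = list(queries)
    total = len(queries)
    cats: Counter = Counter()
    for qname, _rcode in queries:
        tld = tld_of(qname)
        if tld in delegated_tlds:
            cats["delegated"] += 1
        elif tld in RFC6761_NAMES:
            cats["rfc6761"] += 1
        elif tld in LEAKED_STRINGS:
            cats["leaked"] += 1
        else:
            cats["other"] += 1
    return {"M4.1": pct(cats["delegated"], total), "M4.2": pct(cats["rfc6761"], total),
            "M4.3": pct(cats["leaked"], total), "M4.4": pct(cats["other"], total)}


# Constructed sample capture: 6 queries for delegated names, 14 NXDOMAIN queries.
DELEGATED_TLDS = {"com", "org", "net", "xn--constructed"}
SAMPLE_QUERIES = [
    ("www.example.com.", "NOERROR"), ("mail.example.org.", "NOERROR"),
    ("ns1.example.net.", "NOERROR"), ("www.iana.org.", "NOERROR"),
    ("www.icann.org.", "NOERROR"), ("idn.xn--constructed.", "NOERROR"),
    ("host.local.", "NXDOMAIN"), ("printer.LOCAL.", "NXDOMAIN"), ("localhost.", "NXDOMAIN"),
    ("foo.invalid.", "NXDOMAIN"), ("test.", "NXDOMAIN"),                 # RFC 6761: 5
    ("router.home.", "NXDOMAIN"), ("nas.lan.", "NXDOMAIN"),
    ("pc1.dhcphost.", "NXDOMAIN"), ("host.corp.", "NXDOMAIN"),           # leaked: 4
    ("a1b2c3d4.xkqz.", "NXDOMAIN"), ("ab.wxyz.", "NXDOMAIN"),
    ("cdn.belkin.", "NXDOMAIN"), ("x.kwzrtqplmxvb.", "NXDOMAIN"),        # patterns: len 4, 4, 6, 12
    ("y.abcdefghijklmnopqrstuvwxy.", "NXDOMAIN"),                        # other: len 25
]

if __name__ == "__main__":
    print(m3_metrics(SAMPLE_QUERIES))
    print(m4_metrics(SAMPLE_QUERIES, DELEGATED_TLDS))
```

On the sample, M3.1 is 70% and its four components add up to it exactly (25 + 20 + 20 + 5); the length histogram shows two length-4 strings and one each of length 6 and 12. The same capture seen from the resolver side gives M4.1 = 30%, because the six delegated-name queries are the only ones a resolver would forward to the root as "core" traffic.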

M6: IANA Registries for DNS Parameters

Usage (M6.<r>.<n>.1):
Metric | Registry table name | Current | Average
M6.DNS.01.1 | DNS CLASSes | 33.33% | 33.85%
M6.DNS.02.1 | Resource Record (RR) TYPEs | 19.77% | 19.77%
M6.DNS.08.1 | DNS EDNS0 Option Codes (OPT) | 40.00% | 40.00%
M6.DNSSEC.3.3 | DNS Security Algorithm Numbers | 70.59% | 70.59%
M6.DANE.1.1 | TLSA Certificate Usages | 0.00% | 0.00%

Squatting (M6.<r>.<n>.2):
Metric | Registry table name | Current | Average
M6.DNS.01.2 | DNS CLASSes | 0.00% | 0.00%
M6.DNS.02.2 | Resource Record (RR) TYPEs | 0.00% | 0.00%
M6.DNS.08.2 | DNS EDNS0 Option Codes (OPT) | 0.11% | 0.60%
M6.DNSSEC.3.3 | DNS Security Algorithm Numbers | 0.00% | 0.00%
M6.DANE.1.2 | TLSA Certificate Usages | 0.00% | 0.00%

M6.<r>.<n>.1: Usage. Nb values seen / values registered
M6.<r>.<n>.2: Squatting. Nb non-registered / total usage

The DNS EDNS0 option code 0 is "reserved" and option code 65001 is "reserved for local/experimental use".
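The two M6 ratios are defined above only by their one-line formulas. The following added example (not the ITHI tool chain's code) computes both for the EDNS0 option code registry the slide singles out, using a constructed registry excerpt and constructed traffic counts. How reserved and local/experimental code points should be treated is not stated on the slide; the example assumes they count neither as "registered" for the usage ratio nor as squatting, and reports their use separately.

```python
# Added example for the M6 usage / squatting ratios; not ITHI tool-chain code.
# Registry excerpt and traffic counts are constructed; the treatment of reserved
# and local/experimental code points is an assumption.
from collections import Counter
from typing import Dict, Set

# Excerpt of the IANA "DNS EDNS0 Option Codes (OPT)" registry.  Real entries:
# 0 Reserved, 3 NSID, 5 DAU, 8 edns-client-subnet, 10 COOKIE,
# 11 edns-tcp-keepalive, 12 Padding; 65001 is in the 65001-65534 range
# reserved for local/experimental use.  Statuses are this example's own labels.
EDNS0_OPTION_CODES: Dict[int, str] = {
    0: "reserved", 3: "assigned", 5: "assigned", 8: "assigned",
    10: "assigned", 11: "assigned", 12: "assigned", 65001: "experimental",
}

# Constructed traffic sample: option code -> number of queries carrying it.
# 65280 is not in the registry at all, so it counts as squatting.
OBSERVED_OPTION_CODES = Counter({10: 500, 8: 300, 12: 150, 3: 40, 65001: 6, 65280: 3, 0: 1})


def pct(n: int, total: int) -> float:
    return 100.0 * n / total if total else 0.0


def assigned_codes(registry: Dict[int, str]) -> Set[int]:
    return {code for code, status in registry.items() if status == "assigned"}


def m6_usage(registry: Dict[int, str], observed: Counter) -> float:
    """M6.<r>.<n>.1: registered (assigned) values seen in traffic / values registered."""
    assigned = assigned_codes(registry)
    seen = {code for code, n in observed.items() if n > 0 and code in assigned}
    return pct(len(seen), len(assigned))


def m6_squatting(registry: Dict[int, str], observed: Counter) -> float:
    """M6.<r>.<n>.2: queries using values absent from the registry / total usage."""
    total = sum(observed.values())
    unregistered = sum(n for code, n in observed.items() if code not in registry)
    return pct(unregistered, total)


def m6_reserved_use(registry: Dict[int, str], observed: Counter) -> float:
    """Share of queries using reserved or local/experimental code points (reported
    separately so they inflate neither usage nor squatting; an assumption)."""
    total = sum(observed.values())
    reserved = sum(n for code, n in observed.items()
                   if registry.get(code) in ("reserved", "experimental"))
    return pct(reserved, total)


def unused_assigned(registry: Dict[int, str], observed: Counter) -> Set[int]:
    """Assigned code points never seen: the list a registry-hygiene review would start from."""
    return {code for code in assigned_codes(registry) if observed[code] == 0}


if __name__ == "__main__":
    print("usage     %.2f%%" % m6_usage(EDNS0_OPTION_CODES, OBSERVED_OPTION_CODES))
    print("squatting %.2f%%" % m6_squatting(EDNS0_OPTION_CODES, OBSERVED_OPTION_CODES))
    print("reserved  %.2f%%" % m6_reserved_use(EDNS0_OPTION_CODES, OBSERVED_OPTION_CODES))
    print("unused assigned codes:", sorted(unused_assigned(EDNS0_OPTION_CODES, OBSERVED_OPTION_CODES)))
```

With the sample, four of the six assigned codes appear (usage 66.67%), the 3 queries carrying code 65280 are squatting (0.30%), and the 7 queries on codes 0 and 65001 (0.70%) are reported on their own, which is the kind of breakdown the slide's note about codes 0 and 65001 is pointing at.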

List of DNS Parameter Registries Tracked in M6

Group | Parameters | Metric index
DANE | TLSA Certificate Usages | M6.DANE.1
DANE | TLSA Selectors | M6.DANE.2
DANE | TLSA Matching Types | M6.DANE.3
DNS | DNS CLASSes | M6.DNS.1
DNS | Resource Record (RR) TYPEs | M6.DNS.2
DNS | DNS OpCodes | M6.DNS.3
DNS | DNS RCODEs | M6.DNS.4
DNS | AFSDB RR Subtype | M6.DNS.5
DNS | DHCID RR Identifier Type Codes | M6.DNS.6
DNS | DNS Label Types | M6.DNS.7
DNS | DNS EDNS0 Option Codes (OPT) | M6.DNS.8
DNS | DNS Header Flags | M6.DNS.9
DNS | EDNS Header Flags (16 bits) | M6.DNS.10
DNS | EDNS version Number (8 bits) | M6.DNS.11
DNS | Child Synchronization (CSYNC) Flags | M6.DNS.12
DNSSEC | DNS Security Algorithm Numbers | M6.DNSSEC.1
DNSSEC | DNSKEY Record Diffie-Hellman Prime Lengths | M6.DNSSEC.2
DNSSEC | DNSKEY Record Diffie-Hellman Well-Known Prime/Generator Pairs | M6.DNSSEC.3

M7: DNSSEC Deployment

Metric | Current | Average
M7.1 number of signed TLDs / total number of TLDs | 90.6% | 90.6%
M7.2 % DNS queries requesting DNSSEC | TBD | TBD

M7.1: Measured by parsing the root zone, looking for DS records for each TLD.
M7.2: Measured by parsing DNS queries at participating DNS recursive resolvers.
• Clients set the DO option flag to request DNSSEC responses

M7.1: Number of Signed TLDs

M7.1: number of signed TLDs / total number of TLDs
Measured by parsing the root zone, looking for DS records for each TLD.
Current value: 90.6%
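The two M7 measurements are described in one line each: M7.1 parses the root zone and counts TLDs that have a DS record, M7.2 counts queries in which the client set the DO flag. The following added example (not the ITHI tool chain's code) implements both on constructed inputs: a small root-zone excerpt in presentation format with made-up TLD names and digests, and a list of OPT record TTL fields. The DO bit position (bit 15 of the OPT TTL field, per RFC 6891) is a fact; everything else in the sample is constructed.

```python
# Added example for M7.1 (DS records in the root zone) and M7.2 (DO bit);
# not ITHI tool-chain code.  Zone excerpt, TLD names and digests are constructed.
from typing import Iterable, Iterator, List, Optional, Tuple

# Constructed root-zone excerpt, "owner TTL class type rdata" per line.
# Five delegated TLDs; alpha, bravo and charlie carry DS records (alpha has two).
ROOT_ZONE_SAMPLE = """\
; constructed excerpt, not the real root zone
.          86400  IN SOA ns.root.example. hostmaster.root.example. 1 1800 900 604800 86400
.          518400 IN NS  ns.root.example.
alpha.     172800 IN NS  ns1.alpha.
alpha.     172800 IN NS  ns2.alpha.
alpha.     86400  IN DS  11111 8 2 0123456789ABCDEF0123456789ABCDEF   ; constructed digest
alpha.     86400  IN DS  11111 8 1 FEDCBA9876543210FEDCBA98           ; constructed digest
ns1.alpha. 172800 IN A   192.0.2.1
bravo.     172800 IN NS  ns.bravo.
bravo.     86400  IN DS  22222 13 2 00112233445566778899AABBCCDDEEFF  ; constructed digest
charlie.   172800 IN NS  ns.charlie.
charlie.   86400  IN DS  33333 13 2 FFEEDDCCBBAA99887766554433221100  ; constructed digest
delta.     172800 IN NS  ns.delta.
echo.      172800 IN NS  ns.echo.
"""


def pct(n: int, total: int) -> float:
    return 100.0 * n / total if total else 0.0


def parse_zone(text: str) -> Iterator[Tuple[str, str, List[str]]]:
    """Yield (owner, rrtype, rdata fields).  Assumes every record spells out
    TTL and class, as the root zone file does; ';' starts a comment."""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        yield fields[0].lower(), fields[3].upper(), fields[4:]


def is_tld_owner(owner: str) -> bool:
    """A TLD owner name is a single label with the trailing dot (not the apex '.')."""
    return owner != "." and owner.endswith(".") and owner.count(".") == 1


def m7_1(zone_text: str) -> Tuple[int, int, float]:
    """(signed TLDs, delegated TLDs, M7.1 as %).  A TLD is delegated if it has an
    NS record at its apex and signed if it also has at least one DS record."""
    delegated, with_ds = set(), set()
    for owner, rrtype, _rdata in parse_zone(zone_text):
        if not is_tld_owner(owner):
            continue   # apex records and glue (ns1.alpha.) are not TLD delegations
        if rrtype == "NS":
            delegated.add(owner)
        elif rrtype == "DS":
            with_ds.add(owner)
    signed = with_ds & delegated
    return len(signed), len(delegated), pct(len(signed), len(delegated))


DO_BIT = 0x8000   # DO flag: top bit of the EDNS flags, bits 15..0 of the OPT RR TTL field (RFC 6891)


def do_bit_set(opt_ttl: int) -> bool:
    return bool(opt_ttl & DO_BIT)


def m7_2(opt_ttls: Iterable[Optional[int]]) -> float:
    """M7.2 as %: queries with DO set / all queries.  None means the query carried
    no OPT record at all, so it cannot be asking for DNSSEC."""
    ttls = list(opt_ttls)
    requesting = sum(1 for ttl in ttls if ttl is not None and do_bit_set(ttl))
    return pct(requesting, len(ttls))


# Constructed OPT TTL fields: DO set, EDNS without DO, no EDNS, DO set,
# EDNS version 1 with DO set, no EDNS.
SAMPLE_OPT_TTLS: List[Optional[int]] = [0x00008000, 0x00000000, None, 0x00008000, 0x00018000, None]

if __name__ == "__main__":
    signed, total, share = m7_1(ROOT_ZONE_SAMPLE)
    print(f"M7.1: {signed} of {total} TLDs signed = {share:.1f}%")
    print(f"M7.2: {m7_2(SAMPLE_OPT_TTLS):.1f}% of queries set DO")
```

The DS check is per TLD, not per record, so alpha's two DS records count once; a TLD with DS records but no NS record would be ignored rather than counted as signed, which keeps the denominator equal to the set of delegations. For M7.2 the version byte is masked out, so a DO bit set on an EDNS version other than 0 is still counted.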


Thank You and Questions

Visit us at icann.org
