Identifier Technology Health Indicators (ITHI) Alain Durand, Christian Huitema 13 March 2018


Identifier Technology Health Indicators (ITHI)

Alain Durand, Christian Huitema
13 March 2018


ITHI Principles of Operation

• Technical focus
• Problem areas → Metrics → Measurement
• Current value and trend over time
• Automated process to collect & analyse data
• Measurement, not interpretation
• Extraction of statistics to avoid data privacy issues
• Open source tools & results


7 Metrics and Data Sources

Metric Name                               Data Source
M1: Inaccuracy of Whois Data              ICANN compliance dept.
M2: Domain Name Abuse                     ICANN’s DAAR Project https://www.icann.org/octo-ssr/daar
M3: DNS Root Traffic Analysis             Scans of DNS root traffic
M4: DNS Recursive Server Analysis         Scan of recursive resolvers traffic
M5: (TBD)                                 (TBD)
M6: IANA registries for DNS parameters    Scan of recursive resolvers traffic
M7: DNSSEC Deployment                     Snapshots of DNS root zone


ITHI Time Line

• 2017: definition of metrics, prototype tool chain.
• Jan-Feb 2018: initial captures: M1, M2, M3, and M7
• Initial result from small set of sources M4 and M6
• Mar 2018: first data presented at ICANN meeting
• Next steps:
  • Jun 2018: M5
  • pipeline automation, publish metrics on ICANN website


M1: Inaccuracy of Whois Data

M1 metric name                                                         Current value
M1.1 = Number of “validated complaints” per million registrations.     5.9


Concentration of 1st Notices

[Chart: Y axis 0% to 100%; X axis: Registrars, ranked by number of 1st notices they received]

Total number of registrars: 1954

6 Registrars account for 50% of all 1st Notices sent
44 Registrars account for 90% of all 1st Notices sent


M2.*: Number of Abused Domains per 10,000 Registrations

M2 metric name                                                                  Global Average
M2.1 = number of Phishing Domains per 10,000 registered domain names            4.28
M2.2 = number of Malware Domains per 10,000 registered domain names             3.28
M2.3 = number of Botnet C&C Domains per 10,000 registered domain names          2.89
M2.4 = number of Spam Domains per 10,000 registered domain names                86.73

Total number of gTLDs: 1143, Total number of registrars: 1952

Data from 01/31/2018


[Charts, one per abuse type (Phishing, Malware, Botnets C&C, Spam), by gTLD; Y axis 0% to 100%]

1 gTLD accounts for >50% of all Phishing
11 gTLDs account for >90% of all Phishing

1 gTLD accounts for >50% of all Malware
7 gTLDs account for >90% of all Malware

2 gTLDs account for >50% of all Botnets
5 gTLDs account for >90% of all Botnets

4 gTLDs account for >50% of all Spam
18 gTLDs account for >90% of all Spam


[Charts, one per abuse type (Spam, Botnet, Malware, Phishing), by Registrar; Y axis 0% to 100%]

7 Registrars account for >50% of all Phishing
45 Registrars account for >90% of all Phishing

2 Registrars account for >50% of all Malware
9 Registrars account for >90% of all Malware

3 Registrars account for >50% of all Botnets
28 Registrars account for >90% of all Botnets

3 Registrars account for >50% of all Spam
18 Registrars account for >90% of all Spam

Note: the Registrar data is gated by accessibility to whois data


M2.*: Concentration of Abuse

Table shows the number of TLDs/Registrars to account for >50%/90% of all abuse of the specified type.

Total number of gTLDs: 1143, Total number of registrars: 1952*

Abuse       gTLD50   Registrar50   gTLD90   Registrar90
Phishing    1        7             11       45
Malware     1        2             7        9
Botnet      2        3             5        28
Spam        4        3             18       18

(*) We removed two parking registrars from those statistics
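
How the columns of this table can be computed from per-gTLD or per-registrar abuse counts, as an added example (not part of the slides or of the ITHI tools). The counts and the names `tld-a`, `reg-a` and `parking-1` are constructed; the `exclude` parameter models the removal of parking registrars mentioned in the footnote.

```python
def concentration(counts, percents=(50, 90), exclude=()):
    """For each percentage (below 100), return the smallest number of
    entities (gTLDs or registrars) whose combined count is strictly more
    than that share of the total: the gTLD50 / gTLD90 style columns."""
    kept = {k: v for k, v in counts.items() if k not in exclude and v > 0}
    total = sum(kept.values())
    result = {p: 0 for p in percents}
    pending = sorted(percents)
    running = 0
    # Rank entities from most to least abused; ties broken by name.
    ranked = sorted(kept.items(), key=lambda kv: (-kv[1], kv[0]))
    for n, (_, value) in enumerate(ranked, start=1):
        running += value
        # Integer arithmetic avoids float rounding right at the threshold.
        while pending and running * 100 > pending[0] * total:
            result[pending.pop(0)] = n
    return result


# Constructed sample data: abuse counts per entity, not DAAR figures.
PHISHING_BY_GTLD = {"tld-a": 520, "tld-b": 150, "tld-c": 120, "tld-d": 90,
                    "tld-e": 60, "tld-f": 40, "tld-g": 20}
SPAM_BY_REGISTRAR = {"parking-1": 900, "reg-a": 30, "reg-b": 30,
                     "reg-c": 25, "reg-d": 15}

if __name__ == "__main__":
    print(concentration(PHISHING_BY_GTLD))
    print(concentration(SPAM_BY_REGISTRAR))
    # A single dominant parking registrar hides the spread among the rest.
    print(concentration(SPAM_BY_REGISTRAR, exclude={"parking-1"}))
```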


M3: Root Traffic Analysis

Metric                                   Current   Average
M3.1 (% No Such Domain queries)          64.44%    64.83%
M3.2 (% cacheable queries)               28.94%    28.77%
Core (100% - M3.1 - M3.2)                6.63%     6.40%

Components of M3.1:
M3.3.1 (% RFC 6761 names)                3.44%     3.44%
M3.3.2 (% frequently leaked strings)     9.37%     9.37%
M3.3.3 (% frequent patterns)             41.47%    40.67%
M3.3.4 (% other types of names)          9.80%     11.35%

M3.3.1, M3.3.2, M3.3.3 also provide the list of frequently seen RFC 6761 names, leaked strings, or generated patterns.


M3.3.1 (% RFC 6761 names) 3.44% / 3.44%

RFC 6761 name   Current value   Average value
LOCAL           2.77%           2.78%
LOCALHOST       0.35%           0.34%
INVALID         0.31%           0.30%
TEST            0.01%           0.01%
EXAMPLE         0.01%           0.01%
ONION           0.00%           0.01%


M3.3.2 (Frequently Leaked Strings) 9.37% / 9.37%

Frequently used string   Current value   Average value
HOME                     3.54%           3.67%
DHCPHOST                 0.85%           0.88%
DHCP                     0.75%           0.68%
LAN                      0.49%           0.64%
INTERNAL                 0.45%           0.46%
LOCALDOMAIN              0.43%           0.44%
IP                       0.43%           0.64%
OPENSTACKLOCAL           0.34%           0.40%
DLINK                    0.34%           0.31%
CORP                     0.23%           0.22%
DAVOLINK                 0.20%           0.19%


M3.3.3 (% Frequent Patterns) 41.47% / 40.67%

• “Patterns” defined as “length of TLD string”
• Chart shows % of “no such domain” queries for specific TLD lengths
• Length 21 to 63 omitted – very small, account for less than 1% of queries
• Many strings of length 7..15 look like “Domain Generation Algorithms”

[Chart: % of “no such domain” queries (Y axis, 0.00% to 5.00%) by TLD string length (X axis, 1 to 20)]
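
A sketch of the M3.3.1 to M3.3.3 breakdown over the query names of NXDOMAIN responses, as an added example (not part of the slides or of the ITHI tools). The two name lists are copied from the slides above; the sample query names, the `total_queries` parameter and the rule that every remaining TLD is bucketed by its length are assumptions made for this illustration.

```python
from collections import Counter

# Name lists copied from the M3.3.1 and M3.3.2 slides.
RFC6761 = {"LOCAL", "LOCALHOST", "INVALID", "TEST", "EXAMPLE", "ONION"}
LEAKED = {"HOME", "DHCPHOST", "DHCP", "LAN", "INTERNAL", "LOCALDOMAIN",
          "IP", "OPENSTACKLOCAL", "DLINK", "CORP", "DAVOLINK"}


def tld_of(qname):
    """Rightmost label of a query name, upper-cased; '' for the root itself."""
    labels = [l for l in qname.strip().rstrip(".").split(".") if l]
    return labels[-1].upper() if labels else ""


def classify(qname):
    """Return (category, key) for the TLD of a non-existent name."""
    tld = tld_of(qname)
    if tld in RFC6761:
        return ("rfc6761", tld)
    if tld in LEAKED:
        return ("leaked", tld)
    if 1 <= len(tld) <= 63:          # assumption: pattern = TLD length
        return ("length", len(tld))
    return ("other", tld)


def summarize(nxdomain_qnames, total_queries):
    """Percent of all root queries per category and per (category, key)."""
    cats, detail = Counter(), Counter()
    for q in nxdomain_qnames:
        cat, key = classify(q)
        cats[cat] += 1
        detail[(cat, key)] += 1
    pct = lambda v: round(100.0 * v / total_queries, 2)
    return ({c: pct(v) for c, v in cats.items()},
            {k: pct(v) for k, v in detail.items()})


# Constructed sample: names that drew NXDOMAIN, out of 20 queries in total.
SAMPLE = ["printer.local.", "localhost", "router.home", "fileserver.corp.",
          "nas.lan", "kqzvxwplmt.", "xjwqpzkvbrt", "host.invalid",
          "a.b.dlink", "."]

if __name__ == "__main__":
    by_category, by_key = summarize(SAMPLE, total_queries=20)
    print(by_category)
    print(by_key)
```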


M4: DNS Recursive Server Analysis

Metric                               Current   Average
M4.1 % delegated TLDs.               98.75%    99.03%
M4.2 % RFC 6761 names                0.07%     0.07%
M4.3 % frequently used strings.      0.87%     0.58%
M4.4 All other traffic               0.32%     0.31%

M4.1, M4.2, M4.3 also provide the list of frequently seen RFC 6761 names, leaked strings, or generated patterns.
M4 presents “what the DNS clients are sending”
M3 presents “what the root is receiving, after filters by DNS resolvers”

Results for January and February from single point of measurement!


M4.2: Queries to RFC 6761 Names 0.07% / 0.07%

RFC 6761 name   Current value   Average value
LOCALHOST       0.06%           0.07%
LOCAL           0.01%           0.00%
INVALID         0.00%           0.00%


M4.3: Queries to Frequently Used Strings 0.87% / 0.58%

Frequently used string   Current value   Average value
(local host names)       0.79%           0.47%
UNIFI                    0.04%           0.07%
DNS                      0.03%           0.02%
INTERNAL                 0.01%           0.01%
HOME                     0.00%           0.00%
DOMAIN                   0.00%           0.01%
LAN                      0.00%           0.00%


M6: IANA Registries for DNS Parameters

Metric          Registry table name               Current   Average
M6.DNS.01.1     DNS CLASSes                       33.33%    33.85%
M6.DNS.02.1     Resource Record (RR) TYPEs        19.77%    19.77%
M6.DNS.08.1     DNS EDNS0 Option Codes (OPT)      40.00%    40.00%
M6.DNSSEC.3.3   DNS Security Algorithm Numbers    70.59%    70.59%
M6.DANE.1.1     TLSA Certificate Usages           0.00%     0.00%

Metric          Registry table name               Current   Average
M6.DNS.01.2     DNS CLASSes                       0.00%     0.00%
M6.DNS.02.2     Resource Record (RR) TYPEs        0.00%     0.00%
M6.DNS.08.2     DNS EDNS0 Option Codes (OPT)      0.11%     0.60%
M6.DNSSEC.3.3   DNS Security Algorithm Numbers    0.00%     0.00%
M6.DANE.1.2     TLSA Certificate Usages           0.00%     0.00%

M6.<r>.<n>.1: Usage. Nb values seen / values registered

M6.<r>.<n>.2: Squatting. Nb non registered / total usage

The DNS EDNS0 options code 0 is “reserved” and option code 65001 is “reserved for local/experimental use”.
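
The usage and squatting ratios for the EDNS0 option code registry, computed from OPT record RDATA, as an added example (not part of the slides or of the ITHI tools). It reads "usage" as distinct registered codes seen over codes registered and "squatting" as occurrences of unregistered codes over all occurrences, which is an assumption; `REGISTERED` is a constructed excerpt of the registry and the sample RDATA is constructed.

```python
import struct
from collections import Counter

# Constructed excerpt of the "DNS EDNS0 Option Codes (OPT)" registry.
REGISTERED = {3: "NSID", 8: "edns-client-subnet", 10: "COOKIE",
              11: "edns-tcp-keepalive", 12: "Padding"}


def opt_codes(rdata):
    """Yield the option codes in an OPT RR RDATA (RFC 6891: repeated
    2-byte code, 2-byte length, then `length` bytes of option data)."""
    pos = 0
    while pos + 4 <= len(rdata):
        code, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4 + length
        if pos > len(rdata):      # truncated option: stop, do not count it
            return
        yield code


def m6_usage_squatting(rdatas, registered=REGISTERED):
    """Return (usage, squatting, sorted list of unregistered codes seen)."""
    counts = Counter(c for r in rdatas for c in opt_codes(r))
    total = sum(counts.values())
    seen_registered = sum(1 for c in counts if c in registered)
    unregistered = {c: n for c, n in counts.items() if c not in registered}
    usage = seen_registered / len(registered)
    squatting = sum(unregistered.values()) / total if total else 0.0
    return usage, squatting, sorted(unregistered)


def opt(code, data=b""):
    """Build one EDNS0 option (helper for the constructed sample)."""
    return struct.pack("!HH", code, len(data)) + data


# Constructed OPT RDATA, one entry per observed query.
SAMPLE = [
    opt(10, bytes(8)),
    opt(10, bytes(8)) + opt(8, bytes.fromhex("00011800c00002")),
    opt(3),
    opt(65001, b"\x01\x02"),          # local/experimental use code
    opt(12, bytes(4)) + opt(10, bytes(8)),
    opt(10, bytes(8))[:-3],           # truncated option, ignored
]

if __name__ == "__main__":
    print(m6_usage_squatting(SAMPLE))
```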


List of DNS Parameter Registries Tracked in M6

Group    Parameters                                                        Metric Index
DANE     TLSA Certificate Usages                                           M6.DANE.1
DANE     TLSA Selectors                                                    M6.DANE.2
DANE     TLSA Matching Types                                               M6.DANE.3
DNS      DNS CLASSes                                                       M6.DNS.1
DNS      Resource Record (RR) TYPEs                                        M6.DNS.2
DNS      DNS OpCodes                                                       M6.DNS.3
DNS      DNS RCODEs                                                        M6.DNS.4
DNS      AFSDB RR Subtype                                                  M6.DNS.5
DNS      DHCID RR Identifier Type Codes                                    M6.DNS.6
DNS      DNS Label Types                                                   M6.DNS.7
DNS      DNS EDNS0 Option Codes (OPT)                                      M6.DNS.8
DNS      DNS Header Flags                                                  M6.DNS.9
DNS      EDNS Header Flags (16 bits)                                       M6.DNS.10
DNS      EDNS version Number (8 bits)                                      M6.DNS.11
DNS      Child Synchronization (CSYNC) Flags                               M6.DNS.12
DNSSEC   DNS Security Algorithm Numbers                                    M6.DNSSEC.1
DNSSEC   DNSKEY Record Diffie-Hellman Prime Lengths                        M6.DNSSEC.2
DNSSEC   DNSKEY Record Diffie-Hellman Well-Known Prime/Generator Pairs     M6.DNSSEC.3


M7: DNSSEC Deployment

Metric                                               Current   Average
M7.1 number of signed TLD / total number of TLD      90.6%     90.6%
M7.2 % DNS Queries requesting DNSSEC                 TBD       TBD

M7.1 Measured by parsing the root zone, looking for DS records for each TLD.

M7.2 Measured by parsing DNS queries at participating DNS recursive resolvers
• Clients set DO option flag to request DNS responses


M7.1: Number of Signed TLDs

M7.1: number of signed TLD / total number of TLD

Measured by parsing the root zone, looking for DS records for each TLD.

Current value: 90.6%
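
The M7.1 measurement on a root zone snapshot, as an added example (not part of the slides or of the ITHI tools). It assumes a zone file with one fully qualified record per line (`owner TTL IN TYPE RDATA`); the TLD names `alpha`, `bravo` and `charlie` and every record in the sample are constructed.

```python
def signed_tlds(zone_text):
    """Return (signed_count, tld_count, unsigned_tlds) for a root zone.
    A TLD is a single-label owner name with an NS record; it counts as
    signed when a DS record exists at the same owner name."""
    delegated, with_ds = set(), set()
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()      # drop comments
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        label = fields[0].lower().rstrip(".")
        rtype = fields[3].upper()
        if not label or "." in label:   # skip the root apex and glue hosts
            continue
        if rtype == "NS":
            delegated.add(label)
        elif rtype == "DS":             # an RRSIG covering DS is not a DS
            with_ds.add(label)
    signed = delegated & with_ds
    return len(signed), len(delegated), sorted(delegated - signed)


def m7_1_percent(zone_text):
    """Signed TLDs as a percentage of all delegated TLDs."""
    signed, total, _ = signed_tlds(zone_text)
    return round(100.0 * signed / total, 1) if total else 0.0


# Constructed zone excerpt; digests and signatures are placeholders.
SAMPLE_ZONE = """\
. 86400 IN SOA ns.root.example. admin.root.example. 2018031300 1800 900 604800 86400
. 518400 IN NS ns.root.example.
alpha. 172800 IN NS ns1.alpha.
alpha. 86400 IN DS 12345 8 2 AABBCCDD ; placeholder digest
alpha. 86400 IN RRSIG DS 8 1 86400 20180326050000 20180313040000 11111 . c2FtcGxl
ns1.alpha. 172800 IN A 192.0.2.1
bravo. 172800 IN NS ns.example.net.
BRAVO. 86400 IN DS 23456 8 2 EEFF0011
charlie. 172800 IN NS ns.example.net.
charlie. 86400 IN NSEC delta. NS RRSIG NSEC
"""

if __name__ == "__main__":
    print(signed_tlds(SAMPLE_ZONE), m7_1_percent(SAMPLE_ZONE))
```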


Thank You and Questions

Visit us at icann.org