Why Do Malicious Domains Get Registered In the First Place?

Moazzam Khan
Published in allaboutsecurity
Feb 15, 2022

A domain name makes a site easier to remember, because users deal with a human-readable name instead of a machine-readable IP address. It also lets many physical IP addresses sit behind a single name: medium.com can be served by many servers with different IP addresses, yet users only need to remember medium.com. These same properties are attractive to bad actors, because a domain gives them a rendezvous point that is not tied to a static IP. If one address gets blocklisted, they simply point the name at another one and keep going, while defenders who only blocked the IP see nothing.

So the question is how bad actors get hold of these domains. There are two main ways: they can register them through the very same process that legitimate businesses use, or they can hijack domains that belong to someone else. We will discuss the former case, because it is instructive to see how they game the established registration process. Before we can do that, let us look at the main entities involved in registration.

Registrant: The individual, group or enterprise that registers a domain name for its own use.

Registrar: The point of contact or dealer for parties interested in acquiring a domain name. Registrars sell names to registrants and submit the registrations to the registry.

Registry: The operator of a top-level domain. It maintains the authoritative database of the names registered under that TLD, including which registrar sponsors each name.

ICANN: The Internet Corporation for Assigned Names and Numbers, a non-profit organization that accredits registrars and contracts with the registries that operate generic top-level domains (gTLDs) such as .com and .net.

https://www.cloudflare.com/learning/dns/glossary/what-is-a-domain-name-registrar/
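The entities above are exactly what shows up when you look a suspicious domain up. As an added example (not code from the original post), the script below parses a domain RDAP record, the JSON successor to WHOIS that registries and registrars serve in the shape defined by RFC 9083, and pulls out the registrant, the sponsoring registrar with its IANA ID, and the registration date, then flags the signals a triage analyst looks at first: a very recent registration and a redacted registrant. The record is a constructed sample, and the domain name, registrar name, IANA ID and the `ANALYSIS_TIME` clock are placeholders rather than any real registration.

```python
import json
from datetime import datetime, timezone

# Constructed sample RDAP response (RFC 9083 shape); not a real lookup.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "EXAMPLE-LOGIN-VERIFY.COM",
    "status": ["client transfer prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2022-02-10T08:15:00Z"},
        {"eventAction": "expiration", "eventDate": "2023-02-10T08:15:00Z"},
    ],
    "entities": [
        {
            "objectClassName": "entity",
            "roles": ["registrar"],
            "publicIds": [{"type": "IANA Registrar ID", "identifier": "9999"}],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["fn", {}, "text", "Example Registrar, LLC"],
            ]],
        },
        {
            "objectClassName": "entity",
            "roles": ["registrant"],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["fn", {}, "text", "REDACTED FOR PRIVACY"],
            ]],
        },
    ],
})

# Fixed "now" for the worked example so the age below is reproducible.
ANALYSIS_TIME = datetime(2022, 2, 15, tzinfo=timezone.utc)


def _vcard_fn(vcard):
    """Return the formatted name ("fn") from a jCard array, or None."""
    if not vcard or len(vcard) < 2:
        return None
    for prop in vcard[1]:
        if prop and prop[0] == "fn":
            return prop[3]
    return None


def _parse_rdap_time(value):
    """RDAP timestamps are RFC 3339; map the trailing 'Z' for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_rdap(raw):
    """Extract the fields that map onto the registrant / registrar roles."""
    doc = json.loads(raw)
    info = {
        "domain": doc.get("ldhName", "").lower(),
        "status": list(doc.get("status", [])),
        "registered": None,
        "registrar": None,
        "registrar_iana_id": None,
        "registrant": None,
    }
    for event in doc.get("events", []):
        if event.get("eventAction") == "registration":
            info["registered"] = _parse_rdap_time(event["eventDate"])
    for entity in doc.get("entities", []):
        roles = entity.get("roles", [])
        name = _vcard_fn(entity.get("vcardArray"))
        if "registrar" in roles:
            info["registrar"] = name
            for pid in entity.get("publicIds", []):
                if pid.get("type") == "IANA Registrar ID":
                    info["registrar_iana_id"] = pid.get("identifier")
        if "registrant" in roles:
            info["registrant"] = name
    return info


def domain_age_days(info, now):
    """Whole days since registration, or None if the record lacks the event."""
    if info["registered"] is None:
        return None
    return (now - info["registered"]).days


def assess(info, now=None, max_age_days=30):
    """Findings for triage. Signals, not a verdict: a legitimate new
    business produces exactly the same profile."""
    now = now or datetime.now(timezone.utc)
    findings = []
    age = domain_age_days(info, now)
    if age is None:
        findings.append("no registration date in record")
    elif age < max_age_days:
        findings.append(f"newly registered: {age} days old")
    if info["registrant"] is None or "REDACTED" in info["registrant"].upper():
        findings.append("registrant identity not available")
    if any("hold" in s.lower() for s in info["status"]):
        findings.append("domain is on hold (registrar or registry suspended it)")
    return findings


if __name__ == "__main__":
    record = parse_rdap(SAMPLE_RDAP)
    print(record["domain"], "via", record["registrar"], record["registrar_iana_id"])
    for finding in assess(record, now=ANALYSIS_TIME):
        print(" -", finding)
```

In practice the record comes from an HTTPS GET to the TLD's RDAP base URL (published in IANA's RDAP bootstrap file) at `/domain/<name>`. Registrant contact details are usually redacted, as in the sample, so the registrar and the registration date are the fields you can actually act on: a domain a few days old pointing at a login page is worth a second look, but age alone cannot tell a phishing kit from a startup, which is the intent problem the rest of this post is about.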

So how is it possible that, with such an established accreditation system, malicious domains still get registered? There are several reasons.

  • You can’t determine the intent of an individual from the act of registering a domain, any more than a gun seller can tell what a buyer is going to do with the purchase. All the seller can do is run a background check and deny the sale if something turns up. Unfortunately, the checks in domain registration are far more relaxed.
  • The registration process is automated, and there are not sufficient processes in place for validating an individual. Some rogue registrars simply don’t care, as they are interested in selling more domains.
  • Malicious domains are registered under phony names and paid for with stolen or prepaid credit cards, or with cryptocurrencies that are hard to trace.
  • ICANN is failing to adequately regulate or police the entities it oversees; some argue this is outside its scope, since it is a non-profit coordinating body rather than a regulatory authority.

So what can be done to prevent the malicious registration of domains?

I think the biggest responsibility falls on the registrars: they need a stricter validation process before they sell a domain, and they need to continuously monitor the domains they have registered and take them down when abuse is detected. ICANN can also play a big role by auditing registrars and de-accrediting those found engaging in malpractice. Toward this goal it has started a project called Domain Abuse Activity Reporting (DAAR), which monitors registered domains for abuse by collecting domain abuse data from independent security threat-reporting sources.

In summary, the domain name registration process was created at a time when the internet was a relatively benign place. On the modern internet, where domain names are used for crimes including phishing, spam, denial-of-service attacks, cryptojacking (unauthorised crypto mining) and the sale of illegal drugs, a better validation process is required.
