Reputation Metrics Design to Improve Intermediary Incentives for Security of TLDs
In this presentation, we describe security metrics for Top-Level Domains (TLDs) and we measure their operational values using DNS query data and other data sources such as botnet and phishing feeds. They can serve as publicly available signals to different classes intermediaries such as registries, registrars, or hosting providers and can offer the option to benchmark themselves against their market. There currently exists very little empirical information about the security performance of TLDs and of the overall DNS ecosystem.
We distinguish three types of security metrics, each at a different layer of ab- straction. The top-layer involves the security metrics of an entire TLD such as .nl, .com, or .amsterdam. The second layer of abstraction consists of security metrics for market players under TLDs. These are Internet infrastructure providers, registries, registrars, and hosting providers. Examples of security metrics at this layer include concentration of malicious domains across players and their up-times. The third layer is a break-down of the second layer and involves security metrics for network resources managed by each of the players, such as DNS resolvers, or authoritative name servers. In this presentation, we pay a special attention to the second layer and we develop reputation metrics for registries, registrars, and hosting providers with the respect to the TLD layer.
In our future work, we plan to correlate the abuse rate reflected in the here-proposed reputation metrics with registry policy, such as pricing, the correctness of the whois data, security monitoring of the DNS infrastructure, etc.