14-15 May 2017
Europe/Madrid timezone

Survey of DNS abuse types from a TLD point of view

15 May 2017, 14:45
Standard Presentation Public Workshop Public Workshop: Security and Privacy


Dr Giovane Moura (SIDN Labs)


Please see the paper at [1] and the blog post at [2]. But in short, this is a concise survey paper on the forms of DNS abuse and their relation with TLD operators. We show how we can use the datasets we have in hand to detect these sorts of abuse, and how each of them has different business models that leave distinct traces on our datasets. IMHO, I think other TLD operators may benefit from that. Please keep in mind that this is a short paper (6 pages) to be presented at the DISSEC2017 workshop, co-hosted with IEEE IM 2017.

[1] https://www.sidnlabs.nl/downloads/papers-reports/dissect2017.pdf
[2] https://www.sidnlabs.nl/a/weblog/survey-of-dns-abuse-types?language_id=2


Hidden behind domain names, there are lucrative (and ingenious) business models that misuse or abuse the DNS namespace and employ diverse forms of monetization. To curb some of those abuses, many research works have been proposed. However, while having a clear contribution and advancing the state of the art, these works are constrained by their limited datasets, and none of them presents a survey on the forms of DNS abuse. In this paper, we address these limitations by presenting a case study of one top-level domain (TLD) operator, .nl, with diverse longitudinal datasets. We then cover eight business models that DNS abusers employ and their respective forms of monetization, and discuss how TLD operators can employ these datasets to detect these forms of abuse.

Talk Duration 15 Minutes


