New gTLDs Account for 51% of Domains Considered Security Threats, But Only 12% of Total gTLD Registrations

Security threats in all gTLDs are roughly split 50/50 between new gTLDs and legacy gTLDs; however, new gTLDs account for only 12% of domain names registered across all generic top-level domains, according to the first monthly report published by ICANN that provides statistics and insight into security threats to gTLDs.

The Domain Abuse Activity Reporting (DAAR) System reported at least one security threat in 357 of the 1153 gTLDs on 31 January, in comparison to 376 of the 1210 gTLDs identified on 31 December 2018. As a result, the report provides an analysis for only the 192,582,923 domains within the 357 gTLDs with at least one security threat. The report doesn’t identify individual gTLDs.

The report [pdf] shows approximately 88% of the resolving domain names were in gTLDs launched before 2010 (or legacy gTLDs). Of the 1,506,617 domains identified as security threats, 724,822 (48.11%) were in legacy gTLDs. The other 781,795 (51.89%) were in the new gTLDs.

In the December 2018 report, of 1,556,116 total domains identified as security threats, 694,467 domains (44.63%) were in legacy gTLDs and 861,649 domains (55.37%) were in new gTLDs. This represents an approximate increase of 3% in the number of security threat domains identified in legacy gTLDs.

Domains identified as security threats in gTLDs are not uniformly distributed, either in the legacy or new gTLDs. Of the 781,795 domains identified as security threats reported in 341 new gTLDs, 35% were in the 5 most-exploited new gTLDs, 52% in the 10 most-exploited and 88% in the 25 most-exploited while 98% were in the 50 most-exploited.

For legacy gTLDs, one alone is responsible for 66% of domains identified as security threats and in total 4 legacy gTLDs account for more than 94% of all domains identified as security threats.

Spam domain names account for 89.1% of all security threats, phishing domains for 7.3%, malware domains for 3.2% and botnet C&C domains for 0.4%. When looking at the distribution across legacy and new gTLDs, legacy domains accounted for around 60% of all phishing threats, 65% of all malware domains, 45% of all spam domains and over 90% of all botnet C&C domains.

This first report from ICANN provides a snapshot of 31 January 2019 only. The DAAR system studies domain name registration and security threat behaviour across top-level domain (TLD) registries and ICANN-accredited registrars.

This report of the Domain Abuse Activity Reporting (DAAR) System is the first in an ongoing series of domain name security threat reports which will be released on a monthly basis. There is also a context document [pdf] explaining the methodology behind the DAAR System. Monthly reports from previous months (January 2018 through December 2018) will be published before the end of February 2019.

DAAR was created in response to community requests for neutral, reliable, persistent, and reproducible data from which security threat and abuse analyses could be performed. The DAAR project has produced a system using a published and community-vetted methodology for studying and reporting domain name registration and security threat behaviour across TLD registries and registrars. The overarching purpose of DAAR, ICANN notes, is to aggregate and analyse security threats as monitored by the publicly available domain reputation providers and report findings to the ICANN community. This data can be used to facilitate informed policy decisions.

DAAR provides only gTLD registry reports at the moment. More detailed registrar portfolio reporting would require identifiable domain name registration data. A system that will collect and analyse the necessary registrar data remains under development. ICANN’s Security, Stability, and Resiliency (SSR) team expects to add registrar reporting in the future. Inclusion of country code TLD (ccTLD) registries, where the ccTLD registry information is voluntarily provided by the ccTLD administrator, is also planned for future releases.

For more information on ICANN’s Domain Abuse Activity Reporting (DAAR) project, including this monthly report, go to:
https://www.icann.org/octo-ssr/daar