Export Compliance Daily is a Warren News publication.
False Positives

Reputation Blocklists Need Improvement, ICANN Hears

Reputation blocklists help fight domain name system abuse but raise questions of accuracy and transparency, panelists said Thursday at a virtual ICANN meeting. RBLs blacklist IP addresses or domain names generally regarded as malicious, untrustworthy or of bad repute, said Samaneh Tajalizadehkhoob of ICANN's chief technology office. They're important to, and must be better understood by, ICANN, registries/registrars, hosting companies and other service providers and end-users, said iQ Chief Technology Officer LG Forsberg.

RBLs have several drawbacks, Tajalizadehkhoob said: They're overspecialized, with each list geared toward specific purposes, and have limited coverage and overlaps, limited transparency and no unified methodology. ICANN uses RBLs for domain abuse activity reporting and contract compliance, she said. It plans to move toward a more comprehensive method to evaluate an RBL in terms of, among other characteristics, its purity (false positive/negative analysis), coverage, responsiveness and accuracy.

Spamhaus assigns scores to domain names: The higher the score, the more confident it is that the names are being misused, said Chief Data Officer Carel Bitter. The list is the company's view of why particular domains have a bad reputation, and its primary use is for people looking to make decisions based on that reputation. Spamhaus, like other RBL providers, uses a mix of machine and human investigation to vet domains and URLs, Bitter said.

False positives are a problem for RBL providers and registries/registrars, they said. False positives will always occur, but the point is to keep their number as small as possible, said Bitter. Registrar Tucows doesn't pay for commercial RBLs but is working with providers to see if it's possible to get wrongfully blacklisted names de-listed as quickly as possible, said Compliance Head Reg Levy. Enterprise security services are less concerned with false positives than about protecting users, said Verisign Distinguished Engineer Matt Thomas. RBLs are well-positioned in the domain name ecosystem to gather telemetry data showing how effective contracted parties are in dismantling platforms that support DNS abuse, he said.
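The evaluation characteristics Tajalizadehkhoob listed (purity via false positive/negative analysis, coverage, overlap) and the score-threshold trade-off behind Bitter's point that false positives can only be minimized, not eliminated, can be made concrete in a few lines. The script below is an added illustration, not code from ICANN, Spamhaus or any panelist; the domain names, scores and the labelled reference set are constructed, and a real evaluation would draw its reference labels from independent abuse investigations rather than from another blocklist.

```python
"""Measure a reputation blocklist (RBL) against a labelled reference set.

Constructed example: every domain, score and label below is made up.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed reference set of domains with a known label (True = abusive).
GROUND_TRUTH = {
    "bad-one.example": True,
    "bad-two.example": True,
    "bad-three.example": True,
    "bad-four.example": True,
    "good-one.example": False,
    "good-two.example": False,
    "good-three.example": False,
    "good-four.example": False,
}

# Constructed blocklists. LIST_A is a plain set of names; LIST_B carries a
# confidence score per name, in the style of a scored list.
LIST_A = {"bad-one.example", "bad-two.example", "good-one.example"}
LIST_B = {
    "bad-one.example": 0.95,
    "bad-two.example": 0.80,
    "bad-three.example": 0.60,
    "good-one.example": 0.55,
    "good-two.example": 0.30,
}


@dataclass(frozen=True)
class Purity:
    """Confusion-matrix counts for one list against the reference set."""
    true_positives: int
    false_positives: int
    false_negatives: int
    true_negatives: int

    @property
    def false_positive_rate(self) -> float:
        benign = self.false_positives + self.true_negatives
        return self.false_positives / benign if benign else 0.0

    @property
    def false_negative_rate(self) -> float:
        malicious = self.true_positives + self.false_negatives
        return self.false_negatives / malicious if malicious else 0.0

    @property
    def precision(self) -> float:
        listed = self.true_positives + self.false_positives
        return self.true_positives / listed if listed else 0.0

    @property
    def coverage(self) -> float:
        """Share of known-abusive domains the list actually catches (recall)."""
        return 1.0 - self.false_negative_rate


def purity(listed: set[str], truth: dict[str, bool]) -> Purity:
    """Count TP/FP/FN/TN over the domains that have a reference label."""
    tp = sum(1 for d, bad in truth.items() if bad and d in listed)
    fp = sum(1 for d, bad in truth.items() if not bad and d in listed)
    fn = sum(1 for d, bad in truth.items() if bad and d not in listed)
    tn = sum(1 for d, bad in truth.items() if not bad and d not in listed)
    return Purity(tp, fp, fn, tn)


def overlap(a: set[str], b: set[str]) -> float:
    """Jaccard overlap of two lists: 1.0 means identical, 0.0 means disjoint."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def apply_threshold(scored: dict[str, float], threshold: float) -> set[str]:
    """Turn a scored list into a block decision: keep names at or above the cut-off."""
    return {d for d, s in scored.items() if s >= threshold}


def threshold_sweep(scored: dict[str, float], truth: dict[str, bool],
                    thresholds: list[float]) -> dict[float, Purity]:
    """Show how raising the cut-off trades false positives against coverage."""
    return {t: purity(apply_threshold(scored, t), truth) for t in thresholds}


if __name__ == "__main__":
    a = purity(LIST_A, GROUND_TRUTH)
    print(f"LIST_A: FPR={a.false_positive_rate:.2f} FNR={a.false_negative_rate:.2f} "
          f"precision={a.precision:.2f} coverage={a.coverage:.2f}")
    for t, p in threshold_sweep(LIST_B, GROUND_TRUTH, [0.0, 0.5, 0.6, 0.9]).items():
        print(f"LIST_B >= {t:.1f}: FP={p.false_positives} coverage={p.coverage:.2f}")
    print(f"overlap(A, B>=0.5) = {overlap(LIST_A, apply_threshold(LIST_B, 0.5)):.2f}")
```

Running it shows the shape of the trade-off the panel described: at a 0.5 cut-off the scored list carries one wrongly listed domain, at 0.6 that false positive disappears with coverage unchanged, and at 0.9 the list is clean but catches only a quarter of the known-abusive names. The overlap figure is what the "limited coverage and overlaps" remark measures: two lists that agree on three of four names still leave each other's blind spots uncovered.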

The core question for end-users is what they can do when they're wrongfully listed, said ICANN At-Large Advisory Committee Chair Joanna Kulesza. Users need a better understanding of how the system works, including what criteria are used to blacklist certain websites, and must be included in any discussions on the issues, she said: The more open RBLs are about the criteria they apply, the more comfortable users will feel. One question is whether there should be a harmonized feedback mechanism for de-listing requests, and, if so, whether ICANN or industry should develop it, said Abuse.ch founder Roman Huessy.

Blocklist management "has always been a decentralized industry function" that relies on cooperation between blocklists and ISPs, emailed Brenden Kuerbis, Georgia Institute of Technology School of Public Policy research scientist. There have long been questions about the effectiveness of blocklisting, including lots of false positives and negatives, that they don't cover all malware, and the significant challenges in using existing threat intelligence data like RBLs for their purported goals, he told us. Registries and registrars might be trying to cut their costs for reinstating domains, he said. Whether they're successful in creating a harmonized de-listing process depends on there being mutual benefits for all concerned, he said. "These types of voluntary cooperation between parties are a common feature of cybersecurity."