A Reexamination of Internationalized Domain Names: The Good, the Bad and the Ugly

@article{Liu2018ARO,
  title={A Reexamination of Internationalized Domain Names: The Good, the Bad and the Ugly},
  author={Baojun Liu and Chaoyi Lu and Zhou Li and Ying Liu and Haixin Duan and Shuang Hao and Zaifeng Zhang},
  journal={2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)},
  year={2018},
  pages={654-665}
}
  • Baojun Liu, Chaoyi Lu, Zhou Li, Ying Liu, Haixin Duan, Shuang Hao, Zaifeng Zhang
  • Published 1 June 2018
  • Computer Science
  • 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
Internationalized Domain Names (IDNs) are domain names containing non-ASCII characters. Despite its installation in DNS for more than 15 years, little has been done to understand how this initiative was developed and its security implications. In this work, we aim to fill this gap by studying the IDN ecosystem and cyber-attacks abusing IDN. In particular, we performed by far the most comprehensive measurement study using IDNs discovered from 56 TLD zone files. Through correlating data from… 

Funny Accents: Exploring Genuine Interest in Internationalized Domain Names

This paper explores IDNs that hold genuine interest, i.e. that owners of brands with diacritical marks may want to register and use, and sees that application behavior toward these IDNs remains inconsistent, hindering user experience and therefore widespread uptake of IDNs.

A Case of Identity: Detection of Suspicious IDN Homograph Domains Using Active DNS Measurements

This paper proposes a structured approach to identify suspicious homograph domain names based not on use, but on characteristics of the domain name itself and its associated DNS records, and first extends the existing Unicode homoglyph tables (confusion tables).

DomainScouter: Analyzing the Risks of Deceptive Internationalized Domain Names

This work proposes a new system called DomainScouter to detect various deceptive IDNs and calculates a deceptive IDN score, a new metric indicating the number of users that are likely to be misled by a deceptive IDN.

ShamFinder: An Automated Framework for Detecting IDN Homographs

This work developed a framework named "ShamFinder," which is an automated scheme to detect IDN homographs, and develops an automatic construction of a homoglyph database, which can be used for direct countermeasures against the attack and to inform users about the context of an IDN homograph.

Assessing Browser-level Defense against IDN-based Phishing

An empirical analysis of browser IDN policies, and a user study to understand user perception of homograph IDNs are presented, which suggest the need to improve the current defense against IDN homograph.

Digging Deeper: An Analysis of Domain Impersonation in the Lower DNS Hierarchy

This paper presents an in-depth, empirical measurement study of low-level domain impersonations to understand their prevalence and provide a basis for the development of corresponding countermeasures, and finds that low-level domain impersonation is among the most popular squatting techniques in the wild.

It's Not what It Looks Like: Measuring Attacks and Defensive Registrations of Homograph Domains

This paper proposes two measurement setups to detect homograph domains and monitors the activity of these domains daily for more than five months, and identifies multiple instances of scamming and phishing.

A Deep Dive into DNS Query Failures

This paper performs the largest ever study into DNS activity, covering 3B queries, and finds that 13.5% of DNS queries fail, and this leads them to explore the root causes.

DNSWeight: Quantifying Country-Wise Importance of Domain Name System

The study shows that DNS reliability needs to be reconsidered at the country’s level by applying DNSWeight on large-scale DNS and BGP datasets jointly and shows the importance among different countries is divided.

Unravelling Ariadne’s Thread: Exploring the Threats of Decentralised DNS

This work presents the emerging threat landscape of blockchain-based DNS and empirically validates the threats with real-world data, and explores a part of the blockchain DNS ecosystem in terms of the browser extensions using such technologies, the chain itself, the domains, and users who have been registered in these platforms.

References

Detecting algorithmically generated malicious domain names

This paper develops a methodology to detect domain fluxing as used by Conficker botnet with minimal false positives and applies it to packet traces collected at a Tier-1 ISP.

Domain-Z: 28 Registrations Later Measuring the Exploitation of Residual Trust in Domains

This study sheds light on the seemingly unnoticed problem of residual domain trust by measuring the scope and growth of this abuse over the past six years and develops Alembic, a lightweight algorithm that uses only passive observations from the Domain Name System (DNS) to flag potential domain ownership changes.

Internationalizing Domain Names in Applications (IDNA)

This document defines internationalized domain names (IDNs) and a mechanism called Internationalizing Domain Names in Applications (IDNA) for handling them in a standard fashion and allows the non-ASCII characters to be represented using only the ASCII characters already allowed in so-called host names today.

Understanding the domain registration behavior of spammers

It is discovered that spammers employ bulk registration, that they often re-use domains previously registered by others, and that they tend to register and host their domains over a small set of registrars.

The Long "Taile" of Typosquatting Domain Names

A comprehensive study of typosquatting domain registrations within the .com TLD finds that about half of the possible typo domains identified by lexical analysis are truly typo domains, and their number is increasing with the expansion of the ".com" domain space.

Assessment of Internationalised Domain Name Homograph Attack Mitigation

Should an attacker take advantage of such oversights, a victim would likely not be able to spot a fraudulent site or email and thus provide a perfect platform for subsequent attack.

The 2010 IDN Homograph Attack Mitigation Survey

The research found that in the current versions of most internet browsers and email clients, some form of homograph identification or blocking exists, however, some notable and popular applications include either flawed implementations or miss key features and thus allow for IDN based attacks.

The Ever-Changing Labyrinth: A Large-Scale Analysis of Wildcard DNS Powered Blackhat SEO

A new type of blackhat SEO infrastructure (called “spider pool”) which seeks a different operational model and could inspire new mitigation methods and improve the ranking or indexing metrics from search engines is revealed.

Extending Black Domain Name List by Using Co-occurrence Relation between DNS Queries

This work uses the co-occurrence relation of two different domain names to find unknown black domain names and extend the blacklist by using DNS query data and an existing blacklist of known black domain names.

Detecting Malware Domains at the Upper DNS Hierarchy

Kopis passively monitors DNS traffic at the upper levels of the DNS hierarchy, and is able to accurately detect malware domains by analyzing global DNS query resolution patterns.