CERT-SEI
CERT/CC Blog

A ccTLD Case Study: .tv

By Leigh Metcalf on 07/12/2013

Hello, this is Leigh Metcalf and Jonathan Spring. In this post, we first examine some of the usage patterns in the .tv top-level DNS zone via passive DNS. In the second half of the post, we explore the economic importance of the .tv domain to its owner, the small South Pacific island nation of Tuvalu. Combining these two analyses, it seems that suspicious domain names could be one of Tuvalu's more valuable exports.

Domains

Every country has a top-level domain (TLD), delegated by ICANN according to the ISO country code. Such a TLD is called a ccTLD. The .tv TLD registry is operated under contract by an American company, Verisign, and there are a variety of registrars accredited to take domain submissions. Subdomains beyond the immediate second-level domains (SLDs) are out of Verisign's direct control, but Verisign maintains the directory (zone file) about SLDs, such as example.tv.

Some .tv domains sell for high prices, and there are legitimate .tv domains, such as tnt.tv, historychannel.tv, and sportscanada.tv. Several designer domains have reportedly sold for more than $10,000 each. However, it seems that about 35% of the total .tv domains observed and 98% of the IP addresses for .tv domains exhibit suspicious behavior.

The details are as follows:

During the first quarter of 2013, 14,406,198 unique .tv fully qualified domain names (FQDNs) were observed. Of these, 65% (9,473,049) were used by ustream.tv (www.ustream.tv), a streaming video company. Although the company is sometimes a purveyor of malicious software and has appeared on blacklists as recently as May 31, 2013, it is generally legitimate. Because it also encompasses 65% of the FQDNs, masking other interesting features of the zone, we removed it from the data we analyzed.

Of the remaining 4,933,140 domains in .tv, .co.tv and .eu.tv are the largest active SLDs. These two SLDs make up 49% (2,507,886) and 45% (2,320,107) of the remaining FQDNs, respectively. In a previous post, we studied the behavior of .co.tv, which is known to host malicious domains. The SLD eu.tv is a free domain service, similar to .co.tv. Most .co.tv domains resolve to only a few suspicious IP addresses, and .eu.tv is even worse: all of the subdomains resolve to a single IP address that is known to send spam.

The largest SLD after ustream, .co, and .eu is dyndns.tv, although it encompasses less than 1% (348,928) of the total domains. However, it presents its own share of curious behavior. Dyndns.tv accounts for 98% (348,928) of all the observed unique IP addresses used by any FQDN in the .tv domain. The SLD provides dynamic DNS services, which are a known haven for malicious actors.

There are 12 remaining .tv domains with a thousand or more subdomains. Eleven of these have suspicious characteristics, including pointing to suspect IP addresses or appearing on blacklists.
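As an added illustration of the tallying described above (example code, not from the original post or its authors), the following Python groups passive-DNS observations by SLD, drops ustream.tv the way the post does, and computes each SLD's share of FQDNs and of unique IP addresses, flagging SLDs whose subdomains all resolve to one address. The records are constructed samples with invented names and addresses.

```python
from collections import defaultdict

# Constructed sample of passive-DNS observations (FQDN, resolved IP) in the
# .tv zone; names and addresses are invented for illustration only.
SAMPLE_RECORDS = [
    ("www.ustream.tv", "192.0.2.10"),
    ("chan1.ustream.tv", "192.0.2.10"),
    ("free1.co.tv", "198.51.100.5"),
    ("free2.co.tv", "198.51.100.5"),
    ("free3.co.tv", "198.51.100.6"),
    ("site1.eu.tv", "203.0.113.9"),
    ("site2.eu.tv", "203.0.113.9"),
    ("host1.dyndns.tv", "198.51.100.20"),
    ("host2.dyndns.tv", "198.51.100.21"),
    ("tnt.tv", "192.0.2.50"),
]

def sld_of(fqdn):
    """Second-level domain of an FQDN, e.g. 'co.tv' for 'free1.co.tv'."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def profile_zone(records, exclude=("ustream.tv",)):
    """Group records by SLD (skipping excluded SLDs) and return, per SLD, the
    FQDN count, its share of all FQDNs and of all unique IPs, and a flag."""
    fqdns, ips = defaultdict(set), defaultdict(set)
    for fqdn, ip in records:
        sld = sld_of(fqdn)
        if sld in exclude:
            continue
        fqdns[sld].add(fqdn.lower())
        ips[sld].add(ip)
    total_fqdns = sum(len(s) for s in fqdns.values())
    all_ips = set().union(*ips.values())
    return {
        sld: {
            "fqdns": len(fqdns[sld]),
            "fqdn_share": len(fqdns[sld]) / total_fqdns,
            "ip_share": len(ips[sld]) / len(all_ips),
            # A whole SLD parked on one address (the .eu.tv pattern)
            "single_ip": len(fqdns[sld]) > 1 and len(ips[sld]) == 1,
        }
        for sld in fqdns
    }

def large_slds(report, min_subdomains):
    """SLDs with at least min_subdomains FQDNs, most populous first."""
    return sorted((s for s in report if report[s]["fqdns"] >= min_subdomains),
                  key=lambda s: (-report[s]["fqdns"], s))
```

An SLD whose ip_share is far larger than its fqdn_share is the dyndns.tv pattern; one whose single_ip flag is set is the .eu.tv pattern.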

Network security professionals should consider the risks and benefits of permitting traffic to such a TLD.

Money

What are the incentives for Tuvalu to know and manage how .tv domains are used? Verisign pays Tuvalu for the privilege of operating the zone, and Verisign profits because people pay to register .tv domains. In most cases, Tuvalu gets paid regardless of whether abuse is occurring or not. But how important is the TLD to Tuvalu?

In July 2010 Tuvalu probably made between $2 million and $2.5 million from the lease. That's not very much money in global economic terms, but it's a lot for Tuvalu, whose population is about 10,500. In each year from 2010 to 2012, the International Monetary Fund has reported the GDP of Tuvalu at $36 million. GDP is the total market value of all the economic production in a country. So in 2010, leasing .tv to Verisign accounted for at least 6.1% of the total economic production of Tuvalu.

Tuvalu renegotiated its Verisign contract for an undisclosed amount in 2012. It seems probable that Tuvalu now makes upwards of $4 million per year off domain names. This has compensated for an apparent drop in other sectors of the GDP, as Tuvalu now may make over 11% of its GDP from leasing .tv. The Tuvaluan government does not seem to make its finances public, but this is perhaps the largest chunk of the Tuvaluan economy that is not aid from foreign governments.

Due to their importance to the country's overall economy, domain names can probably be considered a key export of Tuvalu. And given the general disorder and suspicious nature of many of the domains discussed above, it may be appropriate to consider suspicious domains a primary export. However, we have no way of determining what percentage of Tuvalu's proceeds derive from suspicious registrations.

The Tuvaluan government may listen to international concerns about such an issue. When the United States pushed for an embargo on Iranian oil in 2012, many of the Iranian oil carriers changed their ships' registration to Tuvalu to avoid the sanctions. Tuvalu eventually gave in to international pressure and revoked the registrations.

Tuvalu's support of suspicious domain names is not of comparable magnitude. However, the ship registration episode highlights one way in which small corners of our globe can become highly influential as havens for suspicious activity, especially as we become increasingly interconnected. The Tuvaluan government is ultimately responsible for the .tv zone, and thus how it is used or abused.

Topics: Network Situational Awareness