Investigating DNS Abuse / Misuse

for Information Security Professionals /
Law Enforcement Agents

Offered by ICANN SSR Team


Date: 9:00-15:00, Friday, 11 May 2018
Venue: Budapest University of Technology and Economics (BME), Building Q, Room QBF08, Budapest, Hungary



This workshop exposes agents to strategies, techniques and tools that information security professionals use to identify abuses of the Domain Name System (DNS), malicious registrations of domain names, addresses or hosting. Through a combination of lecture, demonstration, and hands-on exercises, attendees will learn how to collect information that will be needed to further investigate criminal activity.

Trainer - David Piscitello

The course will be delivered by David Piscitello. Dave has been involved in Internet technology for over 39 years. He serves as Vice President, Security and ICT Coordination at ICANN, where he collaborates with the information security, DNS, and law enforcement communities on a diverse range of security issues related to the Domain Name System and domain name registration processes, including phishing, pharming, DDoS attacks, domain hijacking and other registration abuses. His research includes proxy and private domain registration abuse, REST-based Internet directory services and domain seizures. Dave has authored books on internet protocols, remote access and Voice over Internet Protocol Security (April 2006). He publishes articles regularly on Internet security, DNS, antiphishing, malware, Internet policy and privacy.

Who should attend

This is a capability program aimed at officers/agents who are familiar with Internet applications but relatively new to "protocols", and who will be investigating cybercrime. Some of the topics covered will be useful to more senior technical officers/agents, but it is not a host forensics or deep traffic analysis course.

Nature of program

We look at a methodology for gathering information related to Internet crimes that is particular to domain names and Internet addressing. This is delivered with live demonstrations and hands-on training over a 4-5 hour time span. The goal is to share a methodology for collecting information that is needed to investigate a crime and that is also commonly needed for the preparation of court orders. This program is not deeply technical - we don't look at bits and bytes - but we cover a lot of concepts in one day.


(- An additional "level setting" module covering name and addressing basics.) TBC

  • Enumeration of Attacks
  • Challenges of distinguishing criminal from legitimate use of DNS
  • Accessing DNS, domain registration, and IP addressing related information
  • Dealing with domain seizures
  • Tools to collect DNS and registration data
  • Tools to locate and look at hosting sites and hosted data
  • Reputation tools
  • Examples, use cases, and case studies

What to bring

For the hands-on exercises, attendees should have a Windows computer with access to cmd.exe or a Linux computer with access to a terminal. Many of the resources that will be used are accessible using a web browser.
Snacks and drinks will be provided before/after the training and during breaks (2 x 15-30 mins).


Upon completion of the training attendees will receive a certificate.


The training is open to anyone. However, due to limited seating, registration is required. As seats will fill quickly, we recommend that you register in due time. The Registration Desk will be located in front of the workshop room "QBF08". All attendees must register and receive a badge in order to participate in workshop activities.

Registration closed.


  9.00 -   9.30   coffee break, registration
  9.30 - 10.00   technical part (level setting module)
10.00 - 11.00   technical part
11.00 - 11.15   coffee break
11.15 - 13.00   technical part
13.00 - 13.45   lunch break
13.45 - 15.00   technical part




