SEI Insights


Vulnerability Insights

A ccTLD Case Study: .tv


Hello, this is Leigh Metcalf and Jonathan Spring. In this post, we first examine some of the usage patterns in the .tv top-level DNS zone via passive DNS. In the second half of the post, we explore the economic importance of the .tv domain to its owner, the small South Pacific island nation of Tuvalu. Combining these two analyses, it seems that suspicious domain names could be one of Tuvalu's more valuable exports.


Every country has a top-level domain (TLD), delegated by ICANN according to the ISO country code. Such a TLD is called a ccTLD. The .tv TLD registry is operated under contract by an American company, Verisign, and there are a variety of registrars accredited to take domain submissions. Subdomains beyond the immediate second-level domains (SLDs) are out of Verisign's direct control, but Verisign maintains the directory (zone file) about SLDs, such as

Some .tv domains sell for high prices, and there are legitimate .tv domains, such as,, and Several designer domains have reportedly sold for more than $10,000 each. However, it seems that about 35% of the total .tv domains observed and 98% of the IP addresses for .tv domains exhibit suspicious behavior.

The details are as follows:

During the first quarter of 2013, 14,406,198 unique .tv fully qualified domain names (FQDNs) were observed. Of these, 65% (9,473,049) were used by (, a streaming video company. Although the company is sometimes a purveyor of malicious software and has appeared on blacklists as recently as May 31, 2013, it is generally legitimate. Because it also encompasses 65% of the FQDNs, masking other interesting features of the zone, we removed it from the data we analyzed.

Of the remaining 4,933,140 domains in .tv, and are the largest active SLDs. These two SLDs make up 49% (2,507,886) and 45% (2,320,107) of the remaining FQDNs, respectively. In a previous post, we studied the behavior of, which is known to host malicious domains. The SLD is a free domain service, similar to Most domains resolve to only a few suspicious IP addresses, and is even worse: all of the subdomains resolve to a single IP address that is known to send spam.

The largest SLD after ustream, .co, and .eu is, although it encompasses less than 1% (348,928) of the total domains. However, it presents its own share of curious behavior. accounts for 98% (348,928) of all the observed unique IP addresses used by any FQDN in the .tv domain. The SLD provides dynamic DNS services, which are a known haven for malicious actors.

There are 12 remaining .tv domains with a thousand or more subdomains. Eleven of these have suspicious characteristics, including pointing to suspect IP addresses or appearing on blacklists.
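The per-SLD breakdown described above (unique FQDNs, share of the zone, and unique IP addresses per SLD, after setting aside a dominant SLD) can be reproduced on any passive DNS feed. The following is an added example, not the authors' code; the `(FQDN, IP)` record format, the function names, and every domain name and address in it are constructed placeholders.

```python
from collections import defaultdict

def constructed_sample():
    """Constructed (FQDN, IP) observations; placeholder names, documentation IPs."""
    recs = [(f"ch{i}.stream-example.tv", "192.0.2.1") for i in range(13)]
    recs += [(f"u{i}.free-example.tv", "198.51.100.7") for i in range(5)]
    recs += [(f"h{i}.dyn-example.tv", f"203.0.113.{i}") for i in range(1, 5)]
    recs += [("www.shop-example.tv", "192.0.2.50"),
             ("www.shop-example.com", "192.0.2.50")]  # outside the zone
    return recs

def sld_of(fqdn, tld="tv"):
    """Return the second-level domain ('example.tv'), or None if not under tld."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != tld:
        return None
    return ".".join(labels[-2:])

def profile_zone(records, tld="tv", exclude=()):
    """Per-SLD unique FQDN and IP counts, plus each SLD's share of the zone."""
    fqdns, ips = defaultdict(set), defaultdict(set)
    for fqdn, ip in records:
        sld = sld_of(fqdn, tld)
        if sld is None or sld in exclude:
            continue
        fqdns[sld].add(fqdn.lower().rstrip("."))
        ips[sld].add(ip)
    total_fqdns = sum(len(names) for names in fqdns.values())
    total_ips = len(set().union(*ips.values()))
    return {
        sld: {
            "fqdns": len(fqdns[sld]),
            "fqdn_share": len(fqdns[sld]) / total_fqdns,
            "ips": len(ips[sld]),
            "ip_share": len(ips[sld]) / total_ips,
            "fqdns_per_ip": len(fqdns[sld]) / len(ips[sld]),
        }
        for sld in fqdns
    }

if __name__ == "__main__":
    report = profile_zone(constructed_sample(), exclude={"stream-example.tv"})
    for sld, row in sorted(report.items(), key=lambda kv: -kv[1]["fqdns"]):
        print(f"{sld:18} fqdns={row['fqdns']:2} ({row['fqdn_share']:.0%}) "
              f"ips={row['ips']} ({row['ip_share']:.0%}) "
              f"fqdns/ip={row['fqdns_per_ip']:.1f}")
```

A high `fqdns_per_ip` value corresponds to the many-names-on-few-addresses pattern described for the free domain services, while a high `ip_share` with a small `fqdn_share` corresponds to the dynamic DNS pattern.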

Network security professionals should consider the risks and benefits of permitting traffic to such a TLD.


What are the incentives for Tuvalu to know and manage how .tv domains are used? Verisign pays Tuvalu for the privilege of operating the zone, and Verisign profits because people pay to register .tv domains. In most cases, Tuvalu gets paid regardless of whether abuse is occurring or not. But how important is the TLD to Tuvalu?

In July 2010 Tuvalu probably made between $2 million and $2.5 million from the lease. That's not very much money in global economic terms, but it's a lot for Tuvalu, whose population is about 10,500. In each year from 2010 to 2012, the International Monetary Fund has reported the GDP of Tuvalu at $36 million. GDP is the total market value of all the economic production in a country. So in 2010, leasing .tv to Verisign accounted for at least 6.1% of the total economic production of Tuvalu.

Tuvalu renegotiated its Verisign contract for an undisclosed amount in 2012. It seems probable that Tuvalu now makes upwards of $4 million per year off domain names. This has compensated for an apparent drop in other sectors of the GDP, as Tuvalu now may make over 11% of its GDP from leasing .tv. The Tuvaluan government does not seem to make its finances public, but this is perhaps the largest chunk of the Tuvaluan economy that is not aid from foreign governments.

Due to their importance to the country's overall economy, domain names can probably be considered a key export of Tuvalu. And given the general disorder and suspicious nature of many of the domains discussed above, it may be appropriate to consider suspicious domains a primary export. However, we have no way of determining what percentage of Tuvalu's proceeds derive from suspicious registrations.

The Tuvaluan government may listen to international concerns about such an issue. When the United States pushed for an embargo on Iranian oil in 2012, many of the Iranian oil carriers changed their ships' registration to Tuvalu to avoid the sanctions. Tuvalu eventually gave in to international pressure and revoked the registrations.

Tuvalu's support of suspicious domain names is not of comparable magnitude. However, the ship registration episode highlights one way in which small corners of our globe can become highly influential as havens for suspicious activity, especially as we become increasingly interconnected. The Tuvaluan government is ultimately responsible for the .tv zone, and thus how it is used or abused.

About the Author

Leigh Metcalf
