SOI Fast Flux PDP May08

Last Updated: 01 September 2009
Date: 
05 August 2008

Statements of Interest
from the members of the

Fast Flux Policy Development Process (PDP) May08

Working Group

http://gnso.icann.org/announcements/announcement-30may08.htm

Greg Aaron - gTLD Registry constituency

James Bladel - Registrar constituency

Beau Brendler - ALAC

Steve Crocker - Chair, ICANN Security and Stability Advisory Committee

Christian Curtis - NCUC

Paul Diaz - Registrar constituency

Avri Doria - GNSO Council chair- Nominating Committee appointee

Kalman Feher - Registrar constituency

Chuck Gomes - GNSO Council vice-chair - gTLD Registry constituency

Minaxi Gupta - no constituency affiliation

Tony Holmes - ISPCP

Martin Hall - no constituency affiliation

Rodney Joffe - gTLD Registry constituency

George Kirikos - CBUC

Mat Larson - gTLD Registry constituency

Phil Lodico - CBUC

Zbynek Loebl - IPC

Margie Milam - Registrar constituency

Jose Nazario - no constituency affiliation

Michael O'Connor - Working group chair - CBUC - resigned from WG

Adam Palmer - gTLD Registry constituency

Marc Perkel - no constituency affiliation

Dave Piscitello - SSAC Fellow

Rod Rasmussen - no constituency affiliation

Mike Rodenbaugh - CBUC

Joe St. Sauver - no constituency affiliation

Wendy Seltzer - ALAC Liaison ICANN Board

Ihab Shraim - MarkMonitor

Randal Vaughn - no constituency affiliation

Steven Vine - Registrar constituency

Eric Brunner-Williams - Registrar constituency - resigned from WG 9 October 2008

Greg Aaron
July 7, 2008

Greg Aaron is Director, Key Account Management and Domain Security at Afilias. Afilias is the registry operator for the .INFO gTLD, and is a

member of ICANN's Registry Constituency. Greg manages registry services for .INFO, and oversees Afilias' security programs, designed to address domain name abuses such as phishing, spam, and malware in .INFO. Afilias also provides registry services and advising to other TLDs, including .ORG, .AERO, .ASIA, and .MOBI, and the cTLDs .AG, .BZ, .GI, .HN, .IN, .LC, .ME, .MN, .SC, and .VC. Greg represents Afilias on the steering committee of the Anti-Phishing Working Group (APWG).

James Bladel

July 7, 2008:

I am a full-time employee of GoDaddy.com, Inc., which is a business unit of The Go Daddy Group, Inc. family of ICANN-accredited registrars. GoDaddy.com is a member of the GNSO Registrars Constituency, and conducts business with all major gTLD and ccTLD registries.

In my position with GoDaddy.com my focus is the development and promotion of registrar-related business, products, and services.

I am not employed by, nor involved with, any other business or organization in any other ICANN Constituency, Supporting Organization, or Advisory Committee.

Beau Brendler

August 5, 2008

My name is Beau Brendler and I'm director of Consumer Reports WebWatch (http://www.consumerwebwatch.org), the online investigative arm of Consumer Reports magazine and Consumers Union, one of the world's largest consumer advocacy organizations.

I'm also one of the elected North American regional representatives to the ALAC, and it's in that capacity I have sought to join the working group. I was asked to join in order to help keep the ALAC informed and, in turn, to help the ALAC form any statements it may want to make. So for the moment, at least, I plan to do more observing than commenting, as fast flux and other domain security issues are relatively new territory for several members of the current ALAC.



Steve Crocker

July 7, 2008

Chair, ICANN Security and Stability Advisory Committee



I am the CEO of Shinkuro, Inc, a small software and consulting company in Bethesda, MD, and I chair ICANN's Security and Stability Advisory Committee (SSAC). My company has a contract with the U.S.Department of Homeland Security to facilitate the deployment of DNSSEC. We have no business interests related to fast flux. I am participating in the fast flux working group solely in my capacity as SSAC Chair.



Christian Curtis

July 2008

I'm participating as the representative of the Non-Commercial Users Constituency.

I'm a third year law student at Brooklyn Law School. I'm participating with the NCUC as a legal intern for IP Justice and as part of their international cyberlaw clinic. The NCUC is concerned that over-zealous ICANN action could stifle legitimate and anonymous speech, as well as prevent the development of socially useful technology.

I'm also currently a legal intern for the Computer & Communications Industry Association, and I'm the founder of the Brooklyn Law School chapter of Students for Free Culture--though neither of these are related to my work at the GNSO. I have no commercial interest in this area.

Paul Diaz

July 7, 2008



I am a full-time employee of Network Solutions LLC, an ICANN-accredited registrar offering gTLD and ccTLD domain name registration and Web

presence services to our small business customers. Network Solutions also has two affiliated, ICANN-accredited registrars, NameSecure L.L.C.

and TLDS L.L.C d/b/a SRSplus. I currently serve as the Policy & Ethics Manager. My daily responsibilities include handling ICANN-related

issues, corporate advocacy at the local, state and federal levels, and administering Network Solutions' business ethics program.

Network Solutions is a member of the Registrar Constituency, a voting stakeholder on the GNSO Council. Network Solutions also is a member of

the United States Council for International Business (USCIB). The USCIB is a member of the Commercial and Business Users Constituency, also a

voting stakeholder on the GNSO Council. Our primary interest in the USCIB is the DNS and Internet Identifiers Working Group.

I have no ownership interest in Network Solutions or its affiliated registrars, nor in any current registry operator. I am not in possession of any registry sensitive or proprietary information. To the best of my knowledge, I have no ownership interest in any entity that currently has business before the GNSO or ICANN.

Avri Doria

http://gnso.icann.org/council/soi/doria-statement.htm

Kalman Feher

July 8, 2008

I am a full time employee of Melbourne IT (www.melbourneit.com.au). Melbourne IT is an ICANN accredited registrar. We offer gTLD and ccTLD domain name registration, Hosting and brand protection services.

I am a member of the Architecture group, with a focus on DNS and networks.

I have no other relationship with other organisations within this or any other ICANN constituency.

Chuck Gomes

http://gnso.icann.org/council/soi/gomes-statement.htm

Minaxi Gupta

July 2008



Minaxi Gupta is an Assistant Professor in the Computer Science Department at Indiana University (Bloomington). She joined IU after finishing her Ph.D. in Computer Science from Georgia Tech in 2004.

Gupta's research interests are in Computer Networks and Security. She is currently working on understanding Internet's vulnerabilities and how attackers are exploiting them to their advantage, especially in the context of phishing. Her other research focus is on re-architecting the Internet. Gupta has authored over 20 peer-reviewed articles and contributed chapters to two books on phishing and crimeware. She is the recipient of the prestigious Trustees Teaching Award (2008) and Outstanding Junior Faculty Award (2006) from Indiana University. More information about Gupta's research and other activities can be found

at: http://www.cs.indiana.edu/~minaxi.

Martin Hall

October 2008

I am co-founder and CEO of Karmasphere, (Karmasphere does consulting work for VeriSign) a start-up focused on improving decisions about who to interact with online by providing more insight into the identities involved. We've built a platform and set of network analytics technologies that aggregate numerous data sources, subject them to a range of mining and forensics processes and which enable us to apply the resulting intelligence to a variety of online decision contexts.

One of the components we built is a fast flux detector. It consumes various data inputs and uses configurable heuristics to determine if a domain is fluxing, monitoring it from that point forward. The output of this system is a rich seam of data about fluxing domains, their attributes and connections between them.

We are interested in collaborating with other organizations to cure and prevent the use of fast flux networks for malicious activities. I look forward to figuring out how we can best help the work of this group.

Tony Holmes



http://gnso.icann.org/council/soi/holmes-statement.htm

Rodney Joffe

July 2008

Rodney Joffe is Senior Vice-President and Senior Technologist at NeuStar, Inc (NYSE:NSR), a directory services company and the registry operator for the .biz and .us TLDs. NeuStar also operates a DNS infrastructure currently providing either primary or secondary DNS services for a number of TLDs such as .org, .info, .uk, .ca, .nz and others. It also provides DNS services for a number of commercial and government organizations.

Some of these customers include anti-spam, anti-virus, and cybersecurity companies.

Rodney is a member of the ICANN SSAC and RSTEP.

He is a holder of NeuStar common stock.

As one of the leading providers of global registry services, NeuStar believes that registries must not only aim for the highest standards of technical and operational competence, but also need to act as stewards of their TLDs in promoting the public interest. One of those public interest functions includes working towards the elimination of

fraud and identity theft that result from phishing, pharming, and email spoofing of all types involving the DNS. By taking an active role in researching and monitoring these sorts of fraudulent activities, NeuStar has developed the ability to efficiently work with various law enforcement and security communities to begin a new phase of mitigation of these types of threats. To date, NeuStar is the only gTLD registry operator that has actively implemented internal processes, testing and take-down procedures to effectively combat these issues.





George Kirikos

August 7, 2008

I am the president of Leap of Faith Financial Services Inc., which is a member of the Business Constituency of the GNSO (although, we do not speak for the BC in this workgroup). My company owns and develops a number of domain names and websites used by millions of users from all over the world every year. My personal background is in economics and finance.



We are also a Registration Service Provider (i.e. reseller) for Tucows/OpenSRS for a small number of clients, although that forms a very tiny part of our overall business.

As per Wendy Seltzer's statement of interest, who said it so well, "I am particularly concerned that measures to combat abuse not have the unintended consequences of inhibiting legitimate use of network resources or burdening neutral provision of service."

I hope that we can use economics a potential tool to develop a signature and/or a signal to differentiate between good actors and bad actors, and thereby continue to permit high availability services that are positive to flourish.

www.LEAP.com

www.LOFFS.com

Mat Larson

July 2008

I am Director of DNS Research for VeriSign, Inc. VeriSign is the registry operator for the .com and the .net gTLDs and also provides backend registry services in support of Global Name Registry for the .name gTLD and Employ Media for the .jobs gTLD. VeriSign is also the registry operator for two ccTLDs, .cc for the Cocos and Keelings Islands and .tv for Tuvalu.

As an employee who supports VeriSign's naming services business, I sometimes have access to Registry Sensitive information including information about registrars. With regard to both our gTLD and ccTLD registration services businesses as well as other VeriSign businesses, our customers and business associates have interests in various ICANN policy issues and may be members of other GNSO constituencies and/or supporting organizations.

In addition to registry agreements with ICANN for .com and .net, VeriSign also has obligations to the U.S. Department of Commerce through a cooperative agreement that was initiated in 1993 and has been amended many times since then. Those obligations include operating the A and J root servers as well as support to the IANA function in implementing changes in the root zone file. As such, VeriSign is a member of the DNS Root Server System Advisory Committee and also works closely with IANA staff in the processing of root zone changes.

As an operator of critical Internet infrastructure that must be operated at high availability levels and withstand attacks, VeriSign has an interest in the threats represented by fast flux networks.

Also, for the good of the Internet community, VeriSign is interested in developing means to detect fast flux networks and develop mitigations.

I own shares of VeriSign stock and hold options to purchase additional shares, but the amount of shares I currently own plus the potential shares I could possibly own if I exercised all options is a miniscule number relative to the total number of VeriSign shares.

Phil Lodico

July 2008

I represent FairWinds Partners, a leading Internet strategy consulting company providing services and solutions to premier global brand owners. My interests are in domain policy as it relates to brand promotion and Internet security. I am a member of the business constituency.

Zbynek Loebl

July 2008

I manage the implementation of UDRP on behalf of the Czech Arbitration Court (CAC). CAC was appointed as a new UDRP provider in January of this year. I was nominated to the FF WG by the IP Constituency. I have been a technology lawyer for almost 20 years so my interest in the FF WG relates not only to IP/UDRP aspects but also technology and security aspects of this issue. Nevertheless, I have no clients with any direct or indirect relationship to FF apart of the CAC.



Margie Milam

July 2008

I am the Vice President, General Counsel and Corporate Secretary of MarkMonitor, Inc., a global enterprise brand protection company, offering Anti-Phishing Solutions, Corporate Domain Registration Services, and Online Trademark Protection Solutions. MarkMonitor specializes in detecting, monitoring and shutting-down phishing attacks against the world's largest brands. MarkMonitor is also an ICANN accredited registrar. At MarkMonitor, I am responsible for ICANN policy and compliance matters, as well as its legal matters.

MarkMonitor is an active contributor to the APWG and is a member of the Registrar's Constituency and the Intellectual Property Constituency.

MarkMonitor is interested in participating in this group to share its experience and insight in tackling phishing attacks involving fast-flux networks.

Jose Nazario

October 2008

I am the Manager of Security Research at Arbor Networks. Arbor Networks is a supplier of networking and security products to many of the largest ISPs, critical infrastructure operators, and hosting providers on the Internet.

Arbor products are used by our customers to protect their own networks as well as their customers from threats such as denial of service and botnets.

As the Manager of Security Research at Arbor Networks my responsibilities are to develop new detection tools and products to support our products and our customers. We have been targeting the botnet problem for several years, and developed fast flux botnet detection and enumeration tools earlier this year for integration into our ATLAS product and data feeds.

We conduct ongoing research into the scope and impact of fast flux botnets to identify infected hosts and malicious activities. Some of these findings have been shared with groups such as MAAWG and FIRST, as well as the ICANN SSAC. We share this data with customers and the Internet security community.

We also share this data with several registrars, and actively seek to share our daily findings with more registrars.

Our interests at Arbor are in stopping the botnet problem at the root, and this includes shutting down fast flux networks. We hope to facilitate this resolution by working with the GNSO fast flux working group.



My current work on fast flux is visible here, in a research paper just released and an ongoing report in our ATLAS system:

http://honeyblog.org/junkyard/paper/fastflux-malware08.pdf

http://atlas.arbor.net/summary/fastflux

I look forward to working with the group here in addressing this problem.

Mike O'Connor - resigned from the working group 27 September 2008

http://forum.icann.org/lists/gnso-ff-pdp-may08/msg00655.html

July 2008



I am the proprietor of The O'Connor Company of St Paul (a sole proprietorship located in St Paul, MN USA) and am a member of the GNSO Commercial and Business Users Constituency (CBUC).

My company owns a number of generic domain names (eg. bar.com, grill.com, pub.com, place.com, corp.com, shelter.com, cafes.com) and I have a business-owner and domain-registrant's interests in ICANN activities.

I do not conduct any form of fast-flux hosting and have no commercial or business interest in the outcomes of the May08 Fast Flux Hosting Working Group effort.

Adam Palmer

July 2008

I am a full-time employee of .ORG, The Public Interest Registry an ICANN-accredited Registry. .ORG is a US based non-profit corporation located in Washington DC. I currently serve as Law & Policy Counsel for .ORG. My daily responsibilities include handling ICANN-related issues, corporate law matters for .ORG and managing registry policy matters.

.ORG is a member of the Registry Constituency. I have been selected by the Registry Constituency to serve as a constituency representative in the Fast Flux working Group. .ORG has a chartered interest in ensuring the safety and stability of the .ORG registry and Internet. The Registry Constituency which I represent is a voting stakeholder on the GNSO council. I have no ownership interest in .ORG and I have no ownership interest in any entity that currently has business before the GNSO or ICANN.



Marc Perkel

July 7, 2008

I am an individual and owner of a spam filtering company Junk Email Filter (http://www.junkemailfilter.com).

Junk Email Filter is a spam fighting company. We act as a front end filtering service with some email hosting. Mostly customers set their MX records to point to our servers. The email comes in to us - we filter it

- and forward the good email on to the customer's existing email server.

Our mission is to deliver all the good email and block as much spam as possible.

As an individual my background is software engineering. I am also a former employee (sys admin) of the Electronic Frontier Foundation

(eff.org) with a strong interest in civil liberties and individual freedom.

I am also the founder of the Church of Reality, a religion based on believing in everything that's real. We see the Internet as a significant step in the evolution of humanity and the most important advance in information sharing since the invention of the printing press.

I also have some background in law, all self taught.

I tend to look for solutions that impose the least restrictions and burden on the majority law abiding community who is using the Internet for legal productive purposes. I have some theories that part of the solution might lie in registrars providing more information about domains that spam filtering companies like us can use to help determine good email from spam. In the case of fast flux, if I could read the age of a domain and the number of recent changes to the nameserver record I can combine that with information from spam and determine what email to block. I could also public a DNS blacklist of fast fluxing domains that other spam blocking companies can use to block spam.

Additionally I would like to see DNS based contact information so I can turn an IP address into an abuse email address of who to contact to stop abuse at the source. That way if I've spotted a spambot I can send an automated message to someone who can fix the problem at the source.

I am currently tracking 1,624,019 virus infected computers who tried to send spam through our system in the last 5 days. If I had a way of sending automated abuse complaints to the right people I could shut down over 1.5 million spambots.

I believe that the war against the spam bot armies is something that is winnable and that is can be done without compromising the privacy and liberties of ordinary people. I am hoping that after some hard work and using good reasoning that we can come to a consensus on the right solution, implement it, and win. Quite frankly I would like to put myself out of business because the problem I am solving has gone away.

Dave Piscitello

July 2008

My interest is to see that policies emerge from the WG that assure (to the extent possible) that the DNS and registration services are not used to abet malicious or criminal activities. If policy recommendations emerge from the group, I am also interested in assuring that they preserve the

protocol integrity and operational stability of the DNS. I do not believe that recommendations from the group should impose constraints that would interfere with legitimate uses of DNS protocol.




Rod Rasmussen

July 2008

President and CTO, Internet Identity

Co-Chair, Anti-Phishing Working Group: Internet Policy Committee (APWG IPC)

Neither myself or my company have any ICANN/GNSO constituency membership at this time - we're trying not to "pick sides" on these abuse issues that affect all constituencies!

Both my company and the various industry organizations I am a leader and/or active within (APWG, MAAWG, Digital Phish-net, AOTA) are very concerned with the rapid rise in DNS manipulation techniques being used by phishers and e-criminals to perpetuate fraud, crime, and wide abuse across the Internet. Fast Flux, and various other types of DNS "flux" techniques are being used by the largest proliferators of spam, phishing, and other net abuse, and are tied to organized crime elements throughout the world. The nature of these attacks makes mitigation and prevention nearly impossible without the close involvement of the domain registration community, and their use is growing rapidly, with thousands of fraudulently registered domains in- use daily utilizing them. We wish to engage this community to work on policies to address these types of abuse in a manner that will be highly effective, sustainable, and flexible enough to work as the criminals change their tactics. At the same time, we realize that there are drawbacks and costs associated with any new policy and those need to be balanced to come up with solutions that work for all.

I am one of the principal partners of Internet Identity with a very large (but non-majority) portion of its ownership, and am thus materially impacted by the company's financial performance. Our clients are primarily in the financial services and e-commerce sectors and they and their customers are the victims of phishing and other online crime attacks. A large percentage of these clients are directly impacted by fast-flux based phishing attacks and part of the work we are paid to perform on their behalf is mitigating the actual attacks and working towards long-term solutions for these problems. Successfully addressing these issues from a policy perspective is both a potential financial gain and loss, as the benefits of our long-term role would be to some extent offset by lost revenue "opportunities" individual fast flux attacks present to our company's mitigation service. Due to the nature of our work, many of our clients fall into the Business and/or IP constituency area of the GNSO umbrella (and several companies who employ us are members), but we also perform substantial work for domain registrars, domain registries, and ISPs, all of whom have membership within their respective GNSO constituencies.

Mike Rodenbaugh

http://gnso.icann.org/council/soi/rodenbaugh-soi-09jul08.shtml

Joe St. Sauver

July 7, 2008



I'm participating in the ICANN fastflux group solely in an individual capacity and not representing any ICANN constituency, and any/all opinions I express while doing so are strictly my own and not necessarily those of any other organization I may be involved with.

As a matter of professional identification, I am security programs manager, Internet2, work which is done through the University of Oregon.

As such I have an intrinsic interest in improving system and network security.

I am also a senior technical advisor for the Messaging Anti-Abuse Working Group (MAAWG). In that capacity, I have a interest in combating spam and other messaging abuse, including fastflux and domain name-related abuse.

For additional background on the perspective I bring to this issue, some talks I've previously given are available at http://www.uoregon.edu/~joe/



Wendy Seltzer

July 9, 2008

I participate in this working group as an individual interested in the effective functioning of the Internet as an end-to-end neutral platform on which a variety of speech and services can be deployed. I am particularly concerned that measures to combat abuse not have the unintended consequences of inhibiting legitimate use of network resources or burdening neutral provision of service.

I serve as ALAC's liaison to the ICANN Board, but have not yet been asked by ALAC to participate on its behalf. I have no commercial interests in this area.



Ihab Shraim

July 2008

I am the Chief Security Officer, Vice President of Network & System Engineering of MarkMonitor, Inc., a global enterprise Brand protection company, offering an integrates suite of products to include Anti-Phishing Solutions, Corporate Domain Registration Services, and Online Trademark Protection Solutions. I am responsible for the Engineering and Operations of the Anti-fraud product line where at the core the Security Operation Center detect, monitor and shutdown all types of phishing attacks against the world’s largest brands. Furthermore, the SOC hazels on a daily basis large volumes of Phish attacks such as Rock Phish and Malware centric attacks which utilizes Flux Networks.

MarkMonitor is also an ICANN accredited registrar. MarkMonitor is an active contributor to the APWG and is a member of the Registrar’s Constituency and the Intellectual Property Constituency. MarkMonitor is interested in participating in this group to share its experience and insight in tackling phishing attacks involving fast-flux networks.

Randal Vaughn

July 9, 2008

I am a professor of Information Systems at Baylor University. I conduct research in counter eCrime with a specialization in identifying, demographically mapping and reporting malicious Internet domains and activities. My interests are motivated by the recognition of the dependence of commerce and global communications on the Internet

infrastructure and the needs of society to protect itself from harm.

I am not currently a member of any ICANN Constituency. I do, however, actively cooperate with individuals and corporations who share my concerns for the safety and security of the Internet infrastructure and of Internet-

based commerce by providing research or other support when possible.

I perceive a need for ICANN and registry/registrar policies directed towards increasing Internet security by specifically addressing the abuse of 'fast-fluxed' domains in a manner that will not damage legitimate use of

domain name system capabilities. Without such suitable policies, abusive fast-flux domains will continue to operate in a risk-free manner which will inevitably result in increased loss to personal and commercial interests.

Steven Vine
July 2008

I am a full-time employee of Register.com, Inc., which is an ICANN-accredited registrar. Register.com is a member of the Registrars Constituency, and conducts business with all major gTLD and ccTLD registries.

My position with Register.com is deputy general counsel for Register.com. In addition to general legal matters, my responsibilities include ICANN policy and compliance matters and oversight of our abuse team. I also represent Register.com on the Registrar Constituency.



Eric Brunner-Williams - resigned from the working group

9 October 2008
http://forum.icann.org/lists/gnso-ff-pdp-may08/msg00684.html July 2008

July 2008

I am Chief Technical Officer for CORE, an ICANN accredited registrar (IANA-15) , and I operate USA Webhost, also an ICANN accredited registrar (IANA-439), and a CORE member company (CORE-124). CORE also provides registry backend technical services to several registries.

Neither CORE, nor USA Webhost, registrars, nor CORE as a registry backend service provider, have any financial interest in "flux" or "fast flux".

I am not an officer, director, consultant, or employee of any other member of the Registrar Constituency or Registry Constituency or any other ICANN Constituency.