ICANN/GNSO GNSO Email List Archives

[registrars]



Re: [registrars] WG: [council] Fast Flux DNS

  • To: registrars@xxxxxxxxxxxxxx
  • Subject: Re: [registrars] WG: [council] Fast Flux DNS
  • From: DotAlliance <helen@xxxxxxxxxxxxxxx>
  • Date: Thu, 13 Mar 2008 19:04:56 -0700
  • List-id: registrars@xxxxxxxxxxxxxx
  • References: <02D96C107E1B2445B9CD5065309187C33CBCD6@boiexch1.mm-ads.com>
  • Sender: owner-registrars@xxxxxxxxxxxxxx


Tom has made some very good points.

As far as phish and other fraudulent activity detection is concerned, it is an evolving field. If we work strenuously to develop an effective scheme to stop them, we find they come up with new methods to bypass it. While I am a firm believer in using ICANN solutions, the result is likely to be outdated for the newest schemes.
I do like the idea of publishing RSS feeds, at least to ICANN registrars.
I would also very much like an informal session in which registrars can swap notes on their latest schemes. I suppose the problem is the legality of revealing specific individuals, who appear to have more legal protection than legitimate users. However, we waste a great deal of resources on developing schemes that are being duplicated, and sharing can increase the repertoire of detection schemes for all registrars. When we catch a phishing site or an obvious fraudulent credit card user, we frequently track several domain names that have been subsequently registered by other registrars. I would like a simple way of warning the other registrar, reciprocal if possible.
Email addresses that work.
Or perhaps a website that is password protected to registrars.
Registrars must agree not to give out this information outside.
Yes, I know there are various methods, as Tim has pointed out, but they do not work for all registrars, or indeed many.
Effective communication is required.
If we could agree on the appropriate wording that would avoid liability but where the underlying message is understood. Perhaps something along the lines of "we have concerns, this may warrant further investigation..."

As far as fast flux DNS is concerned, we find many users who use it simply for "free" websites; this is their way of circumventing their ISPs' use of dynamic IPs. So our current solution is to tag these, and then some poor victim has to sort through all of them and determine which to shut down!

Helen

----- Original Message ----- From: "Margie Milam" <Margie.Milam@xxxxxxxxxxxxxxx>
To: <tbarrett@xxxxxxxxxxx>
Cc: <registrars@xxxxxxxxxxxxxx>
Sent: Thursday, March 13, 2008 3:24 PM
Subject: RE: [registrars] WG: [council] Fast Flux DNS



Tom,

You raise good points regarding the lack of tools to determine whether
it is a legitimate phish and the potential liability for taking action.
These are the kinds of issues that could be addressed if registrars were
to attempt to address a phishing solution through ICANN.  Bringing
together registrars and security vendors that fight phishing would
facilitate an exchange of ideas/recommendations that are more likely to
have an impact than working with legislation written by persons
unfamiliar with registrar operations.

Also, I understand that data sharing on domain phishes is already
occurring through email lists that include many registrars.  The problem
is that there are many domestic and international registrars that either
ignore the requests or delay responding to such requests.  If a registrar
policy were developed through ICANN for domain phishes, we should expect
to see greater attention and response from registrars in shutting down
these fraudulent sites.

Margie



-----Original Message-----
From: Thomas Barrett - EnCirca [mailto:tbarrett@xxxxxxxxxxx]
Sent: Sunday, March 09, 2008 7:04 PM
To: Margie Milam; john@xxxxxxxxxxxxxxxxx
Cc: registrars@xxxxxxxxxxxxxx
Subject: RE: [registrars] WG: [council] Fast Flux DNS



Margie,

Here is my perspective, which may be shared by others: takedown requests due to alleged phishing are sometimes indistinguishable from hijacking attempts.  We do not have the right tools or resources to determine if the requestor OR the request is legitimate.  What is likely needed is a UDRP-type challenge consensus process that would eliminate any liability for registrars agreeing to such requests.

In the interim, as a registrar, I do want to know about a domain that is suspected of being used for phishing, since it will also likely result in a charge-back.  I have no problem with being notified of these suspects to determine if a charge-back is also likely.

I have a suggestion that I think would be very effective in raising the awareness among registrars about the type of domains and the frequency of this problem, and might lead to registrars being more pro-active about this issue.

Presumably, MarkMonitor and others are monitoring this problem on behalf of clients and emailing them alerts when a phishing case is detected.  Why not publish these alerts as RSS feeds so registrars could subscribe to these as well?  The feed would include the domain name, registration date and sponsoring registrar.  This would need to be done at no cost to registrars.  You could promote it to your clients as an additional benefit of your service.

I am sure that some clients feel this data should be kept confidential because that is how lawyers think.  But publicizing it may mobilize more support and help solve the problem.  You could always restrict publication to just ICANN registrars, if this is a serious concern.

best regards,

Tom



-----Original Message-----
From: owner-registrars@xxxxxxxxxxxxxx
[mailto:owner-registrars@xxxxxxxxxxxxxx] On Behalf Of Margie Milam
Sent: Thursday, March 06, 2008 1:20 PM
To: john@xxxxxxxxxxxxxxxxx
Cc: registrars@xxxxxxxxxxxxxx
Subject: RE: [registrars] WG: [council] Fast Flux DNS


John,

I don't know what "shenanigans" you refer to because I recall the APWG was pretty helpful in the domain tasting working group in issuing a report that stated that they generally did not see phishers using domain tasting in domain based phishes.  I can send you a link to that report if you would like to see it.

The APWG is not comprised of lawyers setting policy.  The participants tend to be technology types who deal with online fraud.  For example, we are a member and participate through our product managers and engineers that design and operate our anti-phishing detection and take down solutions.  GoDaddy is also a member of the APWG.  If registrars have technical objections to their recommendations, I think ICANN is the right place to have this discussion to make recommendations that help solve the problem and minimize the impact to registrar operations.  We have more control over the solution if the policy comes out of the ICANN structure as opposed to another forum.

With respect to the Anti-Phishing Bill, currently it does not deal with fast-flux issues, but it certainly could be amended to address this problem.  It includes WHOIS requirements, presumably because of the problems and roadblocks imposed by registrars in accessing this data in the past.  If registrars continue to fight proposals to address domain based phishes and continue to allow phishers to use their registration systems as a means of accomplishing their activities, we should expect that another solution, perhaps a legislative one, would be pursued.  I would think it is better for registrars to come up with a solution through ICANN than to try to revise legislative initiatives written by people that don't understand the registrar business.

I disagree with you that the issue does not affect or involve the domain business.  The issue is a problem that can be addressed by registrars because (i) preventing the domain name from resolving altogether will effectively stop the phish, and (ii) for those registrars that provide name server services, limiting the number of updates could reduce the number of IP addresses that are utilized in a phish attack.  I would like to understand why this is so objectionable -- and what registrars think would be a reasonable solution to this problem.

Margie



-----Original Message-----
From: John Berryhill [mailto:john@xxxxxxxxxxxxxxxxx]
Sent: Wednesday, March 05, 2008 9:35 PM
To: Margie Milam; 'Thomas Keller'; 'Ross Rader'
Cc: registrars@xxxxxxxxxxxxxx
Subject: RE: [registrars] WG: [council] Fast Flux DNS



The Anti-Phishing Working Group has been trying for years to get registrars to conform to their best practice approach.

Did you actually *read* the last report?

I sure did.  If recent comments about the AGP are any indication, there are a whole lot of people who didn't.

While we were sitting in the room in Delhi, and Paul Stahura was explaining how the AGP can be used to run fraud profile tests and delete names that meet fraud profiles, I was actually reading the APWG recommendation that registrars do precisely that.

Now, over in the BCISPIP cross-constituency meeting, they were discussing how use of the AGP for DOING just what the APWG was recommending was a "phony excuse" for keeping the AGP.

Sorry, but I call shenanigans here.

Let's have a rational explanation as to why elements of the GNSO are hell-bent on ELIMINATING use of one of the mechanisms recommended by the Anti-Phishing Working Group.

Is there a "ten words or less" explanation that anyone has, as to WHY the BCISPIP folks DON'T want registrars to be able to implement the fraud profile and domain deletion recommendations of the most recent APWG report?

Because if there isn't, this is the wrong place to come crying about just who is not interested in implementing the APWG recommendations.

As many of you may know, there is an anti-phishing bill introduced by Senator Snowe in the U.S. Senate that, if enacted as currently written, would impose requirements on registrars.

And the provisions of that bill relating to Fast Flux DNS are where, exactly?  The argument that an ineffective solution from the GNSO will forestall an ineffective solution from elsewhere is simply posturing.

I am convinced that too few people are capable of reading and understanding either the SSAC or APWG reports.

The issue is not "changing name servers" rapidly.  The issue is changing IP resource records and DNS records *IN* the nameservers rapidly.  It is a DNS and hosting issue, NOT a domain name registration issue.

Where this whole discussion goes into stupid overdrive is that if you want to put a choke on nameserver changes, then the choke point is at the REGISTRY.  If you believe that this issue relates to how quickly the designated nameservers are changed, then you simply roll back to what we had a few years ago, when you had to wait a few hours for batch updates to the .com (or other TLD) zone file.

I don't know if you know how any of this stuff works, but it is the data in the TLD zone file that identifies the IP addresses of the name servers in which DNS records can be found.

REGISTRARS DON'T RUN THE ZONE SERVERS.  Let those six words sink in for a few moments.  Anyone who does not understand the implications of those six words to this issue is simply not qualified to participate.

Catering to a group of lawyers who don't know how the internet works doesn't make sense.  People can have wonderful and interesting opinions about lots of things.  But if they want to participate in technical coordinating tasks relevant to a global computer network, then having a clue how that network actually works would be a great idea.

So, let's recap the agenda:

1.  The APWG wants registrars to be able to delete domain names rapidly soon after registration if fraud is detected.  Much of the GNSO would like to eliminate that capability.

2.  There is a security issue arising, in part, from too many changes being permitted to records in the TLD zone files maintained by the REGISTRIES.  Solving this problem is the responsibility of the REGISTRARS.

3.  Agreeing to an irrelevant and ineffective ICANN GNSO proposal will prevent the US Government from doing silly things.

Hey, here's a "best practice" - how about if the telcos and ISPs quit shipping everyone's phone and internet traffic to the US Government without a warrant (even a retroactive warrant).  Boy, it's a good thing we don't have outfits like that proposing ICANN policy.

Oh, wait a minute.  We do!

We obviously need better lobbyists.  ICANN participants in the other constituencies can get their very own law that permits them to engage in criminal activity with immunity, but we have to pretend to be solving a problem by agreeing to a solution that won't solve the problem, or we'll be in big trouble.







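The thread turns on a distinction that John Berryhill spells out: a domain whose delegated nameservers change at the registry is a different thing from a domain whose nameservers serve rapidly changing A records with short TTLs, and only the second is "fast flux". The following is an added illustration written for this archive page, not code from any of the participants or from ICANN, APWG or MarkMonitor. It runs a simple heuristic over constructed passive-DNS-style observations (domain, record type, answers, TTL, timestamp) and reports, per domain, whether churn is happening in the delegation (NS set) or inside the zone (A records). The two sample domains, the IP addresses, the nameserver names and the thresholds in `classify` are all assumptions chosen for the example; a real deployment would tune thresholds against its own resolver or sensor data.

```python
"""
Heuristic fast-flux detector over passive-DNS-style observations.

Separates two kinds of churn that are easy to conflate:
  * delegation churn: the NS set for the domain changes (a registry-level
    event, visible in the TLD zone file)
  * in-zone churn: the A records served *by* the domain's nameservers change
    rapidly with short TTLs (a hosting/DNS event, which is what "fast flux"
    refers to)
All observations below are constructed sample data, not real measurements.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ts: int          # seconds since epoch (constructed)
    domain: str
    qtype: str       # "A" or "NS"
    rdata: tuple     # sorted tuple of answers seen in the response
    ttl: int


def build_sample() -> list:
    """Constructed observations: one fluxing domain, one stable domain."""
    obs = []
    base = 1_000_000
    # fluxy.example (assumed name): A answers rotate through a pool of 12
    # addresses every 5 minutes with a 300 s TTL; the NS set never changes.
    pool = ["198.51.100.%d" % i for i in range(1, 13)]
    flux_ns = ("ns1.flux-host.example", "ns2.flux-host.example")
    for k in range(12):
        ips = tuple(sorted(pool[(k + j) % len(pool)] for j in range(3)))
        obs.append(Observation(base + 300 * k, "fluxy.example", "A", ips, 300))
        obs.append(Observation(base + 300 * k, "fluxy.example", "NS", flux_ns, 3600))
    # steady.example (assumed name): moves to a new hosting provider once
    # (an ordinary delegation change) while its A record never moves.
    old_ns = ("ns1.old-host.example", "ns2.old-host.example")
    new_ns = ("ns1.new-host.example", "ns2.new-host.example")
    for k in range(12):
        ns = old_ns if k < 6 else new_ns
        obs.append(Observation(base + 300 * k, "steady.example", "A", ("203.0.113.10",), 3600))
        obs.append(Observation(base + 300 * k, "steady.example", "NS", ns, 3600))
    return obs


def summarize(observations, domain: str) -> dict:
    """Per-domain churn statistics, split by record type."""
    by_type = defaultdict(list)
    for o in sorted(observations, key=lambda o: o.ts):
        if o.domain == domain:
            by_type[o.qtype].append(o)

    def changes(seq):
        # number of times consecutive answers differ
        return sum(1 for a, b in zip(seq, seq[1:]) if a.rdata != b.rdata)

    a_obs, ns_obs = by_type["A"], by_type["NS"]
    return {
        "distinct_ips": len({ip for o in a_obs for ip in o.rdata}),
        "a_changes": changes(a_obs),
        "min_a_ttl": min((o.ttl for o in a_obs), default=None),
        "ns_changes": changes(ns_obs),
    }


def classify(stats: dict, min_ips: int = 6, max_ttl: int = 600, min_changes: int = 3) -> str:
    """Label the churn pattern. Thresholds are assumptions for the example."""
    in_zone_flux = (
        stats["distinct_ips"] >= min_ips
        and stats["min_a_ttl"] is not None
        and stats["min_a_ttl"] <= max_ttl
        and stats["a_changes"] >= min_changes
    )
    if in_zone_flux:
        return "in-zone flux"
    if stats["ns_changes"] > 0:
        return "delegation change only"
    return "stable"


def run(observations=None) -> dict:
    """Map each observed domain to its churn label."""
    observations = build_sample() if observations is None else observations
    domains = sorted({o.domain for o in observations})
    return {d: classify(summarize(observations, d)) for d in domains}


if __name__ == "__main__":
    for domain, label in run().items():
        print(f"{domain:16s} {label}")
```

Note that the delegation-only case is not flagged as flux even though something about the domain changed: a registrar-side throttle on nameserver updates would have touched `steady.example` and left `fluxy.example` alone, because the churn there is entirely inside the zone served by nameservers the registrar does not operate.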





