ICANN Email List Archives

[fast-flux-initial-report]


fast flux report comment

  • To: fast-flux-initial-report@xxxxxxxxx
  • Subject: fast flux report comment
  • From: RAS 230 <ras230@xxxxxxxxx>
  • Date: Thu, 29 Jan 2009 18:23:55 -0600

Full disclosure: I work for an ISP and deal with internet abuse issues
(including fast flux domains) on a daily basis.

While I haven't yet seen a legit fast flux domain, there are enough
valid reasons for short TTL values that policies against them should
be avoided, as should anything that would force *everyone* who wants
to set up a domain to jump through hoops or pay additional fees.

In the end, the best way to address this may be to start with
registrars who are not able to quickly identify and take down these
domains because they will typically not improve unless they are forced
to or it suddenly becomes more profitable to deal with these problems
than it is to ignore them whenever they can.

The report may say that registrars and resellers only "have the
appearance of facilitation of fast flux domain attacks", but the fact
is that they have created an environment that invites abuse. They too
often simply do not maintain staff and policies adequate to prevent
even the most blatant abuses from taking place.

When you see domains being registered like cheapviagra.me.uk,
wachoviaonlineupdate.com, or paypalseccenter.com it should be obvious
at a glance that something is suspicious, but registrars are all too
happy to charge a credit card for them and then sit back and wait for
other people to report that they are used for fraudulent activity.

A responsible registrar should be asking some real hard questions
before allowing those kinds of domains to be set up in the first place,
and even then keeping an eye on the ones that seem suspect. Doing that
type of thing will cost money, however, and registrars would too often
rather be willfully ignorant of the abuses taking place with these
domains than allow anti-abuse measures to dip into profits. To judge
by the large number of registrars and resellers, it's been working out
very well for them, but it's been costing the rest of us.

I see the same problem with ISPs who generally do not willingly
dedicate enough resources to anti-abuse measures either. The
difference is that while ICANN can encourage ISPs to be more
responsible, they can do a fair bit more with regard to registrars.

ICANN should take a more active role by encouraging, tracking, and
publishing reports of registrars who are slow to act on abusive
domains and should be much more aggressive in dealing with registrars
who generate large numbers of complaints.

By requiring registrars to be more responsible and proactive, the
number of fast flux domains that go live will drop and the much needed
processes and policies which they should have been developing all
along will now be in place so they can quickly handle any kind of
abuse as soon as it is reported to them.

