RE: Fast Flux Hosting Initial Report

["Orbeton, Jon" <jorbeton@xxxxxxxxxx>]

Dear Sirs:

Thank you for the privilege of commenting on the report published 26-JAN-2009 
entitled "Initial Report on Fast Flux Hosting." I would like to specifically 
focus on Section 7, page 8 which states:

   What technical (e.g. changes to the way in which DNS updates operate) 
   and policy (e.g. changes to registry/registrar agreements or rules
   governing permissible registrant behavior) measures could be 
   implemented by registries and registrars to mitigate the negative 
   effects of fast flux?

The report provides various enhancement suggestions to existing systems in 
order to respond to the fast-flux risk. Of the suggestions provided, I have 
highlighted those that seem the most relevant or could provide a significant 
benefit:

     o Make additional non-private information about registered 
       domains available through DNS based queries;

     o Publish summaries of unique complaint volumes by registrar,
       by TLD and by name server;

     o Cooperative, community initiatives designed to facilitate 
       data sharing and the identification of problematic domain names. 

     o Stronger registrant verification procedures.

     o Adopt accelerated domain suspension processing in collaboration with
       certified investigators / responders;

If implemented properly, these specific enhancements could significantly reduce 
the risk created by fast-flux networks. 

As an example, I would draw your attention to the paradigm used by the Better 
Business Bureau (BBB). The BBB exists to provide consumers with direct and 
quantified evidence on various businesses and the level of complaints a 
business receives. 

The BBB exists to provide consumers with pre-purchase decision information as 
well as resolving conflicts that occur during business engagements. Consumers 
can file post-purchase complaints, the BBB will facilitate communication with 
the business and the consumer and ensure some type of resolution that addresses 
the concerns of both parties. 

It is this resolution of conflict between the two parties that ICANN could 
step-in to facilitate using some of the suggestions the report has already 
identified and I've highlighted above. This is not in the buyer/seller respect, 
but to ensure responsiveness by registrars and IP space owners to complaints, 
resolving outstanding complaints, and monitoring the level of complaints 
between the registrars you are approving and other entities on the Internet. 

A similar model is now used in the existing ICANN "Uniform Domain-Name 
Dispute-Resolution Policy." Quoting this policy: "Under the policy, most types 
of trademark-based domain-name disputes must be resolved by agreement, court 
action, or arbitration before a registrar will cancel, suspend, or transfer a 
domain name."

A similar approach could be taken with registrars/IP space owners who are 
non-responsive to wide scale and numerous abuse complaints to ensure resolution 
of conflict and suppress the current growth of recalcitrant registrars/IP space 
owners (of which there are few, but they do exist) and those parties who are 
negatively impacted by the lack of response and action on the part of those 
registrars or IP space owners.

Take the example of fast-flux phishing. There are registrars who will respond 
quickly to abuse complaints and notices of the malicious activity, while other 
registrars take no action whatsoever. Those that take no action become known to 
the Internet Underground and groups who conduct phishing attacks as "phishing, 
DDoS, and attack friendly." This has become so commonplace today, there is a 
strong perception that the business model of some registrars is based on 
providing services to those engaged in criminal activities. 

Furthermore, many abuse departments have essentially given up reporting abusive 
activities to the registrar/IP space address owner involved because they know 
the registrar/owner will not take action. Registrars and IP space owners cannot 
be the sole entity responsible for resolving conflict or self-policing. 
Regardless of whether they can't respond, won't respond, or don't care to 
respond, we believe that the health of the Internet ecosystem demands that 
there must be some deterrent to no response and no action. 

While the subject of regulations and governance of the Internet can be complex, 
our society regulates numerous things -- especially when risk of 
financial/physical harm is possible. We allow people to drive vehicles (an 
inherently unsafe activity), yet we govern and regulate how these vehicles are 
operated. One key principle is that these activities are viewed as privileges, 
not rights.

I would implore ICANN to consider as a first step, rapid implementation of the 
suggestions already called out within your own report along with the 
establishment of an Advisory Board on how to continually improve these 
suggestions. Registrars and IP space owners are granted significant power 
within a system that requires cooperation and trust. Those organizations who 
cannot operate and conduct themselves in such a way as to facilitate the 
required cooperation and trust should not be granted the fundamental privilege 
of naming and numbering. 

While most abuse problems can be addressed through the conventional means that 
are already established, there are those instances which cannot -- it is those 
instances ICANN must address. 

Fast-flux is a hostile attack technique deliberately designed to facilitate 
criminal activity.  There are some  registrars and IP space owners who will not 
respond to abuse complaints and who passively through inaction, or actively 
through outright cynicism and seeking of criminal customers.  Those small 
number of companies which facilitate these attacks must face stiffer 
consequences. Today they simply obtain a "bad name" within the Internet 
security community and the nickname "bullet-proof registrar/webhost" within the 
underground. This must change.


Thank you,
Jon Orbeton

Information Security Engineer
PayPal, an eBay company