RE: Fast Flux Hosting Initial Report
- To: <fast-flux-initial-report@xxxxxxxxx>
- Subject: RE: Fast Flux Hosting Initial Report
- From: "Orbeton, Jon" <jorbeton@xxxxxxxxxx>
- Date: Fri, 13 Feb 2009 21:28:08 -0700
Dear Sirs:
Thank you for the privilege of commenting on the report published 26-JAN-2009
entitled "Initial Report on Fast Flux Hosting." I would like to specifically
focus on Section 7, page 8 which states:
What technical (e.g. changes to the way in which DNS updates operate)
and policy (e.g. changes to registry/registrar agreements or rules
governing permissible registrant behavior) measures could be
implemented by registries and registrars to mitigate the negative
effects of fast flux?
The report provides various enhancement suggestions to existing systems in
order to respond to the fast-flux risk. Of the suggestions provided, I have
highlighted those that seem the most relevant or could provide a significant
benefit:
o Make additional non-private information about registered
domains available through DNS based queries;
o Publish summaries of unique complaint volumes by registrar,
by TLD and by name server;
o Cooperative, community initiatives designed to facilitate
data sharing and the identification of problematic domain names.
o Stronger registrant verification procedures.
o Adopt accelerated domain suspension processing in collaboration with
certified investigators / responders;
If implemented properly, these specific enhancements could significantly reduce
the risk created by fast-flux networks.
As an example, I would draw your attention to the paradigm used by the Better
Business Bureau (BBB). The BBB exists to provide consumers with direct and
quantified evidence on various businesses and the level of complaints a
business receives.
The BBB exists to provide consumers with pre-purchase decision information as
well as resolving conflicts that occur during business engagements. Consumers
can file post-purchase complaints; the BBB will facilitate communication with
the business and the consumer and ensure some type of resolution that addresses
the concerns of both parties.
It is this resolution of conflict between the two parties that ICANN could
step in to facilitate using some of the suggestions the report has already
identified and I've highlighted above. This is not in the buyer/seller respect,
but to ensure responsiveness by registrars and IP space owners to complaints,
resolving outstanding complaints, and monitoring the level of complaints
between the registrars you are approving and other entities on the Internet.
A similar model is now used in the existing ICANN "Uniform Domain-Name
Dispute-Resolution Policy." Quoting this policy: "Under the policy, most types
of trademark-based domain-name disputes must be resolved by agreement, court
action, or arbitration before a registrar will cancel, suspend, or transfer a
domain name."
A similar approach could be taken with registrars/IP space owners who are
non-responsive to wide scale and numerous abuse complaints to ensure resolution
of conflict and suppress the current growth of recalcitrant registrars/IP space
owners (of which there are few, but they do exist) and those parties who are
negatively impacted by the lack of response and action on the part of those
registrars or IP space owners.
Take the example of fast-flux phishing. There are registrars who will respond
quickly to abuse complaints and notices of the malicious activity, while other
registrars take no action whatsoever. Those that take no action become known to
the Internet Underground and groups who conduct phishing attacks as "phishing,
DDoS, and attack friendly." This has become so commonplace today, there is a
strong perception that the business model of some registrars is based on
providing services to those engaged in criminal activities.
Furthermore, many abuse departments have essentially given up reporting abusive
activities to the registrar/IP space address owner involved because they know
the registrar/owner will not take action. Registrars and IP space owners cannot
be the sole entity responsible for resolving conflict or self-policing.
Regardless of whether they can't respond, won't respond, or don't care to
respond, we believe that the health of the Internet ecosystem demands that
there must be some deterrent to no response and no action.
While the subject of regulations and governance of the Internet can be complex,
our society regulates numerous things -- especially when risk of
financial/physical harm is possible. We allow people to drive vehicles (an
inherently unsafe activity), yet we govern and regulate how these vehicles are
operated. One key principle is that these activities are viewed as privileges,
not rights.
I would implore ICANN to consider as a first step, rapid implementation of the
suggestions already called out within your own report along with the
establishment of an Advisory Board on how to continually improve these
suggestions. Registrars and IP space owners are granted significant power
within a system that requires cooperation and trust. Those organizations who
cannot operate and conduct themselves in such a way as to facilitate the
required cooperation and trust should not be granted the fundamental privilege
of naming and numbering.
While most abuse problems can be addressed through the conventional means that
are already established, there are those instances which cannot -- it is those
instances ICANN must address.
Fast-flux is a hostile attack technique deliberately designed to facilitate
criminal activity. There are some registrars and IP space owners who will not
respond to abuse complaints and who passively through inaction, or actively
through outright cynicism and seeking of criminal customers. That small
number of companies which facilitate these attacks must face stiffer
consequences. Today they simply obtain a "bad name" within the Internet
security community and the nickname "bullet-proof registrar/webhost" within the
underground. This must change.
Thank you,
Jon Orbeton
Information Security Engineer
PayPal, an eBay company