ICANN Email List Archives

[gnso-ff-pdp-may08]



Re: [gnso-ff-pdp-may08] Choke points

  • To: George Kirikos <fastflux@xxxxxxxx>
  • Subject: Re: [gnso-ff-pdp-may08] Choke points
  • From: Marc Perkel <marc@xxxxxxxxxx>
  • Date: Thu, 07 Aug 2008 21:00:07 -0700



George Kirikos wrote:
> Hi Marc,
>
> Without responding to every point:

> On Thu, Aug 7, 2008 at 10:14 PM, Marc Perkel <marc@xxxxxxxxxx>
>> I'm not reporting the bots. I'm reporting what the spam from the bots link
>> to. They all link to fakebank.com. So if we kill the domain fakebank.com
>> then the fraud is stopped. If the spam gets through and they click on the
>> link and fakebank.com has been disabled at the registry then nothing
>> happens.

> Right, however, one needs to be careful about situations like Joe Jobs
> where the bad guys send out 10 million emails pretending to be Marc
> Perkel's spam filtering company, linking to your website, and then
> trying to get you shut down. I'm sure you'd want your registrar making
> that decision manually, and not some automated system that can be
> gamed. You'd want to be white-listed.
Except that junkemailfilter.com is 3 years old, which would prevent it from being shut down using automation. And we can establish a number of other whitelist rules to prevent this kind of gaming from working.
>> Actually that is the choke point because in one place you can shut them down
>> worldwide.

> True, but that also creates the potential danger when the wrong sites
> get shut down world-wide by mistake.
Yep - and that's why we need a good rule system and reporting method that actually works and is actually accurate. This is something that we can set up and run tests on before making it active. When we can see that we have the accuracy we need the registrars can choose to activate it.

>> If these domains are shut down in minutes after they are used then it
>> becomes useless. If someone is registering domains that fast then the
>> registrar should disallow that. I don't think that a bot net can operate that
>> quickly.

> The only way they are going to be shut down in minutes is if the
> system is fully automated, and that is never going to be perfect. Usually
> it's Hollywood movies like 2001 (Hal) or Terminator (Skynet) that
> start off with "perfect" automated systems as their premise.
All it has to do is be "perfect" with respect to false positives. Or - if we limit automated take downs to very new domains (under 5 days old?) then a false positive wouldn't do as much damage.

>> The registry is the only single point where they (fakebank.com) can be shut
>> down globally with a single change.

> No one disagrees with that. It's a question of who pulls the trigger,
> on what basis, and who is liable when someone gets damaged because
> they got shut down negligently.
I want to point out at this point that "mistakenly" and "negligently" are very different. I think negligence of anyone implies perhaps liability. As to mistaken, I'm not sure that would, as long as the registrar takes reasonable precautions. My suggestion is to create as good of tools as we can and if the registrar is comfortable with the system they can choose to use it. And - important point - registrars are not required to participate. The idea is to do this so well that registrars would all want to do it.
>> (FF domains not being used for fraud would not be affected because there
>> wouldn't be a spam campaign driving it. So free speech is safe from this
>> method.)

> Right, so enemies of free speech would never spam in the name of their
> target, in order to frame someone:
>
> http://en.wikipedia.org/wiki/MediaSentry
Quite frankly if I were running a registry and a free speech enemy gamed the system like that I would take down their domain. Gaming the system I would think would also be easily detectable. The perp would have to be in control of the spam bot armies.
> "The company provides several services for this purpose, such as
> monitoring popular forums for copyright infringement, aid in
> litigation, early leak detection, flooding torrents via DDoS attacks,
> and the distribution of decoy files."

If I were a registrar and a domain registered through me used DDoS I would take them down.
> http://en.wikipedia.org/wiki/MediaDefender
>
> "Revision3 CEO Jim Louderback accused MediaDefender of injecting its
> decoy files into Revision3's BitTorrent service through a
> vulnerability, then automatically perpetrating the attack after
> Revision3 increased security."
>
> Suppose Pirate Bay (or a brand new torrent site) wanted to fast flux
> to increase its resilience (i.e. make itself highly available). Would
> there exist an incentive to spam in the name of that entity if you
> knew it would get it shut down by the registry, over objections of a
> registrar?
My suggestion applies to spam driven fast flux. If there is another way to drive FF then that would be a separate and additional problem to solve.
>> Getting it right means building in protections so that doesn't happen. And
>> that's doable.

> Agreed, I wouldn't be wasting my time on this list if I didn't believe
> it was doable. :)

>> People - this war is winnable if we do it right. I think that we can take
>> out 90%+ of fraud with 100% accuracy within 5 minutes. And that's a
>> conservative guess.

> I'd be careful when quoting those stats. Check out the formulas at:
>
> http://en.wikipedia.org/wiki/Bayes%27_theorem#Example_1:_Drug_testing
>
> using Bayes' theorem when you're calculating false positives. In
> particular note how:
>
> "The rarer the condition for which we are testing, the greater the
> percentage of positive tests that will be false positives."
There are classes of spam that I can block with 100% accuracy. I don't get rid of all spam but there are classes of spam where not a single one has ever made it through and no false positives. So we do this through testing. When we get the results we want then we go live. And if it doesn't work we fix it.
>> I don't know what kind of detail you all want but I think that safeguards
>> wouldn't be too hard to implement. For example, if you excluded all domains
>> over 1 year old and all domains that are paid up 1 year in advance then you
>> would eliminate false positives on almost all the important internet sites.

> Thanks for those specifics. I would agree with the above fully (it
> would not affect any of my domains). As I was mentioning a "6 day"
> waiting period (i.e. past the creation date), you're extending that to
> 1 year, with a "deposit" of another year as an economic signal.
We'll go with what works.

>> And if it does then you turn the domain back on, apologize profusely, and
>> repair the flaw that caused the problem.

> Right, that's why I've been so vocal about Afilias' .INFO policy that
> allowed it to CANCEL a domain at its discretion. Cancellation is never
> necessary (removing from the zone file is sufficient, and then that
> buys time for appeals or correcting a mistaken takedown).
I'm for automated removing of the name server info and pointing it to a nameserver for disabled domains so that it can be quickly reversed if there is a mistake. Perhaps auto cancel would happen 90 days later if the domain isn't reinstated.
>> I think if we do it right we can do it without losers. (Except of course for
>> those committing fraud.) I think that we can take down a huge number of fraud
>> operations without taking down any good sites. It isn't going to get all the
>> bad guys but it will get most of them. And I think most is a good start.

> Right, that's why I'd love to have some stats on how many "bad guys"
> are using aged domains, fresh domains, etc., to really make things
> surgically targeted.
>
> It's too bad we can't (or can we?) run "experiments" with a live
> registry. e.g. I'd be really curious as to what would happen if you
> made 1/2 the .INFO domains not resolve in the first 6 days, and the
> other 1/2 resolve immediately. Say "odd" domains starting with (A, C,
> E, ....W,Y, 1, 3, 5, 7, 9) don't resolve until after 6 days, and
> "even" domains starting with (B, D, F, ... X, Z, 0, 2, 4, 6, 8)
> resolve immediately. If you found after 3 months that all the
> abusers/fast fluxers/criminals switched to "even" domains, you've
> found a choke point. Maybe some ccTLD might want to step up to the
> plate and see what happens.....



We can run simulations. Create a system that creates a list of domains that should be shut down. Send the lists to people who verify it. Once the lists are 100% accurate then let the automation do the work.

But - let me refine my suggestions. I'm saying that we should:

1) Provide registry information by DNS that filtering operations can use.
2) Establish a standard reporting protocol to registries by qualified reporters.

I think that these two things can be done without any damage to anyone. (If I'm wrong tell me about it.) Then once these tools are in place we can do some experimenting to see what we can do with these new tools. I think we need an infrastructure first. So is there any reason not to do that?
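A worked version of the Bayes' theorem point raised in the thread (the rarer the condition, the larger the share of positives that are false), applied to an automated domain-takedown rule. This is an added example, not code from the list or either poster; the prevalence, sensitivity and specificity values are assumed for illustration, and the "under 5 days old" pre-filter is modelled simply as a higher assumed fraud prevalence in the population the rule sees.

```python
from fractions import Fraction


def positive_predictive_value(prevalence, sensitivity, specificity):
    """P(fraud | flagged) by Bayes' theorem.

    prevalence  : P(fraud) among the domains the rule is run against
    sensitivity : P(flagged | fraud), the true-positive rate
    specificity : P(not flagged | clean); 1 - specificity is the
                  false-positive rate
    """
    true_pos = prevalence * sensitivity
    false_pos = (1 - prevalence) * (1 - specificity)
    return true_pos / (true_pos + false_pos)


def takedown_outcome(n_domains, prevalence, sensitivity, specificity):
    """Expected counts when the rule is applied to n_domains.

    Returns (correct_takedowns, wrongful_takedowns, missed_fraud).
    """
    fraud = n_domains * prevalence
    clean = n_domains - fraud
    correct = fraud * sensitivity
    wrongful = clean * (1 - specificity)
    missed = fraud - correct
    return correct, wrongful, missed


if __name__ == "__main__":
    sens, spec = Fraction(99, 100), Fraction(99, 100)  # assumed rule quality
    # Constructed scenario 1: rule run over all domains, 1 in 1000 fraudulent.
    ppv_all = positive_predictive_value(Fraction(1, 1000), sens, spec)
    # Constructed scenario 2: rule restricted to domains under 5 days old,
    # where fraud is assumed to be far more common (1 in 10).
    ppv_young = positive_predictive_value(Fraction(1, 10), sens, spec)
    # Scenario 3: a rule with zero false positives (specificity exactly 1).
    ppv_perfect = positive_predictive_value(Fraction(1, 1000), sens, Fraction(1))
    for label, ppv in [("all domains", ppv_all),
                       ("under 5 days old", ppv_young),
                       ("no false positives", ppv_perfect)]:
        print(f"{label:>20}: P(fraud | flagged) = {float(ppv):.1%}")
    correct, wrongful, missed = takedown_outcome(
        1_000_000, Fraction(1, 1000), sens, spec)
    print(f"per 1,000,000 domains: {correct} correct takedowns, "
          f"{wrongful} wrongful takedowns, {missed} missed")
```

With the assumed 99%/99% rule, only about 9% of flagged domains are actually fraudulent when the base rate is 1 in 1000, but about 92% once the rule is confined to a population where fraud is 1 in 10; only a rule with no false positives at all keeps that figure at 100% regardless of base rate.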




