[gnso-ff-pdp-may08] Text for Section 5.4
- To: Fast Flux Workgroup <gnso-ff-pdp-May08@xxxxxxxxx>
- Subject: [gnso-ff-pdp-may08] Text for Section 5.4
- From: Dave Piscitello <dave.piscitello@xxxxxxxxx>
- Date: Wed, 29 Oct 2008 09:56:06 -0700
Here is the text we propose to insert in the report for Section 5.4
------------------ begin --------------
The WG has no hard evidence that any registrar intentionally facilitates
fast flux hosting attacks. However, registrars become targets for
registration abuse (and abuse of registered domain names) when attackers
discover they can exploit weaknesses in the registrar's registration
services and internal processes. The attackers' objectives are in most cases
to gain control of a customer's domain account so that he can use the domain
names and name servers as resources for a subsequent attack, i.e., by
modifying or adding name servers that host zone files of domain names used
in phishing and other forms of attack that employ domain names.
Some of the known attack vectors are mentioned below:
- attackers scan registrar web sites to identify web application
vulnerabilities. They exploit vulnerabilities in registration web pages to
gain unauthorized access to existing customer accounts.
- attackers impersonate registrars using phishing techniques. A
registrar-impersonating phisher tries to lure a registrar's customer to a
bogus copy of the registrar's customer login page, where the customer may
unwittingly disclose account credentials to the attacker who can then modify
or assume ownership of the customer's domain names (See SAC 028 at
http://www.icann.org/committees/security/sac028.pdf).
- Attackers will brute force customer account credentials when they detect
that no countermeasures are implemented to block account access after
repeated attempts to login have failed.
- Attackers may attempt to coerce or socially engineer help desk and support
staff into making changes to customer accounts, or to grant access without
proper identification and credentials.
- Attackers may create customer accounts using false credentials and stolen
credit cards. They register domain names under this account and submit
incomplete, inaccurate and intentionally fraudulent registration contact
information. Attackers target registrars who they have determined have
insufficient measures to validate or verify information the customer submits
when he completes a registration information form. In certain cases,
attackers will initially submit superficially valid whois (e.g., the
information may correspond to the credit card holder). Once the domains are
created, the attacker returns to falsify contact information so that the
contact information is not obviously linked to the credit card holder in
displayed WHOIS information.
This list is representative but not exhaustive. The above mentioned attacks
are also used to gain administrative control over domain names for purposes
other than fast flux attacks. For example, any attack that allows an
attacker to control a domain name can be used to facilitate a web defacement
attack or other forms of denial of service attack involving domain names and
DNS.
Registrars are directly involved in assisting customers who use certain fast
flux hosting techniques in production networks for self-beneficial purposes
(and without harmful impact on others). In most cases, the registrar
provides such customers with the ability to identify name servers and
addresses for name servers. In some cases, i.e., when the registrar provides
name service for the customer, the registrar allows the customer to set the
TTL parameter for name server records to arbitrarily small values.
Some registrars are aware of the range of attacks that can be perpetrated
against registrars and customers, and take proactive measures to protect
themselves and their customers from attacks of the nature described above.
Some of these are done as part of a general abuse prevention service while
others are premium services that pay particular attention to customers that
have high profile or high value domain name portfolios. Examples of such
measures are mentioned below:
- certain registrars provide a brand equity protection service. They
proactively study domain name registrations to identify and block
attempts to mimic or abuse IP, brands, copyrights and trademarks.
- certain registrars monitor and limit DNS configuration changes for name
servers that are to be included in TLD zone files. They may limit frequency
of change, minimum TTL parameter values, number of DNS changes in a given
time period, and total number of name servers that can be created for a
given domain name.
- abuse and brand protection staff of certain registrars work in cooperation
with contracted parties and self-help groups to identify domain names and IP
addresses of systems that appear to be participants in fast flux attacks.
They correlate the IP addresses with routing information (ASNs), domains and
hyperlinks found in blacklisted phish email messages and work cooperatively
with registries to suspend or delete domains used in harmful attacks. Some
registrars work with ISPs, hosting service providers, system administrators
whose systems have been compromised and used to host fraudulent web sites to
mitigate the effects of the attacks.
- certain registrars offer customized domain name administration services to
protect registrants from unauthorized access and misuse of that registrant's
domains. Such services prevent fast flux attackers from using domains that
are perceived as legitimate by black listing services and consumers for
harmful purposes.
The above mentioned protection services do not focus specifically on
mitigating fast flux attacks, but more broadly on protection from domain
hijacking, malicious configuration of DNS, and brand protection.
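The registrar-side limits described above (frequency of name server changes, a minimum TTL, a cap on changes per period and on the number of name servers per domain) can be checked mechanically over a registrar's change log. The following Python is an added illustration, not text or code from the working group or from any registrar; the policy thresholds and the change events are constructed values chosen only to show the checks firing.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NsChange:
    domain: str
    ts: int                 # seconds since epoch (constructed sample values)
    nameservers: tuple      # full NS set in effect after this change
    ttl: int                # TTL requested for the NS records

# Assumed thresholds; the WG text names the controls but no specific values.
POLICY = {
    "min_ttl": 300,          # floor on NS record TTL
    "min_interval": 3600,    # seconds that must elapse between changes
    "max_changes": 3,        # changes allowed per window
    "window": 86400,         # rolling window in seconds
    "max_nameservers": 6,    # name servers allowed per domain
}


def evaluate(events, policy=POLICY):
    """Return {domain: [(code, detail), ...]} for every domain that breaks
    a rule. Domains with no violations do not appear in the result."""
    findings = defaultdict(list)
    history = defaultdict(list)          # domain -> prior accepted changes
    for ev in sorted(events, key=lambda e: e.ts):
        prior = history[ev.domain]
        if ev.ttl < policy["min_ttl"]:
            findings[ev.domain].append(("ttl_below_floor", ev.ttl))
        if len(ev.nameservers) > policy["max_nameservers"]:
            findings[ev.domain].append(("too_many_nameservers", len(ev.nameservers)))
        if prior and ev.ts - prior[-1].ts < policy["min_interval"]:
            findings[ev.domain].append(("change_too_soon", ev.ts - prior[-1].ts))
        recent = [p for p in prior if ev.ts - p.ts < policy["window"]]
        if len(recent) + 1 > policy["max_changes"]:
            findings[ev.domain].append(("too_many_changes", len(recent) + 1))
        prior.append(ev)
    return dict(findings)


# Constructed change log: one quiet domain and one that rotates name servers
# every few hours with a tiny TTL, the pattern the controls are meant to catch.
SAMPLE = [
    NsChange("example.com", 1000, ("ns1.example.net", "ns2.example.net"), 3600),
    NsChange("bad-example.com", 1000, ("ns1.a.example", "ns2.a.example"), 60),
    NsChange("bad-example.com", 2800, ("ns3.b.example", "ns4.b.example"), 60),
    NsChange("bad-example.com", 8200, ("ns5.c.example",), 60),
    NsChange("bad-example.com", 15400, tuple(f"ns{i}.d.example" for i in range(7)), 60),
]
```

Running `evaluate(SAMPLE)` flags only `bad-example.com`, once for each TTL below the floor, once for the change made 1800 s after the previous one, once for the fourth change inside the window and once for exceeding the name server cap.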