ICANN ICANN Email List Archives


<<< Chronological Index >>>    <<< Thread Index >>>

The Registrants question (was: Re: [gnso-ff-pdp-may08] Draft - How are registrants affected by fast flux hosting?)

  • To: Dave Piscitello <dave.piscitello@xxxxxxxxx>
  • Subject: The Registrants question (was: Re: [gnso-ff-pdp-may08] Draft - How are registrants affected by fast flux hosting?)
  • From: Eric Brunner-Williams <ebw@xxxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 17 Jul 2008 06:39:11 -0400

There are on the order of 100 million registrations. As of June's VGRS published data is 162 million, but 100 million is a nice round number. Assuming half are artifacts of gaming Google, typos, and expiries, that is "tasting", which I don't know to be true or false, but to a first order, significantly reduces the universe of registrants, then further assuming half of what's left are, on average, second or subsequent registrations by registrants, again, which I don't know to be true or false, that leaves a universe of 25,000,000 registrants. To be utterly arbitrary and capricious, lets assume that even that number is off by a multiple of 25 and there really are only 1,000,000 registrants.

Just a million.

Off list, Jose Nazario was kind enough to provide on the order of 10,000 domains, previously or currently meeting his metrics (reasonable ones) for being relevant to this working group.

Just ten thousand.

So the probability of a registrant ever being affected, assuming that all domains of interest were taken from registrants by any means, by fastflux, is .01,

Just one in a hundred.

If the rounding and assumptions above are discarded, with the exception that the assumption that all domains of interest were taken from registrants by any means, which is retained, the probability of affect is .00006

So when we chat about the harm to registrants, meaning somehow the direct harm to registrants by the operations of third-parties who's activities meet the (still murky) definition of "fastflux", it would be helpful to distinguish direct harm which appears so statistically small as to be difficult to detect by even very large random samples, and indirect or conjectured harm.

Harmful, but wicked rare. As a motivation for policy development, I don't think it is compelling. Of course, there may be better (smaller) estimates of the size of the universe of registrants, and better (larger) estimates of the number of domain names used by activities which meet the (still murky) definition of "fastflux", and correction is welcome.


Dave Piscitello wrote:
By registrants, we are talking about all these cases, correct?

- individuals who register a domain name for mail purposes only
  (e.g., <given_name>@<family_name>.name
- individuals who register a domain name for personal web
- individuals who register a domain name for small business web
- organizations that register domain names for
  * mail purposes only
  * other non-web purposes
  * web presence, commerce, publishing, marketing etc.
  * speculation (secondary market)
  * monetization (and tasting)
  * Intellectual Property and brand protection
- outsourcing companies (e.g., web hosting providers, MS Exchange/email

Let's begin with harm.

1) All these parties are vulnerable to attacks designed to compromise the
registrant's domain account so that the domain names can be used to abet
fast flux (e.g., the attacker hacks example.com's registration account, adds
or modifies NS, MX and A records of these "reputable" domains).

Such attacks have several consequences to the domain name registrant,
depending on how the name is abused. Examples: if the domain is used to
resolve names to systems that host illegal web activities, the registrant
may experience loss of service at his legitimate sites, damage to
reputation, loss of business presence and revenue. If the name is used to
relay spam, the domain may be blocklisted thereby disrupting the
registrant's email service.

2) Many of the above parties are vulnerable to attack by parties who might
seek to gain administrative control of the registrant's legitimate web
presence so that it can serve as a host for illegal activities, since the
registrant's reputation enhances the deception. (This does not require
compreomise of the registrant's domain registration account.

3) A registrant whose web presence that is compromised and subsequently used
for serious criminal activities may be encumbered by an extensive
investigation by LEAs; for example, if child pornography was uploaded to the
site. The registrant or hosting company bears the costs associated with
cooperating/complying with the investigation, e.g., it may have to
(temporarily) replace assets seized to restore service. Part of the "clean
up" may require extensive customer-facing tasks - assisting in the
restoration of accounts, recovery of (financial) assets, It may have to deal
with regulators if the attack caused the registrant to fall out of
compliance with a regulation or law.

On 7/14/08 8:30 AM, "Mike O'Connor" <mike@xxxxxxxxxx> wrote:

This is an email to kick off a draft answer to the question "How are
registrants affected by fast flux hosting?"

I'm just seeding the discussion, not writing a draft for people to
shoot at.  Mostly because I can't come up with any
"registrant-specific" impacts from fast-flux.

Please help!


<<< Chronological Index >>>    <<< Thread Index >>>

Privacy Policy | Terms of Service | Cookies Policy