The Registrants question (was: Re: [gnso-ff-pdp-may08] Draft - How are registrants affected by fast flux hosting?)
- To: Dave Piscitello <dave.piscitello@xxxxxxxxx>
- Subject: The Registrants question (was: Re: [gnso-ff-pdp-may08] Draft - How are registrants affected by fast flux hosting?)
- From: Eric Brunner-Williams <ebw@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 17 Jul 2008 06:39:11 -0400
There are on the order of 100 million registrations. As of June's VGRS
published data is 162 million, but 100 million is a nice round number.
Assuming half are artifacts of gaming Google, typos, and expiries, that
is "tasting", which I don't know to be true or false, but to a first
order, significantly reduces the universe of registrants, then further
assuming half of what's left are, on average, second or subsequent
registrations by registrants, again, which I don't know to be true or
false, that leaves a universe of 25,000,000 registrants. To be utterly
arbitrary and capricious, let's assume that even that number is off by a
multiple of 25 and there really are only 1,000,000 registrants.
Just a million.
Off list, Jose Nazario was kind enough to provide on the order of 10,000
domains, previously or currently meeting his metrics (reasonable ones)
for being relevant to this working group.
Just ten thousand.
So the probability of a registrant ever being affected, assuming that
all domains of interest were taken from registrants by any means, by
fastflux, is .01,
Just one in a hundred.
If the rounding and assumptions above are discarded, with the exception
that the assumption that all domains of interest were taken from
registrants by any means, which is retained, the probability of affect
is .00006
So when we chat about the harm to registrants, meaning somehow the
direct harm to registrants by the operations of third-parties whose
activities meet the (still murky) definition of "fastflux", it would be
helpful to distinguish direct harm which appears so statistically small
as to be difficult to detect by even very large random samples, and
indirect or conjectured harm.
Harmful, but wicked rare. As a motivation for policy development, I
don't think it is compelling. Of course, there may be better (smaller)
estimates of the size of the universe of registrants, and better
(larger) estimates of the number of domain names used by activities
which meet the (still murky) definition of "fastflux", and correction is
welcome.
Eric
Dave Piscitello wrote:
By registrants, we are talking about all these cases, correct?
- individuals who register a domain name for mail purposes only
(e.g., <given_name>@<family_name>.name)
- individuals who register a domain name for personal web
- individuals who register a domain name for small business web
- organizations that register domain names for
* mail purposes only
* other non-web purposes
* web presence, commerce, publishing, marketing etc.
* speculation (secondary market)
* monetization (and tasting)
* Intellectual Property and brand protection
- outsourcing companies (e.g., web hosting providers, MS Exchange/email
providers)
Let's begin with harm.
1) All these parties are vulnerable to attacks designed to compromise the
registrant's domain account so that the domain names can be used to abet
fast flux (e.g., the attacker hacks example.com's registration account, adds
or modifies NS, MX and A records of these "reputable" domains).
Such attacks have several consequences to the domain name registrant,
depending on how the name is abused. Examples: if the domain is used to
resolve names to systems that host illegal web activities, the registrant
may experience loss of service at his legitimate sites, damage to
reputation, loss of business presence and revenue. If the name is used to
relay spam, the domain may be blocklisted thereby disrupting the
registrant's email service.
2) Many of the above parties are vulnerable to attack by parties who might
seek to gain administrative control of the registrant's legitimate web
presence so that it can serve as a host for illegal activities, since the
registrant's reputation enhances the deception. (This does not require
compromise of the registrant's domain registration account.)
3) A registrant whose web presence is compromised and subsequently used
for serious criminal activities may be encumbered by an extensive
investigation by LEAs; for example, if child pornography was uploaded to the
site. The registrant or hosting company bears the costs associated with
cooperating/complying with the investigation, e.g., it may have to
(temporarily) replace assets seized to restore service. Part of the "clean
up" may require extensive customer-facing tasks - assisting in the
restoration of accounts, recovery of (financial) assets. It may have to deal
with regulators if the attack caused the registrant to fall out of
compliance with a regulation or law.
On 7/14/08 8:30 AM, "Mike O'Connor" <mike@xxxxxxxxxx> wrote:
This is an email to kick off a draft answer to the question "How are
registrants affected by fast flux hosting?"
I'm just seeding the discussion, not writing a draft for people to
shoot at. Mostly because I can't come up with any
"registrant-specific" impacts from fast-flux.
Please help!
m