Re: The Registrants question (was: Re: [gnso-ff-pdp-may08] Draft - How are registrants affected by fast flux hosting?)

["Mike O'Connor" <mike@xxxxxxxxxx>]

This is the kind of thing that I'm thinking of with that Risk 
Management picture I threw up in best practices.  Here's the link to 
the picture again;
https://st.icann.org/pdp-wg-ff/index.cgi?risk_management

One way to think of that is as a 3-layer process.

Top layer -- identify and assess risk.  This last post by Eric is a 
great example of that.
Middle layer -- determine what to do about the risk.  The interesting 
piece of this layer is that there are always choice to make.  If the 
risk is improbable and the impact is small, we can just assume the 
risk and deal with it if/when it happens.  If the risk is highly 
probable and the impacts are predictable (the other extreme), we can 
buy insurance.  The other two choices (Avoid Risk and Limit Risk) 
fall in the "It depends" category.
Bottom layer -- monitor.  This is the realm of facts, and we've been 
learning a lot about what we know, and what we don't know, this week.
I don't subscribe entirely to this model, and I especially don't 
subscribe to the normal application of the model which says you start 
with the top layer and work down.  This often leads to long studies 
and delays.  I think you can start anywhere in the model and work through it.
But again, I like the direction that Eric took the conversation with 
this last post.  Thanks Eric,
m

At 05:39 AM 7/17/2008, Eric Brunner-Williams wrote:
> There are on the order of 100 million registrations. As of June's 
> VGRS published data is 162 million, but 100 million is a nice round 
> number. Assuming half are artifacts of gaming Google, typos, and 
> expiries, that is "tasting", which I don't know to be true or false, 
> but to a first order, significantly reduces the universe of 
> registrants, then further assuming half of what's left are, on 
> average, second or subsequent registrations by registrants, again, 
> which I don't know to be true or false, that leaves a universe of 
> 25,000,000 registrants. To be utterly arbitrary and capricious, lets 
> assume that even that number is off by a multiple of 25 and there 
> really are only 1,000,000 registrants.
> Just a million.
>
> Off list, Jose Nazario was kind enough to provide on the order of 
> 10,000 domains, previously or currently meeting his metrics 
> (reasonable ones) for being relevant to this working group.
> Just ten thousand.
>
> So the probability of a registrant ever being affected, assuming 
> that all domains of interest were taken from registrants by any 
> means, by fastflux, is .01,
> Just one in a hundred.
>
> If the rounding and assumptions above are discarded, with the 
> exception that the assumption that all domains of interest were 
> taken from registrants by any means, which is retained, the 
> probability of affect is .00006
> So when we chat about the harm to registrants, meaning somehow the 
> direct harm to registrants by the operations of third-parties who's 
> activities meet the (still murky) definition of "fastflux", it would 
> be helpful to distinguish direct harm which appears so statistically 
> small as to be difficult to detect by even very large random 
> samples, and indirect or conjectured harm.
> Harmful, but wicked rare. As a motivation for policy development, I 
> don't think it is compelling. Of course, there may be better 
> (smaller) estimates of the size of the universe of registrants, and 
> better (larger) estimates of the number of domain names used by 
> activities which meet the (still murky) definition of "fastflux", 
> and correction is welcome.
> Eric
>
> Dave Piscitello wrote:
> > By registrants, we are talking about all these cases, correct?
> >
> > - individuals who register a domain name for mail purposes only
> >   (e.g., <given_name>@<family_name>.name
> > - individuals who register a domain name for personal web
> > - individuals who register a domain name for small business web
> > - organizations that register domain names for
> >   * mail purposes only
> >   * other non-web purposes
> >   * web presence, commerce, publishing, marketing etc.
> >   * speculation (secondary market)
> >   * monetization (and tasting)
> >   * Intellectual Property and brand protection
> > - outsourcing companies (e.g., web hosting providers, MS Exchange/email
> > providers)
> >
> > Let's begin with harm.
> >
> > 1) All these parties are vulnerable to attacks designed to compromise the
> > registrant's domain account so that the domain names can be used to abet
> > fast flux (e.g., the attacker hacks example.com's registration account, adds
> > or modifies NS, MX and A records of these "reputable" domains).
> >
> > Such attacks have several consequences to the domain name registrant,
> > depending on how the name is abused. Examples: if the domain is used to
> > resolve names to systems that host illegal web activities, the registrant
> > may experience loss of service at his legitimate sites, damage to
> > reputation, loss of business presence and revenue. If the name is used to
> > relay spam, the domain may be blocklisted thereby disrupting the
> > registrant's email service.
> >
> >
> > 2) Many of the above parties are vulnerable to attack by parties who might
> > seek to gain administrative control of the registrant's legitimate web
> > presence so that it can serve as a host for illegal activities, since the
> > registrant's reputation enhances the deception. (This does not require
> > compreomise of the registrant's domain registration account.
> >
> > 3) A registrant whose web presence that is compromised and subsequently used
> > for serious criminal activities may be encumbered by an extensive
> > investigation by LEAs; for example, if child pornography was uploaded to the
> > site. The registrant or hosting company bears the costs associated with
> > cooperating/complying with the investigation, e.g., it may have to
> > (temporarily) replace assets seized to restore service. Part of the "clean
> > up" may require extensive customer-facing tasks - assisting in the
> > restoration of accounts, recovery of (financial) assets, It may have to deal
> > with regulators if the attack caused the registrant to fall out of
> > compliance with a regulation or law.
> >
> > On 7/14/08 8:30 AM, "Mike O'Connor" <mike@xxxxxxxxxx> wrote:
> >
> >
> > > This is an email to kick off a draft answer to the question "How are
> > > registrants affected by fast flux hosting?"
> > >
> > > I'm just seeding the discussion, not writing a draft for people to
> > > shoot at.  Mostly because I can't come up with any
> > > "registrant-specific" impacts from fast-flux.
> > >
> > > Please help!
> > >
> > > m
> No virus found in this incoming message.
> Checked by AVG - http://www.avg.com Version: 8.0.138 / Virus 
> Database: 270.5.0/1556 - Release Date: 7/16/2008 4:56 PM