ICANN Email List Archives

[gnso-ff-pdp-may08]

[gnso-ff-pdp-may08] Update on outstanding sections in draft Initial Report

  • To: Fast Flux Workgroup <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: [gnso-ff-pdp-may08] Update on outstanding sections in draft Initial Report
  • From: Marika Konings <marika.konings@xxxxxxxxx>
  • Date: Thu, 6 Nov 2008 01:49:33 -0800

Dear All,

Please find below an overview of the sections that have been / are being 
discussed on the list and which were not included in the latest version of the 
report yet. I would like to include these in the next update of the initial 
report, so I would like to invite you to review the proposed additions and 
continue any further discussion if needed on the working group mailing list 
and/or be prepared to indicate your support or disagreement on the next call so 
the appropriate label can be included in the report (agreement / support / 
alternative view). Please note that there are some sections for which I have 
not received any input yet (apologies if I missed your e-mail) such as 5.10, so 
please (re)send it to the list.

With best regards,

Marika
=================================

Proposed text for Section 5.4
------------------  begin --------------

The WG has no hard evidence that any registrar intentionally facilitates
fast flux hosting attacks. However, registrars become targets for
registration abuse (and abuse of registered domain names) when attackers
discover they can exploit weaknesses in the registrar's registration
services and internal processes. The attackers' objectives are in most cases
to gain control of a customer's domain account so that they can use the domain
names and name servers as resources for a subsequent attack, i.e., by
modifying or adding name servers that host zone files of domain names used
in phishing and other forms of attack that employ domain names.

Some of the known attack vectors are mentioned below:

- attackers scan registrar web sites to identify web application
vulnerabilities. They exploit vulnerabilities in registration web pages to
gain unauthorized access to existing customer accounts.

- attackers impersonate registrars using phishing techniques. A
registrar-impersonating phisher tries to lure a registrar's customer to a
bogus copy of the registrar's customer login page, where the customer may
unwittingly disclose account credentials to the attacker who can then modify
or assume ownership of the customer's domain names (See SAC 028 at
http://www.icann.org/committees/security/sac028.pdf).

- Attackers will brute force customer account credentials when they detect
that no countermeasures are implemented to block account access after
repeated attempts to login have failed.

- Attackers may attempt to coerce or socially engineer help desk and support
staff into making changes to customer accounts, or to grant access without
proper identification and credentials.

- Attackers may create customer accounts using false credentials and stolen
credit cards. They register domain names under this account and submit
incomplete, inaccurate and intentionally fraudulent registration contact
information. Attackers target registrars who they have determined have
insufficient measures in place when they complete a registration information
form. In certain cases,
attackers will initially submit superficially valid whois (e.g., the
information may correspond to the credit card holder). Once the domains are
created, the attacker returns to falsify contact information so that the
contact information is not obviously linked to the credit card holder in
displayed WHOIS information.

This list is representative but not exhaustive. The above mentioned attacks
are also used to gain administrative control over domain names for purposes
other than fast flux attacks. For example, any attack that allows an
attacker to control a domain name can be used to facilitate a web defacement
attack or other forms of denial of service attack involving domain names and
DNS.

Registrars are directly involved in assisting customers who use certain fast
flux hosting techniques in production networks for self-beneficial purposes
(and without harmful impact on others). In most cases, the registrar
provides such customers with the ability to identify name servers and
addresses for name servers. In some cases, i.e., when the registrar provides
name service for the customer, the registrar allows the customer to set the
TTL parameter for name server records to arbitrarily small values.

Some registrars are aware of the range of attacks that can be perpetrated
against registrars and customers, and take proactive measures to protect
themselves and their customers from attacks of the nature described above.
Some of these are done as part of a general abuse prevention service while
others are premium services that pay particular attention to customers that
have high profile or high value domain name portfolios. Examples of such
measures are mentioned below:

- certain registrars provide a brand equity protection service. They
proactively study domain name registrations to identify and block
attempts to mimic or abuse IP, brands, copyrights and trademarks.

- certain registrars monitor and limit DNS configuration changes for name
servers that are to be included in TLD zone files. They may limit frequency
of change, minimum TTL parameter values, number of DNS changes in a given
time period, and total number of name servers that can be created for a
given domain name.

- abuse and brand protection staff of certain registrars work in cooperation
with contracted parties and self-help groups to identify domain names and IP
addresses of systems that appear to be participants in fast flux attacks.
They correlate the IP addresses with routing information (ASNs), domains and
hyperlinks found in blacklisted phish email messages and work cooperatively
with registries to suspend or delete domains used in harmful attacks. Some
registrars work with ISPs, hosting service providers, system administrators
whose systems have been compromised and used to host fraudulent web sites to
mitigate the effects of the attacks.

- certain registrars offer customized domain name administration services to
protect registrants from unauthorized access and misuse of that registrant's
domains. Such services prevent fast flux attackers from using domains that
are perceived as legitimate by black listing services and consumers for
harmful purposes.

The above mentioned protection services do not focus specifically on
mitigating fast flux attacks, but more broadly on protection from domain
hijacking, malicious configuration of DNS, and brand protection.
-------------------------
Proposed text for section 5.5

Registrants are targets for fast flux attackers who seek domain names they
can use to facilitate double flux attacks. Attackers often gain
administrative control over a registrant's portfolio of domain names using
some of the methods described in Section 5.4. The attacker uses domains he
controls via compromised accounts in fast flux attacks by modifying or
adding to DNS configuration information via the registrant's domain
administration account.

Attackers are attracted to existing domains that have a positive reputation
(i.e., are not blacklisted) over newly registered domains. This attraction
has increased because domain name (registration) age and history have become
factors investigators consider as they attempt to determine whether a domain
is associated with phishing, spam, and fast flux attacks. Attackers are also
aware that registrars and registries often require stronger evidence of
abuse and typically proceed more cautiously when take down requests are submitted
against "established" domains.

The impact to a registrant in such circumstances can be severe, ranging from
service disruption to domain blacklisting or suspension. Service disruption
can cause loss of revenue, service, advertising or business opportunities.
Blacklisting or suspension can cause considerable reputational harm to a
registrant's brands and trademarks.
-------------------
Proposed addition to section 5.7

In 5.7 of the document, for "active engagement" ideas (starting at
line 926), I'd propose adding the following point, say between line
930 and line 931 of the current document or at line 947:

- stronger registrant verification procedures

Note, this can be accomplished without affecting the display of public
WHOIS (i.e. verification takes place by registrar or registry, but
WHOIS display is unaffected, in particular they can continue to use
privacy services).

[Note, there was further discussion on this proposal on the list. George, 
please let the group know if you want to update your proposal following the 
feedback received]
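The proposed text for section 5.4 lists the limits some registrars place on name server changes (change frequency, minimum TTL, number of changes per period, total name servers per domain). The following is an added example, not part of the draft report or of any registrar's system, showing how such a registrar-side policy check could be expressed in Python. The policy values, the domain name, the timestamps and the class and function names (NsChangePolicy, NsChangeGuard, run_demo) are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NsChangePolicy:
    """Registrar-side limits on name server (NS) configuration changes.

    The values are hypothetical and chosen only for illustration.
    """
    min_ttl: int = 3600               # seconds; reject NS record TTLs below this
    min_interval: int = 600           # seconds that must pass between two changes
    max_changes_per_window: int = 3   # accepted changes allowed per sliding window
    window: int = 86400               # sliding window length in seconds
    max_name_servers: int = 4         # total NS records allowed for one domain


class NsChangeGuard:
    """Evaluates a proposed NS change for one domain against the policy.

    Timestamps are plain integers (seconds) so the example runs offline and
    deterministically; a real system would read the clock instead.
    """

    def __init__(self, policy: NsChangePolicy) -> None:
        self.policy = policy
        # domain -> timestamps of changes that were accepted
        self.history = defaultdict(list)

    def evaluate(self, domain: str, name_servers: list, ttl: int, now: int) -> list:
        """Return the list of policy violations; an empty list means allowed."""
        p = self.policy
        violations = []
        if ttl < p.min_ttl:
            violations.append(f"ttl {ttl}s is below the minimum of {p.min_ttl}s")
        if len(name_servers) > p.max_name_servers:
            violations.append(
                f"{len(name_servers)} name servers exceeds the limit of {p.max_name_servers}")
        accepted = self.history[domain]
        if accepted and now - accepted[-1] < p.min_interval:
            violations.append(
                f"only {now - accepted[-1]}s since the previous change; "
                f"minimum interval is {p.min_interval}s")
        # Sliding window: count only accepted changes younger than the window.
        recent = [t for t in accepted if now - t < p.window]
        if len(recent) >= p.max_changes_per_window:
            violations.append(
                f"{len(recent)} changes already accepted in the last {p.window}s; "
                f"limit is {p.max_changes_per_window}")
        return violations

    def apply(self, domain: str, name_servers: list, ttl: int, now: int) -> list:
        """Record the change if it passes policy; return the violations either way."""
        violations = self.evaluate(domain, name_servers, ttl, now)
        if not violations:
            self.history[domain].append(now)
        return violations


def run_demo() -> list:
    """Replay a constructed sequence of change requests for one domain and
    return how many violations each request produced."""
    guard = NsChangeGuard(NsChangePolicy())
    domain = "example.test"  # constructed domain, not taken from the report
    requests = [
        # (name_servers, ttl, now)
        (["ns1.example.test", "ns2.example.test"], 3600, 0),         # normal change
        (["ns1.example.test", "ns2.example.test"], 60, 100),         # very low TTL, and too soon
        ([f"ns{i}.example.test" for i in range(1, 6)], 3600, 1000),  # too many name servers
        (["ns1.example.test", "ns3.example.test"], 3600, 2000),      # accepted
        (["ns1.example.test", "ns4.example.test"], 3600, 3000),      # accepted (3rd in window)
        (["ns1.example.test", "ns5.example.test"], 3600, 4000),      # per-window limit reached
        (["ns1.example.test", "ns6.example.test"], 3600, 86401),     # first change aged out
    ]
    counts = []
    for name_servers, ttl, now in requests:
        violations = guard.apply(domain, name_servers, ttl, now)
        counts.append(len(violations))
    return counts


if __name__ == "__main__":
    print(run_demo())  # [0, 2, 1, 0, 0, 1, 0]
```

The second request combines two of the signals the draft text describes, an arbitrarily small TTL and a rapid follow-up change, and is rejected for both; the sixth is rejected purely on change volume, while the seventh is accepted again once the oldest change has left the sliding window.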

