Re: [gnso-ff-pdp-may08] Section 5.10 Text

[Martin Hall <martinh@xxxxxxxxxxxxxxx>]

Rod,

One observation on the following suggested text:

- Proactively use available data to identify and/or shut-down  
malicious domains: There are numerous data sources that can provide  
information that may help in identifying malicious activity. Lists  
such as theSORBS Dynamic User and Host List can provide networks  
associated to dial-up, DSL, and cable networks that are more likely to  
be abused. The Composite Block List (XBL) may indicate fraud.  
Optimally a registrar would check against this information at DNS set- 
up or modification time, however periodic scanning should see good  
results.
I wonder if we should elaborate a little to callout the difference  
between IP address and domain name data sources. The two examples you  
quote are IP address-based. Data sources that provide domain name and  
even URL lists are also available both at a general abuse/fraud level  
and, in some cases, specifically wrt fast flux. Providing concrete  
examples depends on how specific we want to get. If the group thinks  
elaboration makes sense, I'm happy to suggest a specific change.
Martin

On Nov 13, 2008, at 2:03 PM, Rod Rasmussen wrote:

> Hi folks,
>
> Sending this around to everyone as I don't think we made the cut on  
> getting it in Marika's latest draft.
> This text is meant for section 5.10 that asks, "What are some of the  
> best practices available with regard to protection from fast flux?"   
> All that was done here was to add and explain references to two  
> different documents that cover some possible best practices that  
> could be brought to bear: the APWG Registrars Best Practices and the  
> SSAC paper on Fast Flux hosting.  Some of the pertinent points were  
> brought out to show their relevance, but the point here is to get  
> references to relevant documents included here.
> We should probably discuss any changes/additions/etc. to this along  
> with our other work for tomorrow's call.
> Thanks!
>
> Rod
>
> =====================
>
> One source of best practices for protection from fast flux can be  
> found in the phishing world.  The Anti-Phishing Working Group has  
> recently released a best practices document for domain registrars in  
> dealing with domain names registered by phishers ("Anti-Phishing  
> Best Practices Recommendations for Registrars" http://www.apwg.org/reports/APWG_RegistrarBestPractices.pdf) 
> .  Several of the practices outlined in that document apply directly  
> or indirectly to dealing with fast flux domain names. While the  
> audience for this particular document is the domain registrar  
> community so some particular recommendations may not translate to  
> other entities within the domain registration space, the same  
> general principles can apply to domain registries, domain resellers,  
> and other providers of domain registration or support services.
> The following is a paraphrased sampling of some of the applicable  
> practices mentioned in this document:
> - Track the IP address, date, time, frequency and action of all  
> account changes such as updating DNS or WHOIS information
> - Limit the ability of registrants to repeatedly change their name  
> servers via a programmatic interface to reduce or eliminate  
> automated name server hopping.
> - Proactively use available data to identify and/or shut-down  
> malicious domains: There are numerous data sources that can provide  
> information that may help in identifying malicious activity. Lists  
> such as theSORBS Dynamic User and Host List can provide networks  
> associated to dial-up, DSL, and cable networks that are more likely  
> to be abused. The Composite Block List (XBL) may indicate fraud.  
> Optimally a registrar would check against this information at DNS  
> set-up or modification time, however periodic scanning should see  
> good results.
> - Use a "Registrar Lock" on registrations that are deemed to be  
> suspicious enough to warrant further investigation.
> Another source for suggested practices to mitigate the use of domain  
> names in the "double flux" variant of fast flux attacks is SAC 025,  
> Fast Flux Hosting and DNS (http://www.icann.org/committees/security/sac025.pdf 
> ).
> SAC 035 identifies mitigations methods certain registrars practice  
> today in cases where the registrar provides DNS for the customer's  
> domains:
> - Authenticate contacts before permitting changes to name server  
> configurations.
> - Implement measures to prevent automated (scripted) changes to name  
> server configurations.
> - Set a minimum allowed TTL (e.g., 30 minutes) that is long enough  
> to thwart the double flux element of fast flux hosting. [The WG  
> notes that this method could interfere with customers (registrants)  
> who use low TTLs for legitimate uses, without harm to others. In  
> such cases, the DNS provider might provide exception case processing  
> or white listing.]
> - Implement or expand abuse monitoring systems to report excessive  
> DNS configuration changes.
> - Publish and enforce a Universal Terms of Service agreement that  
> prohibits the use of a registered domain and hosting services (DNS,  
> web, mail) to abet illegal or objectionable activities (as  
> enumerated in the agreement).
--
Martin Hall
skype: martin-hall
+1-408-838-2890