Re: [gnso-ff-pdp-may08] 5.4
- To: "James M. Bladel" <jbladel@xxxxxxxxxxx>
- Subject: Re: [gnso-ff-pdp-may08] 5.4
- From: Rod Rasmussen <rod.rasmussen@xxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 21 Nov 2008 00:45:54 -0800
Hi Folks,
Unfortunately I will not be able to participate in the bulk of the
call Friday, as I have a commitment tomorrow morning, but I wanted to
make some points here.
I think the ordering that James is proposing is appropriate both from
a proportional assessment and political standpoint. I would rephrase
the entire section to something more akin to the following though, as
I think we need to flesh this out a lot more to both point out the
real issues we're wrestling with but not cast aspersions onto the
registrar community as a whole that has done a lot to become more
responsive to these issues. One particular point is that "most"
registrars have not been involved in FFLUX hosting since many of them
by raw count are either little utilized, used for threads to the
registries, or are simply sub-registrars to larger operations and
don't take direct registrations from the public.
1) Most registrars are -not- involved in FF or double-flux due to
their business models that don't provide direct public access for the
registration of domain names in volume. Many of those who do offer
such services invest significant resources (time, money, personnel)
working against the practice, and in the generic case of online fraud.
2) Of the registrars where FFLUX domains are registered by miscreants,
the vast majority are unwitting participants in the schemes, largely
due to ignorance of the problematic registrations. Once informed of a
problem, most of these registrars act fairly quickly to deal with such
domains, as they usually result in abuse issues and charge-backs on
the credit cards used to register them which negatively impacts a
registrar. However, some registrars appear to take consistently longer
to deal with them than their peers. This could be due to many
factors: staffing levels, standard procedures, and communications
channels. Anecdotal evidence points to weaknesses in all of these
factors in such cases and no actual intent to delay shut-down of a
fraudulent or criminal scheme being perpetrated by a FFLUX attack.
3) Some registrars and more often resellers of registrar services have
the APPEARANCE of facilitation of FFLUX domain attacks. In the case
of an apparent "rogue reseller" registrars are usually swift to deal
with such parties once made aware of the problems they have caused.
Such incidents have been communicated privately to mitigation agents
and discussed in some cases publicly in defense of registrar practices
(the recent DirectI blog reference here could be useful).
4) While no registrar has been prosecuted for facilitating criminal
activities related to FFLUX domains, there is at least one recent case
where some would argue there is the appearance of complicity:
ESTDomains. Activities surrounding their involvement with a
disproportionately large number of fraudulent domains including FFLUX
domains have been widely reported in the press (Washington Post ref/
Knujon Report/Intercage exposés) along with the conviction of their
president for money laundering and credit card fraud. Recent actions
to remove their registrar service credentials by ICANN, combined with
de-peering of Intercage and McColo, hosting companies that both hosted
a large amount of highly undesirable and criminal content AND a large
number of domains registered by ESTDomains, resulted in dramatic
reduction in spam across the entire Internet (lots of current press
references).
Thus there is a wide range of "involvement" and reaction to FFLUX
domains by the diverse members of the domain registrar community. The
vast majority of actual involvement by registrars is largely as an
unwitting provider of services which end up victimizing the registrars
as well, as these types of domain registrations are often never
legitimately paid, and create support overhead to deal with abuse
issues. However, there is at least the possibility that at least one
registrar could have become involved in directly facilitating such
activities.
So there's my 2 cents on this - hopefully this is helpful for the
discussion, my apologies for missing most of it.
- Rod
On Nov 16, 2008, at 6:40 PM, James M. Bladel wrote:
Hi Mike:
I agree with the sentiments behind many of your points below, and
offer the following suggestions:
1. Most registrars are -not- involved in FF or double-flux, and
invest significant resources (time, money, personnel) working
against the practice, and generic online fraud. This should be
stated first, and emphasized in the introduction.
2. The assertion of registrar involvement within the report should
reference some sort of external data, ICANN / SSAC findings, or
articles in industry / general media. Doing so will lend weight to
the claim, and preempt counterarguments.
3. We may also note that registrar participation in FF or
double-flux often requires that said registrar offers hosting services, and
that these non-registration services are outside the scope of ICANN.
Thoughts?
J.
-------- Original Message --------
Subject: [gnso-ff-pdp-may08] 5.4
From: "Mike Rodenbaugh" <icann@xxxxxxxxxxxxxx>
Date: Fri, November 14, 2008 11:35 am
To: <gnso-ff-pdp-may08@xxxxxxxxx>
681 The WG has no hard evidence that any registrar intentionally
facilitates fast flux hosting
682 attacks.
I appreciate all the work that went into this Section by many folks,
but I think the opening sentence is not true, and think it is likely
to be harmful to efforts against fast flux attacks if it is left as-is.
Is there Support (or even Agreement?) for any or all of these
three sentences instead …?
There is at least anecdotal evidence that at least a few registrars
and/or their resellers intentionally facilitate fast flux domain
name exploits, particularly “double-flux” attacks.
There is evidence that some registrars and/or their resellers have
willfully ignored evidence that they are facilitating fast flux
domain name exploits that were causing harm to the broader internet
community.
Many and perhaps most registrars take affirmative steps to ensure
that they do not facilitate fast flux exploits, and also rapidly
respond to information that they may be doing so without their
knowledge.
Thanks,
Mike R.
From: owner-ntfy-gnso-ff-pdp-may08@xxxxxxxxx [mailto:owner-ntfy-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Marika Konings
Sent: Friday, November 14, 2008 7:54 AM
To: ntfy-gnso-ff-pdp-may08@xxxxxxxxx
Subject: FW: REMINDER Fast Flux Conference Details Friday 14
November, 2008--16:00 UTC
------ Forwarded Message
From: Glen de Saint Géry <Glen@xxxxxxxxx>
Date: Wed, 5 Nov 2008 04:10:01 -0800
To: <ntfy-gnso-ff-pdp-may08@xxxxxxxxx>
Subject: REMINDER Fast Flux Conference Details Friday 14 November,
2008--16:00 UTC
Dear All,
There will be a Fast Flux teleconference on Friday 14 November 2008
at 16:00 UTC
08:00 PST (California), 10:00 CST (Cedar Rapids), 11:00 EST
(Washington DC), 16:00 (London), 17:00 CET (Brussels), 03:00
Melbourne next day.
Public WIKI workspace:
https://st.icann.org/pdp-wg-ff/index.cgi
Private WIKI workspace that only group members can read and edit
https://st.icann.org/fast-flux-wg/index.cgi?fast_flux_working_group
Dial-in details are below.
Thank you and let me know if you have any questions.
Kind regards,
Glen
Dial-in details:
PARTICIPANT PASSCODE: FF
For security reasons, the passcode will be required to join the call.
Glen de Saint Géry
GNSO Secretariat
gnso.secretariat@xxxxxxxxxxxxxx
http://gnso.icann.org
------ End of Forwarded Message