RE: [gnso-ff-pdp-may08] 5.4
- To: <gnso-ff-pdp-may08@xxxxxxxxx>
- Subject: RE: [gnso-ff-pdp-may08] 5.4
- From: "Mike Rodenbaugh" <icann@xxxxxxxxxxxxxx>
- Date: Fri, 21 Nov 2008 07:01:38 -0800
I can't make the call either, due to a speaking engagement this morning. I
concur with Rod's thoughts on 5.4. I think 5.10 needs to be entirely
rewritten or deleted, but I haven't had time to rewrite it yet.
Thanks,
Mike R.
_____
From: Rod Rasmussen [mailto:rod.rasmussen@xxxxxxxxxxxxxxxxxxxx]
Sent: Friday, November 21, 2008 12:46 AM
To: James M. Bladel
Cc: icann@xxxxxxxxxxxxxx; gnso-ff-pdp-may08@xxxxxxxxx
Subject: Re: [gnso-ff-pdp-may08] 5.4
Hi Folks,
Unfortunately I will not be able to participate in the bulk of the call
Friday, as I have a commitment tomorrow morning, but I wanted to make some
points here.
I think the ordering that James is proposing is appropriate both from a
proportional assessment and political standpoint. I would rephrase the
entire section to something more akin to the following though, as I think we
need to flesh this out a lot more to both point out the real issues we're
wrestling with but not cast aspersions onto the registrar community as a
whole that has done a lot to become more responsive to these issues. One
particular point is that "most" registrars have not been involved in FFLUX
hosting since many of them by raw count are either little utilized, used for
threads to the registries, or are simply sub-registrars to larger operations
and don't take direct registrations from the public.
1) Most registrars are -not- involved in FF or double-flux due to their
business models that don't provide direct public access for the registration
of domain names in volume. Many of those who do offer such services invest
significant resources (time, money, personnel) working against the practice,
and in the generic case of online fraud.
2) Of the registrars where FFLUX domains are registered by miscreants, the
vast majority are unwitting participants in the schemes, largely due to
ignorance of the problematic registrations. Once informed of a problem, most
of these registrars act fairly quickly to deal with such domains, as they
usually result in abuse issues and charge-backs on the credit cards used to
register them which negatively impacts a registrar. However, some registrars
appear to take consistently longer to deal with them than their peers. This
could be due to many factors: staffing levels, standard procedures, and
communications channels. Anecdotal evidence points to weaknesses in all of
these factors in such cases and no actual intent to delay shut-down of a
fraudulent or criminal scheme being perpetrated by a FFLUX attack.
3) Some registrars and more often resellers of registrar services have the
APPEARANCE of facilitation of FFLUX domain attacks. In the case of an
apparent "rogue reseller" registrars are usually swift to deal with such
parties once made aware of the problems they have caused. Such incidents
have been communicated privately to mitigation agents and discussed in some
cases publicly in defense of registrar practices (the recent DirectI blog
reference here could be useful).
4) While no registrar has been prosecuted for facilitating criminal
activities related to FFLUX domains, there is at least one recent case where
some would argue there is the appearance of complicity: ESTDomains.
Activities surrounding their involvement with a disproportionately large
number of fraudulent domains including FFLUX domains have been widely
reported in the press (Washington Post ref/Knujon Report/Intercage exposés)
along with the conviction of their president for money laundering and credit
card fraud. Recent actions to remove their registrar service credentials by
ICANN, combined with de-peering of Intercage and McColo, hosting companies
that both hosted a large amount of highly undesirable and criminal content
AND a large number of domains registered by ESTDomains, resulted in dramatic
reduction in spam across the entire Internet (lots of current press
references).
Thus there is a wide range of "involvement" and reaction to FFLUX domains by
the diverse members of the domain registrar community. The vast majority of
actual involvement by registrars is largely as an unwitting provider of
services which end up victimizing the registrars as well, as these types of
domain registrations are often never legitimately paid, and create support
overhead to deal with abuse issues. However, there is at least the
possibility that at least one registrar could have become involved in
directly facilitating such activities.
So there's my 2 cents on this - hopefully this is helpful for the
discussion, my apologies for missing most of it.
- Rod
On Nov 16, 2008, at 6:40 PM, James M. Bladel wrote:
Hi Mike:
I agree with the sentiments behind many of your points below, and offer the
following suggestions:
1. Most registrars are -not- involved in FF or double-flux, and invest
significant resources (time, money, personnel) working against the practice,
and generic online fraud. This should be stated first, and emphasized in
the introduction.
2. The assertion of registrar involvement within the report should
reference some sort of external data, ICANN / SSAC findings, or articles in
industry / general media. Doing so will lend weight to the claim, and
preempt counterarguments.
3. We may also note that registrar participation in FF or double-flux often
requires that said registrar offers hosting services, and that these
non-registration services are outside the scope of ICANN.
Thoughts?
J.
-------- Original Message --------
Subject: [gnso-ff-pdp-may08] 5.4
From: "Mike Rodenbaugh" <icann@xxxxxxxxxxxxxx>
Date: Fri, November 14, 2008 11:35 am
To: <gnso-ff-pdp-may08@xxxxxxxxx>
681 The WG has no hard evidence that any registrar intentionally facilitates
fast flux hosting
682 attacks.
I appreciate all the work that went into this Section by many folks, but I
think the opening sentence is not true, and think it is likely to be harmful
to efforts against fast flux attacks if it is left as-is. Is there Support (or
even Agreement?) for any or all of these three sentences instead?
1. There is at least anecdotal evidence that at least a few registrars
and/or their resellers intentionally facilitate fast flux domain name
exploits, particularly "double-flux" attacks.
2. There is evidence that some registrars and/or their resellers have
willfully ignored evidence that they are facilitating fast flux domain name
exploits that were causing harm to the broader internet community.
3. Many and perhaps most registrars take affirmative steps to ensure
that they do not facilitate fast flux exploits, and also rapidly respond to
information that they may be doing so without their knowledge.
Thanks,
Mike R.
_____
From: owner-ntfy-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-ntfy-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Marika Konings
Sent: Friday, November 14, 2008 7:54 AM
To: ntfy-gnso-ff-pdp-may08@xxxxxxxxx
Subject: FW: REMINDER Fast Flux Conference Details Friday 14 November,
2008--16:00 UTC
------ Forwarded Message
From: Glen de Saint Géry <Glen@xxxxxxxxx>
Date: Wed, 5 Nov 2008 04:10:01 -0800
To: <ntfy-gnso-ff-pdp-may08@xxxxxxxxx>
Subject: REMINDER Fast Flux Conference Details Friday 14 November,
2008--16:00 UTC
Dear All,
There will be a Fast Flux teleconference on Friday 14 November 2008 at 16:00
UTC
08:00 PST (California), 10:00 CST (Cedar Rapids), 11:00 EST (Washington DC),
16:00 (London), 17:00 CET (Brussels), 03:00 Melbourne next day.
Public WIKI workspace:
https://st.icann.org/pdp-wg-ff/index.cgi
Private WIKI workspace that only group members can read and edit
https://st.icann.org/fast-flux-wg/index.cgi?fast_flux_working_group
Dial-in details are below.
Thank you and let me know if you have any questions.
Kind regards,
Glen
Dial-in details:
PARTICIPANT PASSCODE: FF
For security reasons, the passcode will be required to join the call.
Glen de Saint Géry
GNSO Secretariat
gnso.secretariat@xxxxxxxxxxxxxx
http://gnso.icann.org
------ End of Forwarded Message