[gnso-ff-pdp-may08] Updated text for section 5.4

  • To: Fast Flux Workgroup <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: [gnso-ff-pdp-may08] Updated text for section 5.4
  • From: Marika Konings <marika.konings@xxxxxxxxx>
  • Date: Wed, 26 Nov 2008 00:52:47 -0800

Dear All,

As discussed on our last call, please find below the proposed text for section 
5.4 which merges the original text with the changes proposed by Rod. Please 
share any comments / edits with the list so the text can be finalised on the 
next call (foreseen for 5 December, no call on 28 November).

Best regards,

Marika

===========

5.4  Are registrars involved in fast flux hosting activities? If so, how?

Agreement / Support / Alternative View (TO BE DECIDED)

1) Most registrars are not involved in fast flux or double-flux due to their 
business models that do not provide direct public access for the registration 
of domain names in volume. Of those who do offer such services, most invest 
significant resources (time, money, personnel) working against the practice, 
and against generic online fraud.

2) Of the registrars where fast flux domains are registered by miscreants, the 
vast majority are unwitting participants in the schemes, largely due to 
ignorance of problematic registrations. Once informed of a problem, most of 
these registrars act quickly to deal with such domains, as they usually result 
in abuse issues and charge-backs on the credit cards used to register them 
which negatively impacts a registrar. However, some registrars appear to take 
consistently longer to deal with them than their peers.  This could be due to 
many factors: staffing levels, standard procedures, and communications 
channels.  Anecdotal evidence points to weaknesses in all of these factors in 
such cases and no actual intent to delay shut-down of a fraudulent or criminal 
scheme being perpetrated by a fast flux attack.

3) Some registrars and more often resellers of registrar services have the 
appearance of facilitation of fast flux domain attacks. In the case of an 
apparent "rogue reseller", registrars are usually swift to deal with such 
parties once made aware of the problems they have caused.  Such incidents have 
been communicated privately to mitigation agents and discussed in some cases 
publicly in defence of registrar practices (e.g. 
http://blog.directi.com/company/joint-statement-from-directi-and-hostexploit-clarifying-previous-posts/
 [Rod, please confirm if this is the reference you meant]).

4) While no registrar has been prosecuted for facilitating criminal activities 
related to fast flux domains, there is at least one recent case where some 
would argue there is the appearance of complicity, namely ESTDomains. 
Activities surrounding their involvement with a disproportionately large number 
of fraudulent domains including fast flux domains have been widely reported in 
the press (see e.g. 
http://voices.washingtonpost.com/securityfix/2008/09/estdomains.html) along 
with the conviction of their president for money laundering and credit card 
fraud. Recent actions to remove their registrar service credentials by ICANN, 
combined with de-peering of Intercage and McColo, hosting companies that both 
hosted a large amount of highly undesirable and criminal content and a large 
number of domains registered by ESTDomains, resulted in a dramatic reduction in 
spam across the entire Internet (see 
http://voices.washingtonpost.com/securityfix/2008/11/spam_volumes_drop_by_23_after.html).

Thus there is a wide range of "involvement" and reaction to fast flux domains 
by the diverse members of the domain registrar community. The vast majority of 
actual involvement by registrars is largely as an unwitting provider of 
services which end up victimizing the registrars as well, as these types of 
domain registrations are often never legitimately paid, and create support 
overhead to deal with abuse issues. However, there is at least the possibility 
that at least one registrar could have become involved in directly facilitating 
such activities.

In general, registrars become targets for registration abuse (and abuse of 
registered domain names) when attackers discover they can exploit weaknesses in 
the registrar's registration services and internal processes. The attackers' 
objectives are in most cases to gain control of a customer's domain account so 
that they can use the domain names and name servers as resources for a subsequent 
attack, i.e., by modifying or adding name servers that host zone files of 
domain names used in phishing and other forms of attack that employ domain 
names.

Some of the known attack vectors are mentioned below:

-  Attackers scan registrar web sites to identify web application 
vulnerabilities. They exploit vulnerabilities in registration web pages to gain 
unauthorized access to existing customer accounts.
-  Attackers impersonate registrars using phishing techniques. A 
registrar-impersonating phisher tries to lure a registrar's customer to a bogus 
copy of the registrar's customer login page, where the customer may unwittingly 
disclose account credentials to the attacker who can then modify or assume 
ownership of the customer's domain names (See SAC 028 at 
http://www.icann.org/committees/security/sac028.pdf).
-  Attackers will brute force customer account credentials when they detect 
that no countermeasures are implemented to block account access after repeated 
attempts to login have failed.
-  Attackers may attempt to coerce or socially engineer help desk and support 
staff into making changes to customer accounts, or to grant access without 
proper identification and credentials.
-  Attackers may create customer accounts using false credentials and stolen 
credit cards. They register domain names under this account and submit 
incomplete, inaccurate and intentionally fraudulent registration contact 
information. Attackers target registrars who they have determined have 
insufficient measures in place when a registration information form is completed. In 
certain cases, attackers will initially submit superficially valid whois (e.g., 
the information may correspond to the credit card holder). Once the domains are 
created, the attacker returns to falsify contact information so that the 
contact information is not obviously linked to the credit card holder in 
displayed WHOIS information.

This list is representative but not exhaustive. The above-mentioned attacks are 
also used to gain administrative control over domain names for purposes other 
than fast flux attacks. For example, any attack that allows an attacker to 
control a domain name can be used to facilitate a web defacement attack or 
other forms of denial of service attack involving domain names and DNS.

Some registrars are aware of the range of attacks that can be perpetrated 
against registrars and customers, and take proactive measures to protect 
themselves and their customers from attacks of the nature described above. Some 
of these are done as part of a general abuse prevention service while others 
are premium services that pay particular attention to customers that have high 
profile or high value domain name portfolios. Examples of such measures are 
mentioned below:

-  Certain registrars provide a brand equity protection service. They 
proactively study domain name registrations to identify and block attempts to 
mimic or abuse IP, brands, copyrights and trademarks.
-  Certain registrars monitor and limit DNS configuration changes for name 
servers that are to be included in TLD zone files. They may limit frequency of 
change, minimum TTL parameter values, number of DNS changes in a given time 
period, and total number of name servers that can be created for a given domain 
name.
-  Abuse and brand protection staff of certain registrars work in cooperation 
with contracted parties and self-help groups to identify domain names and IP 
addresses of systems that appear to be participants in fast flux attacks.
They correlate the IP addresses with routing information (ASNs), domains and 
hyperlinks found in blacklisted phish email messages and work cooperatively 
with registries to suspend or delete domains used in harmful attacks. Some 
registrars work with ISPs, hosting service providers, system administrators 
whose systems have been compromised and used to host fraudulent web sites to 
mitigate the effects of the attacks.
-  Certain registrars offer customized domain name administration services to 
protect registrants from unauthorized access and misuse of that registrant's 
domains. Such services prevent fast flux attackers from using domains that are 
perceived as legitimate by black listing services and consumers for harmful 
purposes.

The above mentioned protection services do not focus specifically on mitigating 
fast flux attacks, but more broadly on protection from domain hijacking, 
malicious configuration of DNS, and brand protection.
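To make the second measure above concrete, here is an added illustration (not the working group's or any registrar's code) of how a registrar could enforce the four limits it lists: minimum TTL, minimum interval between changes, number of changes per time window, and total name servers per domain. The thresholds, the domain name and the sample change history are constructed assumptions.

```python
# Illustrative registrar-side checks on name-server change requests. Added example,
# not the working group's or any registrar's code; thresholds and the sample
# history are constructed assumptions.
from dataclasses import dataclass, field

# Assumed policy thresholds, one per limit mentioned in the text.
MIN_TTL_SECONDS = 3600          # minimum TTL a registrant may set
MIN_CHANGE_INTERVAL = 6 * 3600  # frequency of change: at least 6 h between edits
MAX_CHANGES_PER_WINDOW = 3      # number of DNS changes allowed ...
WINDOW_SECONDS = 24 * 3600      # ... in any rolling 24-hour window
MAX_NAME_SERVERS = 6            # total name servers per domain

@dataclass
class DomainState:
    name: str
    name_servers: set = field(default_factory=set)
    change_times: list = field(default_factory=list)  # epoch seconds of accepted changes

def evaluate_change(state, now, new_servers, ttl):
    """Return the policy violations for a proposed change; empty list means allowed."""
    violations = []
    if ttl < MIN_TTL_SECONDS:
        violations.append(f"ttl {ttl}s below minimum {MIN_TTL_SECONDS}s")
    if len(new_servers) > MAX_NAME_SERVERS:
        violations.append(f"{len(new_servers)} name servers exceeds cap of {MAX_NAME_SERVERS}")
    if state.change_times and now - state.change_times[-1] < MIN_CHANGE_INTERVAL:
        violations.append("change requested too soon after the previous one")
    recent = [t for t in state.change_times if now - t < WINDOW_SECONDS]
    if len(recent) >= MAX_CHANGES_PER_WINDOW:
        violations.append(f"{len(recent)} changes already accepted in the last 24 h")
    return violations

def apply_change(state, now, new_servers, ttl):
    """Record the change if it passes policy; return the violation list either way."""
    violations = evaluate_change(state, now, new_servers, ttl)
    if not violations:
        state.name_servers = set(new_servers)
        state.change_times.append(now)
    return violations

def replay(requests):
    """Run (time, servers, ttl) requests against one fresh domain; one violation list each."""
    state = DomainState("example.test")  # constructed domain name
    return [apply_change(state, t, servers, ttl) for t, servers, ttl in requests]

# Constructed history: hourly name-server rotation with a tiny TTL, then a request
# for seven name servers; only the first request passes all four checks.
CHURN = [(0, {"ns1.a.test", "ns2.a.test"}, 3600),
         (3600, {"ns3.b.test", "ns4.b.test"}, 300),
         (7 * 3600, {f"ns{i}.c.test" for i in range(7)}, 3600)]
```

Running `replay(CHURN)` returns an empty list for the first request and the reasons each later one was refused, which is the kind of record abuse staff can review.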