gTLDs and MALICIOUS USE OF DOMAIN NAMES

Posted May 28th, 2009


By now, interested people are aware that ICANN intends to allow an unlimited number of new top-level names, intended to rival the existing gTLDs such as .com, .net, .org, .biz, .travel, .jobs, etc.  Many of these will be internationalized domain names (“IDNs”) in scripts currently unavailable at the top level of the DNS, such as Arabic, Chinese, Cyrillic, Hebrew, Devanagari (Hindi), Korean and Japanese.  ICANN also intends to allow new IDN country-code TLDs, for example “.India” in Devanagari script, to supplement the current ASCII versions like .uk, .cn, .de, .in, etc.

Fewer people are aware of how phishing attacks, malware distribution, child pornography and other criminal activity, all dependent upon domain name registrations and/or IP addresses, are often enabled by exploiting vulnerabilities in the registration systems of TLD registries, domain registrars and their resellers.  Typically a criminal operation will find a security hole or a weakness in a registration process, and then exploit it until the registry, registrar and/or reseller fixes it.  Then it moves on to another target.


Moreover, many of the attacks rely on “fast flux” hosting, in which the criminal operation changes the IP addresses behind a domain name (“single flux”) and/or its nameserver delegations (“double flux”) rapidly, with very short DNS TTLs, so that taking down any one host or network does not take down the criminal content.  The only practical way to “take down” such content is to disable the domain name that is distributed as the link to access it.  This effectively ends a phishing attack, or distribution of other criminal content (such as malware or child porn) accessible via the domain name.
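The paragraph above describes the behaviour a responder sees in resolver data: one name resolving to many addresses across many networks, with short TTLs and, in double flux, rotating nameservers.  The following is an added example, not code from the original post, showing how a small heuristic can flag that pattern from repeated lookups.  The sample observations, the ASN values (what a BGP or whois lookup would return for each address, supplied inline so the example runs offline), the score weights and the threshold are all assumptions for illustration and should be tuned against real data.

```python
"""Heuristic fast-flux detection over repeated DNS observations (added example)."""
from collections import defaultdict
import ipaddress

# Constructed sample data: (qname, rtype, rdata, ttl, asn).
# ASN is assumed to come from a BGP/whois lookup of the record's IP
# (for NS records, the IP of that nameserver); supplied inline here.
SAMPLE_OBSERVATIONS = [
    # Stable site: two A records, long TTLs, one AS, a fixed NS pair.
    ("bank.example", "A", "198.51.100.10", 3600, 64500),
    ("bank.example", "A", "198.51.100.11", 3600, 64500),
    ("bank.example", "A", "198.51.100.10", 3600, 64500),
    ("bank.example", "NS", "ns1.bank.example", 86400, 64500),
    ("bank.example", "NS", "ns2.bank.example", 86400, 64500),
    # Fluxing phish: a new A record on nearly every lookup, five ASNs,
    # TTLs of minutes or less, and rotating nameserver delegations.
    ("bank-secure-login.example", "A", "203.0.113.5", 300, 64501),
    ("bank-secure-login.example", "A", "192.0.2.77", 180, 64502),
    ("bank-secure-login.example", "A", "198.51.100.9", 300, 64503),
    ("bank-secure-login.example", "A", "203.0.113.200", 120, 64501),
    ("bank-secure-login.example", "A", "192.0.2.8", 300, 64504),
    ("bank-secure-login.example", "A", "203.0.113.77", 60, 64505),
    ("bank-secure-login.example", "NS", "ns1.flux-a.example", 300, 64502),
    ("bank-secure-login.example", "NS", "ns1.flux-b.example", 300, 64503),
    ("bank-secure-login.example", "NS", "ns1.flux-c.example", 300, 64504),
]


def summarize(observations):
    """Aggregate per-name metrics: distinct A IPs, ASNs, NS names, TTLs."""
    per_name = defaultdict(lambda: {
        "a_ips": set(), "a_asns": set(), "ns_names": set(), "ns_asns": set(), "ttls": [],
    })
    for name, rtype, rdata, ttl, asn in observations:
        m = per_name[name.lower()]
        if rtype == "A":
            ip = ipaddress.ip_address(rdata)  # raises on malformed rdata
            m["a_ips"].add(str(ip))
            m["a_asns"].add(asn)
            m["ttls"].append(ttl)
        elif rtype == "NS":
            m["ns_names"].add(rdata.lower())
            m["ns_asns"].add(asn)
    return per_name


def flux_score(metrics):
    """Score one name's metrics; weights are assumptions for illustration."""
    n_ips = len(metrics["a_ips"])
    n_asns = len(metrics["a_asns"])
    n_ns = len(metrics["ns_names"])
    min_ttl = min(metrics["ttls"]) if metrics["ttls"] else 86400
    score = 0
    score += 2 * max(0, n_ips - 2)   # more than two A records over a window
    score += 5 * max(0, n_asns - 1)  # spread across autonomous systems (strongest signal)
    score += 3 * max(0, n_ns - 2)    # more nameservers than a normal delegation (double flux)
    if min_ttl <= 300:               # short TTLs force resolvers to refetch constantly
        score += 4
    return score


def classify(observations, threshold=10):
    """Label each observed name 'fast-flux' or 'stable' (threshold is assumed)."""
    return {
        name: ("fast-flux" if flux_score(m) >= threshold else "stable")
        for name, m in summarize(observations).items()
    }


if __name__ == "__main__":
    for name, metrics in summarize(SAMPLE_OBSERVATIONS).items():
        print(f"{name}: score={flux_score(metrics)} "
              f"ips={len(metrics['a_ips'])} asns={len(metrics['a_asns'])} "
              f"ns={len(metrics['ns_names'])} min_ttl={min(metrics['ttls'])}")
    print(classify(SAMPLE_OBSERVATIONS))
```

The ASN spread is weighted highest because legitimate content delivery networks also return many addresses with short TTLs, but they rarely scatter a single hostname across residential-looking address space in several unrelated autonomous systems.  The output of a check like this is evidence to attach to a suspension request; it is not, on its own, proof of abuse.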

Unfortunately, it is often difficult and sometimes impossible to convince a registry, registrar or reseller to suspend resolution of a name, even when evidence of abuse is absolutely clear.  Phishing attacks stay live for many hours, often for days, occasionally for weeks or months, even though they may have been detected within minutes of initial distribution.  In the future there will be many more registries, registrars and resellers of domains in new TLDs, opening up many more potential points of failure and/or obstruction.

Most of those people who are aware of this background are seriously concerned that ICANN’s planned rollout of an unlimited number of new TLDs will lead to many more “weak links” in the registration chain.  It follows that criminals will have many more targets to exploit in a short amount of time.  If ICANN’s contracting parties remain as unregulated as they are today, without any formal mechanism for rapid suspension of a name, then the community can expect continued and rapidly growing criminal abuse of the DNS.

ICANN’S NEW gTLD PROGRAM DELAYED

In January, ICANN announced the delay of the new gTLD rollout by up to six months, in order for the community to address four “overarching issues” derived from voluminous public comments to the Draft Applicant Guidebook for prospective new gTLD operators.  One of those four issues is malicious use of the DNS.

ICANN states clearly its “intent to examine this issue in order to identify mitigation measures that can be incorporated in the implementation of new gTLDs.”  It specifically invites responses to four questions:

1) What trends have you or your organization observed in the volume of illegal behavior or malicious conduct which are directly associated with increases in allocated domain names?  Has the addition of the latest gTLDs (.cat, .jobs, .mobi, .tel, .travel) increased such activity?

2) In cases where urgent measures are needed to deal with malicious conduct involving the Domain Name System, what challenges exist?  What measures can be employed by registries and registrars to speed response?

3) As the current model of cooperative interaction between registry, registrar, security organizations and law enforcement scales to become more global, what new processes will be needed to mitigate malicious conduct that utilizes the Domain Name System?

4) What specific measures can be employed by ICANN as a corporation to mitigate any potential increase in malicious conduct that might arise solely from the addition of new gTLDs?

Public comments are welcome anytime in response to those questions, or any other issues relating to malicious use of domain names.

IRT PROPOSES “UNIFORM SUSPENSION SYSTEM”

Another ‘overarching issue’ was identified as ‘trademark protection’, and to address that issue the ICANN Board chartered the GNSO’s Intellectual Property Constituency to create an Implementation Recommendation Team (“IRT”).  The IRT is tasked with reviewing all of the public comments about trademark abuse in new gTLDs and making recommendations to address the expressed concerns.  The IRT is underway and has produced its initial Draft Report.

Of particular interest on this broader issue of abusive domain registrations, the IRT made a recommendation for a “Uniform Rapid Suspension” (“URS”) process to address cases of obvious cybersquatting.  The proposal is highly detailed at more than 15 pages, but essentially ICANN would outsource the URS process to a third party.  That party would devise a standing panel of UDRP experts to make initial judgments on short-form UDRP complaints.  If the complaining party provides ‘clear and convincing’ proof of the three UDRP elements (a domain name identical or confusingly similar to the complainant’s mark, a registrant with no rights or legitimate interests in it, and registration and use in bad faith), such that there is no ‘contestable and material issue’ to resolve, then resolution of the infringing domain name will be suspended.  The registrant is given notice and an opportunity to answer before suspension, as well as an avenue to appeal any default and/or suspension.

Since the URS process originates from a group of IP attorneys chartered to address trademark issues, it is specifically limited in its current form to cybersquatting disputes.  However, there seems no reason why a similar process cannot be employed for other forms of abusive DNS registration.

APWG SUGGESTS “ANTI-PHISHING SUSPENSION PLAN”

Formally unaffiliated with ICANN, the Anti-Phishing Working Group is also actively working to mitigate the frequency and effect of abusive domain name registrations, specifically with respect to phishing and malware distribution.  A detailed “Anti-Phishing Suspension Plan” has been drafted in collaboration between members of APWG’s Internet Policy Committee, and representatives of the dotAsia registry and its back-end services provider, Afilias.  The APWG is working with dotAsia and a few other domain registries to fully implement this process in 2009.

The APWG suspension plan differs materially in many respects from the ICANN IRT’s URS proposal, discussed above.  Fundamentally, APWG would “accredit” certain entities with experience in anti-phishing efforts to make complaints directly to participating domain registries under certain conditions.  The complaining party would swear that a specific set of steps has been taken to verify the complaint as accurate.  The registry then would be empowered to suspend resolution of the domain name immediately, with avenues for the registrant to appeal the suspension.

This “trusted introducer” system ought to minimize the possibility of false complaints, and lead to faster take down of criminal content.  If it works well in the registries that initially volunteer to adopt it, then possibly it could be recommended by the GNSO Council, approved by the ICANN Board, and imposed as an ICANN Consensus Policy applicable to all gTLD registries.

ADDITIONAL EFFORTS AT ICANN

While the ICANN Board and Staff identified the four ‘overarching issues’ in the new gTLD program, ICANN’s GNSO Council had meanwhile chartered the “Registration Abuse Policies Working Group” to examine existing inconsistencies in the various contractual arrangements between ICANN and its registries, between ICANN contracting parties, and with domain registrants.  Specifically, some contracts have greater protections against abuse than others.  Indeed, Verisign’s .com and .net registry agreements do not have the protections included in other gTLD registry agreements, and this does not appear to make any sense.  The RAP WG hopefully will devise recommendations for minimum contractual standards applicable to all parties, and may also make further recommendations for a suspension process for abusive domains and/or for the measures outlined below.

Hopefully, ICANN can take the lead to develop a strong and balanced proposal that will mitigate all forms of abusive domain registrations, both in new and existing TLDs.  Many ideas are on the table, any or all of which could greatly assist in mitigating the widespread harm currently enabled by abuse of the DNS, including:

– requiring a public abuse contact for all contracting parties, with duties upon those parties to respond to and otherwise investigate complaints sent to that contact

– requiring all new gTLD registries to adopt a ‘thick WHOIS’ model, in which the registry itself holds the full registrant contact data rather than merely referring queries to the sponsoring registrar, so that there is a central WHOIS database for each registry

– requiring some form of registrant authentication before a domain name is activated for use

– regulating the use of ‘proxy’ or ‘privacy’ WHOIS services that create further burdens on law enforcement entities

To be sure, there are substantial efforts underway to force and/or otherwise assist ICANN’s contracting parties to take quicker and more decisive action against abuse of domain names they register.  Of course, the difficulty is to ensure as much as reasonably possible that false complaints do not hinder legitimate business or other legitimate content.  The IRT has made a strong, balanced proposal to address a substantial subset of the cybersquatting problem.  The APWG has devised a strong and balanced proposal to address a substantial subset of the phishing and malware problem.

In closing, 2009 clearly should be a watershed year for ICANN policy development with respect to abusive domain name registrations.  To many in the Internet community, this is extremely welcome and long overdue.  There are many opportunities for volunteers to participate in the ICANN process, including participation in Working Groups or GNSO Constituencies such as the Business Constituency.  All help is more than welcome in this ongoing, multi-faceted effort to mitigate the frequency and severity of criminal abuse of the DNS.

(Mike Rodenbaugh has twice been elected by the Business Constituency as one of its three administrative Officers and one of its three Councilors to the GNSO.  All opinions expressed in this article are those of Mike Rodenbaugh, and not those of the Business Constituency or the GNSO.)

Posted in Enforcement, gTLDS, ICANN, Internet Security by Mike Rodenbaugh