
Put Security Alongside .XXX

Isn’t security as important to discuss as .XXX?

The DNS has become an abuse infrastructure; it is no longer just a functional infrastructure. It is not merely used by malware, phishing and other Bad Things [TM]; it facilitates them.

Operational needs require the policy and governance folks to start taking notice.

It’s high time security got where it needs to be on the agenda, not just because it is important to consider security, but rather because lack of security controls made it a necessity.

In the discussion of my latest post, some people on NANOG raised interesting ideas, such as:

(listed as I understood them)

1. Terminating domains found to be registered with stolen credit cards (raised by Chris Morrow)
2. Introducing a delay to registration (Douglas Otis)
3. Reviewing legacy engineering decisions (David Conrad)
4. A show of responsibility by Registries and Registrars to take care of bad domains (Paul Vixie)
5. Public shaming should be considered (Paul Vixie)
6. Closing the vulnerability with DNS should not be ignored just because bad guys will find something else to exploit (Hank Nussbacher)
7. Check out http://www.icann.org/participate/ (John Crain)

There were other ideas and contributors as well. I won’t push my own here; there is enough already up there to keep us busy for a while.

Whether these ideas are good remains to be seen; the fact is that we are now discussing the issues.

Another conclusion was that the domain registration system and process are a significant part of the ongoing abuse of the DNS infrastructure.

So, as important as the XXX TLD is, security should get as much attention, if not more.

It is about the current policy, which allows black-hat registrars to exist (rather than regulating the good ones; lower-hanging fruit first?), and about the policy for registering and terminating domain names. It is about old policy that no longer fits today’s threats and, to a limited extent, about technology that needs to be revamped.

Here is one of the latest emails in the NANOG thread, by me in reply to David Conrad. Things start to make sense now that flames and personal attacks have died down.

This email message is about ICANN’s role, if it is to have one, as well as about practical suggestions:

Date: Mon, 2 Apr 2007 21:02:46 -0500 (CDT)
From: Gadi Evron

To: David Conrad

Cc: [email protected]
Subject: ICANNs role [was: Re: On-going ...]

On Mon, 2 Apr 2007, David Conrad wrote:
> On Apr 1, 2007, at 8:45 AM, Gadi Evron wrote:
> > On Sun, 1 Apr 2007, David Conrad wrote:
> >> On Mar 31, 2007, at 8:44 PM, Gadi Evron wrote:
> >> I’m not clear what “this realm” actually is.
> > Abuse and Security (non infrastructure).
>
> Well, ICANN is supposed to look after the “security and stability” of
> the Internet, which is sufficiently vague and ambiguous to cover
> pretty much anything. I was actually looking for something a bit
> more concrete.

So you are the guys asleep at the guard post? :)

> The one concrete suggestion I’ve seen is to induce a delay in zone
> creation and publish a list of newly created names within the zone.
> The problem with this is that is sort of assumes:

What are your thoughts on basic suggestions such as:
1. Allowing registrars to terminate domains based on abuse, rather than just fake contact details.
2. Following these incidents as they happen so that YOU, in charge, can make these suggestions?
3. For true emergencies threatening the survivability of the system, shouldn’t we be able to black-list a domain in the core?
4. Black lists for providers are not perfect, but perhaps they could help protect users significantly?
5. Enforcing that registrars act in say, not a whitehat fashion, but a not blackhat fashion?
6. Yours here?

I can go to extremes in my suggestions; none are new:
1. Rather than terminate on fake details - verify details before a domain is registered. Not just the credit card, either.
2. Domains are a commodity, ICANN should know, what of putting them under a wider license on abuse and termination or suspension?

The whole system is almost completely unregulated, and this is money you take care of that we speak of here.

You have a long way to go before claiming to take care of the Internet. Please take that route if you believe you can. The Internet needs your help.

How about some funding for research projects? Getting involved and perhaps funding Incident response on a global scale?

Why does this have to be in the hands of volunteers, such as myself and hundreds of others?

Why does Internet security have to be in the hands of those with “good will” rather than those who are supposed to take care of it?

How about adding security to the main agenda alongside the .xxx TLD?

I have no problem with ICANN, but there is a long way to go before you can claim to protect the Internet, infrastructure, users, or what’s in the middle. I’d encourage ICANN to take that road, much like I would encourage any person or organization that wants to help.

You were not here before when we needed you, so organizations like FIRST, the ISOTF and many good-will based groups were created. You are here now, how do we proceed?

What is ICANN’s next step? I will support it, so will others. It’s not about politics as much as it is about who DOES. Maybe you just need to work with the community rather than claim to run it when you don’t really do anything in security quite yet.

> a) the registries all work on similar timescales
> b) that timescale is on the order of a day
> c) ICANN has a mechanism to induce the registries to make changes to
> those timescales
> d) making changes along these lines would be what end users actually
> want.
>
> Of these options:
>
> - (a) isn’t true (by observation)
> - (b) is currently true for com/net, but I don’t expect that to last
> I’ve heard there is a lot of competitive pressure on the
> registries to be faster in doing zone modifications
> - (c) I don’t think is true now for even those TLDs ICANN has a
> contractual relationship with and is highly unlikely to ever be true
> for the vast majority of TLDs
> - (d) probably isn’t true, given lots of people complain about how
> long it takes to get zone changes done now and I believe registries
> are working to reduce the amount of time significantly due to
> customer demand.
>
> Even if a delay were imposed, I’m not sure I see how this would
> actually help as I would assume it would require folks to actually
> look at the list of newly created domains and discriminate between
> the ones that were created for good and the ones created for ill.
> How would one do this?

Well, if a domain was registered last month, last week, or 2 hours ago, and is used to send spam, host a phishing site or changes name servers that support phishing sites ALONE (nothing legit) in the thousands, or support the sending of billions of email messages burdening messaging across the board, I’d call it bad.

Who “one” is, now that is something to work out. We need help setting the system in place with guidelines and policies so that the one or other can start reporting and getting results.

Is ICANN willing to help?

> -drc

  Gadi.

>
> P.S. I should point out that IANA has only glancing interaction with
> the registry/registrar world, so I’m working from a large amount of
> ignorance here. Fortunately, being ignorant rarely stops me… :-)

Where do we go from here? And if we do proceed, which legitimate businesses stand to lose money (or earn less)?
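The NANOG exchange above asks how anyone would tell newly created names registered for good from those registered for ill, and the answer given is essentially an age-at-first-abuse test: a name that starts sending spam or hosting phishing hours or days after it enters the zone is bad. As an added example (not code from this post or from anyone in the thread), here is that triage in Python, run over a constructed "newly created names" list and constructed abuse reports. All domains, timestamps, the seven-day window and the verdict labels are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the post or the NANOG thread).
# NEW_NAMES stands in for a registry-published "newly created names" list:
# domain -> time the name entered the zone.
NEW_NAMES = {
    "login-verify-bank.test": datetime(2007, 4, 1, 9, 0),
    "cheap-meds-now.test": datetime(2007, 3, 31, 20, 30),
    "sunrise-bakery.test": datetime(2007, 3, 2, 12, 0),
    "quiet-hobby-blog.test": datetime(2007, 4, 1, 10, 15),
}

# ABUSE_REPORTS stands in for spam-trap and phishing-feed reports:
# (domain, report time, category). Also constructed.
ABUSE_REPORTS = [
    ("login-verify-bank.test", datetime(2007, 4, 1, 11, 0), "phishing"),
    ("login-verify-bank.test", datetime(2007, 4, 1, 13, 30), "phishing"),
    ("cheap-meds-now.test", datetime(2007, 4, 2, 6, 0), "spam"),
    ("sunrise-bakery.test", datetime(2007, 4, 1, 8, 0), "spam"),
]

FRESH_WINDOW = timedelta(days=7)  # assumed threshold for "registered recently"


def reports_by_domain(abuse_reports):
    """Group abuse reports by domain, with each domain's reports sorted by time."""
    grouped = {}
    for domain, when, category in abuse_reports:
        grouped.setdefault(domain, []).append((when, category))
    for entries in grouped.values():
        entries.sort()
    return grouped


def hours_to_first_report(created, domain_reports):
    """Hours between zone insertion and the earliest abuse report for one domain."""
    first_seen = domain_reports[0][0]
    return (first_seen - created) / timedelta(hours=1)


def triage(new_names, abuse_reports, fresh_window=FRESH_WINDOW):
    """Map each newly created name to a verdict.

    suspect-new:        abused within fresh_window of entering the zone, the
                        case the thread describes (registered, then used for
                        spam or phishing within hours or days)
    review-established: abused, but old enough that a compromised legitimate
                        site is as likely as a throwaway registration
    inconsistent:       a report predates creation, so one of the feeds is wrong
    unreported:         on the list but no abuse seen; nothing to act on yet
    """
    grouped = reports_by_domain(abuse_reports)
    verdicts = {}
    for domain, created in new_names.items():
        domain_reports = grouped.get(domain)
        if not domain_reports:
            verdicts[domain] = "unreported"
            continue
        first_seen = domain_reports[0][0]
        if first_seen < created:
            verdicts[domain] = "inconsistent"
        elif first_seen - created <= fresh_window:
            verdicts[domain] = "suspect-new"
        else:
            verdicts[domain] = "review-established"
    return verdicts


def suspects(new_names, abuse_reports, fresh_window=FRESH_WINDOW):
    """The names a registrar or registry would be asked to look at first,
    each with its age in hours at first report, youngest first."""
    grouped = reports_by_domain(abuse_reports)
    verdicts = triage(new_names, abuse_reports, fresh_window)
    rows = [
        (domain, hours_to_first_report(new_names[domain], grouped[domain]))
        for domain, verdict in verdicts.items()
        if verdict == "suspect-new"
    ]
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    for domain, verdict in triage(NEW_NAMES, ABUSE_REPORTS).items():
        print(f"{domain:28} {verdict}")
    for domain, hours in suspects(NEW_NAMES, ABUSE_REPORTS):
        print(f"reported {hours:.1f}h after creation: {domain}")
```

The point of the two non-"suspect" verdicts is the caveat David raises: a delay and a published list only help if someone can act on them without sweeping up legitimate names. An old name that suddenly appears in spam reports is more likely a compromised site than a throwaway registration, so it goes to review rather than to the same queue as a two-hour-old phishing domain, and a report timestamp earlier than the creation time is flagged as a data problem instead of being trusted.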

By Gadi Evron, Security Strategist


Comments

Gadi Evron  –  Apr 3, 2007 4:03 AM

David’s reply deserves a spot here, as obviously our discussion on NANOG is friendly:

Date: Mon, 2 Apr 2007 20:57:32 -0700
From: David Conrad

To: Gadi Evron

Subject: Re: ICANNs role [was: Re: On-going ...]

Gadi,

> So you are the guys asleep at the guard post? :)

Something ICANN is frequently accused of.

> 1. Allowing registrars to terminate domains based on abuse, rather
> than
> just fake contact details.

Seems like a reasonable idea to me, but wouldn’t that be a
contractual term between the registrar and registrant?

> 2. Following these incidents as they happen so that YOU, in charge,
> can
> make these suggestions?

Sorry, who is in charge?

> 3. For true emergencies threatening the survivability of the system,
> shouldn’t we be able to black-list a domain in the core?

I don’t understand this one.  What’s “the core” in this context?

> 4. Black lists for providers are not perfect, but perhaps they
> could help
> protect users significantly?

Perhaps they could.  Not sure what ICANN would have to do with this
though (unless you’re suggesting ICANN runs a blacklist? If so, I
suspect ICANN’s legal counsel would have ... concerns).

> 5. Enforcing that registrars act in say, not a whitehat fashion, but a
> not blackhat fashion?

Sorry, what does this mean?

> 6. Yours here?

Sorry, haven’t really looked into this space, so I don’t yet have
suggestions.

> 1. Rather than terminate on fake details - verify details before a
> domain
> is registered. Not just the credit card, either.

Isn’t this a business practice of the registrars?  I gather you’re
suggesting ICANN take a much more aggressive role with registrars?

> 2. Domains are a commodity, ICANN should know, what of putting them
> under
> a wider license on abuse and termination or suspension?

My observations are that the relationship between ICANN and the
registry/registrar folks is much less dictatorial than you appear to
assume.

> The whole system is almost completely unregulated, and this is
> money you
> take care of that we speak of here.

There are many who argue quite forcefully that ICANN is not a regulator.

> You have a long way to go before claiming to take care of the
> Internet.

I don’t think ICANN has ever claimed this.

> Please take that route if you believe you can. The Internet
> needs your help.

You seem to believe ICANN has a much greater role in Internet
management than it has.  ICANN can’t even make changes to a name
server in the root zone without US government approval.

> How about some funding for research projects? Getting involved and
> perhaps
> funding Incident response on a global scale?

I can suggest this, although having a concrete proposal would
probably carry more weight.

> Why does this have to be in the hands of volunteers, such as myself
> and
> hundreds of others?
>
> Why does Internet security have to be in the hands of those with “good
> will” rather than those who are supposed to take care of it?

I suspect because the Internet is decentralized.

> How about adding security to the main agenda alongside
> the .xxx TLD?

It is, although there are lots of aspects to security so undoubtedly,
it can’t be all things to all people.  ICANN has an advisory
committee specifically targeted at “security and stability” that has
some folks who frequently participate on this list
(http://www.icann.org/committees/security/).

> I have no problem with ICANN, but there is a long way to go before
> you can
> claim to protect the Internet, infrastructure, users, or what’s in the
> middle.

I don’t think ICANN claims this.

> I’d encourage ICANN to take that road, much like I would encourage
> any person or organization that wants to help.
>
> You were not here before when we needed you, so organizations like
> FIRST, the ISOTF and many good-will based groups were created. You are
> here now, how do we proceed?

I don’t think anyone expected ICANN to take on the role of Internet
security czar.  I suspect if ICANN tried to assert this sort of role,
the USG (among other governments) would take strong exception.
ICANN’s role (as I understand it) is coordinative, not directive.
Any attempt to go beyond this will result in ICANN getting slapped down.

> What is ICANN’s next step? I will support it, so will others. It’s not
> about politics as much as it is about who DOES. Maybe you just need to
> work with the community rather than claim to run it when you don’t
> really
> do anything in security quite yet.

I don’t think ICANN has ever claimed to run “the community”.

> Well, if a domain was registered last month, last week, or 2 hours
> ago,
> and is used to send spam, host a phishing site or changes name servers
> that support phishing sites ALONE (nothing legit) in the thousands, or
> support the sending of billions of email messages burdening messaging
> across the board, I’d call it bad.

As would I.

> Who “one” is, now that is something to work out. We need help
> setting the
> system in place with guidelines and policies so that the one or
> other can
> start reporting and getting results.
>
> Is ICANN willing to help?

To be perfectly clear, I don’t speak for ICANN, I just run IANA.  I’m
happy to forward suggestions to folks in ICANN who don’t participate
in NANOG or other forums, but don’t expect this to have significantly
more impact than you participating directly in the various ICANN forums.

Rgds,
-drc
