Fast Flux Hosting Final Report. GNSO Council Meeting 13 August 2009

Similar documents
GNSO Issues Report on Fast Flux Hosting

SSAC Fast Flux Activities

Registry Internet Safety Group (RISG)

IRTP Part A PDP Final Report. Thursday 16 April 2009 GNSO Council Meeting

Whois Study Table Updated 18 February 2009

Registration Abuse Policies Final Report. Greg Aaron, RAPWG Chair Sunday, 20 June 2010

The Challenge of Spam An Internet Society Public Policy Briefing

DNS Abuse Handling. FIRST TC Noumea New Caledonia. Champika Wijayatunga Regional Security, Stability and Resiliency Engagement Manager Asia Pacific

G8 Lyon-Roma Group High Tech Crime Subgroup

GAC PRINCIPLES REGARDING gtld WHOIS SERVICES. Presented by the Governmental Advisory Committee March 28, 2007

Post-Expiration Domain Name Recovery PDP Initial Report Update to the GNSO Council. Saturday, 19 June 2010

Discussion Paper on the Creation of non-binding Best Practices to help Registrars and Registries address the Abusive Registrations of Domain Names

Post- Expira,on Domain Name Recovery PDP WG. ICANN San Francisco March 2011

Summary of Expert Working Group on gtld Directory Services June 2014 Final Report

WHOIS High-Level Technical Brief

PURPOSE STATEMENT FOR THE COLLECTION AND PROCESSING OF WHOIS DATA

Improving WHOIS- An Update. 20 November, 2013

Final Outcomes Report of the WHOIS Working Group 2007

Next-Generation gtld Registration Directory Service (RDS) to replace WHOIS ICANN57 F2F Meeting Slides

.rio Registration Policies 2016 Dec 16

ICANN Contractual Compliance Proforma DNS Infrastructure Abuse November 2018 Registry Audit Request For Information (RFI)*

ISSUE CHART FOR THE GNSO RAA REMAINING ISSUES PDP ON PRIVACY/PROXY SERVICES

July 13, Via to RE: International Internet Policy Priorities [Docket No ]

WHOIS Review Team Internationalized Registration Data Expert Working Group. Margie Milam ICANN October 2015

GNSO Council Report to the ICANN Board Locking of a Domain Name subject to UDRP Proceedings PDP

Proposed Final Report on the Post-Expiration Domain Name Recovery Policy Development Process Executive Summary

INTELLECTUAL PROPERTY CONSTITUENCY COMMENTS ON PROPOSED INTERIM MODELS FOR ICANN COMPLIANCE WITH EU GENERAL DATA PROTECTION REGULATION

Proposed Service. Name of Proposed Service: Technical description of Proposed Service: Redemption Grace Period for.name.

General Data Protection Regulation (GDPR)

.HEALTH REGISTRATION POLICY

Update on Whois Studies

SSR REVIEW IMPLEMENTATION REPORT (Public) *DRAFT*

Draft Thick RDDS (Whois) Consensus Policy and Implementation Notes

Summary of Public Suggestions on Further Studies of WHOIS including the GAC recommendations of 16 April Updated 10 May 2008

Request for Information on Domain Tasting 10 August 2007

Post-Expiration Domain Name Recovery PDP. Presentation of Final Report

Radix Acceptable Use and Anti-Abuse Policy

Issues in Using DNS Whois Data for Phishing Site Take Down

Mitigating Malicious Conduct. Background - New gtld Program

Hogan Lovells Comments on the 3 ICANN Models for WHOIS Compliance with GDPR published on 12 January 2018

A Next Generation Registration Directory Service (RDS) Briefing by the Expert Working Group (EWG) on gtld Directory Services 13 July 2013

Anti-Phishing Working Group

Current Status of WG Activities

ICANN STRATEGIC PLAN JULY 2011 JUNE 2014

WHOIS Accuracy Study Findings, Public Comments, and Discussion

Internet Corporation for Assigned Names and Numbers ( ICANN )

REGISTRY POLICY STATEMENT ACCEPTABLE USE POLICY AND TERMS OF SERVICE

CERTIFICATE SCHEME THE MATERIAL HEALTH CERTIFICATE PROGRAM. Version 1.1. April 2015

The IDN Variant TLD Program: Updated Program Plan 23 August 2012

Expert Working Group on gtld Directory Services (EWG) Frequently Asked Questions (FAQs) 2014 Final Report Update

Proposed Interim Model for GDPR Compliance-- Summary Description

President s Report 2009

The Internet Big Bang: Implications for Financial Services Brand Owners

PRIVACY POLICY Let us summarize this for you...

Updates on Sharing Threat Data, Security Awareness and Policy Efforts to Fight Cybercrime

WYANDOTTE MUNICIPAL SERVICES ACCEPTABLE USE POLICY

Attachment 3..Brand TLD Designation Application

Progress Report Negotiations on the Registrar Accreditation Agreement Status as of 1 March 2012

Draft Applicant Guidebook, v3

DRAFT: gtld Registration Dataflow Matrix and Information

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

ICANN and Russia. Dr. Paul Twomey President and CEO. 10 June International Economic Forum St. Petersburg, Russia

Update on ICANN Domain Name Registrant Work

Advisory Concerning Inter-Registrar Transfer Policy. 23 August 2007

APNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013

IT Security Evaluation and Certification Scheme Document

GDPR. The new landscape for enforcing and acquiring domains. You ve built your business and your brand. Now how do you secure and protect it?

APNIC Cooperation SIG: Anti-Abuse Community Development

Matters Related to WHOIS

Effective October 31, Privacy Policy

EU policy on Network and Information Security & Critical Information Infrastructures Protection

Promoting accountability and transparency of multistakeholder partnerships for the implementation of the 2030 Agenda

One World. One Internet.

Topic LE /GAC position Registrar Position Agreement in Principle 1. Privacy and Proxy services

ACCEPTABLE USE POLICY

Attachment 3..Brand TLD Designation Application

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

NebraskaLink Acceptable Use Policy

A1. Actions which have been undertaken by Governments

ANNEX 2: Policy Development Process Manual

ICANN Identifier System SSR Update 1H 2015

Phishing Activity Trends Report August, 2005

UNITED STATES OF AMERICA COMMENTS ON THE REPORT OF THE WGIG

This descriptive document is intended as the basis for creation of a functional specification for 2

G7 Bar Associations and Councils

INTER-REGISTRAR TRANSFER POLICY ISSUES - PDP Recommendations - 19 Mar 08

Examination Guidelines for Design (Provisional translation)

Public consultation on Counterfeit and Piracy Watch-List

Explanation of Data Element Data Element Potentially Legitimate purposes for Collection/Retention

Transnational Anti-Abuse Working Group (AAWG) Development

[1] Addition of French, Spanish, and German languages to the list of approved languages for the following TLD:.xn--fjq720a

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

Searchable WHOIS Terms of Use

T-CY Guidance Note #8 Obtaining subscriber information for an IP address used in a specific communication within a criminal investigation

2. What do you think is the significance, purpose and scope of enhanced cooperation as per the Tunis Agenda? a) Significance b) Purpose c) Scope

Law Enforcement Recommended RAA Amendments and ICANN Due Diligence Detailed Version

Abuse Management System (AMS) Mon-Loi Perez Associate Consultant Singapore Network Information Centre Pte. Ltd. (SGNIC)

RSA INCIDENT RESPONSE SERVICES

Magna5 reserves the right to make modifications to this policy at any time.

Root KSK Roll Delay Update

Transcription:

Fast Flux Hosting Final Report GNSO Council Meeting 13 August 2009 1

January 2008: SAC 025 Fast Flux Hosting and DNS Characterizes Fast Flux (FF) as an evasion technique that enables cybercriminals to extend lifetime of compromised hosts employed in illegal activities Encourages ICANN, registries, and registrars [ ] to establish best practices to mitigate fast flux and consider whether such practices should be addressed in future agreements. March 2008: GNSO Council Request for an Issues Report Issues report recommends further fact finding and research May 2008: GNSO initiates Policy Development Process (PDP) June 2008: Fast Flux Hosting Working Group formed 26 January 2009: Initial Report published 2

Who benefits from FF, who is harmed? Who would benefit from cessation of the practice, who would be harmed? Are registry operators involved in FF hosting activities? If so, how? Are registrars involved in FF hosting activities? If so, how? How are registrants affected by FF hosting? How are Internet users affected by FF hosting? What technical and policy measures could be implemented by registries & registrars to mitigate the negative effects of FF hosting? What would be the impact of establishing limitations, guidelines, or restrictions on registrants, registrars or registries with respect to practices that enable or facilitate FF hosting? What would be the impact of these limitations, guidelines, or restrictions to product and service innovation? What are some of the best practices available with regard to protection from fast flux? Obtain expert opinion on which areas of fast flux are in scope and out of scope of GNSO policy making 3

WG started working on answering charter questions in parallel to preparation of Constituency Statements In addition, several members of the WG worked on collecting supporting data on Fast Flux to be incorporated in the report Weekly conference calls, over 1,000 emails exchanged Where no broad agreement could be reached, the WG would use support and alternative view labels to indicate level of support for certain position Following public comment period, close review and analysis of comments received (25) and incorporation in the report where appropriate 4

Purview Does this matter fall within ICANN s remit or should other avenues be pursued? How should Fast Flux be defined? Legitimate vs. Illegitimate use Activities What kinds of monitoring are needed? How should monitored data be reported, published, shared? What actions (responses) are appropriate? Roles of players Who monitors FF activities today? Are they trustworthy? Are registrars and registries expected to monitor FF activity? Are data currently collected accurate and sufficient to justify a domain suspension action? What is an acceptable false positive rate? 5

Final report published on 6 August 2009 Report provides answers by the WG to the Charter Questions, incl. a list of characteristics that a fast flux attack network might exhibit and fast flux metrics No recommendations for new consensus policy, or changes to existing policy, but a number of ideas for next steps 6

Charter Questions Who benefits from fast flux? Organizations that operate highly targetable networks Content distribution networks Mobility support Free speech / advocacy groups Criminal entities Who is harmed? Harm can arise both from legitimate and malicious uses; the WG struggled to maintain a clear distinction between harms that arise directly from the techniques themselves and harms that arise from the malicious behavior of bad actors who may use fast flux No consensus concerning the separately identifiable culpability of fast flux hosting with respect to the harm caused by malicious behavior, but the WG does recognize the way in which fast flux techniques are used to prolong an attack

Charter Questions Who would benefit from cessation of the practice? Individuals Business and organizations Internet Service Provider Registries and Registrars Law enforcement investigators Digital divide (not investigated by WG, but comment submitted) Are registry operators involved, or could they be, in fast flux hosting activities? If so, how? Registry Constituency (RyC) provides detailed notes regarding the technical and policy options available to registry operators regarding fast flux hosting 8

Charter Questions Are registrars involved in fast flux hosting activities? If so, how? Varying opinions on what the WG should say here, as involvement has many interpretations: Reputable registrars are uninvolved Certain registrars are unwitting participants (ignorant of problematic registrations) Certain registrars appear to lack competence in managing abuse The actions of certain registrars (or lack thereof) create the appearance of facilitation or complicity

Charter Questions How are registrants affected by fast flux hosting? Registrants who employ self beneficial flux techniques improve network availability and resiliency to failure/attack Registrants are also targets for phishing and other forms of attacks that result in unauthorized access to domain accounts and DNS exploitation How are Internet users affected by fast flux hosting? They are the victims of fraud, malicious, and criminal activities that are abetted by flux hosting which is used to extend the duration of the attack Internet user assets are used to facilitate flux attacks (e.g., bots on PCs, compromised servers, domain accounts and name services Bear the burden of detection and recovery costs (individual users as well as businesses and organizations that make use of online presence)

Charter Questions What technical (e.g. changes to the way in which DNS updates operate) and policy (e.g. changes to registry/registrar agreements or rules governing permissible registrant behavior) measures could be implemented by registries and registrars to mitigate the negative effects of fast flux? Information Gathering (examples): Sharing of additional non private DNS information via TXT response messages (domain age, # of NS changes over a measurement interval) Publish summaries of unique complaint volumes by registrar, by TLD, and by name server Cooperative, cross community information sharing Active Engagement (examples): Adopt accelerated domain suspension processing in collaboration with certified investigators Stronger registrant verification procedures

Charter Questions What would be the impact (positive or negative) of establishing limitations, guidelines, or restrictions on registrants, registrars and/or registries with respect to practices that enable or facilitate fast flux hosting? The WG considered several possible options, including governing Time To Live (TTL) values, charging registrants and/or registrars for nameserver changes, and requiring multiple contacts to confirm DNS updates before having them take effect, but did not reach consensus nor endorse any of these What would be the impact of these limitations, guidelines, or restrictions to product and service innovation? None of the possible options noted above were deemed appropriate or viable 12

Charter Questions What are some of the best practices available with regard to protection from fast flux? Cited Anti Phishing Best Practices Recommendations for Registrars from APWG http://www.apwg.org/reports/apwg_registrarbestpractices.pdf Cited SAC 025 Mannheim formula Enumerated subset of recommendations from both that FF WG believes to be applicable

Four Constituency statements: Registry Constituency, Non Commercial Users, Intellectual Property Constituency and Registrar Constituency All recognize that fast flux is being used by miscreants involved in online crime to evade detection, but disagree on whether ICANN or policy development is the appropriate way forward All recognize the difficulty in separating legitimate from illegitimate use, and several highlight the importance of ensuring that any potential solutions do not impact legitimate use Overall support for further fact finding and data gathering 14

The WG recognizes that fast flux is a networking technique, and as such can be employed for illicit or legitimate purposes. Many types of organizations can potentially be involved in fast flux use, including registries, registrars, ISPs, hosting firms and other online businesses. Coordination and cooperation is therefore necessary. The WG finds that key components to better understanding of fast flux include data collection, DNS monitoring, and data sharing among various parties (e.g., registries, registrars, ISPs, and security service providers. 15

The WG recommends that the ICANN community consider how future coordinated operational responses involving security, DNS and law enforcement communities could confront, contain, or confound fast flux hosting. The WG acknowledges that fast flux and similar techniques are merely components in the larger issue of Internet fraud and abuse. The techniques described in this report are only part of a vast and constantly evolving toolkit for attackers. These numerous and interdependent issues should all be taken into account in any potential policy development process and/or next steps. 16

Recommendations The WG would like to put forward the following ideas, ranked in order of importance, forward for further consideration by the GNSO Council: Highlight which solutions / recommendations could be addressed by policy development, best practices and/or industry solutions Consider whether registration abuse policy provisions could address fast flux by empowering registries / registrars to take down a domain name involved in fast flux Explore the development of a Fast Flux Data Reporting System Explore the possibility of ICANN as a best practices facilitator Explore the possibility to involve other stakeholders in the fast flux policy development process Redefine the issue and scope 17

Final Report [link to be included] Initial Report http://gnso.icann.org/issues/fast fluxhosting/fast flux initial report 26jan09.pdf Summary of Public Comments http://forum.icann.org/lists/fast flux initialreport/msg00025.html Public Comment Forum http://forum.icann.org/lists/fastflux initial report/ Working Group Wiki https://st.icann.org/pdp wgff/index.cgi?fast_flux_pdp_wg 18

Questions? 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback