
KnujOn ICANN Policy Enforcement

MIT Spam Conference, March 2009
Dr. Robert Bruen, Garth Bruen

KnujOn

- Dr. Bob and son Garth
- Started with fighting spam
- Using Whois data accuracy
- Policy Enforcement & Sunshine
- Registrars are the key
- Spam is the gateway for crime

Policies and Contracts

- Policies are in contracts/agreements/rules
- Critical that policies are well constructed
- Bad policy creates problems
- Good policy helps decisions in novel situations

Whois Data Accuracy

- Long and sordid history (1982-now)
- Registrars required to correct Whois (WI) data (RAA)
- Still very controversial
- KnujOn cares about individual privacy
- Wants policy enforcement for commercial entities

Enforcing WI Data Accuracy

- KnujOn receives spam (anonymous & clients)
- Extract transaction sites
- Verify WI data for each site
- Complain to ICANN (Policy Enforcement)
- Aggregate data & publish results (Sunshine)
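The five steps on this slide, as an added example written for this page (it is not KnujOn's own tooling). The spam bodies, the Whois records, the registrar names "Registrar A" and "Registrar B", and the short public-suffix list are all constructed assumptions; in a real run the Whois records would be fetched from the registrar or registry Whois service. The point it adds to the slide is where each step can go wrong: URLs on IP literals or bare hosts have no registrant to verify, hostnames under two-label public suffixes need more than the last two labels, and placeholder values in the registrant fields the RAA requires are the accuracy failures that end up in the complaint and the published totals.

```python
"""Added example, not KnujOn's code: the slide's pipeline, run offline.
Extract transaction sites from spam, verify Whois data for each registrable
domain, and aggregate failures per registrar for a published "sunshine" list.
All spam bodies, Whois records and registrar names here are constructed."""
import re
from collections import Counter

SPAM_SAMPLES = [  # constructed, not real spam
    "Cheapest meds online! Order now: http://www.example-pharm.com/order?aff=12",
    "Your prescription is waiting -> https://shop.example-pharm.com:443/buy",
    "Antivirus 2009 alert. Scan now at http://av-example.net/scan.php",
    "Limited offer, today only: https://example-scam.com/",
    "Test links: http://localhost/ http://198.51.100.7/x ftp://198.51.100.8/pub",
]

WHOIS_SAMPLES = {  # constructed records; registrar names are hypothetical
    "example-pharm.com": {"registrar": "Registrar A", "registrant_name": "N/A",
                          "registrant_address": "123 Nowhere",
                          "registrant_email": "nobody@@example",
                          "registrant_phone": "000-000-0000"},
    "av-example.net": {"registrar": "Registrar B", "registrant_name": "Jane Doe",
                       "registrant_address": "1 Main St, Springfield, US",
                       "registrant_email": "jane@example.org",
                       "registrant_phone": "+1.5551234567"},
    "example-scam.com": {"registrar": "Registrar A", "registrant_name": "",
                         "registrant_address": "xxx", "registrant_email": "",
                         "registrant_phone": ""},
}

URL_HOST_RE = re.compile(r"https?://([^\s/:?#]+)", re.IGNORECASE)
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
# A few two-label public suffixes; real tooling should use the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.cn", "net.cn", "com.au"}
# Registrant fields the RAA obliges registrars to collect and keep accurate.
REQUIRED_FIELDS = ("registrant_name", "registrant_address",
                   "registrant_email", "registrant_phone")
# Values that mean "no data" rather than an identifiable registrant.
PLACEHOLDERS = {"", "n/a", "na", "none", "unknown", "not available", "xxx", "-"}


def registrable_domain(hostname):
    """Reduce a URL hostname to the domain a registrar actually sold, or None."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or re.fullmatch(r"[\d.]+", host):
        return None  # bare hosts and IPv4 literals have no registrant
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_transaction_domains(messages):
    """Step 2 of the slide: the set of domains the spam sends victims to."""
    found = set()
    for body in messages:
        for host in URL_HOST_RE.findall(body):
            domain = registrable_domain(host)
            if domain:
                found.add(domain)
    return sorted(found)


def check_whois_record(record):
    """Step 3: return the accuracy problems found in one Whois record."""
    problems = []
    for field in REQUIRED_FIELDS:
        value = str(record.get(field, "")).strip()
        if value.lower() in PLACEHOLDERS:
            problems.append(f"{field}: missing or placeholder ({value!r})")
            continue
        if field == "registrant_email" and not EMAIL_RE.fullmatch(value):
            problems.append(f"{field}: malformed ({value!r})")
        if field == "registrant_phone":
            digits = re.sub(r"\D", "", value)
            if len(digits) < 7 or len(set(digits)) == 1:
                problems.append(f"{field}: implausible ({value!r})")
    return problems


def aggregate_by_registrar(domains, whois):
    """Step 5: count spam-advertised domains with bad Whois, per registrar."""
    counts = Counter()
    for domain in domains:
        record = whois.get(domain)
        if record is not None and check_whois_record(record):
            counts[record["registrar"]] += 1
    return counts


def run_pipeline(messages=SPAM_SAMPLES, whois=WHOIS_SAMPLES):
    """Steps 2 to 5 end to end: domains, per-domain findings, registrar totals."""
    domains = extract_transaction_domains(messages)
    report = {d: check_whois_record(whois[d]) for d in domains if d in whois}
    return domains, report, aggregate_by_registrar(domains, whois)


if __name__ == "__main__":
    domains, report, ranking = run_pipeline()
    for domain in domains:
        print(domain, "->", report.get(domain, ["no Whois record available"]))
    print("registrars ranked by failing domains:", ranking.most_common())
```

Running it prints each spam-advertised domain with its Whois findings and a registrar ranking, which is the raw material for a worst-registrar list. The placeholder list only flags absent or junk data; a registration behind a privacy service still carries a deliverable address and is not flagged, which matches the deck's distinction between individual privacy and commercial accountability.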

Research Impact

- Shutdowns – now in the 100,000s
- Registrars are paying attention
- “You [KnujOn] are casting a big shadow” – Steve Crocker, ICANN BoD
- KnujOn now an ICANN ALAC ALS (At-Large Structure)
- Major influence on new RAA recommendations
- Major influence on ICANN's new WDPRS

Top Ten Worst Registrars May 08

- Xin Net Bei Gong Da Software
- Beijing Networks
- Todaynic
- Joker
- eNom, Inc.
- MONIKER
- Dynamic Dolphin
- The Nameit Co/AITDOMAINS.COM
- PDR (Directi)
- Intercosmos/DIRECTNIC

Top Ten Worst Registrars Feb 09

- Xin Net
- eNom
- Network Solutions
- Register.com
- Planet Online
- Regtime – 1st Russian registrar to make the list
- OnlineNIC
- Spot Domain/Domainsite
- Wild West Domain
- HiChina Web Solutions

What Happened

- EstDomains lost accreditation
  - Domains transferred to Directi
- PDR (Directi) – cooperating
- Intercosmos/Directnic – improving
- Joker – breach notice – improving
- Beijing Networks – breach notice – improving
- Moniker – market losses
- Dynamic Dolphin – market losses & lawsuits

On Top of That...

- AIT investigated by ICANN
  - Possible breach notice
- Atrivo/Intercage report by HostExploit.com
  - ISPs stopped doing business with them
  - A/I never recovered
- McColo report by HostExploit.com
  - ISPs stopped doing business with them
  - McColo never recovered completely
  - Spam volume only dropped to the bottom of its previous range

Even More...

- Ukrainian takedown: UkrTeleGroup Ltd., 30 Jan 09
- Spam levels dropped dramatically, like McColo
- Within a day, back up to the highest level since McColo
- Parava breach notice from ICANN, 27 Feb 09

KnujOn at ICANN Cairo

- Gave presentation to ICANN ALAC in Cairo
- ALAC = At-Large Advisory Committee
- Well received – asked to become an ALS
- KnujOn European mirror established
- ALAC RAA improvement recommendations
- Participated in ALAC – Registrar meeting

Registrars

- Lots of pushback
- Deny responsibilities
- Success with fake pharmacy shutdowns
- Reseller issues

Attacks on Registrars

- Recent
  - DomainTheNet (Israel), Jan 2009, “Team Evil”
  - NetSol/CheckFree, Dec 2008
  - Comcast, May 2008
- Not really that new
  - SSAC Report: Domain Name Hijacking, 2005
    - panix.com
    - hushmail.com (NetSol)
    - HZ.com
    - etc.

SSAC 2005 – Selected Quotes

Finding (1) Failures by registrars and resellers to adhere to the transfer policy have contributed to hijacking incidents and thefts of domain names.

Finding (2) Registrant identity verification used in a number of registrar business processes is not sufficient to detect and prevent fraud, misrepresentation, and impersonation of registrants.

SSAC cont.

Finding (6) Accuracy of registration records and Whois information are critical to the transfer process.

Finding (7) ...Resellers, however, may operate with the equivalent of a registrar’s privileges when registering domain names. ... The current situation suggests that resellers are effectively “invisible” to ICANN and registries and are not distinguishable from registrants. ... The responsibility of assuring that policies are enforced by resellers (and are held accountable if they are not) is entirely the burden of the registrar.

Wholesale Registrars

- Registrars who use resellers, some exclusively
- Examples: Tucows, NetSol, eNom
- Has a legitimate purpose
- Also has problems:
  - New attacks on registrars
  - Resellers not held accountable by registrars
  - Used as a channel by the bad guys

Criminal Ecosystem

- Two main views: the Law Enforcement (LE) view and the KnujOn view
- LE = details (lots...)
  - Financial theft & fraud, key loggers, hijacks, botnets
  - Arrest the criminals
- KnujOn = same as legitimate activity
  - Fast flux, domain resellers, DNS, pharmacies
  - Fix and enforce policy

[Diagram of the ecosystem: US Government – JPA – ICANN; ICANN – RAA – Registrar – Reseller – Registrant; IANA, TLD/ccTLD registries (.com, .net), ASNs, ISPs, DNS, Hosting Services; the Criminal Ecosystem sits among the resellers, registrants and hosting services]

Financials

- Brian Krebs story, March 20 (Security Fix)
- TrafficConverter2.biz shutdown
- Antivirus 360 & 2009
- Visa/MasterCard and a bank (Germany)
- Financial capability to stop criminals
- No money = no incentive = no crime
- About time

[Diagram: Financial System (Banks, Credit Card Companies, PayPal); Technical Connections (Registrars, ISPs, Hosting Companies, Resellers); Criminal Ecosystem; Merchants (Good Domains, Bad Actors)]

Any Questions?

Bob Bruen
[email protected]
http://www.coldrain.net/bruen

Garth Bruen
[email protected]
http://www.knujon.com