  • Number of slides: 23

KnujOn ICANN Policy Enforcement
MIT Spam Conference, March 2009
Dr. Robert Bruen, Garth Bruen

KnujOn
  • Dr. Bob and son Garth
  • Started with fighting spam
  • Using whois data accuracy
  • Policy Enforcement & Sunshine
  • Registrars are the key
  • Spam is the gateway for crime

Policies and Contracts
  • Policies are in contracts/agreements/rules
  • Critical that Policies are well constructed
  • Bad policy creates problems
  • Good policy helps decisions in novel situations

Whois Data Accuracy
  • Long and sordid history (1982-now)
  • Registrars required to correct WI data (RAA)
  • Still very controversial
  • KnujOn cares about individual privacy
  • Want commercial entities policy enforcement

Enforcing WI Data Accuracy
  • KnujOn receives spam (anonymous & clients)
  • Extract transaction sites
  • Verify WI Data for each site
  • Complain to ICANN (Policy Enforcement)
  • Aggregate data & publish results (Sunshine)

Research Impact
  • Shutdowns – now in the 100,000s
  • Registrars are paying attention
  • “You [KnujOn] are casting a big shadow” Steve Crocker, ICANN BoD
  • KnujOn now an ICANN ALAC ALS
  • Major influence on new RAA recommendations
  • Major influence on ICANN's new WDPRS

Top Ten Worst Registrars May 08
  • Xin Net Bei Gong Da Software
  • Beijing Networks
  • Todaynic
  • Joker
  • eNom, Inc.
  • MONIKER
  • Dynamic Dolphin
  • The Nameit Co/AITDOMAINS.COM
  • PDR (Directi)
  • Intercosmos/DIRECTNIC

Top Ten Worst Registrars Feb 09
  • Xin Net
  • eNom
  • Network Solutions
  • Register.com
  • Planet Online
  • Regtime - 1st Russian registrar to make the list
  • OnlineNIC
  • Spot Domain/Domainsite
  • Wild West Domain
  • HiChina Web Solutions

What Happened
  • EstDomains lost accreditation
  • Domains transferred to Directi
  • PDR (Directi) – Cooperating
  • Intercosmos/Directnic – Improving
  • Joker – breach notice – Improving
  • Beijing Networks – breach notice – Improving
  • Moniker – Market losses
  • Dynamic Dolphin – Market losses & lawsuits

On Top of That...
  • AIT investigated by ICANN
  • Atrivo/Intercage report by HostExploit.com
  • Possible breach notice
  • ISPs stopped doing business with them
  • A/I never recovered
  • McColo report by HostExploit.com
  • ISPs stopped doing business with them
  • McColo never recovered completely
  • Spam has only reached bottom of previous range

Even More...
  • Ukrainian takedown
  • UkrTeleGroup Ltd. 30 Jan 09
  • Spam levels drop dramatically, like McColo
  • Within a day, back up to highest since McColo
  • Parava Breach Notice from ICANN 27 Feb 09

KnujOn at ICANN Cairo
  • Gave presentation to ICANN ALAC in Cairo
  • ALAC = At Large Advisory Committee
  • Well received – Asked to become an ALS
  • KnujOn European mirror established
  • ALAC RAA improvement recommendations
  • Participated in ALAC - Registrar meeting

Registrars
  • Lots of pushback
  • Deny responsibilities
  • Success with Fake Pharmacies shutdowns
  • Reseller issues

Attacks on Registrars
  • Recent
  • DomainTheNet Israel Jan 2009 “Team Evil”
  • NetSol/CheckFree Dec 2008
  • Comcast May 2008
  • Not really that new
  • SSAC Report: Domain Name Hijacking 2005
  • panix.com
  • hushmail.com (NetSol)
  • HZ.com etc.

SSAC 2005 – Selected Quotes
  • Finding (1) Failures by registrars and resellers to adhere to the transfer policy have contributed to hijacking incidents and thefts of domain names.
  • Finding (2) Registrant identity verification used in a number of registrar business processes is not sufficient to detect and prevent fraud, misrepresentation, and impersonation of registrants.

SSAC cont.
  • Finding (6) Accuracy of registration records and Whois information are critical to the transfer process.
  • Finding (7) ... Resellers, however, may operate with the equivalent of a registrar’s privileges when registering domain names ... The current situation suggests that resellers are effectively “invisible” to ICANN and registries and are not distinguishable from registrants ... The responsibility of assuring that policies are enforced by resellers (and are held accountable if they are not) is entirely the burden of the registrar.

Wholesale
  • Registrars who use resellers, some exclusively
  • Examples: Tucows, NetSol, eNom
  • Has legitimate purpose
  • Also has problems:
  • New attacks on registrars
  • Resellers not held accountable by registrars
  • Used as a channel by the bad guys

Criminal Ecosystem
  • Two Main Views
  • LE = Details (Lots...)
  • Law Enforcement (LE) view
  • KnujOn View
  • Financial theft & fraud, key loggers, hijacks, botnets
  • Arrest the Criminals
  • KnujOn = Same as Legitimate Activity
  • Fast Flux, domain resellers, DNS, Pharmacies
  • Fix and Enforce Policy

Criminal Ecosystem (diagram; labels only): US Government, JPA, RAA, Registry (.com, .net), Registrar, Reseller, ICANN, TLD/CC, IANA, ASNs, Registrant, ISPs, DNS, Hosting Services

Financials
  • Brian Krebs story March 20 SecurityFix
  • TrafficConverter2.biz shutdown
  • Antivirus 360 & 2009
  • Visa/MasterCard and a Bank (Germany)
  • Financial capability to stop criminals
  • No money = No incentive = No Crime
  • About time

Criminal Ecosystem (diagram; labels only): Financial System, Banks, Credit Card Companies, PayPal, Merchants, Good Domains, Bad Actors, Technical Connections, Registrars, ISPs, Hosting Companies, Resellers

Any Questions?
  • Bob Bruen
  • Garth Bruen
  • bob.bruen@coldrain.net
  • http://www.coldrain.net/bruen
  • garth.bruen@coldrain.net
  • http://www.knujon.com