Changes

no edit summary
Line 118: Line 118:  
Parts of [[ICANN Organization]], [[ICANN Board|Board]], and [[ICANN Community|Community]] that are dedicated to resolving DNS Abuse issues:
 
Parts of [[ICANN Organization]], [[ICANN Board|Board]], and [[ICANN Community|Community]] that are dedicated to resolving DNS Abuse issues:
 
:*[[GDD|GDD Accounts and Services]] and [[OCTO]] have come to an agreement with [[RySG]] to change the Base gTLD Registry Agreement to enable ICANN org to use existing data provided by registries for research purposes such as [[DAAR]].<ref>[https://www.icann.org/en/blogs/details/icann-makes-progress-toward-a-more-comprehensive-dns-security-threat-analysis-28-10-2021-en ICANN Makes Progress on DNS Security Threat Analysis, ICANN Blogs]</ref>
 
:*[[GDD|GDD Accounts and Services]] and [[OCTO]] have come to an agreement with [[RySG]] to change the Base gTLD Registry Agreement to enable ICANN org to use existing data provided by registries for research purposes such as [[DAAR]].<ref>[https://www.icann.org/en/blogs/details/icann-makes-progress-toward-a-more-comprehensive-dns-security-threat-analysis-28-10-2021-en ICANN Makes Progress on DNS Security Threat Analysis, ICANN Blogs]</ref>
 +
=====ICANN Organization=====
 +
:*[[Goran Marby]] formed the DNS Security Facilitation - Technical Study Group ([[DSFI-TSG]]) to investigate and determine what ICANN should and should not do based on the technical landscape about security threats and attack vectors, including the DNS, and its final report recommendations are now under review for implementation by the ICANN Org. 
 
:*[[OCTO]] monitors gTLD zone files and runs  
 
:*[[OCTO]] monitors gTLD zone files and runs  
:*[[SSAC]] advises on the stability and security of the DNS, and
+
:*[[Contractual Compliance]] reprimands registrars or registries that do not maintain abuse contacts (or a webform) to receive abuse complaints or promptly investigate allegations of DNS Abuse in good faith and conducts audits.
:*[[Contractual Compliance]] is not beholden to the DNS Abuse Framework; instead, the office can reprimand registrars or registries that do not maintain abuse contacts (or a webform) to receive abuse complaints or promptly investigate allegations of DNS Abuse in good faith.
   
:*[[Domain Abuse Activity Reporting|DAAR]]
 
:*[[Domain Abuse Activity Reporting|DAAR]]
 
:*[[Domain Name Security Threat Information Collection and Reporting Project]] (DNSTICR)<ref>[https://www.icann.org/en/announcements/details/adding-linguistic-diversity-to-the-domain-name-security-threat-information-collection-and-reporting-project-14-6-2021-en Adding Linguistic Diversity to the DNSTICR project, ICANN Announcements]</ref> <br/>
 
:*[[Domain Name Security Threat Information Collection and Reporting Project]] (DNSTICR)<ref>[https://www.icann.org/en/announcements/details/adding-linguistic-diversity-to-the-domain-name-security-threat-information-collection-and-reporting-project-14-6-2021-en Adding Linguistic Diversity to the DNSTICR project, ICANN Announcements]</ref> <br/>
 
:*[[ICANN Organization]] has developed an internal [[DNS Security Threat Mitigation Program]],<ref>[https://www.icann.org/en/system/files/files/presentation-dns-security-threat-mitigation-program-update-22jul21-en.pdf DNS Security Threat Mitigation Program Update, ICANN Presentation, July 2021]</ref> which seeks to realize ICANN organization-wide coordination & collaboration on DNS abuse responses and, thus, acts as a hub for DAAR and DNSTICR, Compliance Audits and Abuse Complaints, Working with Contracted Parties, and Leading Educational Outreach.
 
:*[[ICANN Organization]] has developed an internal [[DNS Security Threat Mitigation Program]],<ref>[https://www.icann.org/en/system/files/files/presentation-dns-security-threat-mitigation-program-update-22jul21-en.pdf DNS Security Threat Mitigation Program Update, ICANN Presentation, July 2021]</ref> which seeks to realize ICANN organization-wide coordination & collaboration on DNS abuse responses and, thus, acts as a hub for DAAR and DNSTICR, Compliance Audits and Abuse Complaints, Working with Contracted Parties, and Leading Educational Outreach.
 +
=====ICANN Community=====
 +
======GNSO======
 +
The GNSO Council formed a "Small Team on DNS Abuse," to which the [[DNS Abuse Institute|DNSAI]] sent a [https://dnsabuseinstitute.org/dnsai-response-gnso-small-team-dns-abuse/ letter] offering advice on how to respond to DNS Abuse in  a way that is clearly within ICANN's remit.<ref>[https://gnso.icann.org/en/council/correspondence/2022 Responses to GNSO DNS Abuse Small Team Request for Input, GNSO Council Correspondence April 2022]</ref> [[Graeme Bunton]] explained that there is
 +
<blockquote>near universal agreement...that malicious registrations used for the distribution of malware, phishing, or the operation of botnets are appropriately and reasonably addressed by registrars and registries...which means there is an opportunity to focus on this issue at the outset and make meaningful progress on abuse. ICANN’s [[https://icannwiki.org/Policy_Development_Process_to_Review_the_Transfer_Policy|current work]] on [[Inter-Registrar Transfer Policy]] provides a model for an approach. I would propose three separate, sequential efforts, either narrowly scoped efforts or [[PDP]]s, for mitigating malicious registrations:
 +
* Malicious Registrations used for the distribution of Malware;
 +
* Malicious Registrations used for Phishing;
 +
* Malicious Registrations used for the operation of Botnet command and control systems.
 +
By restricting the work to malicious registrations...avoids actors outside of ICANN’s contractual regime, like hosting companies and content distribution networks and targets bad actors, and the impacts on legitimate registrants are correspondingly minimized.</blockquote>
 +
Bunton also hopes that taking the "micro-PDP" approach will result in short, simple, easy to implement requirements.
 
:*The [[CPH]] has developed a [https://www.rysg.info/wp-content/uploads/archive/Final-CPH-Notifier-Framework-6-October-2021.pdf Trusted Notifier Framework]
 
:*The [[CPH]] has developed a [https://www.rysg.info/wp-content/uploads/archive/Final-CPH-Notifier-Framework-6-October-2021.pdf Trusted Notifier Framework]
 
:**The [[RrSG]] offers guidance on [https://rrsg.org/wp-content/uploads/2021/10/Appeal-Mechanisms-following-DNS-Abuse-Mitigation-22-October-2021-.pdf Appeal Mechanisms for DNS Abuse Mitigation], [https://rrsg.org/wp-content/uploads/2021/10/RrSG-Approaches-to-BEC-Scams-22-Oct-2021.pdf managing BEC Scams], [https://rrsg.org/wp-content/uploads/2020/03/Guide-to-Registrar-Abuse-Reporting-v1.8.pdf Registrar Abuse Reporting], and [https://rrsg.org/wp-content/uploads/2020/10/CPH-Minimum-Required-Information-for-a-Whois-Data-Requests.docx.pdf Minimum requirements for WHOIS data requests].
 
:**The [[RrSG]] offers guidance on [https://rrsg.org/wp-content/uploads/2021/10/Appeal-Mechanisms-following-DNS-Abuse-Mitigation-22-October-2021-.pdf Appeal Mechanisms for DNS Abuse Mitigation], [https://rrsg.org/wp-content/uploads/2021/10/RrSG-Approaches-to-BEC-Scams-22-Oct-2021.pdf managing BEC Scams], [https://rrsg.org/wp-content/uploads/2020/03/Guide-to-Registrar-Abuse-Reporting-v1.8.pdf Registrar Abuse Reporting], and [https://rrsg.org/wp-content/uploads/2020/10/CPH-Minimum-Required-Information-for-a-Whois-Data-Requests.docx.pdf Minimum requirements for WHOIS data requests].
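Review bot: the link inside the added Graeme Bunton blockquote, "[[https://icannwiki.org/Policy_Development_Process_to_Review_the_Transfer_Policy|current work]]", puts an external URL and a pipe inside internal-link double brackets, so it will not render as a link; use an internal link by page title, or single-bracket external syntax with a space before the label. In the same hunk, the added DSFI-TSG bullet under "ICANN Organization" is a single run-on sentence in which "its final report recommendations" has no clear antecedent; ending the first sentence after "including the DNS" and starting a new one for the report would fix that. The unchanged bullet "[[OCTO]] monitors gTLD zone files and runs" still stops mid-sentence and could be completed in this edit.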
Line 130: Line 140:  
:**encourage these same entities to develop and deploy new tools to identify domain names that could potentially infringe on their rights; and
 
:**encourage these same entities to develop and deploy new tools to identify domain names that could potentially infringe on their rights; and
 
:**encourage these same entities to offer services allowing [[IP|Intellectual Property]] rights holders to preventively block infringing domain name registrations.<ref>[https://domainnamewire.com/2022/03/30/business-constituency-weighs-in-on-dns-abuse/ BC weighs in on DNS Abuse, Domain Name Wire]</ref>
 
:**encourage these same entities to offer services allowing [[IP|Intellectual Property]] rights holders to preventively block infringing domain name registrations.<ref>[https://domainnamewire.com/2022/03/30/business-constituency-weighs-in-on-dns-abuse/ BC weighs in on DNS Abuse, Domain Name Wire]</ref>
:*The [[ISPCP]]  
+
:*The [[IPC]] is concerned with the year-on-year growth of online fraud recently due in large part to the Covid pandemic and with trust in the Internet
:*The [[ALAC]]
+
======GAC======
 
:*The [[GAC]] wants to help law enforcement and regulatory bodies gain access to the contact information of victims as well as bad actors
 
:*The [[GAC]] wants to help law enforcement and regulatory bodies gain access to the contact information of victims as well as bad actors
 
:**The [[PSWG] (within GAC) developed the Framework on DGAs Associated with Malware and Botnets in collaboration with the [[RySG]]<ref>[https://www.rysg.info/wp-content/uploads/assets/Framework-on-Domain-Generating-Algorithms-DGAs-Associated-with-Malware-and-Botnets.pdf DGAs, Malware, and Botnets Framework, RySG]</ref>
 
:**The [[PSWG] (within GAC) developed the Framework on DGAs Associated with Malware and Botnets in collaboration with the [[RySG]]<ref>[https://www.rysg.info/wp-content/uploads/assets/Framework-on-Domain-Generating-Algorithms-DGAs-Associated-with-Malware-and-Botnets.pdf DGAs, Malware, and Botnets Framework, RySG]</ref>
 +
======ccNSO======
 
:*The [[ccNSO]] has begun exploring its role in mitigating DNS Abuse, as it has limited remit but many attacks happen via [[ccTLD]]s
 
:*The [[ccNSO]] has begun exploring its role in mitigating DNS Abuse, as it has limited remit but many attacks happen via [[ccTLD]]s
:*The [[IPC]] is concerned with the year-on-year growth of online fraud recently due in large part to the Covid pandemic and with trust in the Internet
+
======SSAC======
 
+
:*The [[SSAC]] has published several documents on DNS Abuse measurement and mitigation
 
====IGF====
 
====IGF====
 
====DNS Abuse Institute====
 
====DNS Abuse Institute====
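Review bot: the bullet added under the new SSAC heading, "The [[SSAC]] has published several documents on DNS Abuse measurement and mitigation", names no document and carries no <ref>, unlike the PSWG bullet in the same hunk; cite at least one of the publications so the claim can be checked. The context bullet that now sits under the new GAC heading has an unbalanced link, "[[PSWG]", which needs a second closing bracket and could be fixed alongside this change.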
Line 166: Line 177:  
# Reserve the domains or
 
# Reserve the domains or
 
# create the domains in order to suspend or [[DNS sinkholing|sinkhole]] the domains for victim identification
 
# create the domains in order to suspend or [[DNS sinkholing|sinkhole]] the domains for victim identification
   
====Reputation Industry====
 
====Reputation Industry====
 
Commercial service providers, researchers, and non-profit organizations operate the most prominent [[RBL]]s that detect or receive notifications of security threats. Some key players include:
 
Commercial service providers, researchers, and non-profit organizations operate the most prominent [[RBL]]s that detect or receive notifications of security threats. Some key players include:
Line 175: Line 185:  
* [http://www.surbl.org/ SURBL], and
 
* [http://www.surbl.org/ SURBL], and
 
* [https://www.threatstop.com/ ThreatStop].
 
* [https://www.threatstop.com/ ThreatStop].
   
====End Users====
 
====End Users====
 
End users, even those who work in the DNS industry, need help managing DNS Abuse mainly because of the timeless effectiveness of [[Social Engineering Attacks]]. For instance, at the end of 2020, [[GoDaddy]] notoriously tested its workers to see if they would share sensitive information after clicking on dubious links from a spoofed email.<ref> [http://domainincite.com/26143-godaddy-pranks-employees-with-insensitive-phishing-test GoDaddy Pranks Employees, DomainIncite]</ref>
 
End users, even those who work in the DNS industry, need help managing DNS Abuse mainly because of the timeless effectiveness of [[Social Engineering Attacks]]. For instance, at the end of 2020, [[GoDaddy]] notoriously tested its workers to see if they would share sensitive information after clicking on dubious links from a spoofed email.<ref> [http://domainincite.com/26143-godaddy-pranks-employees-with-insensitive-phishing-test GoDaddy Pranks Employees, DomainIncite]</ref>