DNS Abuse Responses
DNS Abuse Responses are the various tools, methods, collaboration, and philosophies spawning from DNS Abuse itself.
Overview[edit | edit source]
There are four time-related categories of responses to DNS Abuse:
- reactionary detection and removal of sources of abuse (necessarily after the fact),
- cotemporal efforts to mitigate the amount and likelihood of abuse or its impact,
- future-focused work on stopping abuse before it can happen, and
- ongoing allowance of abuse for ideological or jurisdictional reasons.
Response Options[edit | edit source]
Reactionary Removal[edit | edit source]
- SAC115
- DNS Abuse Framework
- Terms of Service (ToS) notice-and-takedown regimes for use/content abuse
- Framework on Domain Generating Algorithms Associated with Malware and Botnets
Cotemporal Mitigation[edit | edit source]
- DNS Abuse Institute Roadmap
- Budapest Convention
- The CDM Program offers Automation in IT Security
Prevention[edit | edit source]
Intentional Inaction & Evidentiary Collection[edit | edit source]
Points of View[edit | edit source]
Every type of Internet user has worries over DNS Abuse and the responses to it. For instance, there is an ongoing multistakeholder debate over where to draw the line between technical abuse and content abuse. Moreover, there are technical limits on what each type of stakeholder can do to stop abuse.
Social Scientists[edit | edit source]
Criminologists feel the capacity to regulate DNS abuse is very limited because:
- no single global entity is responsible for the regulation of all its aspects;
- the Multistakeholder Model of governance and the distributed administration model allows disagreements and discrepancies;
- much of what happens on the Internet is beyond the jurisdictional reach of the criminal law of individual nations; and
- regulation will continue to be reserved for the most egregious infringements.
Regulation will remain limited until a uniform set of policies to prevent abuse before it happens is enacted.[1]
Intergovernmental Organizations[edit | edit source]
IGO responses generally treat DNS Abuse as a facet of Cybercrime.
Objectives[edit | edit source]
Pro-Mitigation[edit | edit source]
Pro-privacy[edit | edit source]
Government Responses[edit | edit source]
Government responses tend to focus on what can be adjudicated; include content abuse, such as child pornography; and outline how and when electronic evidence can be collected.
Domestic Legislation[edit | edit source]
Federal[edit | edit source]
In the U.S., cybersecurity legislation thus far has focused on standardizing and formalizing preventative measures.[2] Congress passed
- The Federal Information Security Management Act of 2002
- The Cybersecurity Enhancement Act of 2014 (CEA)
- The Cybersecurity and Infrastructure Security Agency Act of 2018
State[edit | edit source]
CISA[edit | edit source]
The CISA seeks to prevent future cyberattacks on critical infrastructure. Its CDM Program is a dynamic approach to fortifying the cybersecurity of civilian government networks and systems. Its Stop Ransomware Website is a one-stop shop for preparing for ransomware attacks among other forms of malware.
FBI[edit | edit source]
The FBI leads the National Cyber Investigative Joint Task Force (NCIJTF) and runs the public-facing Internet Crime Complaint Center (IC3) to collect cybercrime and electronic evidence of other types of crimes.
DOD[edit | edit source]
NIST[edit | edit source]
- NCCoE
- NICE
Responding to State-Sponsored Cyberattacks[edit | edit source]
Sanctions/Condemnations[edit | edit source]
- SolarWinds Hacking Attack: In an executive order issued April 15, 2021, President Biden levied economic sanctions against Russian financial institutions, technology companies, and individuals that participated in this series of hacks that infiltrated nine federal agencies and over 100 private companies.[3]
- Microsoft Email Systems Hacking Attack: On July 19, 2021, the Biden administration formally condemned but did not inflict sanctions against the Chinese government for working with hackers to breaching Microsoft email systems.[4]
Technical Community[edit | edit source]
Internet Governance Organizations[edit | edit source]
ICANN[edit | edit source]
ICANN has been steadfast in its focus on technical DNS abuse, what it calls "DNS security threats," and avoidance of policymaking around content abuse. ICANN has two missions related to DNS Abuse: maintaining the SSR of the DNS and engendering trust in the domain name industry. ICANN's determination of the org's definition for DNS Abuse is based on the work product of GAC and the base gTLD Registry Agreement. Thus, ICANN considers DNS security threats to be limited to attacks involving phishing, malware, botnet command and control, pharming, and spam as a vector.[5] As recently as ICANN 71, the ICANN board was criticized by members of the ALAC, the BC, and other Internet Governance bodies for not doing enough to steward contracted parties and non-contracted parties toward involvement in reducing abuse. However, ICANN and SSAC, in particular, have begun pointing to SAC115 and DAAR as evidence of their work on addressing DNS abuse. Parts of ICANN Org, Board, and Community that are dedicated to resolving DNS Abuse issues:
- OCTO monitors gTLD zone files and runs
- SSAC advises on the stability and security of the DNS, and
- Contractual Compliance is not beholden to the DNS Abuse Framework; instead, the office can reprimand registrars or registries that do not maintain abuse contacts (or a webform) to receive abuse complaints or promptly investigate allegations of DNS Abuse in good faith.
- DAAR
- Domain Name Security Threat Information Collection and Reporting Project (DNSTICR)[6]
- ICANN Organization has developed an internal DNS Security Threat Mitigation Program,[7] which seeks to realize ICANN organization-wide coordination & collaboration on DNS abuse responses and, thus, acts as a hub for DAAR and DNSTICR, Compliance Audits and Abuse Complaints, Working with Contracted Parties, and Leading Educational Outreach.
- The CPH has developed a Trusted Notifier Framework
- The RrSG offers guidance on Appeal Mechanisms for DNS Abuse Mitigation, managing BEC Scams, Registrar Abuse Reporting, and Minimum requirements for WHOIS data requests.
- The BC is limited to removing content and sharing evidence with registries to suspend or take down sites.
- The ISPCP
- The ALAC
- The GAC wants to help law enforcement and regulatory bodies gain access to the contact information of victims as well as bad actors
- The ccNSO has begun exploring its role in mitigating DNS Abuse, as it has limited remit but many attacks happen via ccTLDs
IGF[edit | edit source]
DNS Abuse Institute[edit | edit source]
Currently, this newcomer is entirely focused on creating an interoperable framework to reduce DNS abuse. The DNSAI acknowledges there are two options for reducing security threats: proactive and reactive methods. The institute is currently putting more of its energy into developing reactive tools because they can be used by anti-abuse or compliance personnel without requiring integration in registration platforms and thus, broad buy-in should be easier to secure.[9]
Private Sector[edit | edit source]
Cybersecurity Providers[edit | edit source]
The cybersecurity industry is booming and is trying various approaches to protect networks and supply chains from data breaches and ransomware attacks. For instance, Prevailion's strategy is to hack the hackers, while McAfee remains the revenue leader by continuing to churn out cybersecurity software.[10]
Registries and Registars[edit | edit source]
European ccTLD Registries[edit | edit source]
Sebastian Felix Schwemer's 2020 analysis of 30 European ccTLD terms of services (ToS) showed several responses to use/content-related domain name abuse, including no related reservations, reactions to severe cases, and proactive screening.[11] Some ToSes do not contractually reserve to take down a domain name due to use or content, while others do reserve the right to take down a domain name but only in severe situations. Others have established "takedown regimes" akin to that of site operators, hosting providers, and registrants (per Article 14 of the E-Commerce Directive. EURid, .be, and SIDN have begun to screen abusive use by crawling content, using fuzzy hashes, or HTML structural similarity analysis; they are also working on early warning systems. Schwemer found that only 1/3 of ccTLD ToSes contained content/use provisions and that the discretion for registrars to take down domain names via a morality clause was higher than it was for ccTLD registries. This analysis also revealed the emergence of ccTLD registries' use of data validation in a new way. Registries have noticed a correlation between domain names engaging in unlawful activities and the provision of poor registration data. Because ToSes can reserve the right to terminate registrations based on wrong or inaccurate information, some ccTLD registries are using this term as a workaround.[12]
DNS Abuse Framework[edit | edit source]
This framework was developed by registries and registrars. The framework discourages a registry or registrar from taking action against domains, except in certain types of Website Content Abuse:
- child sexual abuse materials,
- illegal distribution of opioids online,
- human trafficking, or
- specific, credible incitements to violence
- Registrars and registry operators can
- include their own acceptable use policies or terms of use to set forth provisions to cover Website Content Abuses,
- contract Trusted Notifiers to monitor content and report abuse
- Registry Operators
- Have to determine whether the domain in question was maliciously registered or if the domain has been compromised. Registries cannot generally directly remediate a compromised domain; instead, it is up to the sponsoring registrar.[13] Conversely, if a domain has been maliciously registered, the registry has six options:
- Suspend the domain (most common)
- Refer to the sponsoring registrar
- Lock the domain
- Redirect a domain by changing the name servers
- Transfer the domain
- Delete the domain (generally considered an ineffective and extreme response)
- If a registry encounters unregistered domain names resulting from an automatic Domain Generation Algorithm (DGA), the operator can:
- Reserve the domains or
- create the domains in order to suspend or sinkhole the domains for victim identification
IP[edit | edit source]
Intellectual property lawyers
Reputation Industry[edit | edit source]
End Users[edit | edit source]
End users, even those who work in the DNS industry, need help managing DNS Abuse mainly because of the timeless effectiveness of Social Engineering Attacks. For instance, at the end of 2020, GoDaddy notoriously tested its workers to see if they would share sensitive information after clicking on dubious links from a spoofed email.[14]
References[edit | edit source]
References[edit | edit source]
- ↑ Criminal misuse of the Domain Name System, Australian Institute of Criminology, 2018, pg 13
- ↑ CISA Act of 2018
- ↑ Biden's SolarWinds Executive Order, Vox
- ↑ US Govt Accuses China of Hacking Microsoft, NY Times
- ↑ Update on DNS Security Threats, ICANN Org
- ↑ Adding Linguistic Diversity to the DNSTICR project, ICANN Announcements
- ↑ DNS Security Threat Mitigation Program Update, ICANN Presentation, July 2021
- ↑ DGAs, Malware, and Botnets Framework, RySG
- ↑ DNSAI Roadmap pg. 9
- ↑ Top 25 Cybersecurity Companies of 2020, The Software Report
- ↑ Schwemer, The regulation of abusive activity and content: a study of registries’ terms of service
- ↑ Schwemer, The regulation of abusive activity and content: a study of registries’ terms of service
- ↑ RySG recommended options for registries
- ↑ GoDaddy Pranks Employees, DomainIncite