Registrars Ignore Domain-Name Abuse
VeriSign, the authoritative ICANN-accredited registry for .com and .net, declined to discuss the topic of domain-name abuse. ICANN recognizes the problem of domain-name abuse by the criminal underworld, but its policies are still evolving, and there are a lot of uncertainties about ICANN's authority in this area.
"Criminal activity that concerns the abuse of domain names is a huge concern to ICANN," says Stacy Burnette, director of contractual compliance for the Marina Del Ray, Calif.-based organization. "It disrupts the system."
The tip of the iceberg can be seen in irregularities in the Whois database. ICANN gets thousands of complaints about registrars every year, many related to perceived inadequacies or wrong information in the Whois database. ICANN must review them all, and then contact registrars to report and remedy any identified failings.
But when it comes to the broader problem of cyber-criminals' abuse of domain names, ICANN today is not in a position to play cop. "ICANN is a non-profit organization, we are not a regulatory authority or a police authority," Burnette points out.
But ICANN has held meetings, including the "Generic Names Supporting Organization Registration Abuse Policy Workshop" that took place in Mexico in March, to discuss policies and guidelines it might want to embrace for domain abuse and registration abuse.
Dave Piscitello, ICANN's senior security technologist who works on such issues, says ICANN plans to introduce a proposal in October for possible new guidelines for tighter security in advance of ICANN's planned expansion of new gTLDs http://www.networkworld.com/news/2009/062409-icann-new-domains.html next year.
Though not at liberty to discuss the specifics, he points out this proposal will have to undergo a review by the entire ICANN community, and hold up to criticism, before it has any chance to be adopted by the ICANN Board.
"We are focusing more on registration issues and malicious conduct," Piscitello says. "I don't think anyone wants to see the DNS abused."
VeriSign, he notes, recently proposed adding a strong-authentication service for registrars and registrants for two-factor authentication. Other ideas, such as requiring auditing of registrars, are definitely on the table at ICANN, Piscitello says.
But he notes that the ICANN community is broad, consisting of countries that have more influence over how their country-code top-level domains (ccTLD) are used than ICANN. "We can set an example with the gTLDs, but only a cooperative effort with all governments can solve this problem."
Meanwhile, an ICANN committee last month issued a 154-page report on the topic of fast flux and criminal abuse of domain names. Like any paper, it doesn't by itself necessarily mean change, but ICANN does note it could lead the organization to "consider whether registration abuse policy provisions could address fast flux by empowering registries/registrars to take down a domain name involved in malicious or illegal fast flux."
Piscitello says so far no consensus has been reached about what to do on this issue. Detection methods to uncover criminal fast flux are quite reliable, but there have been worries expressed about liability in the case of false positives.
The domain name may be a handy tool in cybercrime today, "but one goal of the DNS community is to take that tool out of the toolbox," he said.
There are many language and jurisdictional legal issues that make tackling domain-name abuse problems extremely hard, says Ram Mohan, CTO at Dublin-based registry services provider Afilias and a liaison for the ICANN Security and Stability Advisory Committee (SSAC) on the ICANN Board of Directors.
His opinion is that ICANN, which has overall responsibility for the Whois database of registration information, has to find a way to validate the entries.
"Some rules in ICANN are just broken," Mohan says. The overall domain-name registration system "was created at a time of a benign Internet. Today we have no burden of validation and that can be fixed." He also says it might be a wise move to require some sort of security audit of the registrars and registries.
Some doubt ICANN really has authority or the will to adequately police the system it oversees. Stewart at SecureWorks, for instance, thinks the national CERTS chartered in each country for emergency response and security warning should have their roles expanded to coordinate response to cybercrime, such as domain-name abuse.
Mohan says he hopes some reform can be carried out before ICANN proceeds with its plans next year to set up a whole new set of top-level domains. "ICANN is opening up the floodgates for top-level domains," says Mohan. If the domain-name registration system can't be improved, the problem of abuse can only be expected to get worse.
Attempts by industry to cut off criminal access to domain names is proving difficult. The first globally organized effort to attempt that -- the Conficker Working Group -- sought to disable domains targeted by the Conficker worm for use in its command-and-control system. But after six months of trying, there's not much to show for it.
"Hats off to Microsoft for organizing this," says Neustar's Neuman. Neustar joined the Conficker Working Group with others that have a measure of power to influence the domain name system, including VeriSign, Afilias, Public Internet Registry, Global Domains International, ICANN, and the Chinese CNNIC, among others, including security vendor Symantec.
But the complex Conficker botnet -- now fairly quiet outside of attempts to sell fake anti-virus software -- remains undiminished as a command-and-control structure of about 4.5 million compromised computers it quietly holds as zombies.
The Conficker Working Group, in spite of efforts to tie up of millions of domain names that Conficker was pre-programmed to use, was outflanked when the botnet's designers switched to ccTLDs in the .C version of Conficker earlier this year.
The Conficker Working Group hasn't been able to get enough ccTLD participants on board to effectively tie up Conficker domains. "We have 90% of the ccTLDs partipating but 10% are not involved," says Symantec's Turner.
"It didn't work," says Dan Holden, X-Force product manager at IBM's Internet Security Systems division.
Microsoft, which has offered a $250,000 award for information leading to the arrest and conviction of those responsible for Conficker, said in a statement that the Conficker Working Group has established "a new level of industry collaboration and cooperation" for a quick response effort and method of defense, and that the Conficker investigation is still ongoing.
ICANN's Piscitello says the importance of the Conficker Working Group is that it "demonstrated that if we do get significant collaboration, we can inflict a little pain on the criminal, make it more difficult. Its success is having established a collaborative response."