KnujOn: ICANN Policy Enforcement

MIT Spam Conference, March 2009

Dr. Robert Bruen, Garth Bruen

KnujOn

Dr. Bob and son Garth

Started with fighting spam

Using whois data accuracy

Policy Enforcement & Sunshine

Registrars are the key

Spam is the gateway for crime

Policies and Contracts

Policies are in contracts/agreements/rules

Critical that Policies are well constructed

Bad policy creates problems

Good policy helps decisions in novel situations

Whois Data Accuracy

Long and sordid history (1982-now)

Registrars required to correct Whois (WI) data (RAA)

Still very controversial

KnujOn cares about individual privacy

Want policy enforcement for commercial entities

Enforcing WI Data Accuracy

KnujOn receives spam (anonymous & clients)

Extract transaction sites

Verify WI Data for each site

Complain to ICANN (Policy Enforcement)

Aggregate data & publish results (Sunshine)
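The five steps above form a pipeline: extract the transaction domains from spam, verify the Whois record for each, and aggregate the results so that a complaint and a published per-registrar summary can be built. The script below is an added illustration and is not KnujOn's code; the spam messages, Whois records, registrar names and the accuracy rules (placeholder names, malformed e-mail, unusable phone numbers) are all constructed for the example, and the reduction to a registrable domain takes only the last two labels rather than a real public-suffix list.

```python
import re
from collections import defaultdict

# Constructed sample spam (not real mail); domains are illustrative placeholders.
SPAM_SAMPLES = [
    "Cheap meds today! Order at http://pills-example.test/buy?id=7 now",
    "Your account needs attention: https://login.bank-example.test/verify",
    "Unsubscribe: http://pills-example.test/unsub",
    "Limited offer www.watches-example.test/shop",
]

# Constructed Whois records keyed by registrable domain. Field names are an
# assumption; they stand for the registrant data a registrar must keep accurate.
WHOIS_RECORDS = {
    "pills-example.test": {
        "registrar": "Registrar A",
        "registrant_name": "N/A",
        "registrant_email": "none",
        "registrant_phone": "000-000-0000",
    },
    "bank-example.test": {
        "registrar": "Registrar B",
        "registrant_name": "Jane Doe",
        "registrant_email": "jane@bank-example.test",
        "registrant_phone": "+1.6175550100",
    },
    "watches-example.test": {
        "registrar": "Registrar A",
        "registrant_name": "",
        "registrant_email": "bob@@example",
        "registrant_phone": "123",
    },
}

URL_RE = re.compile(r"(?:https?://|www\.)([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PLACEHOLDERS = {"", "n/a", "none", "unknown", "private"}


def registrable_domain(host):
    """Simplification: keep the last two labels (a real tool uses a suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def extract_transaction_domains(messages):
    """Step 2: pull the host of every URL in the spam and dedupe by domain."""
    found = {registrable_domain(m.group(1)) for msg in messages for m in URL_RE.finditer(msg)}
    return sorted(found)


def check_whois_record(record):
    """Step 3: return the accuracy problems found in one Whois record."""
    issues = []
    if record.get("registrant_name", "").strip().lower() in PLACEHOLDERS:
        issues.append("registrant name missing or placeholder")
    email = record.get("registrant_email", "")
    if email.strip().lower() in PLACEHOLDERS or not EMAIL_RE.match(email):
        issues.append("registrant email invalid")
    digits = re.sub(r"\D", "", record.get("registrant_phone", ""))
    if len(digits) < 7 or set(digits) == {"0"}:
        issues.append("registrant phone invalid")
    return issues


def build_complaint_summary(messages, whois):
    """Steps 2-5: extract, verify, then aggregate inaccurate records per registrar."""
    per_domain = {}
    per_registrar = defaultdict(lambda: {"checked": 0, "inaccurate": 0})
    for domain in extract_transaction_domains(messages):
        record = whois.get(domain)
        if record is None:
            per_domain[domain] = ["no Whois record available"]
            continue
        issues = check_whois_record(record)
        per_domain[domain] = issues
        stats = per_registrar[record["registrar"]]
        stats["checked"] += 1
        if issues:
            stats["inaccurate"] += 1
    return per_domain, dict(per_registrar)


if __name__ == "__main__":
    domains, registrars = build_complaint_summary(SPAM_SAMPLES, WHOIS_RECORDS)
    for domain, issues in domains.items():
        print(domain, "->", issues or "record looks complete")
    for name, stats in sorted(registrars.items()):
        print(f"{name}: {stats['inaccurate']} of {stats['checked']} records inaccurate")
```

The per-domain issue list is what a Whois inaccuracy complaint would cite; the per-registrar counts are the "sunshine" side, the figure that gets published so a registrar's share of inaccurate records is visible.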

Research Impact

Shutdowns – now in the 100,000s

Registrars are paying attention

“You [KnujOn] are casting a big shadow” – Steve Crocker, ICANN BoD

KnujOn now an ICANN ALAC ALS

Major influence on new RAA recommendations

Major influence on ICANN's new WDPRS

Top Ten Worst Registrars May 08

1. Xin Net
2. Bei Gong Da Software
3. Beijing Networks
4. Todaynic
5. Joker
6. eNom, Inc.
7. MONIKER
8. Dynamic Dolphin
9. The Nameit Co/AITDOMAINS.COM
10. PDR (Directi)
11. Intercosmos/DIRECTNIC

Top Ten Worst Registrars Feb 09

1. Xin Net
2. eNom
3. Network Solutions
4. Register.com
5. Planet Online
6. Regtime – 1st Russian registrar to make the list
7. OnlineNIC
8. Spot Domain/Domainsite
9. Wild West Domain
10. HiChina Web Solutions

What Happened

EstDomains lost accreditation; domains transferred to Directi

PDR (Directi) – Cooperating

Intercosmos/Directnic – Improving

Joker – breach notice – Improving

Beijing Networks – breach notice – Improving

Moniker – Market losses

Dynamic Dolphin – Market losses & lawsuits

On Top of That...

AIT investigated by ICANN; possible breach notice

Atrivo/Intercage report by HostExploit.com: ISPs stopped doing business with them; A/I never recovered

McColo report by HostExploit.com: ISPs stopped doing business with them; McColo never recovered completely; spam has only reached the bottom of its previous range

Even More...

Ukrainian takedown: UkrTeleGroup Ltd., 30 Jan 09

Spam levels dropped dramatically, like McColo; within a day, back up to the highest since McColo

Parava breach notice from ICANN, 27 Feb 09

KnujOn at ICANN Cairo

Gave presentation to ICANN ALAC in Cairo (ALAC = At Large Advisory Committee)

Well received – asked to become an ALS

KnujOn European mirror established

ALAC RAA improvement recommendations

Participated in ALAC – Registrar meeting

Registrars

Lots of pushback

Deny responsibilities

Success with Fake Pharmacies shutdowns

Reseller issues

Attacks on Registrars

Recent:

DomainTheNet (Israel), Jan 2009, “Team Evil”

NetSol/CheckFree, Dec 2008

Comcast, May 2008

Not really that new

SSAC Report: Domain Name Hijacking (2005) – panix.com, hushmail.com (NetSol), HZ.com, etc.

SSAC 2005 – Selected Quotes

Finding (1) Failures by registrars and resellers to adhere to the transfer policy have contributed to hijacking incidents and thefts of domain names.

Finding (2) Registrant identity verification used in a number of registrar business processes is not sufficient to detect and prevent fraud, misrepresentation, and impersonation of registrants.

SSAC cont.

Finding (6) Accuracy of registration records and Whois information are critical to the transfer process.

Finding (7) ...Resellers, however, may operate with the equivalent of a registrar’s privileges when registering domain names. ... The current situation suggests that resellers are effectively “invisible” to ICANN and registries and are not distinguishable from registrants. ... The responsibility of assuring that policies are enforced by resellers (and are held accountable if they are not) is entirely the burden of the registrar.

Wholesale Registrars

Registrars who use resellers, some exclusively (examples: Tucows, NetSol, eNom)

Has legitimate purpose

Also has problems:

New attacks on registrars

Resellers not held accountable by registrars

Used as a channel by the bad guys

Criminal Ecosystem

Two main views: the Law Enforcement (LE) view and the KnujOn view

LE = Details (lots...): financial theft & fraud, key loggers, hijacks, botnets. Response: arrest the criminals.

KnujOn = Same as legitimate activity: fast flux, domain resellers, DNS, pharmacies. Response: fix and enforce policy.

[Diagram: Criminal Ecosystem. Entities shown: ICANN, Registry (.com, .net), Registrar, Reseller, IANA / ASNs, ISPs, TLD / CC, Hosting Services, Registrant, DNS, US Government; contracts shown: RAA, JPA]

Brian Krebs story, March 20, SecurityFix

TrafficConverter2.biz shutdown (Antivirus 360 & 2009)

Visa/MasterCard and a bank (Germany)

Financial capability to stop criminals: No money = No incentive = No crime. About time.

[Diagram: Financial System and Technical Connections around the Criminal Ecosystem. Financial side: Banks, Credit Card Companies, PayPal, Merchants; domain side: Good Domains, Bad Actors; technical side: Registrars, ISPs, Hosting Companies, Resellers]

Any Questions?

Bob Bruen bob.bruen@coldrain.net http://www.coldrain.net/bruen

Garth Bruen garth.bruen@coldrain.net http://www.knujon.com