North American Network Operators Group


Re: dnsstealer.com

  • From: Gadi Evron
  • Date: Tue Mar 14 04:52:07 2006


Simon Waters wrote:

So... ICANN, the domain name's importance to phishing, and what registrars can do, in that order.

> I thought we established last month that deleting domain names is a very good way of messing up the entire Internet. See the thread on losing entire data centres.

The domain today is the weak spot we need to hit. Using fast-flux, spammers (phishers), VX-ers, etc. jump from IP to IP even every 10 minutes. Whack-a-mole itself becomes impossible.

Kill the domain (or the DNS RR) and you destroy the bottleneck.

Bad guys already seem to be bouncing back from the blacklisting of entire bulk registrations. They used to say: register 5K domains and use them as throw-aways. Now we can blacklist all of them ahead of time. Or at least we could do so; now they are already bouncing back with their new evolution in the whack-a-mole game.

Terminate a DNS RR and they just create new ones, but the short-term effect, if you can make it happen, is worth it for TODAY.

Terminate the domains (one doesn't really help) and you cost them money.

> If you have any useful proposals on how registrars might be of use in defending against botnets, I'm sure ICANN and friends are all ears. But unless you've found an amplification attack using whois servers, it probably isn't something the registrars can help you with.

The parts of ICANN I know, the registrar and security front, are good people. They do good under their own constraints. We should stick to putting them down for so-called "governance" issues.

ICANN domain termination, though, is a useless process in practice.

> There is some discussion on phishing, but even here it isn't clear what a registrar could do, and most phishing these days doesn't involve the registrars at all.

I am not sure what the numbers are, but most phishing seems to involve this or that registrar. Many of the registrars today are extremely responsive. Godaddy showed that much, despite what people may think of their actions. I wonder, did we ever get their side of the story?

All that aside, as I don't want to start that war again, many of the key registrars today are sitting on the reg-ops operational list and respond to new reports in semi-real time. They can't deal with the volume due to obvious limitations in how the process works, but anything reported to them gets checked into within a reasonable time, and acted upon.

There are some blackhat registrars (mostly resellers), but that wasn't what we were discussing.

> Randy's original comment was misplaced, it was the content, not the domain name he was objecting to. Deleting domain names is a very extreme, and oftentimes ineffective, way of trying to remove content.
>
> We've had enough trouble with ISPs with knee-jerk reactions to objectionable content, we don't need registrars adopting the same daft policies, or the Internet would collapse in a few weeks.

The Internet is not going to die tomorrow.

The domains reported are 2 out of a ... a lot, today alone. I think maybe we should all start sending every bad domain we find to NANOG. </cynical>
Sorry for the wake-up call, but how many domains out of those registered do you figure are legit or have legit contact information?

Gadi.