Home / Blogs

An Internet Security Operations Viewpoint of IGF

Gadi Evron

The Internet Governance Forum (IGF) is an annual UN conference on Internet governance which was held this year in Rio de Janeiro, Brazil. The topics discussed range from human rights online to providing Internet access in developing countries. A somewhat secondary topic of conversation is Internet security and cyber-crime mostly limited to policy and legislative efforts. Techies and Internet security industry don't have much to do there, but I have a few updates for us from the conference.

One of the main problems the Internet security operations community faces is that although global encompassing incident response and information sharing is happening, it is on the technological and operational levels. We mostly do not know how to communicate with the policy makers. Some of us present there made head-way in the hallways (as the sessions are mostly just repeated talk).

I spoke with Dr. Hamadoun Touré, the Secretary General of the ITU on some of our efforts and some of our operational needs, and was pleased to find an open mind and sincere interest. The ITU, at least as far as I understood, is concerned with Internet security, and appreciates the importance of the operational communities and the work we do.

On a surprised note, China ran a few security sessions in which its' delegates have shown high visibility into Internet security and abuse in China, speaking of issues of establishing trust and incident response statistics. They are highly concerned with spam, and are the only ones to have spoken in an operational manner. They quoted numbers from (mainly) US sources that showed spam and abuse activity in China, then they indicated a drop of spam being sent from the Chinese network (spam is of key importance to them in their presentations).

On the other hand they presented an increase in phishing and botnet incidents being reported. In one slide they showed numbers on phishing reports, sorted by top-reporters. The top-5 reporters were: Verisign (probably iDefense), RSA (probably Cyota), eBay (probably eBay), CastleCops (Probably PIRT) and MarkMonitor.

But wait, there's more. The Chinese delegation also discussed mitigation success rates. In phishing, out of over 600 sites reported in one time period they mitigated just over 200. They were sincere and open on where they have to get better and to be honest, I was in awe from them, a country I considered to be a black hole of abuse reports. We made some new contacts and hope these will prove fruitful for future cooperation. I am highly impressed with the people I met from China.

Another subject of interest to me was my discussion with Milton Mueller on his advocacy of some information being removed from publicly accessible WHOIS data. Although ideologically I am with him on this privacy issue, practically it is the only, granted very poor, way for the Internet security operations community to take down abusive domain names today, through registrars, and the Internet can't do without it until another option is presented. I hope to work with him on solutions to this conundrum.

My lecture there was one I only found out I was giving about a month ago after being contacted by a member of ICANNs SSAC. It was a part of the Case Studies session from the Diplo foundation, where I spoke, technically, of lessons from the Estonian Internet war and how countries can defend themselves, as written in the post-mortem analysis and recommendations I wrote for the Estonian CERT. In the questions section we spoke of the importance of CERT organizations, how they are established and on the differences in fraud as seen in different parts of the world. My fellow session members were: Robert Guerra (Canada, session moderator), Veronica Cretu (Moldova, facilitator), and the other panelists: Olga Cavalli (Argentina) and Cristine Hoepers (who manages the Brazilian CERT). I, of course, am from Israel and work for Afilias Global Registry Services.

This post was originally published on SANS ISC.

By Gadi Evron, Security Strategist
Follow CircleID on
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

Re: An Internet Security Operations Viewpoint of IGF The Famous Brett Watson  –  Nov 21, 2007 4:57 PM PDT

Another subject of interest to me was my discussion with Milton Mueller on his advocacy of some information being removed from publicly accessible WHOIS data. Although ideologically I am with him on this privacy issue, practically it is the only, granted very poor, way for the Internet security operations community to take down abusive domain names today, through registrars, and the Internet can’t do without it until another option is presented.

Gadi, I don't understand the nature of the problem that you are expressing here. If taking down an abusive domain name requires contact with the registrar, then what need is there for registrant details, particularly given that the registrant details are invariably false when the domain is abusive? It seems to me that the most important ingredients for enabling a take-down request are the identity of the registrar, and the date of registration.

Please explain what I'm missing in relation to the need for registrant details. It must be a very great need, given that we require honest people to give up their privacy in the name of this need.

Re: An Internet Security Operations Viewpoint of IGF Gadi Evron  –  Nov 21, 2007 7:58 PM PDT

The Famous Brett Watson said:

Please explain what I'm missing in relation to the need for registrant details. It must be a very great need, given that we require honest people to give up their privacy in the name of this need.

Mr. Famous, thanks for your answer.
This information has been public as a status quo, there is no hurry to change it, so don't make it look like we are TAKING PRIVACY AWAY, we are in fact trying to give users MORE PRIVACY than they CURRENTLY have.

Now, to your question. :)

The only way for any Joe, Jack and Jill today to "take down" a domain name is by submitting a report of it being registered with fake information. The DNS is often abused and has become an infrastructure for getting away with criminal activity. We can't mitigate once the DNS is the weak link rather than say, an IP address.

Sometimes you get to talk to a registrar which cares, at other times the registrar's business case is to sell domains in bulk to spammers (and is less than interested in helping you).

The only means we have to work with, and then only if the registrar cares (cares being about honest helping, required by regulation or financially interested — guess which one it is, hint, first one), is the fake registrant information. This is very bad, but it's what we've got to work with.

All that said, if this public information is taken away without some other means by which to report and "take down" malicious domains instead of it… let's just say you don't want to live on that Internet.

Re: An Internet Security Operations Viewpoint of IGF The Famous Brett Watson  –  Nov 21, 2007 11:50 PM PDT

This information has been public as a status quo, there is no hurry to change it, so don’t make it look like we are TAKING PRIVACY AWAY, we are in fact trying to give users MORE PRIVACY than they CURRENTLY have.

The status quo is such that only the most civil-minded and honest people surrender their privacy voluntarily. Either that, or their registration dates back to a kinder, gentler Internet. Everyone else simply lies or hides behind a proxy. Status quo this may be, but that does not alter the fact that it is manifestly unjust. No good deed goes unpunished in this environment. Why would I seek to maintain this status quo?

The only way for any Joe, Jack and Jill today to “take down” a domain name is by submitting a report of it being registered with fake information.

I challenge that assertion. If it were true, then there would be no grounds to request a take down the many domains which are registered through proxy services — usually proxy services which are provided by the registrar itself. The maliciousness of the use to which the domain is put should be sufficient in and of itself to justify the take-down request, and a cooperative registrar can and will accept that line of reasoning. I believe this (as opposed to verification of data) is what happens in actual practice in 100% of cases where a domain is taken down, although I hasten to add that I'm not in a position to know the internal operations of any registrars.

Address the issue at its core, rather than trying to solve it obliquely. We don't need registrant information, true, false, or otherwise; nor do we actually wish the registrar to verify those details. Think about the work involved in actually verifying whether the registrant details are true or not: if you're really lucky, you can verify the telephone contact details immediately via a phone call, but only if the phone is answered by someone who speaks your language and knows what you're talking about. I don't believe that you want registrars to keep the domain active while they perform a slow verification process of this sort, and I'm pretty sure you can anticipate the potential denial of service attack created by taking the domain offline until the details are verified just because some random person claimed they were false.

What we really want is for the registrar to say, "oh yes, you're right: that is clearly a phishing site," and take it down. Isn't that the sort of effect we're looking to achieve?

All that said, if this public information is taken away without some other means by which to report and “take down” malicious domains instead of it… let’s just say you don’t want to live on that Internet.

Gadi, this is propagandous scaremongering. I respect both your research work and your evident concern for the greater good, but I expect you to be able to rise above the emotional issues. Yes, cybercrime is bad and hurts people, and we ought to try to do something about it, but let's not go prescribing snake oil out of panic.

The call for true, public registrant details is snake oil so far as addressing cybercrime is concerned, and I'm calling it out as such. If you think it's not, use your research skills and give me evidence or a reasoned argument to the contrary.

Re: An Internet Security Operations Viewpoint of IGF Gadi Evron  –  Nov 22, 2007 6:06 AM PDT

You are just looking for a fight. Back to my original post:

Privacy == good.
Public info CURRENTLY out there == necessary.
New security measures == required before this public data is gone, I like it and can't live without it.

Re: An Internet Security Operations Viewpoint of IGF The Famous Brett Watson  –  Nov 22, 2007 3:08 PM PDT

Actually, I'm not looking for a fight; I'm looking for an argument. There's a difference. Specifically, I'm challenging your second point: the idea that the public info out there — specifically the registrant info — is in any way necessary. If you can demonstrate that the information is necessary, then I'll grant you the third point. Given that you also think that privacy is good, the benefit offered by making registrant information public must be greater than the harm caused by the loss of privacy. Please detail this great benefit.

I've explained as clearly as I can why I believe that registrant information is irrelevant. I have offered a refutation of your claim that "the only way… to 'take down' a domain name is by submitting a report of it being registered with fake information," which is the only argument you've offered in support of the necessity of this information. I have also explained why I think it's not even desirable for registrars to check the veracity of the registrant data, and why I think it never actually happens in practice. Please explain where my refutation is lacking.

It's possible that we're dealing with different threat models, and so we're failing to perceive the problem the same way. When I think of "malicious domain names", I think of phishing sites, fictitious corporate websites set up by the same phishing gangs to recruit money mules, and sites being used to host browser exploits. Is that roughly the kind of threat you have in mind when you speak of "malicious domains" — the cybercrime connection? I can see why there would be some urgency about addressing these threats. (There is a separate question as to whether it's even worth taking these sites down, pragmatically speaking, but let's deal with one can of worms at a time!)

On reflection, I think I can clarify my position further, and provide evidence to back my view. All registrars include terms of service (ToS), even if they exist to do no more than pass on the obligations imposed by ICANN and the relevant registry, plus demand payment for services rendered. I decided to investigate the ToS imposed by Gandi, and it turns out that their ToS are both eminently readable and impose basic "lawful use" restrictions, like so.

You acknowledge that purposefully providing Us with inaccurate data, or not regularly updating Your data, or requesting us to do so, as well as any abusive, fraudulent, illegal or prejudicial use of Our services, shall justify the suspension of Our services, the deletion of the domain name and/or the early cancellation of the Contract under the following conditions.

Clearly if I wanted to get a phishing domain taken down, and Gandi was the registrar, I wouldn't even need to know the registrant details. I could just point out to them the obvious fraud, and request that they enforce their ToS accordingly. Granted, Gandi isn't the biggest of players in the registrar market, but Go Daddy is, and their Universal Terms of Service also prohibit "unlawful conduct or improper use" at point five. I'm not going to do an exhaustive survey here, but I am not seeing any kind of evidence that "the only way… to 'take down' a domain name is by submitting a report of it being registered with fake information." On the contrary, "unlawful conduct" appears to be a common alternative basis.

Re: An Internet Security Operations Viewpoint of IGF Gadi Evron  –  Nov 22, 2007 5:46 PM PDT

Okay, try it.

Re: An Internet Security Operations Viewpoint of IGF The Famous Brett Watson  –  Nov 22, 2007 6:25 PM PDT

Why? What is the purpose of the experiment? To see if registrars effectively enforce their ToS or respond to external complaints of ToS violations? How will the outcome impact this argument?

Re: An Internet Security Operations Viewpoint of IGF Gadi Evron  –  Nov 22, 2007 6:30 PM PDT

As the outcome of this ridiculous argument is that you are a great guy with the heart in the right place and quite a few brain cells, but absolutely no clue as to what's going on outside your own home (in analogy to the Internet).

Re: An Internet Security Operations Viewpoint of IGF Suresh Ramasubramanian  –  Nov 26, 2007 3:06 AM PDT

Well, the OPOC proposal was a horrible mess. The sunset proposal wasnt going to fly all that far .. it was painfully obvious from the start.

For a rather better informed take on this, from a law enforcement perspective, take a look at OPTA Netherlands' statement to the GNSO.

Re: An Internet Security Operations Viewpoint of IGF Gadi Evron  –  Nov 28, 2007 8:13 AM PDT

I read our conversation again and I realize my mistake.

Famous; the issue is that the DNS is the one thing you can't mitigate in any online threat, if a domain name is used, the criminals can just change the IP address and keep working, as one example.

As to taking down domains by the AUP clauses you mentioned, liability issues over who determines what criminal activity actually is, usually come into play This only if the financial barrier of communicating with most registrars on issues such is these is broken through by personal relationships. You need to remember most of the world doesn't have these relationships.

Re: An Internet Security Operations Viewpoint of IGF The Famous Brett Watson  –  Nov 28, 2007 8:41 PM PDT

Gadi, I appreciate your taking the time to revisit this conversation. I have a reasonable amount of experience with both DNS and cybercrime, and I understand that DNS can act as a good choke-point to disable a criminal operation — temporarily, at least. I don't completely agree that "the DNS is the one thing you can’t mitigate," but that's a can of worms that I'll leave unopened for now.

With regards to liability issues, registrars usually writetheir ToS in such a way that they are entitled to take down on reasonable suspicion of foul intent, rather than having to prove anything. But even if you're right, doesn't the same argument cut against enforcing truth in contact details? If there is liability for wrongful take-down on the basis of alleged unlawful conduct, isn't there also liability for wrongful take-down on the basis of alleged false contact details? If not, why not? If so, won't that result in lengthy delays (to allow address verification) between lodging the complaint and effecting the take-down — delays which render the whole process somewhat ineffective?

I'm still not convinced of two points, you see. I'm not convinced that requesting a take-down on the basis of false details is or can be any more effective than requesting a take-down on the basis of any other ToS violation. You seem adamant that there is a major difference here, but I'm sceptical, and I need specific evidence. The other point of doubt on my part is the exact benefit of effecting such a take-down, especially relative to the cost in terms of lost privacy for honest domain registrants. Again, I'm sceptical, and I need a robust argument to persuade me that we've struck a fair balance here.

I'm even more concerned about this, because I think we're overlooking much more effective ways to defang hostile domains — ways which do not rely on registrars or WHOIS at all. If I'm right on that account, then we're not only violating privacy unnecessarily, we're not even terribly effective at achieving our stated goals.

Re: An Internet Security Operations Viewpoint of IGF Gadi Evron  –  Nov 30, 2007 9:00 PM PDT

The Famous Brett Watson said:

-- temporarily, at least. I don't completely agree that "the DNS is the one thing you can’t mitigate," but that's a can of worms that I'll leave unopened for now.

It has become that, unfortunately.

With regards to liability issues, registrars usually writetheir ToS in such a way that they are entitled to take down on reasonable suspicion of foul intent, rather than having to prove anything. But even if you're right, doesn't the same argument cut against enforcing truth in contact details? If there is liability for wrongful take-down on the basis of alleged unlawful conduct, isn't there also liability for wrongful take-down on the basis of alleged false contact details? If not, why not? If so, won't that result in lengthy delays (to allow address verification) between lodging the complaint and effecting the take-down — delays which render the whole process somewhat ineffective?

I'd say extremely ineffective, I never claimed otherwise. It's still what we've got.

There are other reasons which are important, but secondary.

Public whois is the only real domain reputation system out there, operationally. If you see public contact info which is verifiable, the doman gets reputation for being real and potentially responsive (especially if it has an abuse address in the WHOIS info).

Also, locating bad domain names, as they have become the number one choke point and DNS today is an abuse infrastructure, is by comparing WHOIS across different domains. It is a powerful intelligence source.

Both these last reasons won't hold as far as keeping the information public, so shouldn't be treated as such, but are some of the uses for the data.

I'm still not convinced of two points, you see. I'm not convinced that requesting a take-down on the basis of false details is or can be any more effective than requesting a take-down on the basis of any other ToS violation. You seem adamant that there is a major difference here, but I'm sceptical, and I need specific evidence. The other point of doubt on my part is the exact benefit of effecting such a take-down, especially relative to the cost in terms of lost privacy for honest domain registrants. Again, I'm sceptical, and I need a robust argument to persuade me that we've struck a fair balance here.

To emphasize:
1. This isn't a good way to do this.
2. This is the only way that works for most people, currently, unless they KNOW someone.

All that said, this information is ALREADY PUBLIC, I don't want it public. We are not hurting anyone by making it public as it already is. It's public. Everyone can see it. I don't like it. I am all for making it private, I am asking for some solution BEFORE IT GOES AWAY as it is essential we maintain at the very least our somewhat effective measures. If we don't have it, things will get even worse. Much worse.

I'm even more concerned about this, because I think we're overlooking much more effective ways to defang hostile domains — ways which do not rely on registrars or WHOIS at all. If I'm right on that account, then we're not only violating privacy unnecessarily, we're not even terribly effective at achieving our stated goals.

You are probably right, and I'd love to hear more about your idea, and share my own. But it doesn't change the current operational conundrum we're stuck in.

DNS is not just a business for ICANN, Verisign or the registrants. It is a business for the criminals as well, as they spend millions every months to maintain that infrastructure alone, not to mention what they build on it. Some registrars, in fact, would not be here if not for this bulk registration business.

I believe we agree on goals and ideologies, just not that there is currently an operational need to MAINTAIN what we have until an ALTERNATIVE is created.

I'd love to discuss further with you, but off-line. For now, I'd recommend studying on fastflux and if you can, taking the time to see how immense the whole problems surrounding it, are. And seeing what we've already tried.

Maybe you can help?

To post comments, please login or create an account.

Related

Topics

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

IP Addressing

Sponsored byAvenue4 LLC

DNS Security

Sponsored byAfilias

New TLDs

Sponsored byAfilias