dnsstealer.com

Gadi Evron ge at linuxbox.org
Tue Mar 14 09:47:16 UTC 2006


Simon Waters wrote:

So: ICANN, the domain name's importance to phishing, and what registrars 
can do, in that order.

> I thought we established last month that deleting domain names is a very good 
> way of messing up the entire Internet. See the thread on losing entire data 
> centres.

The domain today is the weak spot we need to hit. Using fast-flux, 
spammers (phishers), VX-ers, etc. jump from IP to IP as often as every 10 
minutes. Whack-a-mole itself becomes impossible.

Kill the domain (or the DNS RR) and you destroy the bottleneck.

Bad guys already seem to be bouncing back from the blacklisting of 
entire bulk registrations. They used to say: register 5K domains and use 
them as throwaways. Now we can blacklist all of them ahead of time. Or 
at least we could; now they are already bouncing back with their 
new evolution in the whack-a-mole game.

Terminate a DNS RR and they just create new ones, but the short-term 
effect, if you can make it happen, is worth it for TODAY.

Terminate the domains (one doesn't really help) and you cost them money.

> If you have any useful proposals on how registrars might be of use in 
> defending against botnets, I'm sure ICANN and friends are all ears. But 
> unless you've found an amplification attack using whois servers, it probably 
> isn't something the registrars can help you with.

ICANN, from the part of them I know (the registrars and security front), 
are good people. They do good under their own constraints. We should stick 
to putting them down for so-called "governance" issues.

ICANN domain termination, though, is a useless process in practice.

> There is some discussion on phishing, but even here it isn't clear what a 
> registrar could do, and most phishing these days doesn't involve the 
> registrars at all.

I am not sure what the numbers are, but most phishing seems to involve 
this or that registrar. Many of the registrars today are extremely 
responsive. Godaddy showed that much, despite what people may think of 
their actions. I wonder, did we ever get their side of the story?

All that aside, as I don't want to start that war again, many of the key 
registrars today are sitting on the reg-ops operational list and respond 
to new reports in semi-real time. They can't deal with the volume due to 
obvious limitations in how the process works, but anything reported to 
them gets checked in a reasonable time, and acted upon.

There are some blackhat registrars (mostly resellers), but that wasn't 
what we were discussing.

> Randy's original comment was misplaced, it was the content, not the domain 
> name he was objecting to. Deleting domain names is a very extreme, and oft 
> times ineffective, way of trying to remove content.
> 
> We've had enough trouble with ISPs with knee-jerk reactions to objectionable 
> content, we don't need registrars adopting the same daft policies, or the 
> Internet would collapse in a few weeks.

The Internet is not going to die tomorrow.

The domains reported are 2 out of a ... a lot, today alone. I think 
maybe we should all start sending in every bad domain we find into 
NANOG. </cynical>
Sorry for the wake-up call, but how many domains out of those registered 
do you figure are legit or have legit contact information?

	Gadi.
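As an added example, not part of Gadi's post and not any NANOG or reg-ops tooling: a heuristic that flags the fast-flux behaviour described above (a name hopping from IP to IP every few minutes) from a series of recorded DNS answers. The `Lookup` structure, the thresholds and the three sample series are assumptions constructed for the example. It goes one step beyond the post: a short TTL on its own is not evidence of flux, because CDNs use short TTLs too, so the check also requires that the IPs churn across several unrelated /16 prefixes.

```python
"""Fast-flux heuristic over repeated DNS lookups of one name (added example).

Assumed input: a list of Lookup records for a single hostname, each holding
the time of the lookup, the TTL on the A records and the set of A records
returned. None of this is from the original post.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Lookup:
    at: int            # seconds since the first lookup of this name
    ttl: int           # TTL carried by the A records in this answer
    ips: frozenset     # A records (dotted-quad strings) in this answer


def summarize(lookups):
    """Counters a fast-flux heuristic needs, from a series of answers."""
    if not lookups:
        raise ValueError("need at least one lookup")
    seen = set()
    new_per_lookup = []
    for lk in sorted(lookups, key=lambda l: l.at):
        fresh = lk.ips - seen              # IPs never returned before
        new_per_lookup.append(len(fresh))
        seen |= lk.ips
    # Distinct /16 prefixes: a CDN rotates inside one network, a flux
    # network rotates across compromised hosts in unrelated networks.
    prefixes = {ip_network(f"{ip}/16", strict=False) for ip in seen}
    return {
        "distinct_ips": len(seen),
        "distinct_16": len(prefixes),
        "min_ttl": min(lk.ttl for lk in lookups),
        # Average number of never-seen IPs per lookup after the first one.
        "churn": sum(new_per_lookup[1:]) / max(len(new_per_lookup) - 1, 1),
    }


def is_fast_flux(lookups, max_ttl=600, min_ips=5, min_nets=3, min_churn=1.0):
    """True when the answers look like a fast-flux name.

    Thresholds are assumed values for the example, not published constants:
    short TTL, a pool of several IPs, spread over several /16 prefixes,
    and at least one never-seen IP per lookup on average.
    """
    s = summarize(lookups)
    return (s["min_ttl"] <= max_ttl
            and s["distinct_ips"] >= min_ips
            and s["distinct_16"] >= min_nets
            and s["churn"] >= min_churn)


# Constructed sample series (documentation and private address ranges).
FLUX_POOL = ["192.0.2.17", "198.51.100.44", "203.0.113.9", "10.8.3.21",
             "10.77.1.6", "172.16.40.2", "172.31.9.200", "192.0.2.201",
             "198.51.100.130", "203.0.113.77", "10.200.5.5", "172.20.3.3"]

SAMPLES = {
    # A name answering with TTL 300 and a sliding window of three hosts
    # out of a pool spread over nine /16s: every lookup brings new IPs.
    "flux": [Lookup(at=600 * i, ttl=300,
                    ips=frozenset(FLUX_POOL[2 * i:2 * i + 3]))
             for i in range(6)],
    # A CDN-style name: TTL 60, rotating pairs of addresses, but all of
    # them inside 198.51.0.0/16.
    "cdn": [Lookup(at=60 * i, ttl=60,
                   ips=frozenset(f"198.51.100.{1 + (2 * i) % 8 + k}"
                                 for k in range(2)))
            for i in range(6)],
    # A plain static name: one address, long TTL.
    "static": [Lookup(at=3600 * i, ttl=86400,
                      ips=frozenset(["203.0.113.50"]))
               for i in range(3)],
}


if __name__ == "__main__":
    for name, series in SAMPLES.items():
        print(name, summarize(series), "fast-flux" if is_fast_flux(series) else "no")
```

The counters are deliberately exposed separately from the verdict: in practice you would tune the thresholds against lookups of names you already know to be legitimate before acting on any domain, since a takedown request based on TTL alone would sweep up every CDN-fronted site.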



More information about the NANOG mailing list