Dear all,

At the last Council meeting I promised to share additional notes I made for myself during the ICANN73 DNS Abuse Plenary: Evolving the DNS Abuse Conversation. You may see them below. Should you not be interested in the subject, please ignore this message.

Best regards,
Irina

============

MACIEJ KORCZYNSKI Presentation

Example 1: URL to a malicious website (blacklisted by PhishTank). There is no meaningful content; WHOIS information shows that the domain name was registered just two days before the actual URL was blacklisted =>> strong evidence that the domain name is maliciously registered and abused to serve illegal and abusive content. Mitigation should be both at the DNS and hosting level from the technical perspective.

Example 2: URL to a malicious website (blacklisted by the Anti-Phishing Working Group). A website with legitimate content, and the content also corresponds to the domain name itself. WHOIS information shows that the domain name was registered back in 2014 =>> most probably the domain name itself is legitimate. wp-includes in the malicious URL indicates that the actual website has been hacked by exploiting a vulnerable WordPress installation. Mitigation should be at the hosting level by the hosting provider or the owner or administrator of the website: to clean the malicious content and to patch the vulnerable WordPress installation.

Legitimate domains are mainly abused at the website level (vulnerable software). Sometimes it happens at the DNS level. Example - domain shadowing, where the attackers first try to phish for credentials of registrars or registrants to get to their registration panel, then add subdomains that could be used in phishing attacks.

=======

QUESTION: Do we need to distinguish between malicious or compromised?

REG LEVY: Customers use commercial website creators that require regular updates. If updates are not performed, they are vulnerable to compromise. Reach out to the registrant to explain the need for regular updates.

ALAN WOODS: When we take action against a domain, there is a lot of collateral damage.

CHRIS LEWIS-EVANS: We should treat them differently. With the compromise, we have two types of victims, the primary victim and then those that may be affected by sort of collateral harms. We need to be able to treat them both and provide both with sufficient help.

LORI SCHULMAN: It's important to distinguish between malicious and compromised domains, at least at the front end in terms of how quickly we can respond to a particular issue. But the actual victim is the end user, in the case of small businesses. Compromised website =>> reputation compromised. We should make the assumption that the small business wouldn't prefer to have their site down for a certain amount of time if it, in fact, is protecting their customers or their reputation.

QUESTION: What to do with a maliciously registered domain?

ROD RASMUSSEN: A registry/registrar has very few options, all with the same effect - to remove the domain itself from the global DNS. This can be done via:
- delete the domain (remove this registration)
- suspend the domain
- redirect (change the DNS and point it at that phishing landing page)
- transfer to another entity
Good idea to look for other domains that are lined up or being used by the same registrant.

QUESTION: Malware and phishing on a compromised website - what to do in this circumstance? What is the balance of harms that people are typically doing? Would you suspend the domain for a compromised website?

ALAN WOODS: It's about disproportionality of harms. The registry should not be the point of taking down where at all possible, but where it's necessary, we have that option.

REG LEVY: We tend to use suspension as an option of last resort after reaching out to the reseller and to the registrant directly. Or turn off mail, reset a nameserver if that's where the compromise is happening. Sometimes the registrant asks to put the domain online to fix it. Sometimes we need to allow the domain to resolve in order for them to log into their website and fix the issue.

LORI SCHULMAN: Compromised domain names - completely different decision path (what, when and how to do). Big vs small businesses - they look differently. No one-size-fits-all on compromised domain names. Nuanced decision trees needed.

CHRIS LEWIS-EVANS: On malicious domains the Registry and the Registrar Stakeholder Groups have done good work to advise on evidentiary standards for abuse notification. This work hasn't been done for compromised domains. What if this is a large multinational company that you're asking us to suspend?

QUESTION: Escalation paths between registrant, hosting company, registrar, registry - are those relationships clear? Are there standards for that process?

REG LEVY: The answer may be different for other registrars. Our resellers typically are also hosting companies. If not, we need to use a dig tool to figure out who the hosting company is and to contact it.

ALAN WOODS: The registry does not have a connection with the hosting provider. How to improve the reporting process to hosting providers?

QUESTION: Where should this community go?

CHRIS LEWIS-EVANS: We don't have a proper process for dealing with compromised domains. We need minimum expectations documented. Standards for all the registrars and registries so they understand what is required of them. Educational materials. Understanding the best practice.

REG LEVY: The registrar stakeholder group is currently working on a tool where you can put a domain name in, and it will spit out information about who the hosting company is and how to contact them.

ROD RASMUSSEN: There is SAC115, the SSAC Report on an Interoperable Approach to Addressing Abuse Handling in the DNS.

LORI SCHULMAN: Is it time to think about a UDRP-type process for compromised domains?

Link to the session recording: https://73.schedule.icann.org/meetings/Ak56QBFwurEqC4LuP#/?limit=10

Irina Danelia
Deputy Director
cctld.ru / кц.рф
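As an added illustration of the triage heuristic from the Korczynski presentation above (example code, not from the session, the speaker or any ICANN working group): a small Python classifier that combines the domain's age relative to the blocklisting date with CMS path markers in the URL to separate likely malicious registrations from compromised legitimate sites, and to record whether mitigation belongs at the DNS level, the hosting level, or both. The 30-day cut-off, the marker list and the sample reports are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Constructed list of URL path markers that point at a CMS install on an
# existing site rather than at the domain itself (the plenary's example
# was wp-includes on a hacked WordPress site).
CMS_PATH_MARKERS = ("/wp-includes/", "/wp-content/", "/wp-admin/")

# Hypothetical cut-off: a domain registered within this many days of the
# blocklisting is treated as registered for the attack, not compromised.
NEW_REGISTRATION_DAYS = 30


@dataclass
class Report:
    url: str                # blocklisted URL (e.g. from PhishTank / APWG)
    listed_on: date         # date the URL was blocklisted
    registered_on: date     # WHOIS creation date of the registered domain
    has_real_content: bool  # analyst judgement: site carries legitimate content


def classify(report: Report) -> dict:
    """Return a verdict plus the level(s) at which mitigation belongs."""
    age_days = (report.listed_on - report.registered_on).days
    path = urlparse(report.url).path
    cms_hit = any(marker in path for marker in CMS_PATH_MARKERS)

    # Example 1 pattern: freshly registered domain with no meaningful content.
    if age_days <= NEW_REGISTRATION_DAYS and not report.has_real_content:
        return {"verdict": "maliciously_registered", "age_days": age_days,
                "cms_path": cms_hit, "mitigation": ["dns", "hosting"]}
    # Example 2 pattern: long-registered domain with real content, or a CMS
    # path showing that an existing site was hacked.
    if cms_hit or (age_days > NEW_REGISTRATION_DAYS and report.has_real_content):
        return {"verdict": "compromised", "age_days": age_days,
                "cms_path": cms_hit, "mitigation": ["hosting"]}
    # Anything else (e.g. a brand-new domain that already carries real
    # content) needs a human look before any DNS-level action.
    return {"verdict": "needs_review", "age_days": age_days,
            "cms_path": cms_hit, "mitigation": []}


if __name__ == "__main__":
    # Constructed sample reports mirroring the two plenary examples.
    fresh = Report("http://login-verify.example/secure",
                   date(2022, 3, 10), date(2022, 3, 8), False)
    old = Report("http://florist.example/wp-includes/js/x.php",
                 date(2022, 3, 10), date(2014, 6, 1), True)
    for r in (fresh, old):
        print(r.url, "->", classify(r)["verdict"])
```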