<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Helvetica;
        panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:"Yu Gothic";
        panose-1:2 11 4 0 0 0 0 0 0 0;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:"\@Yu Gothic";
        panose-1:2 11 4 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Helvetica Neue";}
@font-face
        {font-family:"Helvetica Neue Light";}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Calibri",sans-serif;}
p.msonormal0, li.msonormal0, div.msonormal0
        {mso-style-name:msonormal;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
p.p1, li.p1, div.p1
        {mso-style-name:p1;
        margin:0in;
        margin-bottom:.0001pt;
        font-size:9.0pt;
        font-family:"Helvetica Neue";}
p.p2, li.p2, div.p2
        {mso-style-name:p2;
        margin:0in;
        margin-bottom:.0001pt;
        font-size:9.0pt;
        font-family:"Helvetica Neue";}
p.li1, li.li1, div.li1
        {mso-style-name:li1;
        margin:0in;
        margin-bottom:.0001pt;
        font-size:9.0pt;
        font-family:"Helvetica Neue";}
span.EmailStyle22
        {mso-style-type:personal;
        font-family:"Helvetica Neue";
        color:windowtext;}
span.apple-converted-space
        {mso-style-name:apple-converted-space;}
span.EmailStyle24
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:948396141;
        mso-list-type:hybrid;
        mso-list-template-ids:469802438 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l0:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l0:level3
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l0:level4
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l0:level5
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l0:level6
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l0:level7
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l0:level8
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l0:level9
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:JA">Thanks, James.  Here are my concerns:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:JA"><o:p> </o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;mso-fareast-language:JA">Some abuse may be high-volume, but high volume is not inherently abusive.  If there are industry-standard methods for distinguishing
 denial-of-service attacks from other high-volume activity, we should adopt them here.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;mso-fareast-language:JA">Request formats may change over time.  Use of outdated formats during a transition period is not abusive.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;mso-fareast-language:JA">Subsequent requests for data where the format has been improved (e.g. missing fields have been populated; more appropriate basis
 has been submitted; more information that has been discovered during an ongoing investigation is added; etc.) are acceptable.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;mso-fareast-language:JA">Repeated requests for a domain name record over are justifiable when it is reasonable to assume that domain name registration
 data is likely to have changed during an investigation.  <o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;mso-fareast-language:JA">In the Port 43 public WhoIs system some requestors used multiple and/or spoofed IP addresses to avoid rate limits imposed by
 registrars.  Until issues of SLAs and funding are resolved, we cannot assume that rate limiting, or quota systems, will apply to SSAD.  Whatever systems are ultimately put in place, the following observations about IP addresses and distributed requests should
 be considered: <o:p></o:p></span></li><ul style="margin-top:0in" type="circle">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level2 lfo1"><span style="font-size:11.0pt;mso-fareast-language:JA">It is not unusual to have a case worked on by multiple vendors/attorneys/platforms (e.g. one organization for initial take down
 requests, another to handle escalations, outside counsel for follow-up and/or suit).<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level2 lfo1"><span style="font-size:11.0pt;mso-fareast-language:JA">It is not unusual to have a case worked on from multiple geographies.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level2 lfo1"><span style="font-size:11.0pt;mso-fareast-language:JA">It is not unusual for a requestor to use a VPN.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level2 lfo1"><span style="font-size:11.0pt;mso-fareast-language:JA">Credentialed access should be based on credentials and be neutral to IP addresses - so mitigations based on IP addresses are
 only applicable for the noncredentialed users of SSAD, if at all.<o:p></o:p></span></li></ul>
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;mso-fareast-language:JA">I am very concerned about the undefined terms “harvesting” and “mining”, which seem to me to be more about intent than any specific
 activity.  Until we specifically describe the behavior to be blocked, we should remove the last bullet.<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:JA"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:JA">/marksv<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:JA"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span style="font-size:11.0pt"> Gnso-epdp-team &lt;gnso-epdp-team-bounces@icann.org&gt;
<b>On Behalf Of </b>James M. Bladel<br>
<b>Sent:</b> Tuesday, October 8, 2019 7:15 PM<br>
<b>To:</b> gnso-epdp-team@icann.org<br>
<b>Subject:</b> [Gnso-epdp-team] "Abusive" use of SSAD<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue"">Colleagues – <o:p>
</o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue"">Following up with my homework from last Thursday, here is the non-exhaustive list of “abusive” SSAD behaviors. 
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue"">I’ve been in discussions with Mark SV, and note that he has some concerns.  Expect his comments/edits in a separate message that will be a fast-follow to this post.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue""><br>
Thanks—<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue"">J.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Helvetica Neue Light"">-------------<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Helvetica Neue Light";color:#00B050">James Bladel<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Helvetica Neue Light"">GoDaddy</span><span style="font-family:"Helvetica Neue Light""><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"Helvetica",sans-serif;color:black">“Abusive” use of SSAD may include (but is not limited to) the following behaviors/practices:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"Helvetica",sans-serif;color:black"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.25in;text-indent:-.25in"><span style="font-family:"Helvetica",sans-serif;color:black">1.     High volume submissions of malformed or incomplete requests.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.25in;text-indent:-.25in"><span style="font-family:"Helvetica",sans-serif;color:black">2.     Frequent duplicate requests that were previously fulfilled or denied.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.25in;text-indent:-.25in"><span style="font-family:"Helvetica",sans-serif;color:black">3.     Use of distributed or spoofed source addresses or platforms to circumvent quotas or rate limits.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.25in;text-indent:-.25in"><span style="font-family:"Helvetica",sans-serif;color:black">4.      Use of false or counterfeit credentials to access the system.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.25in;text-indent:-.25in"><span style="font-family:"Helvetica",sans-serif;color:black">5.      Storing/delaying and sending high volume requests with the intention of causing SSAD or other parties to fail SLA performance.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.25in;text-indent:-.25in"><span style="font-family:"Helvetica",sans-serif;color:black">6.      Attempts or efforts to mine or harvest the data protected by SSAD.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.25in;text-indent:-.25in"><span style="font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.25in;text-indent:-.25in"><span style="font-family:"Helvetica",sans-serif;color:black">As with other access policy violations, abusive behavior can result in suspension or termination of access to the SSAD.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.25in;text-indent:-.25in"><span style="color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
</div>
</body>
</html>