[Ssr2-review] FYI - DNS Abuse definitions

Denise Michel denisemichel at fb.com
Wed Oct 23 19:47:04 UTC 2019


As discussed, here’s background on the definitions of “DNS abuse” that have been used in ICANN over the years.

As you know, the Board didn’t approve most of the CCT Review’s recommendations and one of their cited reasons (surprisingly) was that DNS abuse first needed to be defined.  Staff and some ICANN groups have subsequently pursued this issue.

I think SSR2’s proposed approach strikes the appropriate balance and is a useful contribution to this discussion --  essentially that: ICANN is responsible for enforcing its contracts and following through on its plans and obligations based on the existing definitions of DNS abuse that have been well-vetted and used by ICANN for many years, while simultaneously evolving the definition of DNS abuse in conjunction with outside experts to keep pace with user harm tied to the internet’s unique identifiers.

Best,
Denise


Denise Michel
denisemichel at fb.com


1 Community-developed definitions of key terms (e.g. DNS Security; DNS Abuse)

1.1 CCT Report – 2018 (CCT Review: https://www.icann.org/en/system/files/files/cct-final-08sep18-en.pdf)
The CCT is a community review, so the definitions adopted in the report are community-developed or approved, and the review has been subject to public comment.

DNS Abuse is defined by the CCT (at footnote 11, p8) as follows.  The footnote makes clear that the definition was developed through the ICANN Community:

“DNS Abuse” is a term used by the Review Team that refers to “intentionally deceptive, conniving, or unsolicited activities that actively make use of the DNS and/or the procedures used to register domain names” (see p. 3 of the “New gTLD Program Safeguards Against DNS Abuse: Revised Report” referenced below).

“DNS Security Abuse” in the context of this report refers to specific, technical forms of abusive behavior: malware distribution, phishing, pharming, botnet command-and-control, and spam in the DNS. For more on how abuse has been characterized by the ICANN Community, see the Registration Abuse Policies Working Group’s Final Report (29 May 2010),

In the glossary, DNS Abuse and DNS Security Abuse are defined as:

DNS Abuse
Intentionally deceptive, conniving or unsolicited activities that actively exploit the DNS and/or the procedures used to register domain names.

DNS Security Abuse
DNS abuse related to cybersecurity, such as malware distribution, phishing, pharming, botnet command-and-control, and high volume spam.

Note that ‘DNS Security Abuse’ includes ‘high volume spam’.

1.2 New gTLD Program Safeguards Against DNS Abuse: Revised Report – 2016 (New gTLD Safeguards Report: https://newgtlds.icann.org/en/reviews/dns-abuse/safeguards-against-dns-abuse-18jul16-en.pdf)
The report was commissioned by the CCT as part of their work. It was written by ICANN staff in consultation with ‘expert constituencies’, and was subject to public comment[1].  The revised report was published in 2016.

The definition of DNS Abuse adopted by the CCT was coined in the New gTLD Program Safeguards report.

1.3 Registration Abuse Policies Working Group – 2010 (RAP WG: https://gnso.icann.org/sites/default/files/filefield_12530/rap-wg-final-report-29may10-en.pdf)
The ICANN Registration Abuse Policies Working Group Final Report is 126 pages long and provides a detailed examination of the various ways in which domain names can be and are abused.

In Recommendation #1 under ‘Malicious use of domain names’, the team unanimously recommends the creation of non-binding best practices to help contracted parties address the illicit use of domain names (see p. 12 and pp. 50-70). The subject areas include policies for identifying and investigating malicious use such as malware and phishing.

It contains the following definitions, which were adopted by unanimous consensus of the community represented through the working group (see page 19):

Abuse is an action that:

  *   Causes actual and substantial harm, or is a material predicate of such harm, and
  *   Is illegal or illegitimate, or is otherwise considered contrary to the intention and design of a stated legitimate purpose, if such purpose is disclosed.

Section 5 of the report lists out numerous registration abuses. Section 6 of the RAPWG report considers ‘Malicious use of domain names’, particularly ‘e-crime’. As a general point, in relation to fast-flux, ‘but also spamming, malware distribution, online child pornography, phishing, botnet command-and-control, 419 scams and others’, the malicious or illicit behaviour ‘may be mitigated by stopping the domain name from resolving…. in the ICANN context, stopping the resolution of the domain is the relevant issue, since that is what registrars and registries have the technical ability to make happen.’

1.4 Draft working definitions – GNSO drafting team – 2009 (reference: https://gnso.icann.org/sites/default/files/filefield_5950/whois-working-definitions-study-terms-18feb09.pdf)
The RAPWG report references a document entitled ‘Draft Working Definitions prepared by the GNSO Drafting Team for further use by the GNSO Council as of 18 February 2009’.

This document’s definition of misuse is cited with approval by the RAPWG:

2) Misuse
See study #s 1, 14, GAC 3 for examples of use in context.

Misuse is an action that causes actual harm, is the predicate to such harm, is illegal or illegitimate, or is otherwise considered contrary to intention and design of a stated legitimate purpose, if such purpose is disclosed. When applied to Whois data, such harmful actions may include the generation of spam, the abuse of personal data, intellectual property theft, loss of reputation or identity theft, loss of data, phishing and other cybercrime related exploits, harassment, stalking, or other activity with negative personal or economic consequences. The predicate to harmful action often includes automated email harvesting, domain name registration by proxy/privacy services to aid wrongful activity, and support of false or misleading registrant data. Predicate acts might include the use of Whois data to develop large email lists for commercial purposes.




________________________________
[1] https://www.icann.org/en/system/files/files/report-comments-new-gtld-safeguards-dns-abuse-17jun16-en.pdf

