[CPWG] FW: Engagement on DNS Abuse
John McCormac
jmcc at hosterstats.com
Wed Feb 3 16:46:36 UTC 2021

On 03/02/2021 14:49, Jonathan Zuck wrote:
> Evin has suggested that I had, perhaps, NOT forwarded this to the group.
> Here’s the discussion thread, initiated by Keith Drazek on the
> Contracted Party House DNS Abuse Work Group. This includes Joanna’s
> expression of mission creep concern.

It looks like the term "DNS Abuse" has been arrived at but the scope is
still unclear. The mission creep angle is important. Without a clear
definition of what constitutes DNS Abuse, the conversation is just going
to go round in circles.

The DAAR and other approaches rely upon reporting. The majority of the
blacklists it uses seem to depend on reporting rather than detection.
This means that potentially only a small part of the problem is
identified. Moving from a reporting model to a detection model is
difficult and given the limited resources and expertise of ICANN, it
would not be possible for ICANN to monitor all websites for a detection
based model. And the definition of DNS Abuse also, I think, covers
e-mail spam and DDoS. So not only would a detection based system have to
cover websites, it would also have to cover DNS and mailserver
monitoring. The snapshot point mentioned in the thread is a good one
because it will miss the transition of latent bad actor domain names to
actively abusive domain names/websites.

With website detection, the problem is one of depth rather than width.
The number of active websites (non-templated PPC/parking/holding
content) in most well used TLDs is around 30%. Some of the new gTLDs
have active site levels below 10%. The ccTLDs generally have a higher
active usage %. When it gets to problems like phishing, the phishing is
often done in a subdirectory of the main website and may not be
accessible from the site's links.

Problem websites involving Intellectual Property are often quite
obvious. The low registration fee of some of the zone-stuffer new gTLDs
has facilitated a shift of much of this kind of activity from the legacy
gTLDs. (This was mentioned in the (SIDN?) study that the CCT cited.)

The definition of "DNS Abuse" needs to be clear. Then it needs to be
quantified.

Making registries and registrars responsible for the problem may seem
like a good approach when the definition of the problem and the scale of
the problem are unknown. It is not a good approach.

Putting registries and registrars in the position of having to monitor
and deal with everything changes their position from being effectively
"common carriers" to one where they are in a position of editorial
control. With Section 230 of the CDA in the US coming up for review,
that could put the registries, registrars and ultimately ICANN (it still
is a US company) in some bother if S230 is revoked or amended. The
current model of having registrars and registries take action on serious
problems but leaving the IP issues to the lawyers to sort out is
probably the best one at the moment and it is working.

The inclusion of "hate speech" as DNS Abuse is serious mission creep
because it is a highly subjective issue. Leave that to the local
legislative frameworks.

The comments in that e-mail about defining the issue are important. The
worst thing that could be done is for everyone to go off with their own
definition of what should constitute DNS Abuse and then start arguing
about why their view matters more than others. ALAC and the other
parties will end up with years of futile arguments while little or
nothing will be done to solve the problems. And as a bonus, the threat
landscape of DNS Abuse is continually changing as new techniques are
developed and older ones fall out of use. (e.g. link injection
(monetisation of abuse) on websites overtaking website defacements
(ego/political abuse))

The Precog approach with predictive analytics may sound impressive but
the reality is that to be effective, it would need more than the past
history of registrants. That brings up the concept of bad registrars and
bad TLDs. Getting access to some of the financial data for a better
predictive model might not be possible due to registries and registrars
having multi-jurisdictional markets.

Anecdotally, many mailserver admins have taken to blocking the new gTLDs
on their servers because all they see from them is spam. URLs from some
heavily discounted new gTLDs in some ccTLD or country level web usage
surveys are strong indications of a compromised website.
It would appear that the fact that a boom and bust model of heavily
discounted registration fees would result in abusive registrations was
ignored in the 2013 round. Unfortunately, it was all too obvious to
people who have to deal with the results. But then ICANN's numerology
projections cluelessly expected 35 million new gTLD registrations in the
first year.

A minimum resale price would be one way of limiting the effect of
organised DNS Abuse but it might directly impact the financial viability
of some gTLDs in future rounds. Existing gTLD operators would also
object as the boom and bust model is their only model since Brand
Protection registrations were effectively taken out of their
projections. Without the guaranteed revenue from brand protection
registrations, some of the new gTLDs didn't have much of a market left.

Regards...jmcc
--
**********************************************************
John McCormac * e-mail: jmcc at hosterstats.com
MC2 * web: http://www.hosterstats.com/
22 Viewmount * Domain Registrations Statistics
Waterford * Domnomics - the business of domain names
Ireland * https://amzn.to/2OPtEIO
IE * Skype: hosterstats.com
**********************************************************