[Gnso-epdp-team] "Abusive" use of SSAD

Mark Svancarek (CELA) marksv at microsoft.com
Wed Oct 9 02:25:00 UTC 2019


Thanks, James.  Here are my concerns:


  *   Some abuse may be high-volume, but high volume is not inherently abusive.  If there are industry-standard methods for distinguishing denial-of-service attacks from other high-volume activity, we should adopt them here.
  *   Request formats may change over time.  Use of outdated formats during a transition period is not abusive.
  *   Subsequent requests for data where the format has been improved (e.g. missing fields have been populated; more appropriate basis has been submitted; more information that has been discovered during an ongoing investigation is added; etc.) are acceptable.
  *   Repeated requests for a domain name record over are justifiable when it is reasonable to assume that domain name registration data is likely to have changed during an investigation.
  *   In the Port 43 public WhoIs system some requestors used multiple and/or spoofed IP addresses to avoid rate limits imposed by registrars.  Until issues of SLAs and funding are resolved, we cannot assume that rate limiting, or quota systems, will apply to SSAD.  Whatever systems are ultimately put in place, the following observations about IP addresses and distributed requests should be considered:
     *   It is not unusual to have a case worked on by multiple vendors/attorneys/platforms (e.g. one organization for initial take down requests, another to handle escalations, outside counsel for follow-up and/or suit).
     *   It is not unusual to have a case worked on from multiple geographies.
     *   It is not unusual for a requestor to use a VPN.
     *   Credentialed access should be based on credentials and be neutral to IP addresses - so mitigations based on IP addresses are only applicable for the non-credentialed users of SSAD, if at all.
  *   I am very concerned about the undefined terms “harvesting” and “mining”, which seem to me to be more about intent than any specific activity.  Until we specifically describe the behavior to be blocked, we should remove the last bullet.

/marksv

From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> On Behalf Of James M. Bladel
Sent: Tuesday, October 8, 2019 7:15 PM
To: gnso-epdp-team at icann.org
Subject: [Gnso-epdp-team] "Abusive" use of SSAD

Colleagues –

Following up with my homework from last Thursday, here is the non-exhaustive list of “abusive” SSAD behaviors.

I’ve been in discussions with Mark SV, and note that he has some concerns.  Expect his comments/edits in a separate message that will be a fast-follow to this post.

Thanks—

J.
-------------
James Bladel
GoDaddy


“Abusive” use of SSAD may include (but is not limited to) the following behaviors/practices:

1.     High volume submissions of malformed or incomplete requests.
2.     Frequent duplicate requests that were previously fulfilled or denied.
3.     Use of distributed or spoofed source addresses or platforms to circumvent quotas or rate limits.
4.     Use of false or counterfeit credentials to access the system.
5.     Storing/delaying and sending high volume requests with the intention of causing SSAD or other parties to fail SLA performance.
6.     Attempts or efforts to mine or harvest the data protected by SSAD.

As with other access policy violations, abusive behavior can result in suspension or termination of access to the SSAD.

