[Gnso-epdp-team] "Abusive" use of SSAD

Volker Greimann vgreimann at key-systems.net
Wed Oct 9 08:53:04 UTC 2019

Hi Mark,

I think the times of legitimate high volume requests have passed. There 
are now less invasive methods of confirming domain ownership - such as 
modifications to the DNS records - that do not require knowing the 
personal data of the person to whom the domain belongs. High volume requests are 
almost always an indicator for abuse.

You have a point about request formats and we should allow some leeway 
for formats that have been accurate recently.

If the data has actually changed, then that would not be a request for 
the same data anymore. But I think we need to have some form of cap 
for requests for the same domain by the same requestor.  Two to three 
requests over the course of as many months probably would not count as 

Circumventing legitimate rate limits is abusive use of the system as 
those limits are there for a reason. If multiple vendors are used that 
access the data, each of those vendors would have to be accredited 
separately and therefore not fall under the circumvention rule. If those 
vendors are however affiliated entities, this would be different. Which 
brings me to another affiliation requirement: Provide list of all 
affiliated entities that are already accredited, or have applied for 
accreditation, similar to the obligation of registrars to provide lists 
of all affiliated registrars to ICANN.

I think the terms harvesting and mining speak for themselves but I 
assume we can find a commonly acceptable definition.



On 09.10.2019 at 04:25, Mark Svancarek (CELA) via Gnso-epdp-team wrote:
> Thanks, James.  Here are my concerns:
>   * Some abuse may be high-volume, but high volume is not inherently
>     abusive.  If there are industry-standard methods for
>     distinguishing denial-of-service attacks from other high-volume
>     activity, we should adopt them here.
>   * Request formats may change over time.  Use of outdated formats
>     during a transition period is not abusive.
>   * Subsequent requests for data where the format has been improved
>     (e.g. missing fields have been populated; more appropriate basis
>     has been submitted; more information that has been discovered
>     during an ongoing investigation is added; etc.) is acceptable.
>   * Repeated requests for a domain name record over are justifiable
>     when it is reasonable to assume that domain name registration data
>     is likely to have changed during an investigation.
>   * In the Port 43 public WhoIs system some requestors used multiple
>     and/or spoofed IP addresses to avoid rate limits imposed by
>     registrars.  Until issues of SLAs and funding are resolved, we
>     cannot assume that rate limiting, or quota systems, will apply to
>     SSAD.  Whatever systems are ultimately put in place, the following
>     observations about IP addresses and distributed requests should be
>     considered:
>       o It is not unusual to have a case worked on by multiple
>         vendors/attorneys/platforms (e.g. one organization for initial
>         take down requests, another to handle escalations, outside
>         counsel for follow-up and/or suit).
>       o It is not unusual to have a case worked on from multiple
>         geographies.
>       o It is not unusual for a requestor to use a VPN.
>       o Credentialed access should be based on credentials and be
>         neutral to IP addresses - so mitigations based on IP addresses
>         are only applicable for the noncredentialled users of SSAD, if
>         at all.
>   * I am very concerned about the undefined terms “harvesting” and
>     “mining”, which seem to me to be more about intent than any
>     specific activity.  Until we specifically describe the behavior to
>     be blocked, we should remove the last bullet.
> /marksv
> *From:*Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> *On Behalf Of 
> *James M. Bladel
> *Sent:* Tuesday, October 8, 2019 7:15 PM
> *To:* gnso-epdp-team at icann.org
> *Subject:* [Gnso-epdp-team] "Abusive" use of SSAD
> Colleagues –
> Following up with my homework from last Thursday, here is the 
> non-exhaustive list of “abusive” SSAD behaviors.
> I’ve been in discussions with Mark SV, and note that he has some 
> concerns.  Expect his comments/edits in a separate message that will 
> be a fast-follow to this post.
> Thanks—
> J.
> -------------
> *James Bladel*
> GoDaddy
> “Abusive” use of SSAD may include (but is not limited to) the 
> following behaviors/practices:
> 1.     High volume submissions of malformed or incomplete requests.
> 2.     Frequent duplicate requests that were previously fulfilled or 
> denied.
> 3.     Use of distributed or spoofed source addresses or platforms to 
> circumvent quotas or rate limits.
> 4.      Use of false or counterfeit credentials to access the system.
> 5.      Storing/delaying and sending high volume requests with the 
> intention of causing SSAD or other parties to fail SLA performance.
> 6.      Attempts or efforts to mine or harvest the data protected by SSAD.
> As with other access policy violations, abusive behavior can result in 
> suspension or termination of access to the SSAD.
Volker A. Greimann
General Counsel and Policy Manager

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of 
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in 
England and Wales with company number 8576358.