KnujOn

1
KnujOn ICANN Policy Enforcement MIT Spam
Conference March 1009 Dr. Robert Bruen Garth Bruen
2
KnujOn

• Dr. Bob and son Garth
• Started with fighting spam
• Using whois data accuracy
• Policy Enforcement Sunshine
• Registrars are the key
• Spam is the gateway for crime

3
Policies and Contracts

• Policies are in contracts/agreements/rules
• Critical that Policies are well constructed
• Bad policy creates problems
• Good policy helps decisions in novel situations

4
Whois Data Accuracy

• Long and sordid history (1982-now)?
• Registrars required to correct WI data (RAA)?
• Still very controversial
• KnujOn cares about individual privacy
• Want commercial entities policy enforcement

5
Enforcing WI Data Accuracy

• KnujOn receives spam (anonymous clients)?
• Extract transaction sites
• Verify WI Data for each site
• Complain to ICANN (Policy Enforcement)?
• Aggregate data publish results (Sunshine)?

6
Research Impact

• Shutdowns now in the 100,000s
• Registrars are paying attention
• You KnujOn are casting a big shadow
• Steve Crocker. ICANN BoD
• KnujOn now an ICANN ALAC ALS
• Major influence on new RAA recommendations
• Major influence on ICANN's new WDPRS

7
Top Ten Worst Registrars May 08

• Xin Net Bei Gong Da Software
• Beijing Networks
• Todaynic
• Joker
• eNom, Inc.
• MONIKER
• Dynamic Dolphin
• The Nameit Co/AITDOMAINS.COM
• PDR (Directi)?
• Intercosmos/DIRECTNIC

8
Top Ten Worst Registrars Feb 09

• Xin Net
• eNom
• Network Solutions
• Register.com
• Planet Online
• Regtime - 1st Russian registrar to make the
  list
• OnlineNIC
• Spot Domain/Domainsite
• Wild West Domain
• HiChina Web Solutions

9
What Happened

• EstDomains lost accreditation
• Domains transferred to Directi
• PDR (Directi) Cooperating
• Intercosomos/Directnic - Improving
• Joker breach notice - Improving
• Beijing Networks breach notice - improving
• Moniker Market losses
• Dynamic Dolphin Market losses lawsuits

10
On Top of That...

• AIT investigated by ICANN
• Possible breach notice
• Atrivo/Intercage report by HostExploit.com
• ISPs stopped doing business with them
• A/I never recovered
• McColo report by HostExploit.com
• ISPs stopped doing business with them
• McColo never recovered completely
• Spam has only reached bottom of previous range

11
Even More...

• Ukranian takedown UkrTeleGroup Ltd. 30Jan09
• Spam levels drop dramatically, like McColo
• Within a day, backup to highest since McColo
• Parava Breach Notice from ICANN 27Feb09

12
KnujOn at ICANN Cairo

• Gave presentation to ICANN ALAC in CAIRO
• ALAC At Large Advisory Committee
• Well received Asked to be become an ALS
• KnujOn European mirror established
• ALAC RAA improvement recommendations
• Participated in ALAC - Registrar meeting

13
Registrars

• Lots of pushback
• Deny responsibilities
• Success with Fake Pharmacies shutdowns
• Reseller issues

14
Attacks on Registars

• Recent
• DomainTheNet Israel Jan 2009 Team Evil
• NetSol/CheckFree Dec 2008
• Comcast May 2008
• Not really that new
• SSAC Report Domain Name Hijacking 2005
• panix.com
• hushmail.com (NetSol)?
• HZ.com
• etc.

15
(No Transcript)
16
SSAC 2005 Selected Quotes

• Finding (1) Failures by registrars and resellers
  to adhere to the transfer policy have contributed
  to hijacking incidents and thefts of domain
  names.
• Finding (2) Registrant identity verification used
  in a number of registrar business processes is
  not sufficient to detect and prevent fraud,
  misrepresentation, and impersonation of
  registrants.

17
SSAC cont.

• Finding (6) Accuracy of registration records and
  Whois information are critical to the transfer
  process.
• Finding (7) ...Resellers, however, may operate
  with the equivalent of a registrars privileges
  when registering domain names. ... The current
  situation suggests that resellers are effectively
  invisible to ICANN and registries and are not
  distinguishable from registrants. ... The
  responsibility of assuring that policies are
  enforced by resellers (and are held accountable
  if they are not) is entirely the burden of the
  registrar.

18
Wholesale Registrars

• Registrars who use resellers, some exclusively
• Examples Tucows, NetSol, eNom
• Has legitimate purpose
• Also has problems
• New attacks on registrars
• Resellers not held accountable by registrars
• Used as a channel by the bad guys

19
Criminal Ecosystem

• Two Main Views
• Law Enforcement (LE) view
• KnujOn View
• LE Details (Lots...)?
• Financial theft fraud, key loggers,
  hijacks,botnets
• Arrest the Criminals
• KnujOn Same as Legitimate Activity
• Fast Flux, domain resellers, DNS, Pharmacies
• Fix and Enforce Policy

20
US Government
Criminal Ecosystem
JPA
RAA
Registry .com .net
Registrar
Reseller
ICANN
TLD/ CC

IANA ASNs
Registrant
ISPs
DNS
Hosting Services
21
Financials

• Brian Krebs story March 20
• SecurityFix
• TrafficConverter2.biz shutdown
• Antivirus 360 2009
• Visa/MasterCard and a Bank (Germany)
• Financial capability to stop criminals
• No money No incentive No Crime
• About time

22
Criminal Ecosystem
Financial System Banks Credit Card
Companies PayPal
Merchants Good Domains Bad Actors

Technical Connections Registrars ISPs Hosting
Companies Resellers
23
Any Questions?

• Bob Bruen
• bob.bruen_at_coldrain.net
• http//www.coldrain.net/bruen
• Garth Bruen
• garth.bruen_at_coldrain.net
• http//www.knujon.com