DNS abuse discussions at ICANN60

9 Nov 2017 01:00h

Event report

The ICANN60 Annual General Assembly Meeting had several sessions focusing on Domain Name System (DNS) abuse and mitigation. The first two workshops (WS 1 and WS 2), organised by Mr David Piscitello, Vice President, Security and ICT Coordination, ICANN, were held under the theme ‘How It Works: DNS Abuse’. Piscitello’s presentations explained various ways cybercriminals are using DNS fraud, hijacking via phishing, social engineering, and data breaches, and gave examples of the most prominent cases, such as Avalanche and how it was tackled. Piscitello underlined challenges faced by law enforcement agencies, such as jurisdiction, lack of common criminal law, and the slowness of Mutual Law Enforcement Assistance, while criminals operate at Internet pace. Addressing privacy concerns as well as security, he pointed to alternatives such as tiered access to personal data. He mentioned another cause of security vulnerabilities: developers repeating their peers’ previous mistakes, such as continuing to use lax configurations.

The Domain Name Abuse Reporting System (DAAR), which uses public, open, and commercial sources such as DNS zone data, WHOIS data, and reputation blocklists (RBLs), was the focus of the ‘Abuse Reporting for Fact-Based Policy Making and Effective Mitigation’ cross-community session. The session discussed the goal of DAAR and its planned open data initiative: ‘providing data to support community, academic, or sponsored research and analysis for informed policy consideration’. Mr Rod Rasmussen, incoming chair, Security and Stability Advisory Committee (SSAC), stated that although the technological aspect of abuse (e-mails, browsers, firewalls detecting abuse in seconds) was solved, the policy aspect was not. He mentioned the use of reverse engineering domain name generators and observing the results to identify abusive users. Piscitello underlined this point, saying that a system able to identify which policies worked and which did not was needed. The benefits of opening DAAR data to the public were listed as historical trend analysis, flagging registrars who are not responsive to abuse reports, contractual compliance reporting, and providing data for efficient policy making. Ms Tatiana Tropina, cybersecurity expert representing the Non-commercial User Constituency (NCUC), drew attention to the limited mission of ICANN, the dangers of blurring lines between DNS and content abuse, and risks related to self-policing by the domain name industry instead of law enforcement. Another participant stated that the data DAAR will open to the public was aggregate and could not be used for contractual compliance.

Ms Denise Michel, Business Constituency (BC), drew attention to data showing new generic top-level domains (gTLDs) experiencing 10 times higher abuse than legacy gTLDs, and stated that ICANN is planning to introduce a policy addressing this. How abuse reporting can support registries and registrars in their prevention and mitigation efforts was among the key questions discussed.

‘GAC discussion on DNS Abuse Mitigation’ was the final session of the annual meeting related to DNS abuse. Updates and action points of the Public Safety Working Group (PSWG) were presented to government representatives. The implications and possible benefits the DAAR and its planned open data initiative could have for domain names hosting child abuse material were among the subjects flagged by the GAC representatives of Italy, the UK, Iran, and Australia.