28 Abuse Prevention and Mitigation

Prototypical answer:

gTLD: .LECLERC
Full Legal Name: A.C.D. LEC Association des Centres Distributeurs Edouard Leclerc
E-mail suffix: prodomaines.com

Table of Contents

1 - Overview
2 - Definitions of what constitutes abuse in the TLD
2.1 - Spam
2.2 - Phishing
2.3 - Pharming
2.4 - Willful distribution of malware
2.5 - Fast flux hosting
2.6 - Botnet command and control
2.7 - Distribution of child pornography
2.8 - Unlawful content
3 - Whois abuse prevention policies
3.1 - Whois accuracy
3.1.1 - Syntactic and semantic registration constraints
3.1.2 - Verification tools
3.1.3 - Whois Data Reminder Policy (WDRP)
3.2 - Protection against unfair use of whois service
3.2.1 - Protection against Data mining
3.2.2 - Prevention of Unauthorized data modification
4 - Prevention from other abusive conducts
4.1 - DNSSEC (cache poisoning)
4.2 - Domain name sniping (grabbing)
4.3 - Domain name tasting
5 - Disposal of orphan glue records
6 - Single abuse point of contact
7 - Policies for handling complaints regarding abuse
7.1 - Abuse case response
7.2 - Rapid takedown policies
7.3 - Trademark abuse
8 - Resourcing plans

------------------------
1 - Overview

Our objective in answering question 28 is to provide a thorough explanation of our policies and procedures to minimize abusive registrations and other activities that have a negative impact on internet users.

Protection of internet users is a core value of the project and is key to ensuring the user experience as described in question 18 (b) iii. By implementing an anti-abuse policy, the registry will also contribute to and protect the integrity, security and stability of the DNS.

In its online presentation of Registration Abuse Policy (RAP - available at http://www.icann.org/en/resources/policy/background/rap), ICANN offers the following definition:

“In general, the term covers a broad variety of illegal or illegitimate behaviors considered contrary to the intent and design of normal domain registration processes. Registration abuse often involves malicious actors trying to register in ways that avoid lawful authorities or conceal a registrant's identity. Registration abuse can also enable other kinds of abuses, such as phishing and spam.”

The .LECLERC registry is committed to creating and implementing policies and procedures that prevent abusive registrations and other activities that have a negative impact on internet users. According to the industry best practices presented in the Registration Abuse Policies Issues Report (ICANN 2008), the .LECLERC registry will offer a wide range of effective safeguards to prevent abusive uses of domain names such as phishing, spamming, and also unlawful or fraudulent actions. The registry operator will regularly update these policies and procedures in order to maximize its readiness to deal with new threats at all levels and new forms of abuse.

For that purpose, the .LECLERC registry will implement prevention and mitigation policies.

Prevention starts at the time of registration. Whois accuracy (2) is therefore the first and main focus of the .LECLERC prevention policies. The following answer describes in detail the mechanisms in place to maximize Whois accuracy. Other mechanisms (3) will be implemented and described here, including management of orphan glue records (4).

A.C.D. Lec has chosen the single registrant model for the .LECLERC TLD. All domain names will be registered by A.C.D. Lec in the name of A.C.D. Lec, after verification that the policies of the registry are fully respected. A.C.D. Lec will be able to delegate the use of domain names to members of the community. The community and the conditions for joining the community are clearly established in question 20. This first element minimizes the risk of domain name abuse and facilitates the implementation of takedown policies.

In addition to strong preventive measures against various forms of abuse, .LECLERC will implement mitigation policies to address actual cases of abuse that may eventually occur. This answer will describe these mitigation measures in detail: single abuse point of contact (5), complaint handling policy and takedown procedures (6).

Resources allocated to handle prevention and mitigation (7) will be described at the end of this answer.

The .LECLERC registry will check the use of delegated domain names on a random basis to ensure that all sites respect the values of the Movement as detailed in questions 18 and 20.


------------------------
2 - Definitions of what constitutes abuse in the TLD

------------------------
2.1 - Spam

The use of electronic messaging systems to send unsolicited bulk messages. The term applies to e-mail spam and similar abuses such as instant messaging spam, mobile messaging spam, and the spamming of Web sites and Internet forums. An example, for purposes of illustration, would be the use of email in denial-of-service attacks;


------------------------
2.2 - Phishing

The use of counterfeit Web pages that are designed to trick recipients into divulging sensitive data such as usernames, passwords, or financial data;


------------------------
2.3 - Pharming

The redirecting of unknowing users to fraudulent sites or services, typically through DNS hijacking or poisoning;


------------------------
2.4 - Willful distribution of malware

The dissemination of software designed to infiltrate or damage a computer system without the owner's informed consent. Examples include, without limitation, computer viruses, worms, keyloggers, and trojan horses.


------------------------
2.5 - Fast flux hosting

Use of fast-flux techniques to disguise the location of Web sites or other Internet services, or to avoid detection and mitigation efforts, or to host illegal activities. Fast-flux techniques use DNS to frequently change the location on the Internet to which the domain name of an Internet host or name server resolves. Fast flux hosting may be used only with prior permission of PIR;


------------------------
2.6 - Botnet command and control

Services run on a domain name that are used to control a collection of compromised computers or "zombies," or to direct denial-of-service attacks (DDoS attacks);


------------------------
2.7 - Distribution of child pornography

Illegal Access to Other Computers or Networks: Illegally accessing computers, accounts, or networks belonging to another party, or attempting to penetrate security measures of another individual's system (often known as "hacking"). Also, any activity that might be used as a precursor to an attempted system penetration (e.g., port scan, stealth scan, or other information gathering activity).


------------------------
2.8 - Unlawful content

Any content that contravenes public order according to French law and in particular to the Law on the Freedom of the Press of 29 July 1881 (crimes against humanity apology/promotion or contestation, incitement to discrimination, hatred or violence).
*http://www.pir.org/why/anti_abuse_policy


-------------------------
3 - Whois abuse prevention policies

------------------------
3.1 - Whois accuracy

RFC 3912 specifies the Whois protocol and explains it as follows:

Whois is a TCP-based transaction-oriented query/response protocol that is widely used to provide information services to Internet users. While originally used to provide "white pages" services and information about registered domain names, current deployments cover a much broader range of information services. The protocol delivers its content in a human-readable format.

Information about registered domain names is very sensitive. A Registry Operator shall ensure the accuracy of the registrant contact information, including administrative, technical and billing contact details. In case of malicious or abusive activity, the Whois contact is usually the first and most important source of information. Whois accuracy is therefore a major step in countering malicious conduct. This information may be required by law-enforcement authorities to identify individuals and organizations responsible for domain names.

A.C.D. Lec, as single registrant, agrees to give out the requested contacts in whois and to regularly verify (twice a year) the accuracy of its contact information.


------------------------
3.1.1 - Syntactic and semantic registration constraints

The .LECLERC registry is firmly committed to run a “thick-registry” with high quality of data. The first step to accuracy is achieved through syntactic and semantic checks which are being carried out at the time of registration of the domain name.

Standard EPP checks: a first set of tests is implemented in compliance with standards:
* RFC 5733, the Extensible Provisioning Protocol (EPP) Contact Mapping, requires contact data to contain a name, a city, a country code and an e-mail address in order to allow or perform a syntactically complete EPP request

Additional checks: the following syntactic checks are implemented:
* a test to ensure that the domain name has the proper number of labels (which is two for a traditional registry that allows only second level domains to be registered),
* a test to ensure that no hyphens occur in position 3 and 4 of any of the domain's U-labels (to protect "xn--" and future ACE prefixes),
* a test to disallow hyphens at the beginning or end of the name,
* a test to find ASCII characters which are neither a letter, nor a digit or a hyphen,
* a test to find invalid IDN characters, i.e. characters not contained in any of the supported IDN character tables,
* a test to validate IP address format using the following scheme:
  * <ipv4-addr> [1-255](\.[0-255]){3,3}
  * <ipv6-addr> [a-fA-F0-9:]+(:<ipv4-addr>)?
* a test to validate telephone and mail format using the following scheme (with specific tests for French numbers):
  * <num tel> \+[1-9][0-9]{0,3}<sp>[1-9]([<sp>\.-]?[0-9])+
  * <num tel fr> \+33<sp>[1-9]([<sp>\.-]?[0-9]){8}
  * <e-mail> (([^\s\(\)\[\]\.\\><,;:"@]+(\.[^\s\(\)\[\]\.\\><,;:"@]+)*)|("[^"@\\\r\n]+"))@<label>(\.<label>)*
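
The label, IPv4 and telephone checks listed above, sketched as an added Python example (not the registry's own code). It assumes that [1-255] and [0-255] denote numeric ranges and that <sp> is a single space; ASSUMED_IDN_TABLE is a constructed stand-in for the registry's IDN tables, which this answer does not list, and all function names are hypothetical.

```python
import re

# Assumption: constructed stand-in for the registry's IDN character tables,
# which the page does not list.
ASSUMED_IDN_TABLE = set("àâäçéèêëîïôöùûüÿœæ")
LDH = set("abcdefghijklmnopqrstuvwxyz0123456789-")

# Telephone schemes from the list above, with <sp> read as one space.
TEL = re.compile(r"\+[1-9][0-9]{0,3} [1-9]([ .-]?[0-9])+")
TEL_FR = re.compile(r"\+33 [1-9]([ .-]?[0-9]){8}")


def check_label(label):
    """Return the syntactic checks that a single label fails."""
    if not label:
        return ["empty-label"]
    failures = []
    if label[2:4] == "--":  # protects "xn--" and future ACE prefixes
        failures.append("hyphens-in-positions-3-4")
    if label.startswith("-") or label.endswith("-"):
        failures.append("leading-or-trailing-hyphen")
    if any(ord(c) < 128 and c not in LDH for c in label):
        failures.append("invalid-ascii-character")
    if any(ord(c) >= 128 and c not in ASSUMED_IDN_TABLE for c in label):
        failures.append("character-outside-idn-tables")
    return failures


def check_domain(name, expected_labels=2):
    """Run the label-count and per-label checks on a name in Unicode form."""
    labels = name.lower().split(".")
    failures = []
    if len(labels) != expected_labels:
        failures.append("wrong-label-count")
    for label in labels:
        for failure in check_label(label):
            if failure not in failures:
                failures.append(failure)
    return failures


def check_ipv4(addr):
    """<ipv4-addr>: first octet 1-255, the other three 0-255."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(re.fullmatch(r"[0-9]{1,3}", p) for p in parts):
        return False
    octets = [int(p) for p in parts]
    return 1 <= octets[0] <= 255 and all(o <= 255 for o in octets[1:])


def check_phone(number):
    """<num tel>, with the stricter <num tel fr> scheme for +33 numbers."""
    scheme = TEL_FR if number.startswith("+33 ") else TEL
    return scheme.fullmatch(number) is not None


if __name__ == "__main__":
    # Constructed sample inputs.
    for name in ["magasin.leclerc", "ab--cd.leclerc", "-promo_1.leclerc"]:
        print(name, check_domain(name) or "ok")
    print(check_ipv4("192.0.2.10"), check_phone("+33 1 23 45 67 89"))
```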

Additional checks: the following semantic checks are implemented:
* a test to disallow reserved names if authorisation code is not present
* a test to disallow registry reserved names if authorisation code is not present
* a test to disallow ICANN reserved names
* a test to disallow otherwise reserved or unsuitable names
* a test to ensure that at least one address element is given


------------------------
3.1.2 - Verification tools

This verification procedure is designed to guarantee the reliability and the accuracy of the Whois database.

A.C.D. Lec, as single registrant, agrees to give out the requested contacts in whois and to regularly verify (twice a year) the accuracy of its contact information.

During the redemption period, the domain name can be reactivated with the same configuration. Once deleted, the domain name will re-enter the public domain and can be registered by a new applicant.


------------------------
3.1.3 - Whois Data Reminder Policy (WDRP)

In 2003, ICANN adopted the "Whois Data Reminder Policy" (WDRP, http://www.icann.org/en/registrars/wdrp.htm) which obliges ICANN-accredited registrars to send yearly Whois data reminder notices to registrants. These notices contain the Whois data currently on file for the respective domain, as well as instructions for the registrant about ways to correct the data if required. While the .LECLERC Registry does not intend to replicate this reminder procedure at the registry level, the TLD will comply with WDRP as expected from an ICANN accredited registrar.


------------------------
3.2 - Protection against unfair use of whois service

As stated above, the Whois service gives access to sensitive data, including contact details of registrants. The .LECLERC registry is committed to ensuring the protection of these data against abusive behaviors. Firstly, the .LECLERC registry will implement technical measures to prevent data mining on the Whois, such as automated collection of registrants’ email addresses, which may in turn be used by third parties for the purposes of spamming. Secondly, the .LECLERC registry and its registry backend service provider, AFNIC, will deploy all necessary means to secure access to its database, specifically by implementing procedures to prevent unauthorized data modifications. These procedures will reinforce the security of both EPP and Web-based access to Whois data.


------------------------
3.2.1 - Protection against Data mining

The .LECLERC registry database user commits to using the published data according to the laws and regulations in effect. Besides, the user shall respect the provisions of the French Data Protection Act. Violation of this act carries criminal penalties.

As the user is accessing personal data, he must refrain from any collection, misuse or any act that could lead to invasion of privacy or damaging the reputation of individuals.

The Registry can at any time filter access to its services if malevolent use is suspected.

* Captcha: users shall pass a Captcha before access is granted to the web based RDDS.
* Rate-limiting: The registry has chosen limitation measures for the number of requests in order to prevent abuse in the use of personal data and to guarantee the quality of the service. By a transparent parameter adjustment policy, the registry guarantees quality of service to occasional users and professionals. The rates and thresholds of this system are described in the registry use case of question Q26.
* White list: The white list mechanism offers specific access for registrars to port 43 of the whois, provided that the incoming traffic comes from two pre-defined IP addresses. This white list access offers higher thresholds of rate limiting for the users.


------------------------
3.2.2 - Prevention of Unauthorized data modification

Data modification is managed through strict authentication and access policies.
* SSL/TLS protocol is used on all interfaces with clients (both EPP and web based SRS).
* a password policy is applied both on the password itself (minimum length, mandatory digits and non-alphanumerical characters), and on the length of the password
* use of an SSL client certificate pre-installed by the registry for EPP access.
* IP authentication limited to two addresses.


-------------------------
4 - Prevention from other abusive conducts

------------------------
4.1 - DNSSEC (cache poisoning)

One of the main authentication issues encountered in the DNS is cache poisoning. This directly affects DNS service integrity without the attacker having to corrupt or modify data in the registry database.

The answer to this issue is implementation and deployment of DNSSEC. The registry operator already successfully manages DNSSEC-enabled zones: on September 29th, 2010, the .LECLERC registry back-end service provider, AFNIC, finished adding its 6 ccTLDs key materials (DS records) into the IANA root zone, ending with .FR after extensive tests with its other TLDs. Since then, related DNSSEC operations and monitoring have been spread inside the organization, alongside all other standard day to day operations, so that DNSSEC is a core service enabled by default.


------------------------
4.2 - Domain name sniping (grabbing)

Domain name sniping refers to the practice of trying to re-register potentially interesting domain names immediately after they are deleted.

The .LECLERC registry prevents this practice in various ways. First, the fact that ACD is the one and only entity that can register a .LECLERC domain name has the consequence that no other member of the community or internet user can retrieve ownership of a domain name, even if it is available.

The .LECLERC Registry supports the Redemption Grace Period as proposed by ICANN and implements it in full compliance with RFC 3915 ("Domain Registry Grace Period Mapping for the Extensible Provisioning Protocol (EPP)"). This greatly reduces the possibility of a domain name being “forgotten” by its registrant.


------------------------
4.3 - Domain name tasting

Domain name tasting is the practice of using the 5-day Add Grace Period (AGP), during which a newly created domain name may be deleted with a refund of the domain fee, to check whether the domain name is of interest. AGP is implemented, and therefore domain name tasting has to be dealt with. However, since .LECLERC is intended to be a single-registrant TLD, the chances that this process will actually be used are rather limited, although the AGP is common practice and corresponds to the policies of almost all existing generic top-level domains.

In 2008, ICANN introduced the "AGP Limits Policy" (http://www.icann.org/en/tlds/agp-policy-17dec08-en.htm) which addresses these issues resulting from the Add Grace Period. The [-TLD-] TLD will fully implement this policy by restricting Add Grace Period refunds to registrars according to the limits specified by the policy.

The numbers of operations concerned are included in ICANN reports. The related report columns are:
* number of AGP deletes ("domains-deleted-grace")
* number of exemption requests ("agp-exemption-requests")
* number of exemptions granted ("agp-exemptions-granted")
* number of names affected by granted exemption request ("agp-exempted-domains")


-------------------------
5 - Disposal of orphan glue records

According to the definition found in the "SSAC Comment on the Orphan Glue Records in the Draft Applicant Guidebook", a glue record becomes an "orphan" when the delegation point NS record (the "parent NS record") that references it is removed while the glue record itself is retained in the zone. Consequently, the glue record becomes "orphaned" since it no longer has a parent NS record. In such a situation, registrars and registrants usually lose administrative control over the record, and the record's attribution to a certain registrar may become unclear, which makes it a potential vector for abuse.

The glue record policy in effect for the .LECLERC avoids this situation entirely by disallowing orphan glue records altogether. This corresponds to policy #3 mentioned in section 4.3 (page 6) of the SSAC document mentioned above. The technical implementation within the .LECLERC registry and its associated zone generation process ensure this by implementing the following measures:
* Any host object which is a glue record can be created only if the domain name exists and is sponsored by the registrar creating the host;
* A domain name that has subordinate hosts can only be deleted when these hosts have been deleted. If these hosts are used in delegations for other domain names registered in .LECLERC, these delegations have to be removed to delete the host objects before the domain name can be deleted.
If the sponsoring registrar of the domain name is unable to remove these delegations (explicit refusal or inactivity from subordinate host’s registrar), a specific request can be submitted with the Registry Operator. Consequently, the Registry Operator will contact the domain name(s) registrar that has been used in order to delegate the host object(s) and ask them to remove these delegations. By default, registrars have 10 days to remove these delegations. Upon expiry of this term, the delegation is not removed, but the Registry Operator will directly deactivate the DNS configuration of the domain name(s) concerned. At the end of the procedure, the Registry Operator will contact the sponsoring registrar and confirm that the host object(s) and the domain name can be deleted.
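
The two glue record rules above, modelled in memory as an added Python example (not the registry's or AFNIC's implementation). The class, method and registrar names are hypothetical, and the model makes one assumption beyond the text: a delegation from the host's own parent domain blocks host deletion in the same way as a delegation from another name.

```python
class PolicyError(Exception):
    """An operation that would leave or create an orphan glue record."""


class Registry:
    def __init__(self):
        self.domains = {}      # domain name -> sponsoring registrar
        self.hosts = {}        # host name -> registrar that created it
        self.delegations = {}  # domain name -> set of host names used as NS

    def parent_of(self, host):
        """Registered domain that the host is subordinate to, or None."""
        return next((d for d in self.domains if host.endswith("." + d)), None)

    def create_domain(self, name, registrar):
        self.domains[name] = registrar
        self.delegations[name] = set()

    def create_host(self, host, registrar):
        parent = self.parent_of(host)
        if parent is None:
            raise PolicyError("parent domain does not exist")
        if self.domains[parent] != registrar:
            raise PolicyError("parent domain has another sponsoring registrar")
        self.hosts[host] = registrar

    def delegate(self, domain, host):
        if host not in self.hosts:
            raise PolicyError("unknown host object")
        self.delegations[domain].add(host)

    def undelegate(self, domain, host):
        self.delegations[domain].discard(host)

    def delete_host(self, host):
        # Assumption: a delegation from the host's own parent domain blocks
        # deletion as well as delegations from other names.
        users = sorted(d for d, ns in self.delegations.items() if host in ns)
        if users:
            raise PolicyError("still used in delegations: " + ", ".join(users))
        del self.hosts[host]

    def delete_domain(self, name):
        subordinate = sorted(h for h in self.hosts if h.endswith("." + name))
        if subordinate:
            raise PolicyError("subordinate hosts exist: " + ", ".join(subordinate))
        del self.domains[name]
        del self.delegations[name]

    def orphan_glue(self):
        """Host objects whose parent domain is gone; must always be empty."""
        return sorted(h for h in self.hosts if self.parent_of(h) is None)


def allowed(operation, *args):
    """Run a registry operation and report whether the policy permitted it."""
    try:
        operation(*args)
        return True
    except PolicyError:
        return False
```

Deleting a domain therefore requires the order the text describes: remove the delegations that use its hosts, delete the host objects, then delete the domain name.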


-------------------------
6 - Single abuse point of contact

To avoid abusive registration practices, the .LECLERC registry will provide Internet users access to a Single Point of Contact on its website, where all kinds of abuse of the TLD or domain names registered therein can be reported.

This Single Point of Contact includes a contact web interface offering the possibility to internet users to report any abuse concerning a name registered in the .LECLERC registry.

Such contact web interface will be displayed on the registry’s website (phishing, spamming, trademark abuse etc.)

This single point of contact will enable a quicker and better management of complaints and resolution of any issues arising. Complaints will be addressed by filling out a form that will be made available on the .LECLERC registry web site.

This single point of contact will enable quicker and better management of complaints. Complaints will be addressed by filling out a form through online services on the .LECLERC registry web site. An e-mail address and a phone number will also be available to inform the registry of any abuse of a domain name.

A specific employee will be in charge of handling these various complaints in due time. All requests should be acknowledged and processed within one business day. According to the nature of the reported abuse (phishing, spamming, trademark abuse, etc.), an appropriate response and, where possible, even a resolution of the issue will be given by the .LECLERC registry.

Moreover, Internet users will be given access to all necessary information regarding remedies to abusive online conduct on the registry Single Point of Contact webpage. The single abuse point of contact webpage will also contain links to all the relevant organizations addressing these issues.


-------------------------
7 - Policies for handling complaints regarding abuse

------------------------
7.1 - Abuse case response

The registry will process each complaint within 24 hours (no later than ...) and will take all the necessary steps to offer a satisfying answer to the complainants:

Should immediate action be taken by competent authorities, the .LECLERC registry is committed to alert such authorities without delay. The .LECLERC registry will work closely with these authorities. This may include, but is not limited to the following cases:
* Court orders
* Inquiries from law enforcement bodies (e.g., OCLCTIC - The Office central de lutte contre la criminalité liée aux technologies de l'information et de la communication is the French Police unit specialized in cybercrime)
* Anti-phishing groups (e.g., CERTs)


------------------------
7.2 - Rapid takedown policies

The .LECLERC registry agrees to monitor the use of domain names in its TLD and to put in place a rapid takedown policy so that it can react quickly if one of the domain names is being used for malicious activities.

The “Rapid Takedown Policies” will determine the means that the .LECLERC Registry may use to detect malicious activities (internal monitoring, specific website...), define the procedures to notify the member using the domain name, and then react proportionally to the abuse against the domain name as soon as possible (time windows to act to be defined depending on the kind of abuses and malicious activities). The “Rapid Takedown Policies” will also define the means of appeal that members may use against a measure taken by the registry. The .LECLERC Registry wants to put in place a long term notification system that will permit suspension of the tab contract signed between the using member and A.C.D. LEC if repeated cases of abuse are detected for the same member. The member may be added to a list of members to monitor.

Depending on the cases and the potential impact of the malicious activity on end-users, the registry will be allowed to notify the member using the domain name, remove it from the .LECLERC zone, delete it or transfer the domain name to another member of the community or recover the use of the domain name.

The .LECLERC Registry will take the decision to delete a domain name with extreme caution as it may have very important consequences.


------------------------
7.3 - Trademark abuse

Detailed and complete information for rights owners on effective safeguards protecting their rights will be provided on the registry website: URS and UDRP procedures.

The whole description of the procedures that the .LECLERC registry will put in place to ensure and protect the right holders will be detailed in Question 29.

The .LECLERC Registry will fully support and interact with the Trademark Clearinghouse. It will propose a Trademark Claims service, and provide support to UDRP, URS and PPDRP procedures.


-------------------------
8 - Resourcing plans

Thanks to the experience and investment of its Registry Service Providers, the .LECLERC Registry already supports technical abuse prevention and mitigation measures cited above at the time of writing. No additional engineering is required for these, which means that no special development resources will be needed.

Continuous audits and surveillance, as well as timely reactions to reports of malicious activity will be provided by the support staff on duty at the Registry operator.

It is estimated that 20 man hours per month will be spent in this area.
