28 Abuse Prevention and Mitigation

Prototypical answer:

gTLD: .bom
Full Legal Name: Núcleo de Informação e Coordenação do Ponto BR - NIC.br
E-mail suffix: registro.br

For domain transactions made through registrars, the following clauses shall be part of the registry-registrar agreement and stipulate mandatory specifications to be shown to the registrant and to be agreed to by the registrant.

.BOM Registrant Data (WHOIS) Policy:

"The registrant shall provide and update the required personal data and/or business data so they always reflect real and valid information. Use of false, invalid or incorrect data, or of data belonging to a third party, can invalidate the contract and incur cancelation of the domain, besides law-defined penalties and liabilities. If requested by "Núcleo de Informação e Coordenação do Ponto BR - NIC.br", either directly or through a registrar, the registrant shall provide certified documents and/or update data in order to maintain WHOIS accuracy. Failing to provide timely responses to requests for documents or data updates can cause suspension (defined as the removal of domain publication within the DNS system) or cancelation of the domain.

In all domains that are registered by a Brazilian individual or organization, the registrant needs to be uniquely identified by a document ID, which can be CPF (individual) or CNPJ (organization). This document must also be valid according to the Brazilian internal revenue service.

Registration implies agreeing with legally-binding responsibilities for the domain; such responsibilities cannot be transferred to a third party without transferring the domain itself and having such transaction reflected in the WHOIS data. Domains registered in the name of a person or an organization will be considered to belong to such person or organization, so registrants need to carefully consider if proxy services could bring ownership risks to them."

.BOM Prevention of Abuse Policy:

"The registrant agrees to use the .BOM domain being registered or renewed only for lawful and non-abusive purposes.
NIC.br defines abuse as the bad, wrongful or excessive use of privileges or power including but not limited to:
- Botnet command and control (a command and control infrastructure to manage a group of infected computers that receives orders from unauthorized user(s) through the network);
- Child entrapment or abuse;
- Distribution of child pornography;
- Deployment of circular references within the Domain Name System (DNS) using resources of NIC.br and/or other Top Level Domains (TLDs);
- Fast flux hosting (rapidly changing DNS records in order to prevent detection or mitigation of an abuse);
- Phishing (unsolicited communication or Web page that poses as being from a known institution to trick users into disclosing personal, privileged or financial data);
- Sending unsolicited bulk messages through electronic mail, forums, instant messaging, mobile messaging, social networks or comment boxes;
- Theft of any online service;
- Unlawful or fraudulent actions;
- Willful distribution of malware (any kind of software that executes malicious action on a computer system, such as viruses, worms, bots, trojan horses and rootkits)."


Abuse handling procedures:

Abuse detection procedures will include:
- An e-mail box abuse@nic.BOM to receive abuse complaints;
- A web form to receive abuse or take action complaints;
- An optional anonymized web form to receive take action complaints that can be verified by NIC.br with no corroboration;
- Automated analysis of malware and phishing URL feeds including both public sources and association sources. NIC.br, through its security area called CERT.br, is a member of the Anti-Phishing Working Group (APWG); the SpamPots project; the Brazilian honeypot consortium organizations; FIRST (Forum of Incident Response and Security Teams) and a few research projects with Brazilian universities. Results of automated analysis or information gathering generate abuse cases that will be dealt with manually.
- A ticketing system to integrate and manage the complaints from all three ways above and to measure the service level.

Target service-level for abuse and take action complaints is to set a course of action within 30 minutes for 50% of the complaints, up to 8 hours for 75% of the complaints and up to 24 hours for 99% of the complaints. Staffing for this system will include at least 1 full-time employee (registry security officer) and operation center analysts for coverage during the night shifts and will be shared among all TLDs (Top-Level Domains) managed by NIC.br, including but not limited to .BOM and .br. Abuse and take action complaints from law enforcement will be given priority and skip queues.


.BOM Take Action procedures:

"As soon as an abuse issue is found, in all cases an administrative procedure will be started to verify documentation of the registrant if none has been received before. For each case one or more of these actions might apply:
- Remove DNS publication of the domain in cases where the domain appears to be used only for phishing, malware, botnet command and control, fast-flux hosting, DNS circular references, child pornography distribution, child abuse and entrapment;
- Notice of abusive case to registrant;
- Notice of abusive case to registrar;
- Notice of abusive case to hosting provider(s);
- Notice of abusive case to appropriate computer incident response team;
- Notice of abusive case to appropriate law enforcement authorities.

Preemptive measures like removing DNS publication will only be taken to prevent further damage to the Internet community or endangered individuals, and the collateral damage of such actions will be assessed prior to reaching such a decision."


.BOM prevention of abusive transfer and/or cancellation:

Transfer tokens will be required to perform domain transfers; registrars will be encouraged to validate the transfer or cancellation through secondary channels. Frequent occurrence of abusive transfers and/or cancellations at a specific registrar can trigger a compliance investigation by NIC.br and the sending of an informative notice to ICANN's compliance area.


Measures for dealing with glue records:
"Internet Protocol (IP) address" in this context refers to both IPv4 and IPv6 addresses, regardless of IP protocol version.

- Host records won't be allowed outside of domain objects. Glue records are only allowed as domain attributes and only allowed to be in-zone glue records (i.e., ns.example.BOM for an example.BOM domain).
- When a domain is removed from publication all of its glue records are also removed, so no orphan glue records can exist.
- When a domain is registered the supplied DNS servers are tested to validate proper authoritative response; DNS delegation requires previous authoritative DNS configuration. This prevents amplification attacks that could arise by setting DNS glue records to victim IP addresses.
- If an IP address that used to be a DNS server moves to a new delegated organization there might be undesirable traffic towards that address. Take action notices for such glue records, even if they are not orphaned, will be accepted from the RIR (Regional Internet Registry) registered WHOIS contact for that address space.
- As only in-zone non-orphan glue records are allowed, any evidence of a glue record being part of malicious conduct will be considered as malicious conduct of the domain it belongs to and will subject such a domain to anti-abuse or take action policies.
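
The in-zone and no-orphan glue rules above can be enforced at registration time. The following sketch is an added example, not NIC.br's registry code: the function and class names are hypothetical, the sample domains and addresses are constructed, and the live authoritative-response test is left out because it needs network access.

```python
import ipaddress

TLD = "bom"  # zone from the page; every other name below is constructed

def is_in_zone(host, domain):
    """True when host is the domain itself or a name beneath it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def validate_delegation(domain, nameservers):
    """Return policy violations for a {ns_host: [ip, ...]} request."""
    errors = []
    if not domain.lower().rstrip(".").endswith("." + TLD):
        errors.append(f"{domain}: not under .{TLD}")
    for host, addrs in nameservers.items():
        in_zone = is_in_zone(host, domain)
        if addrs and not in_zone:
            errors.append(f"{host}: glue supplied for out-of-zone host")
        if in_zone and not addrs:
            # DNS requirement rather than page text: an in-zone server
            # cannot be reached without its address in the parent zone.
            errors.append(f"{host}: in-zone name server needs glue")
        for addr in addrs:
            try:
                ipaddress.ip_address(addr)  # IPv4 and IPv6 treated alike
            except ValueError:
                errors.append(f"{host}: invalid IP address {addr!r}")
    return errors

class Registry:
    """Glue exists only as a domain attribute, so it cannot be orphaned."""
    def __init__(self):
        self.domains = {}

    def register(self, domain, nameservers):
        errors = validate_delegation(domain, nameservers)
        if not errors:
            self.domains[domain.lower()] = nameservers
        return errors

    def unpublish(self, domain):
        self.domains.pop(domain.lower(), None)  # glue goes with the domain

    def published_glue(self):
        return {h: a for ns in self.domains.values()
                for h, a in ns.items() if a}
```

The suffix test compares against "." plus the domain, so a look-alike host such as ns.evilexample.bom is not accepted as in-zone for example.bom.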
