28 Abuse Prevention and Mitigation
|gTLD||Full Legal Name||E-mail suffix||Detail|
|.PHARMACY||National Association of Boards of Pharmacy||fairwindspartners.com||View|
28.1 Abuse Prevention and Mitigation
Strong abuse prevention of a new gTLD is an important benefit to the Internet community. The National Association of Boards of Pharmacy (“NABP”) and its back-end registry services provider, Neustar, Inc. (“Neustar”), agree that a registry must not only aim for the highest standards of technical and operational competence, but also needs to act as a steward of the space on behalf of the Internet community and ICANN in promoting the public interest. Neustar brings extensive experience establishing and implementing registration policies. This experience will be leveraged to help NABP combat abusive and malicious domain activity within the new gTLD space.
One of those public interest functions for a responsible domain name registry includes working towards the eradication of abusive domain name registrations, including, but not limited to, those resulting from:
Illegal or fraudulent actions
Distribution of malware
Fast flux hosting
Distribution of child pornography
Online sale or distribution of illegal pharmaceuticals
More specifically, although traditionally botnets have used Internet Relay Chat (IRC) servers to control registry and the compromised PCs, or bots, for DDoS attacks and the theft of personal information, an increasingly popular technique, known as fast-flux DNS, allows botnets to use a multitude of servers to hide a key host or to create a highly-available control network. This ability to shift the attacker’s infrastructure over a multitude of servers in various countries creates an obstacle for law enforcement and security researchers to mitigate the effects of these botnets. But a point of weakness in this scheme is its dependence on DNS for its translation services. By taking an active role in researching and monitoring these sorts of botnets, NABP’s partner, Neustar, has developed the ability to efficiently work with various law enforcement and security communities to begin a new phase of mitigation of these types of threats.
Policies and Procedures to Minimize Abusive Registrations
A registry must have the policies, resources, personnel, and expertise in place to combat such abusive DNS practices. As NABP’s registry provider, Neustar is at the forefront of the prevention of such abusive practices and is one of the few registry operators to have actually developed and implemented an active “domain takedown” policy. We also believe that a strong program is essential given that registrants have a reasonable expectation that they are in control of the data associated with their domains, especially its presence in the DNS zone. Because domain names are sometimes used as a mechanism to enable various illegitimate activities on the Internet, often the best preventative measure to thwart these attacks is to remove the names completely from the DNS before they can impart harm, not only to the domain name registrant, but also to millions of unsuspecting Internet users.
Removing the domain name from the zone has the effect of shutting down all activity associated with the domain name, including the use of all websites and e-mail. The use of this technique should not be entered into lightly. NABP has an extensive, defined, and documented process for taking the necessary action of removing a domain from the zone when its presence in the zone poses a threat to the security and stability of the infrastructure of the Internet or the registry.
Abuse Point of Contact
As required by the Registry Agreement, NABP will establish and publish on its website a single abuse point of contact responsible for addressing inquiries from law enforcement and the public related to malicious and abusive conduct. NABP will also provide such information to ICANN prior to the delegation of any domain names in the gTLD. This information shall consist of, at a minimum, a valid e-mail address dedicated solely to the handling of malicious conduct complaints, and a telephone number and mailing address for the primary contact. We will ensure that this information will be kept accurate and up-to-date and will be provided to ICANN if and when changes are made. In addition, with respect to inquiries from ICANN-accredited registrars, our registry services provider, Neustar, shall have an additional point of contact, as it does today, handling requests by registrars related to abusive domain name practices.
28.2 Policies Regarding Abuse Complaints
One of the key policies each new gTLD registry will need to have is an Acceptable Use Policy that clearly delineates the types of activities that constitute “abuse” and the repercussions associated with an abusive domain name registration. In addition, the policy will be incorporated into the applicable Registry-Registrar Agreement and reserve the right for the registry to take the appropriate actions based on the type of abuse. This will include locking down the domain name, preventing any changes to the contact and nameserver information associated with the domain name, placing the domain name “on hold,” rendering the domain name non-resolvable, transferring to the domain name to another registrar, and⁄or in cases in which the domain name is associated with an existing law enforcement investigation, substituting name servers to collect information about the DNS queries to assist the investigation.
NABP will adopt an Acceptable Use Policy that clearly defines the types of activities that will not be permitted in the gTLD and reserves the right of the Applicant to lock, cancel, transfer, or otherwise suspend or take down domain names violating the Acceptable Use Policy and allow the registry where and when appropriate to share information with law enforcement. Each ICANN-accredited registrar must agree to pass through the Acceptable Use Policy to its Resellers (if applicable) and ultimately to the gTLD registrants. Below is the registry’s initial Acceptable Use Policy that we will use in connection with the .PHARMACY gTLD.
.PHARMACY Acceptable Use Policy
This Acceptable Use Policy gives the registry the ability to quickly lock, cancel, transfer, or take ownership of any .PHARMACY domain name, either temporarily or permanently, if the domain name is being used in a manner that appears to threaten the stability, integrity, or security of the registry, or any of its registrar partners – and⁄or that may put the safety and security of any registrant or user at risk. The process also allows the registry to take preventive measures to avoid any such criminal or security threats.
The Acceptable Use Policy may be triggered through a variety of channels, including, among other things, private complaint, public alert, government or enforcement agency outreach, and the ongoing monitoring by the registry or its partners. In all cases, the registry or its designees will alert registry’s registrar partners about any identified threats, and will work closely with them to bring offending sites into compliance.
The following are some (but not all) activities that may be subject to rapid domain compliance:
Phishing: the attempt to acquire personally identifiable information by masquerading as a website other than .PHARMACY’s own.
Pharming: the redirection of Internet users to websites other than those the user intends to visit, usually through unauthorized changes to the Hosts file on a victim’s computer or DNS records in DNS servers.
Dissemination of Malware: the intentional creation and distribution of ʺmaliciousʺ software designed to infiltrate a computer system without the owner’s consent, including, without limitation, computer viruses, worms, key loggers, and Trojans.
Fast Flux Hosting: a technique used to shelter Phishing, Pharming, and Malware sites and networks from detection and to frustrate methods employed to defend against such practices, whereby the IP address associated with fraudulent websites are changed rapidly so as to make the true location of the sites difficult to find.
Botnetting: the development and use of a command, agent, motor, service, or software which is implemented: (1) to remotely control the computer or computer system of an Internet user without their knowledge or consent, (2) to generate direct denial of service (DDOS) attacks.
Malicious Hacking: the attempt to gain unauthorized access (or exceed the level of authorized access) to a computer, information system, user account or profile, database, or security system.
Child Pornography: the storage, publication, display, and⁄or dissemination of pornographic materials depicting individuals under the age of majority in the relevant jurisdiction.
The registry reserves the right, in its sole discretion, to take any administrative and operational actions necessary, including the use of computer forensics and information security technological services, among other things, in order to implement the Acceptable Use Policy. In addition, the registry reserves the right to deny, cancel, or transfer any registration or transaction, or place any domain name(s) on registry lock, hold, or similar status, that it deems necessary, in its discretion; (1) to protect the integrity and stability of the registry; (2) to comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process; (3) to avoid any liability, civil or criminal, on the part of the registry as well as its affiliates, subsidiaries, officers, directors, and employees; (4) per the terms of the registration agreement; or (5) to correct mistakes made by the registry or any registrar in connection with a domain name registration. The registry also reserves the right to place upon registry lock, hold, or similar status a domain name during resolution of a dispute.
Taking Action Against Abusive and⁄or Malicious Activity
The registry is committed to ensuring that those domain names associated with abuse or malicious conduct in violation of the Acceptable Use Policy are dealt with in a timely and decisive manner. These include taking action against those domain names that are being used to threaten the stability and security of the gTLD, or are part of a real-time investigation by law enforcement.
Once a complaint is received from a trusted source, third party, or detected by the registry, the registry will use commercially reasonable efforts to verify the information in the complaint. If that information can be verified to the best of the ability of the registry, the sponsoring registrar will be notified and be given 12 hours to investigate the activity and either take down the domain name by placing the domain name on hold or by deleting the domain name in its entirety, or providing a compelling argument to the registry to keep the name in the zone. If the registrar has not taken the requested action after the 12-hour period (i.e., is unresponsive to the request or refuses to take action), the registry will place the domain on “ServerHold.” Although this action removes the domain name from the gTLD zone, the domain name record still appears in the gTLD WHOIS database so that the name and entities can be investigated by law enforcement should they desire to get involved.
Escalated Compliance and Takedown Procedures
NABP has identified a number of policies that are core principles upon which the .PHARMACY registry will be operated. Compliance and enforcement of these principles are paramount to the long-term viability and success of the gTLD. NABP’s approach toward tackling abusive or noncompliant activity within the namespace is part of a much broader commitment, which is founded on the following principles: timely verification, timely investigation, timely remediation, and timely follow-up.
Timely Verification: NABP is committed to bringing all of its available resources to timely investigate and resolve any abusive activity and⁄or non-compliance within the .PHARMACY namespace. The first prerequisite is the need to verify the authenticity of the request. Therefore, NABP will undertake a preliminary analysis to verify if a complaint has been received from a trusted⁄verified source. In making this initial determination, NABP will rely upon internal and external staffing. While NABP does not anticipate a high volume of complaints, NABP will prioritize the complaints that it receives based on the source of the complaint, as well as the subject matter of the concern.
Timely Investigation: NABP will prioritize all investigations in a similar manner as identified in the preceding section. While NABP staffing levels are suitable to handle expected volumes of complaints and the associated verification⁄investigation⁄remediation⁄follow-up tasks, NABP has access to external consultants to supplement its needs.
NABP commits to providing a preliminary investigation status update within one business day following verification in connection with complaints from legitimate law enforcement agencies. In connection with third-party complaints involving security, stability, or criminal activity, NABP will use commercially reasonable efforts to provide a preliminary investigation status update within three business days of verification, and will follow a similar three business day time frame to provide any subsequent follow-up regarding the investigation. In connection with third-party complaints that do not involve security, stability, or criminal activity, NABP will use commercially reasonable efforts to provide a preliminary investigation status update within five business days of verification, and will follow a similar five business day time frame to provide any subsequent follow-up regarding the investigation.
Timely Remediation: NABP is fully committed to tackling abusive and⁄or non-compliant activity within the .PHARMACY namespace, including, but not limited to, domain name suspension and or cancelation. NABP has developed the following remediation plan:
In connection with credible threats that significantly impact or threaten the security and⁄or stability of the Internet or of the namespace, or which cause direct and material harm to others, NABP’s default option will be to suspend the domain name within 12 hours of completing a preliminary investigation. The only exception would occur in a case where NABP, after consulting with its team of legal, technical, and policy advisors (both internal and external), decided that there was a compelling reason not to suspend the domain name. In such cases, NABP will communicate this decision and an explanation will be provided to either law enforcement or the third party.
In all other complaints, NABP will seek to resolve the matter through an escalated notification process: email, telephone, certified mail. While NABP is committed to ensuring registrant compliance, NABP wants to avoid prematurely suspending and⁄or cancelling a domain name that may have a larger impact on a much larger community of users. Similar to the procedure outlined above, NABP will consult with its team of legal, technical, and policy advisors before deciding to suspend⁄cancel a domain name. During this time, NABP will remain in dialogue with the original third-party complainant.
Timely Follow-Up: NABP does not view its commitment to the community as ending after a threat has been neutralized. Instead, NABP will follow up in connection with each complaint to either re-activate a domain name after the abusive⁄non-compliant activity has been resolved, or help educate the registrant as to how to avoid future remediation.
28.2 Measures for Removal of Orphan Glue Records
As the Security and Stability Advisory Committee of ICANN (SSAC) rightly acknowledges, although orphaned glue records may be used for abusive or malicious purposes, the “dominant use of orphaned glue supports the correct and ordinary operation of the DNS.” See http:⁄⁄www.icann.org⁄en⁄committees⁄security⁄sac048.pdf.
While orphan glue often support correct and ordinary operation of the DNS, we understand that such glue records can be used maliciously to point to name servers that host domains used in illegal phishing, botnets, malware, and other abusive behaviors. Problems occur when the parent domain of the glue record is deleted but its children glue records still remain in DNS. Therefore, when the registry has written evidence of actual abuse of orphaned glue, the registry will take action to remove those records from the zone to mitigate such malicious conduct.
Neustar runs a daily audit of entries in its DNS systems and compares those with its provisioning system. This serves as an umbrella protection to make sure that items in the DNS zone are valid. Any DNS record that shows up in the DNS zone but not in the provisioning system will be flagged for investigation and removed if necessary. This daily DNS audit serves to not only prevent orphaned hosts but also other records that should not be in the zone.
In addition, if either NABP or Neustar becomes aware of actual abuse on orphaned glue after receiving written notification by a third party through its Abuse Contact or through its customer support, such glue records will be removed from the zone.
28.3 Measures to Promote WHOIS Accuracy and Authentication of Registrant Information
NABP acknowledges that ICANN has developed a number of mechanisms over the past decade that are intended to address the issue of inaccurate WHOIS information. However due to the nature of the .PHARMACY gTLD, NABP is committed to verifying the identify and qualifications of all registrants prior domain name registration. This prerequisite ensures that only complete and accurate data will be entered into the WHOIS database at the time of registration. Periodic re-verification of the WHOIS data will be performed no less than twice per year.
28.3.1 Monitoring of Registration Data
NABP will maintain and operate a WHOIS compliance portal through which third parties can submit allegations of inaccurate or incomplete WHOIS data. NABPʹs back-end provider, Neustar has first-hand experience implementing a similar reporting mechanism in connection with the .US ccTLD, see http:⁄⁄www.neustar.us⁄whoiscompliance⁄ComplaintMain.jsp. This reporting mechanism will incorporate suitable safeguards to ensure that third party complaints are not frivolously submitted, therefore burdening the registry or registrars.
Today most third parties with concerns about inaccurate or incomplete WHOIS data have only one option: the used of ICANN’s WHOIS report tool which forwards these complaints to the sponsoring registrar, with little or no involvement with the registry. NABP is proposing to take a much more active role to promote the accuracy and completeness of the WHOIS data within the .PHARMACY gTLD. Specifically, NABP will forward the information to the sponsoring Registrar, who shall be required to address those complaints with their registrants. Thirty days after forwarding the complaint to the registrar, the Registry will examine the current WHOIS data for names that were alleged to be inaccurate to determine if the information was corrected, the domain name was deleted, or there was some other disposition. If the Registrar has failed to take any action, or it is clear that the registrant was either unwilling or unable to correct the inaccuracies, NABP reserves the right to suspend the applicable domain name(s) until such time as the Registrant is able to cure the deficiencies.
28.3.2 Policies and Procedures Ensuring Compliance
These proposed enhanced safeguards designed to promote the accuracy of WHOIS data will be hard coded into the Registry-Registrar Agreement (RRA) as well as the end-registrant agreement. NABP will proactively be monitoring other gTLDs encompassing regulated industries to ensure best in class policies to promote the accuracy and availability of WHOIS data.
28.4 Resourcing Plans
Responsibility for abuse mitigation rests with a variety of functional groups. The Abuse Monitoring team is primarily responsible for providing analysis and conducting investigations of reports of abuse. The customer service team also plays an important role in assisting with the investigations, responded to customers, and notifying registrars of abusive domains. Finally, the Policy⁄Legal team is responsible for developing the relevant policies and procedures.
The necessary resources will be pulled from the pool of available resources described in detail in the response to Question 31. The following resources are available from those teams:
Customer Support – 12 employees
Policy⁄Legal – 2 employees
In addition to the above staffing provided by Neustar, NABP will provide the full support of its internal staff (1.0 FTE count) as well as its external vendors where the situation requires the extra staffing resources.
The resources are more than adequate to support the abuse mitigation procedures of the .PHARMACY registry.
Similar gTLD applications: (0)
|gTLD||Full Legal Name||E-mail suffix||z||Detail|