28 Abuse Prevention and Mitigation
|gTLD||Full Legal Name||E-mail suffix||Detail|
Abusive activities during the operation of a gTLD registry system can be categorized as follows:
• Abusive registrations of names under a gTLD.
• Abusive use of a domain name under that TLD („Malicious Use“)
• Abuse of the registration processes, the technical interfaces, infrastructure of the Registry systems and the DNS network itself.
With respect to the first (and also parts of the second) category, ICANN’s “RAP” WG (Registration Abuse Policies Working Group) has produced an illustrative categorization of known abuses in their “Registration Abuse Policies Working Group Final Report” (http:⁄⁄gnso.icann.org⁄issues⁄rap⁄rap-wg-final-report-29may10-en.pdf, dated 29 May 2010). The anti-abuse measures of the proposed gTLD registry largely follow the RAPWG’s recommendations for the individual abuse scenarios. More details on the individual countermeasures are included below.
Furthermore, the proposed registry also takes into consideration the ICANN Security and Stability Advisory Committee’s document “SAC 048” (“SSAC Comment on Orphan Glue Records in the Draft Applicant Guidebook”) as well as “SAC 023” (“Is the WHOIS Service a Source for email Addresses for Spammers?”).
2 General Provisions against Abuse under gTLD
2.1 Legal Safeguards
To meet the requirements of ICANN to a community-based designation of the application, the registrant must use the gTLD domain in connection to the .versicherung community.
This designation of gTLD to the gTLD Community will be enforced by specific language in the Registry-Registrar-Agreement that holds gTLD registrars responsible to include the restrictions as outlined above in respective agreements with their gTLD registrants.
The gTLD Registry will, from time to time in its sole discretion or upon evidence or advice manually conduct continuing or recurring audits of domain names registered to ensure continued compliance with these requirements. Failure to comply will result in a notice providing 20-days to comply. Non-compliance following such a notice period may result in take-down of the relevant domain name, at the discretion of the Registry.
2.2 WHOIS Accuracy Measures
In parallel to auditing domain names for compliance with the eligibility requirements as outlined in 2.1, any such domain names will simultaneously also be checked for the accuracy of their WHOIS data.
3 Abuse Contact and Abuse Handling Provisions
The .versicherung registry operator will establish and publish a single abuse point of contact on its website. This contact is responsible for addressing matters requiring expedited attention and for providing a timely response to abuse complaints concerning all names registered in the .versicherung, through all registrars of record, including those involving a reseller.
The contact information for the abuse contact will consist of:
• an email address
• a phone number
• the postal address of the abuse contact (offices of the registry operator)
Communication submitted to the abuse contact will be handled as follows:
• review inbound communication for new abuse requests and⁄or ongoing cases
• treat remaining communication such as spam or non-applicable requests (e.g. for domains in other TLDs) appropriately, e.g. by discarding or rejecting it
• identify registrar of respective domain
• provide a preliminary response to the request’s originator
• approach registrar of record with the abuse case
• track abuse handling measures of registrar
• respond to originator with the outcome
Confirming receipt of communication and forwarding third-party communication is regularly handled during business hours, but after 24 hours at the latest. The initial time frame for the registrar of record to complete its abuse handling measures is 72 hours. Exceptionally and only at a registrar’s request this can be extended by another 24 hours. Details will be specified in the Registrar Accreditation Agreement.
4 Potential Registration Abuse Categories and Countermeasures
As outlined above ICANN’s RAPWG has identified a number of potential abuse categories (see chapter 5 of their document). These correspond to the first bullet point of the potential abuses of a Registry as listed in section 1 above (“Abusive Registrations”). The proposed registry system addresses these individual categories as follows:
Abuses from cybersquatting cases in the proposed .versicherung will be addressed by using ICANN’s existing and well know Uniform Dispute Resolution Process (“UDRP”). However, registry staff will also closely follow developments regarding Rights Protection Mechanisms within ICANN and will investigate potential paths towards adoption of such processes once they are clearly defined for the .versicherung registry space.
Even though the RAPWG does not recommend any specific action regarding this issue, the proposed registry will a) treat all logfiles and any other information that reflects user interests in a particular domain name as confidential. Such data and log information will only be available to staff with actual operational requirements to access those files, and b) will include a respective provision in the gTLD’s registrar accreditation agreement.
4.3 Gripe Sites; Deceptive and Offensive Domain Names
In line with the RAP WG recommendation, the proposed .versicherung registry will not develop best practices to restrict the registration of offensive strings. Additionally, it is believed that the existing UDRP, in addition to court decisions (which the registry will obviously be bound by) provides sufficient, independent action against such potentially abusive names.
4.4 Fake Renewal Notices
The registry will not, in line with the RAPWG’s recommendations, implement any specific countermeasure within its registry systems and services. As the registry is required to provide accurate and complete WHOIS information for all domain names (which is believed to be the information source for such notices) it is not feasible to implement such measures at this level. It is understood that ICANN continually monitors this issue and will take necessary countermeasures against registrars associated with such practices.
The registry will, however, post warnings on their website about any clearly fraudulent (and clearly illegal) renewal and expiration notices of which its staff becomes aware and will take legal measures against registrars performing such illegal, fraudulent acts.
4.5 Name Spinning
This is considered to be a practice employed mainly by registrars in a legitimate way to offer users more choice and⁄or alternatives should their desired name already be taken. As such, it is believed that it is within the registrar’s responsibility to use those techniques in a considered manner. In reality it is not possible for the registry to differentiate between a legitimate domain name request, say one manually entered by a user, and a domain name request that was “spun” by the registrar.
In the event that such name spinning practices could lead to trademark infringements on a domain name, the UDRP allows for appropriate action to be taken against the holder of such a name.
This follows the RAPWG’s recommendation.
In agreement with the RAPWG’s position, this is considered to be an indirect and purely web related issue that does not have a direct relationship to the registration of domain names. In most cases, pay-per-click is a legitimate revenue source for domain name owners and web site operators. Any potential misuse of such practices must be out of scope for the Registry and again any trademark cases are expected to be brought using the UDRP.
4.7 Traffic Diversion
In accordance with the RAPWG’s position, this is again a web related issue and no specific countermeasures have been implemented within the registry’s operations.
4.8 Domain Kiting ⁄ Tasting
In order to prevent mass domain kiting ⁄ tasting (as it was observable in gTLD and ccTLD registries), the Registry will implement the “Add Grace Period Limits Policy” (http:⁄⁄www.icann.org⁄en⁄tlds⁄agp-policy-17dec08-en.htm), which efficiently removes the financial advantage of domain kiting ⁄ tasting and hence significantly reduces the volume of such registrations. All registrars will obviously be treated identically in this respect with no exemptions from that policy.
5 Abusive Use of a Domain Name
Corresponding to the second bullet in the list above (“Abusive Use”), the RAPWG has also provided an analysis in their Final Report. The Registry will apply a policy as outlined below:
5.1 Abuse Policy for .versicherung
The intention of the Abuse Policy of .versicherung is to take action against the use of a domain name in conjunction with illegal, malicious, fraudulent or otherwise harmful activities on the Internet. Such activities comprise:
• Spam: Spam is generally defined as bulk unsolicited e-mail, but can also occur in instant messaging or mobile environments. Spam may be sent from domains, and spam is used to advertise Web sites.
• Phishing: Phishing is a website fraudulently presenting itself as a trusted site – often as a bank website – in order to deceive Internet users into divulging sensitive information (e.g. online banking credentials, email passwords).
• Pharming: Pharming is a redirection of Internet users to fraudulent websites, predominantly achieved by techniques like DNS hijacking or poisoning.
• Deliberate distribution of Malware: Malware is a piece of software that without the users’ consent infiltrates their system to harm it or e.g. use it for bot net activities. Examples are viruses, worms, Trojans or key logger.
• Malicious Fast-Flux hosting: Malicious Fast-Flux hosting is a DNS-based component of bot net activities in particular, to e.g. disguise the location on the Internet of these activities and to harden them against discovery and defense.
Any incoming communication about a potential abuse will be handled according to section 3 of the response to this question. Experts at the Registry Operator will then asses whether there is indeed an abuse at hand in conjunction with a .versicherung domain name and of what kind it is. Subsequently the best method to tackle the issue will be derived from the initial assessment.
The main differences are a) whether the domain name has specifically been registered to commit the malicious activity or if this activity exploits a legitimate use of the domain name and its registrant is fully unaware of it, i.e. its website has been hacked – and b) whether there is a need for immediate action (domain is locked and removed from the delegation) or not (domain is locked only).
5.2 Handling of URS Requests
The registry Operator’s handling of Uniform Rapid Suspension (URS) requests is specified in detail in section 1.3 of the response to question #29.
6 Registry Interfaces Abuse
The registry will employ the following countermeasures to protect against abuses of the registry systems and the DNS network itself:
6.1 WHOIS data harvesting
WHOIS access is a critical and vital service provided by any gTLD registry and the Registry will obviously comply with ICANN’s requirements for WHOIS access.
However, as indicated in the SSAC’s document “Is the WHOIS Service a Source for email Addresses for Spammers?”, WHOIS abuse can be considered to be one of the primary means to generate email address lists for the purposes of sending unsolicited email, in particular the practice of mass harvesting information from the WHOIS. It is also believed that the WHOIS is the main source of data for generating fake renewal notices. To protect against harvesting of registration data (and particularly, email addresses), the registry will employ the following countermeasures:
• WHOIS query rate limits: All access to whois data will be query rate limited on a per-IP-address basis (for IPv4) and a per-prefix basis (for IPv6), with a daily limit of 25 WHOIS queries per IP address⁄prefix. Once this limit is reached, the WHOIS server responds with a relevant notification message instead of the standard WHOIS answer (The query limits may be reviewed and adapted by the Registry operator from time to time). IP-Ranges of accredited registrars (and other IP-ranges, eg. ICANN itself, UDRP and URS service providers etc) will be excluded from those rate limiting measures. This will allow legitimate usage of the service while at the same time make it very difficult to harvest data on a large scale.
• Email⁄Phone⁄Fax privacy: The EPP implementation of the “contact” object provides a mechanism that allows a registrar to define whether or not the “email”, “phone”, and “fax” fields of the contact object shall be publicly disclosed (i.e. “contact:disclose” element). The registry will set these fields to “do not disclose” by default, however, registrars can modify this setting via the normal EPP command stream. When a flag for a certain field is set to “do not disclose”, the respective field will be omitted from anonymous WHOIS outputs, providing a minimum level of privacy to registrants. To allow for various business processes, IP Ranges of accredited registrars (and other IP-ranges as needed, eg. ICANN itself, UDRP and URS service providers) will still need to see the full data set, including those fields marked as “do not disclose”.
• WHOIS monitoring: The WHOIS service will be monitored in order to identify unusual activity on the interface
The countermeasures above provide a well-balanced compromise between the requirements to provide access to WHOIS data and the basic data protection rights of registrants. More information about the WHOIS service provided by the registry is contained in response to Question 26.
6.2 EPP Interface Abuse
As described in the answers to the SRS, EPP and security questions (Question 24, 25 and 30, respectively), the EPP interfaces of the Registry are heavily firewalled, are only accessible from IP-ranges of accredited registrars and are protected by EPP authentication mechanisms. As such, abuse of those interfaces (such as DDoS, brute-force attacks against username⁄password combinations etc) can only be performed from networks of parties with which the Registry Operator has a legal agreement. Additionally, EPP interfaces are rate-limited at the network layer.
On top of the outlined technical means, usage figures beyond any regular and meaningful traffic patterns that are ongoing or recurring will be investigated by the Registry Operator. A lack of a decent explanation for such non-regular registrar behavior on the EPP interface might lead to sanctions such as service degradation, interruption or even termination to the extend possible it is provided for in the Registrar Accreditation Agreement.
6.3 DNS Interface Abuse
Public nameservers, hidden masters and the signing infrastructure is configured and firewalled so that they allow NOTIFYs and UPDATEs from the required addresses only. In order to prevent zone walking and load peaks, zone transfers from the DNS infrastructure are disabled.
7 Management and removal of orphan glue records
It is understood, that inline with the SSAC’s comments in http:⁄⁄www.icann.org⁄en⁄committees⁄security⁄sac048.pdf, glue records have a vital function in the correct and normal operation of the DNS but that they can also be used for malicious purposes.
In order to prevent such malicious usage, the registry performs glue record management in accordance with the following policy:
• Provisioning of host objects with glue: In line with the EPP RFCs, glue record (“internal”) host objects can only be provisioned when the superordinate (parent) domain name exists in the registry. Host objects that are not under the TLD managed by the registry (“external hosts”) can never have A or AAAA records
• Deletion of domain with subordinate glue record hosts: When a domain name transitions from a “REGISTERED” to a “REDEMPTION” status (for example, via the EPP “delete domain” command, or via expiration), the domain name itself is removed from the DNS, however any glue records under the deleted domain are kept in the zone temporarily. Other registrars who are affected by a potential impact on DNS service due to the upcoming removal of the host from their domains are notified via the EPP message queue.
• Subsequently, when the domain name transitions from a “REDEMPTION” to a “PENDING DELETE” status, the glue records under the affected domain name are revoked from the DNS, but still exist in the SRS database.
• In the last step of the deletion process (transition from “PENDING DELETE” to “AVAILABLE”), the glue record host objects are deleted together with the domain and are also removed from any other domain name in the registry that still uses those hosts.
This policy effectively prevents misuse of orphan glue records in the registry since the status of a host object always follows the status of the superordinate domain. As a result glue records can never exist for domains that are not in the registry database. Additionally, keeping the glue records in the zone during the redemption period together with notification to Registrars significantly reduces the risk of other domains being impacted and reduces the effort required by a registrar in the event that the domain is subsequently restored.
However, in addition to this procedural policy outlined above, the registry operator will also act on documented evidence that glue records are present and used in connection with malicious activity by subsequently removing such glue records manually.
8 Ressourcing Plan
The Registry operator expects a domain name volume in the first three years of operations of .versicherung as listed in response #46. It will plan staffing needs based on these figures and install abuse response functions which will likely consist of internal and outsourced staff. The planned functions for .versicherung are based on nic.at’s experience with the management of abuse complaints. The abuse response staff will be able to swiftly investigate abuse complaints and to react accordingly.
8.1 CERT.at is a department of the backend provider
It is important to note that the Austrian CERT (Computer Security Emergency Response Team, see http:⁄⁄www.cert.at⁄), staffed with 5 full-time-equivalents is a department within nic.at and shares offices with the registry operations team. Hence, world class security and anti-abuse expertise is committed to be available literally „next door“ to the registry operations centre.
Similar gTLD applications: (8)
|gTLD||Full Legal Name||E-mail suffix||z||Detail|
|.berlin||dotBERLIN GmbH & Co. KG||dotberlin.de||-4.52||Compare|
|.hamburg||Hamburg Top-Level-Domain GmbH||dothamburg.de||-4.52||Compare|
|.TIROL||punkt Tirol GmbH||tirol.com||-4.51||Compare|