28 Abuse Prevention and Mitigation
Applicant: DNS.be vzw (e-mail suffix dns.be), gTLD .brussels
Response to Question 28 Abuse Prevention
1 Overview
Abusive activities in the operation of a gTLD registry system fall into three categories:
•Abusive registrations of names under the gTLD.
•Abusive use of a domain name under the TLD (“malicious use”).
•Abuse of the registration processes, the technical interfaces and infrastructure of the registry system, and the DNS network itself.
For the first category (and parts of the second), ICANN’s Registration Abuse Policies Working Group (RAP WG) has produced an illustrative categorization of known abuses in its “Registration Abuse Policies Working Group Final Report” (http://gnso.icann.org/issues/rap/rap-wg-final-report-29may10-en.pdf, dated 29 May 2010).
The anti-abuse measures of the proposed gTLD registry largely follow the RAP WG’s recommendations for the individual abuse scenarios. The individual countermeasures are described in more detail below.
The proposed registry also takes into account two documents of ICANN’s Security and Stability Advisory Committee: “SAC 048” (“SSAC Comment on Orphan Glue Records in the Draft Applicant Guidebook”) and “SAC 023” (“Is the WHOIS Service a Source for email Addresses for Spammers?”).
2 General Provisions against Abuse under .brussels
2.1 Legal Safeguards
The Registration Terms & Conditions will contain specific safeguards against abusive registrations under .brussels.
They will allow the registry, upon receipt of appropriate instructions or proof from competent legal or administrative entities, to initiate a revocation procedure. If the reported breach of the Registration Terms & Conditions is not remedied within 14 days, the registry will revoke the domain name for which the abusive registration has been established.
The following uses of a domain name under .brussels constitute a breach of the Registration Terms & Conditions:
1°to infringe or otherwise violate the rights of a third party;
2°for an unlawful purpose;
3°in violation of any applicable laws or regulations, such as a name that serves to discriminate on the basis of race, language, sex, religion or political view;
4°in a manner contrary to public order or morality (e.g. obscene or offensive names).
2.2 WHOIS Accuracy Measures
Registrant data will be formally verified for all applications made during the different stages of the Sunrise Period. The contact (WHOIS) data of the registrant must correspond to the data of the applicant who applied for the .brussels domain name and proved the prior right entitling that party to register it.
Once the phase of normal registrations starts, there will be no formal a priori verification of registrant data.
The applicable Registration Terms & Conditions will oblige the registrant to provide, and maintain at all times, correct registrant data. The registry will provide an online form for reporting inaccurate or false registrant data linked to a specific .brussels domain name. If the complaint appears well-founded, the registry will initiate a revocation procedure for that domain name and inform the registrant and the registrar of the inaccuracies. If the registrant fails to correct the data within 14 days, the registry will revoke the domain name.
The registry will screen newly registered domain names within 24 hours (on business days) of registration and identify any domain names whose registrant data appear obviously inaccurate or false. This is a high-level screening, not an in-depth verification of all registrant data for every new registration. Data that appear inaccurate or false at first sight will be examined more closely; if the registry concludes that they are indeed inaccurate or false, it will initiate the revocation procedure described above, and the domain name will be revoked if the registrant fails to correct the data within 14 days. Depending on feasibility in terms of manpower and labour cost, the registry will evaluate whether to extend the screening from new registrations to all updates of existing registrant contacts linked to an active .brussels domain name.
The Registration Terms & Conditions will also explicitly exclude so-called proxy registrations, i.e. registrations in which the identity of the real domain name holder is shielded and replaced by the contact data of a proxy. Proxy services do have legitimate uses (e.g. protection of privacy), but it is well known that they are often used to shield domain name holders who breach the rights of third parties or make malicious use of domain names. Registry Operator will instead distinguish between domain names registered by entities and those registered by private individuals: the contact data of private registrants will be held in the registry database but will not be accessible through the WHOIS service. Private registrants therefore do not need a proxy service to protect their privacy.
3 Abuse Contact and Abuse Handling Provisions
The .brussels Registry Operator establishes and publishes on its website a single abuse point of contact responsible for addressing matters requiring expedited attention and providing a timely response to abuse complaints concerning all names registered in the .brussels gTLD through all registrars of record, including those involving a reseller.
The contact information of the abuse contact will consist of:
•an e-mail address
•a phone number
•the postal address of the abuse contact (premises of the registry operator)
Communication submitted to the abuse contact will be handled as follows:
All abuse reports must be submitted in writing through a specific complaint/report form. Even where there has been a telephone exchange with the abuse point of contact, that contact must be followed up by a formal submission through the complaint/report form.
All submitted reports will be reviewed internally by competent administrative, paralegal or legal staff. Spam and other irrelevant reports will be discarded immediately. Non-applicable or ill-founded complaints or requests will receive a short answer with, as far as possible, advice on how the complaint or request can be substantiated. For this type of report the registry estimates that a reply (on business days) can be given within 24 hours of submission.
For validated complaints/requests a case file number will be opened and a formal enquiry will take place. Competent staff will review the allegations and submitted documents, identify the specific domain name and responsible registrar, contact the registrar and the competent legal or administrative bodies as far as necessary, and provide a first response to the requestor.
If the abuse report emanates from legal or administrative entities and is provided with corresponding legal documents e.g. court order, the registry will respond and start the appropriate procedure within 24 hours (on business days) after the report.
If the abuse report emanates from other stakeholders, the registry cannot commit to a specific time frame since the registry itself will have to transmit the reported elements to the competent legal or administrative entity for examination. The registry will however proceed with the procedure (providing answer to the requestor or start specific procedure) within 24 hours (on business days) after having received a valid and clear instruction from the contacted legal or administrative entity.
4 Potential Registration Abuse Categories and Countermeasures
As outlined above, ICANN’s RAP WG has identified a number of potential abuse categories (see chapter 5 of its report). These correspond to the first bullet point of the potential abuses of a registry listed above (“abusive registrations”). The proposed registry system addresses the individual categories as follows:
4.1 Cybersquatting
Cybersquatting cases in the proposed gTLD will be addressed by an Alternative Dispute Resolution (ADR) procedure based entirely on ICANN’s existing and well-known Uniform Domain-Name Dispute-Resolution Policy (UDRP). Registry staff will also closely follow the development of Rights Protection Mechanisms within ICANN and will investigate paths towards adopting such processes once they are clearly defined for the gTLD registry space.
4.2 Front-Running
Although the RAP WG does not recommend any specific action on this issue, the proposed registry will treat log files and any other information that reveals user interest in a particular domain name as confidential. Such data and logs will be available only to staff who need access to them for operational purposes.
4.3 Gripe Sites; Deceptive and Offensive Domain Names
In line with the RAP WG recommendation, the proposed gTLD registry will not develop best practices to restrict the registration of offensive strings. The existing UDRP, together with court decisions (which the registry will of course abide by), is considered to allow neutral and sufficient action against such potentially abusive names.
The registry does not exclude the possibility that the stakeholders of the community which .brussels is to serve, can establish an exclusion list of domain names that may not be registered. Such exclusion list will be established before the start of the Sunrise Period and will be publicly available.
4.4 Fake Renewal Notices
In line with the RAP WG’s recommendation, the registry will not implement a specific countermeasure on the registry side: this issue cannot be solved at this level as long as the registry is also required to provide accurate and complete WHOIS information for domain names, which is believed to be the data source for such notices. ICANN is expected to monitor this issue and to take corresponding action against registrars engaging in such practices.
The registry will, however, post warnings on its website about clearly fraudulent (and clearly illegal) renewal and expiration notices that come to its staff’s attention, and will take legal measures against registrars committing such illegal and fraudulent acts.
4.5 Name Spinning
Name spinning is primarily a tool used legitimately by registrars to offer users more choice and/or alternatives when their desired name is already taken. It is therefore the registrar’s responsibility to use such techniques considerately; the registry cannot even distinguish a name the user typed manually from one the registrar “spun”.
Should name spinning lead to a trademark-infringing domain name, the UDRP allows appropriate action against the holder of that name.
This follows the RAP WG’s recommendation.
4.6 Pay-Per-Click
In agreement with the RAP WG’s view, this is considered a pure web issue rather than an issue of the registration of a particular name. In most cases pay-per-click is a legitimate revenue source for domain name holders and website operators. Any misuse of such practices is outside the registry’s scope; trademark cases are expected to be brought under the UDRP.
4.7 Traffic Diversion
In line with the RAP WG’s view, this is a web issue, and no measures against it are performed or planned in the registry operations.
4.8 Domain Kiting ⁄ Tasting
To prevent mass domain kiting/tasting (as observed in gTLD and ccTLD registries), the registry will implement ICANN’s “Add Grace Period Limits Policy” (http://www.icann.org/en/tlds/agp-policy-17dec08-en.htm). Under that policy, a registrar is no longer credited for add-grace-period deletes that exceed 10% of its net new registrations in a month or 50 names, whichever is greater, which removes the financial advantage of kiting/tasting and hence significantly reduces the volume of such registrations. All registrars will be treated identically, and no exemptions from that policy will be granted.
5 Abusive Use of a Domain Name
The malicious use of domain names is a complex issue that often puts a Registry Operator in an uneasy position. It is beyond doubt that malicious use of domain names in a TLD has a detrimental influence on the reliability, quality and attractiveness of that TLD and is to be avoided as much as possible. However, malicious use is often tied to the content of the website connected with the domain name, and even where that content is illegal or constitutes an offence or crime, a Registry Operator is not competent to evaluate this conduct in the way a magistrate of a competent court of law would.
A Registry Operator that acts upon notices of abusive use of domain names must realize that it is only a matter of time before it is held liable for its actions and interventions. As a Registry Operator working on a not-for-profit basis, DNS.be cannot afford to step in and make unsound judgments leading to questionable decisions and potential damage for domain name holders. Therefore, in dealing with abusive use, Registry Operator distinguishes between the following situations.
5.1 Requests from law enforcement agencies
Registry Operator already has a procedure in place (for .be operations) for dealing with requests from law enforcement agencies. Requests from law enforcement agencies to block or delete domain names are carried out within 24 hours of notice, provided the request is signed by the appropriate magistrate. If the request does not carry a magistrate’s signature, Registry Operator will not act on it but will inform the law enforcement contacts that the proper procedure must be followed. If the request is signed by the competent magistrate, Registry Operator will in all cases proceed and execute it.
5.2 Execution of court decisions
A party previously involved in a lawsuit concerning a domain name will often approach the Registry Operator to have the domain name transferred or deleted. Registry Operator will advise that the parties to a lawsuit should first seek voluntary execution of the court’s decision. If a party can show that the other party refuses to execute the court’s decision, leaving the case unresolved despite the ruling, Registry Operator will intervene and execute the decision by having the domain name transferred to the requestor or deleted, as applicable.
The procedure above is in principle limited to decisions of the Belgian courts. Registry Operator is prepared to examine whether a similar approach can be followed for decisions of foreign courts, but much will depend on the specific circumstances of each case.
5.3 Notice and take down procedure
Registry Operator wishes to give specific attention to malicious uses of domain names that can be evaluated with the assistance of certain government entities or public services. Obvious cases of malicious use are the offering of counterfeit goods, illegal gambling sites, economic fraud and breaches of e-commerce regulations, breaches of tax regulations, the sale of fake medicines, phishing and identity theft, etc. In most of these cases specific government entities or public services have the authority to assess the situation, evaluate whether applicable legislation has been breached, propose appropriate action and sanction the offender.
Registry Operator is currently examining, together with the relevant government entities, how these issues can best be addressed. A workable solution would be for Registry Operator and the relevant government entities or public services to sign a cooperation agreement with reciprocal tasks for each party. The government partners would assess whether a reported case actually qualifies as abusive or malicious use of a domain name; Registry Operator would commit to act on requests from the government partners and proceed with suspension or takedown of domain names. Registry Operator’s liability would be limited insofar as the agreed procedure is integrated into the Registration Terms & Conditions.
6 Registry Interfaces Abuse
The registry will employ the following countermeasures against abuse of the registry system and the DNS network itself:
6.1 WHOIS data harvesting
WHOIS access is a critical and vital function of any gTLD registry, and the registry will of course comply with ICANN’s requirements for WHOIS access.
However, as the SSAC document “Is the WHOIS Service a Source for email Addresses for Spammers?” indicates, WHOIS abuse, and in particular mass harvesting of WHOIS information, can be considered one of the primary sources of email addresses for unsolicited email. WHOIS is also believed to be the main data source for fake renewal notices. Against harvesting of registration data (and particularly of email addresses), the registry will employ the following countermeasures:
•WHOIS query rate limits: Access to WHOIS data will be rate-limited per IP address (for IPv4) and per prefix (for IPv6), with a daily limit of 25 WHOIS queries per address/prefix. Once the limit is reached, the WHOIS server responds with a corresponding notice instead of the actual answer (the limit may be reviewed and adjusted by the Registry Operator from time to time). IP ranges of accredited registrars (and other IP ranges, e.g. ICANN itself and the UDRP and URS service providers) will be excluded from the rate limit. Legitimate queries will still be served, while harvesting data on a broad scale becomes very hard. A harvester that spreads its queries over many addresses or prefixes is not stopped by the limit alone, which is why the WHOIS monitoring described below complements it.
•Email/phone/fax privacy: The EPP contact mapping (RFC 5733) provides a mechanism, the “contact:disclose” element, that lets a registrar define whether the “email”, “voice” (phone) and “fax” fields of a contact are to be publicly disclosed. The registry will set these fields to “do not disclose” by default; registrars can change this default through the normal EPP command stream. When a field is flagged “do not disclose”, it is omitted from anonymous WHOIS output, giving registrants a minimum level of privacy. To support various business processes, IP ranges of accredited registrars (and other IP ranges as needed, e.g. ICANN itself and the UDRP and URS service providers) will still receive the full data set, including the fields marked “do not disclose”.
The implementation described above will have to be examined against the privacy legislation applicable throughout the European Union. A basic principle of European privacy law is the right of a private individual (here, a private-person registrant) to request the omission of his personal data from information services such as WHOIS. The registry will be based in EU territory and will be obliged to align its policies with applicable domestic and EU legal requirements.
•WHOIS monitoring: The WHOIS service will be monitored to identify unusual activity on the interface (e.g. harvesting patterns that stay below the per-address limit).
The countermeasures above provide a well-balanced compromise between the requirements for access to WHOIS data and basic data protection for registrants. More information about the WHOIS service provided by the registry is contained in the response to Question 26.
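As an added illustration of the two WHOIS countermeasures above (this is example code written for this page, not DNS.be’s WHOIS implementation): a daily query counter kept per IPv4 address and per IPv6 prefix with exempt ranges, combined with suppression of the contact fields left at the registry default of “do not disclose” for anonymous clients. The IPv6 prefix length (/64), the exempt ranges, the UTC day boundary and the contact record are assumptions and constructed sample data, since the application does not specify them.

```python
"""Added example (not DNS.be's code): WHOIS anti-harvesting front end.

Assumptions: IPv6 buckets are /64 prefixes (the application does not state a
length), the day boundary is the UTC calendar date, and the exempt ranges and
contact record used in the demo are constructed samples.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

DAILY_LIMIT = 25                              # limit stated in the application
IPV6_PREFIX_LEN = 64                          # assumption, see docstring
DEFAULT_HIDDEN = {"email", "voice", "fax"}    # registry default: "do not disclose"

SAMPLE_CONTACT = {  # constructed sample, not real registrant data
    "name": "Example Registrant", "org": "Example vzw",
    "street": "Rue de l'Exemple 1", "city": "Brussels",
    "email": "registrant@example.brussels", "voice": "+32.21234567",
}


def utc_today():
    return datetime.now(timezone.utc).date().isoformat()


class WhoisRateLimiter:
    """Counts served queries per (day, bucket); exempt ranges bypass the counter."""

    def __init__(self, exempt_ranges, limit=DAILY_LIMIT, v6_prefix=IPV6_PREFIX_LEN):
        self.exempt = [ipaddress.ip_network(r) for r in exempt_ranges]
        self.limit = limit
        self.v6_prefix = v6_prefix
        self.counts = defaultdict(int)

    def bucket(self, ip):
        """IPv4: the address itself. IPv6: the enclosing /v6_prefix network,
        so that one client cannot dodge the limit by hopping within its prefix."""
        addr = ipaddress.ip_address(ip)
        if addr.version == 4:
            return str(addr)
        host_bits = 128 - self.v6_prefix
        masked = ipaddress.IPv6Address((int(addr) >> host_bits) << host_bits)
        return f"{masked}/{self.v6_prefix}"

    def is_exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        # 'in' on a network of the other IP version simply yields False
        return any(addr in net for net in self.exempt)

    def allow(self, ip, day=None):
        """Return (allowed, reason). Only served queries are counted."""
        if self.is_exempt(ip):
            return True, "exempt"
        key = (day or utc_today(), self.bucket(ip))
        if self.counts[key] >= self.limit:
            return False, "daily limit reached"
        self.counts[key] += 1
        return True, "ok"


def render_contact(contact, requester_ip, limiter, hidden=frozenset(DEFAULT_HIDDEN)):
    """WHOIS view of an EPP contact: trusted ranges (registrars, ICANN, dispute
    providers) see everything; anonymous clients only the disclosed fields."""
    if limiter.is_exempt(requester_ip):
        return dict(contact)
    return {k: v for k, v in contact.items() if k not in hidden}


def whois_query(contact, requester_ip, limiter, day=None):
    """One query end to end: rate check first, then the filtered record or None."""
    allowed, reason = limiter.allow(requester_ip, day)
    if not allowed:
        return None, reason
    return render_contact(contact, requester_ip, limiter), reason


if __name__ == "__main__":
    lim = WhoisRateLimiter(["192.0.2.0/24", "2001:db8:1::/48"])  # constructed ranges
    for i in range(27):
        record, why = whois_query(SAMPLE_CONTACT, "198.51.100.7", lim)
        print(i + 1, why, record)
    print(whois_query(SAMPLE_CONTACT, "2001:db8:1::5", lim))   # exempt: full record
```

The registrar-exemption list does double duty here: it both bypasses the counter and unlocks the non-disclosed fields, matching the two bullets above. Note that a registrar that sets `contact:disclose` to show a field overrides the hidden set for that contact; in this model that is represented by passing a different `hidden` set per contact.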
6.2 EPP Interface Abuse
As described in the answers to the SRS and security questions (Questions 25 and 30 respectively), the EPP interfaces of the registry are heavily firewalled, accessible only from the IP ranges of accredited registrars, and protected by EPP authentication. Abuse of those interfaces (such as DDoS or brute-force attacks against username/password combinations) can therefore only be mounted from the networks of parties with which the Registry Operator has a legal agreement. In addition, the EPP interfaces are rate-limited at the network layer.
Registrars that are found abusing the EPP interface and causing harm or nuisance to the technical operations of the registry, will be revoked as registrar. The registrar agreement will contain specific clauses regarding abuse of EPP interface and other technical systems of the registry. Noted abuses will in that context be regarded as breach of contract by the registrar and can lead towards termination of the contract.
6.3 DNS Interface Abuse
Public name servers, hidden masters and the signing infrastructure are configured and firewalled so that they accept NOTIFY and UPDATE messages from the required addresses only. To prevent zone walking (enumeration of the zone) and load peaks, zone transfers (AXFR/IXFR) from the DNS infrastructure are disallowed and disabled. Disabling transfers does not by itself prevent enumeration of a DNSSEC-signed zone through NSEC chain walking; that depends on the signing configuration.
7 Management and removal of orphan glue records
In line with the SSAC’s comments in http://www.icann.org/en/committees/security/sac048.pdf, it is understood that glue records have a vital function in the correct and ordinary operation of the DNS, but can also be used for malicious purposes.
To prevent such misuse, the registry manages glue records according to the following policy:
•Provisioning of host objects with glue: In line with the EPP host mapping (RFC 5732), glue-carrying (“internal”) host objects can only be provisioned when the superordinate (parent) domain name exists in the registry. Host objects that are not under the TLD managed by the registry (“external hosts”) can never carry A or AAAA records.
•Deletion of a domain with subordinate glue hosts: When a domain name transitions from “REGISTERED” to “REDEMPTION” (for example via the EPP “domain delete” command, or through expiration), the domain name itself is removed from the DNS, but any glue records under the deleted domain that are still used by other delegations are kept in the zone for the time being. Registrars whose domains may become less reachable once the host is removed receive a corresponding notification via the EPP message queue.
•When the domain name subsequently transitions from “REDEMPTION” to “PENDING DELETE”, the glue records under the affected domain name are removed from the DNS but still exist in the SRS database.
•In the last step of deletion (transition from “PENDING DELETE” to “AVAILABLE”), the glue host objects are deleted together with the domain and are also removed from every other domain name in the registry that still uses those hosts.
This policy effectively prevents misuse of orphan glue records in the registry, since the status of a host object always follows the status of its superordinate domain, and glue records can never exist for domains that are not in the registry database. Keeping the glue in the zone during the redemption period, together with the notification, also significantly reduces the risk of other domains becoming less reachable (or unreachable), and reduces the effort required from a registrar should such a domain be restored.
In addition to the procedural policy outlined above, the registry operator will also act on written evidence that glue is present in connection with malicious conduct, and will then remove such glue manually.
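The lifecycle described in the four steps above, as an added model written for this page (not DNS.be’s SRS code): host objects follow their superordinate domain through REGISTERED, REDEMPTION and PENDING DELETE to deletion, affected registrars are notified through a stand-in for the EPP poll queue, and the zone is derived from the SRS state at every step. The single TLD “brussels”, the in-memory storage, the sample names and the RFC 5737/3849 addresses are assumptions and constructed data.

```python
"""Added example (not DNS.be's SRS code): glue-record lifecycle tied to the
superordinate domain.  Assumptions: one TLD ("brussels"), in-memory storage,
constructed sample names and documentation-range addresses."""
from dataclasses import dataclass, field

TLD = "brussels"
REGISTERED, REDEMPTION, PENDING_DELETE = "REGISTERED", "REDEMPTION", "PENDING DELETE"


@dataclass
class Domain:
    name: str
    registrar: str
    nameservers: list = field(default_factory=list)
    status: str = REGISTERED


@dataclass
class Host:
    name: str
    addrs: list = field(default_factory=list)

    @property
    def parent(self):
        """Registered name this host is subordinate to; None for external hosts."""
        if not self.name.endswith("." + TLD):
            return None
        return ".".join(self.name.split(".")[-2:])


class Registry:
    def __init__(self):
        self.domains, self.hosts = {}, {}
        self.messages = []   # (registrar, text): stands in for the EPP poll queue

    def create_domain(self, name, registrar):
        self.domains[name] = Domain(name, registrar)

    def update_nameservers(self, name, nameservers):
        missing = [ns for ns in nameservers if ns not in self.hosts]
        if missing:
            raise ValueError(f"unknown host objects: {missing}")
        self.domains[name].nameservers = list(nameservers)

    def create_host(self, name, addrs=()):
        """RFC 5732 rules: only internal hosts carry glue, and only under an existing domain."""
        host = Host(name, list(addrs))
        if host.parent is None and host.addrs:
            raise ValueError("external hosts cannot carry A/AAAA records")
        if host.parent is not None and host.parent not in self.domains:
            raise ValueError("superordinate domain does not exist")
        self.hosts[name] = host

    def _users(self, hostname, exclude=None):
        return [d for d in self.domains.values() if d.status == REGISTERED
                and d.name != exclude and hostname in d.nameservers]

    def _subordinate_hosts(self, domain):
        return [h for h in self.hosts.values() if h.parent == domain]

    def delete_domain(self, name):
        """REGISTERED -> REDEMPTION: delegation leaves the zone, shared glue stays, others are warned."""
        self.domains[name].status = REDEMPTION
        for h in self._subordinate_hosts(name):
            for user in self._users(h.name, exclude=name):
                self.messages.append((user.registrar,
                    f"{h.name} (used by {user.name}) will be removed when {name} is purged"))

    def restore(self, name):
        d = self.domains[name]
        if d.status != REDEMPTION:
            raise ValueError("only domains in redemption can be restored")
        d.status = REGISTERED

    def pending_delete(self, name):
        """REDEMPTION -> PENDING DELETE: glue leaves the DNS, host objects stay in the SRS."""
        self.domains[name].status = PENDING_DELETE

    def purge(self, name):
        """PENDING DELETE -> available: hosts deleted and detached from all other delegations."""
        for h in self._subordinate_hosts(name):
            for d in self.domains.values():
                if h.name in d.nameservers:
                    d.nameservers.remove(h.name)
            del self.hosts[h.name]
        del self.domains[name]

    def zone(self):
        """Records published for the current SRS state, as (owner, type, rdata) tuples."""
        rrs = set()
        for d in self.domains.values():
            if d.status == REGISTERED:
                rrs.update((d.name, "NS", ns) for ns in d.nameservers)
        for h in self.hosts.values():
            if h.parent is None:
                continue
            parent_alive = self.domains[h.parent].status in (REGISTERED, REDEMPTION)
            if parent_alive and self._users(h.name):   # glue only while a live delegation needs it
                rrs.update((h.name, "AAAA" if ":" in a else "A", a) for a in h.addrs)
        return rrs
```

Run through with two constructed domains (example.brussels with its own in-bailiwick host ns1.example.brussels, and other.brussels delegated to that host plus an external one), the zone keeps the A record for ns1.example.brussels after example.brussels is deleted, drops it at PENDING DELETE, and at the final purge other.brussels is left with only its external name server, exactly the sequence the four bullets above describe.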
8 Resourcing Plan
8.1 CERT.at is a department of the backend provider
Note that CERT.at, the Austrian Computer Emergency Response Team, staffed with 5 full-time equivalents, is a department of nic.at and shares offices with the registry operations team. World-class security and anti-abuse competence is therefore available literally “next door” to the registry operations centre.
8.2 DNS.be staff available for .brussels
The registry for .brussels will share its premises with DNS.be, the registry operator for .be. DNS.be has sufficiently trained and experienced staff (total head count of 22) who will also be deployed for .brussels operations.
DNS.be has included an increase in staff resources in its business plan and budget outlook in order to provide maximum support for the gTLDs under its care. Additional staff will also be deployed in the administrative, legal and regulatory units, and thus for the handling of incoming complaints, abuse reports and related questions.