The State of DNS Abuse: Moving Backward, Not Forward

Read the original article: The State of DNS Abuse: Moving Backward, Not Forward


ICANN’s founding promise and mandate are optimistic — ensure a stable and secure internet that benefits the internet community as a whole. Recent months, however, have highlighted the uncomfortable truth that ICANN’s and the industry’s approach to DNS abuse is actually moving backward, ignoring growing problems, abdicating on important policy issues, and making excuses for not acting. Further, the impending failure of ICANN’s new WHOIS policy to address cybersecurity concerns will add fuel to the fire, resulting in accelerating DNS abuse that harms internet users across the globe.

ICANN, though, has an opportunity here to not disappoint its community by taking courageous steps toward doing the right thing about DNS abuse. First, it needs to fully enforce its contracts with those registries and registrars that routinely harbor bad actors and have excessive rates of abuse. It should also demand that any new WHOIS policy helps, not hinders, cybersecurity professionals mitigating DNS abuse in a timely manner.

DNS abuse still grows unchecked in the face of COVID-19

DNS abuse continues to grow unabated, and the parts of the ICANN community concerned with abuse have been voicing their worries urgently for some time now. The Business Constituency (BC) sounded this alarm last fall, and others — including the Governmental Advisory Committee (GAC) — are on record with impatient statements to ICANN that abuse can no longer be ignored.

COVID-19 scams have magnified the problem. Criminal opportunists, to no one’s surprise, are exploiting public fear and leveraging the DNS to lure victims. WIPO documents a surge in cybersquatting case filings and, according to the National Association of Boards of Pharmacy, “rogue pharmacy” scams — which now are pushing unproven COVID-19 treatments — are rampant at domain names sponsored by notoriously lax registrars. Google reported a dramatic surge in COVID-19 related abuse, citing 18 million daily malware and phishing emails related to COVID-19 during one week in April.

Even more recently, registry provider Neustar reports “an increase in the overall number of attacks as well as in attack severity . . .” In addition to noting that it has “mitigated more than double the number of attacks in Q1 2020 than in Q1 2019,” Neustar also reported “an increase in DNS hijacking, a technique in which DNS settings redirect the user to a website that might look the same on the surface but often contains malware disguised as something useful.”

Law enforcement has taken notice, of course. According to the FBI, complaints received at its Internet Crime Complaint Center (IC3) more than doubled in April, reporting crimes that resulted in hundreds of millions of dollars of damage.

COVID-19 Response: Law Enforcement Perspective (Source: FBI)

While a few responsible registrars and registries have recently addressed abusive COVID-19 domain names in coordination with law enforcement, this response was not universal. Voluntary frameworks do not replace ICANN’s responsibility to ensure that all registrars and registries participate in DNS abuse mitigation efforts, as requested by a growing consensus of stakeholders.

Warnings from ICANN’s Stakeholders Ignored

The BC wasn’t the first to raise the red flag on DNS abuse. Look back in time — in this instance, almost five years — and one can see that abuse has been the subject of repeated advice from security experts, governments, community members and others exercising their mandate under the Bylaws to advise the ICANN Board.

Date – Source: Message

January 2016 – SSAC (SAC077): ICANN should collect and disseminate information about known categories of how domain registrations are used for abusive and fraudulent purposes.

November 2016 – GAC (Hyderabad Communiqué): GAC questions the Board on ICANN’s plans for abuse mitigation.

June 2018 – SSAC (SAC101): Security practitioners’ and law enforcement’s ability to mitigate cybercrime and DNS abuse has been negatively affected.

September 2018 – CCTRT Final Report: ICANN Org should work with registries and registrars to add provisions to contracts aimed at preventing DNS abuse.

October 2018 – GAC (Barcelona Communiqué): Not having reasonable access to WHOIS data is prolonging the exposure of victims to crime and abuse.

October 2018 – SSAC (SAC103): SSAC recommends that requirements for new gTLDs include robust abuse mitigation measures.

December 2018 – SSAC (SAC104): The current lack of a definition of “reasonable access” impacts the ability of security actors to fight abuse and cybercrime.

September 2019 – GAC (Statement on DNS Abuse): Protecting the public from security threats and DNS abuse is an important public policy issue.

November 2019 – GAC (Montreal Communiqué): The Board shouldn’t proceed with a new round of gTLDs until after implementation of recommendations on DNS abuse mitigation.

December 2019 – ALAC: DNS abuse is a key factor eroding confidence in a single, trusted, interoperable Internet.

March 2020 – SSAC (SAC110): It’s clear the domain name system is under continual pressure from various forms of abusive and fraudulent behaviours, and the position is not improving.

March 2020 – GAC (ICANN67 Communiqué): GAC reiterated its previous advice calling for implementation of community recommendations on abuse mitigation.

June 2020 – GAC (ICANN68 Communiqué): Governments, ICANN, and the community must take a multi-pronged approach to combating DNS abuse.

Yet, the ICANN Board has largely ignored calls for action.

ICANN Org has facilitated a lot of talking — it scheduled a cross-community discussion on abuse during its Montreal meeting last November and another one during its virtual meeting in June. Between those meetings, though, the ICANN Board responded with a wary letter to the BC defending its ticketing record and only this May, through a memorandum of understanding (MOU) with FIRST, seemingly acknowledged the rampant abuse problem and the need to do more than simply rely on best practices offered up by its contracted parties.

However, we’re left with no tangible result from these discussions, except the insistence by ICANN Org leadership that anything related to fighting abuse must come from the community — a community where parties with outsized influence block meaningful anti-abuse measures.

The Ball is in ICANN’s Court

If nothing changes, the pattern will continue: DNS abuse will persist as it has, and policy groups will continue to punt on new DNS abuse requirements despite objections. ICANN Org must break out of its rut and secure real tools for mitigating abuse, including a robust WHOIS system that lets responders identify and proactively respond to DNS abuse. The current proposals of the Expedited Policy Development Process (EPDP) working group, which refuse to treat phishing-related WHOIS requests with urgency, are woefully inadequate: for example, responses to queries can be expected within ten business days. Phishing attacks are mitigated in hours, not days, to protect people from identity theft and financial ruin. This is just one of many problems with the new EPDP WHOIS policy that is shortly to be teed up for approval.

The ball is now squarely in the Board’s court to demand that ICANN Org show leadership and do what it is supposed to do as an accrediting body meant to oversee the DNS. While confidence in ICANN’s capabilities continues to erode, there’s still an opportunity to remedy things for the better — it requires leadership, a firm direction, and community collaboration, but it’s not too late to act.

Written by Mason Cole, Internet Governance Advisor at Perkins Coie
