Evidence & Privacy: ICANN, and the Domain Name System · 13.12.2012

Date post: 23-Mar-2020
Evidence & Privacy: ICANN, and the Domain Name System Dave Piscitello ICANN Senior Security Technologist ICLN 2012

Evidence & Privacy: ICANN, and the Domain Name System

Dave Piscitello, ICANN Senior Security Technologist

ICLN 2012


ICANN’s Limited Role & Remit

ICANN coordinates Internet Domain Names and Numbers… and facilitates policy for same

• ICANN is not a regulatory agency

• ICANN delegates administration of domain names to registry operators

• ICANN accredits registrars to process domain name registrations


When are names or numbers relevant to ecrime activities?

• Spam
• Phishing or Fraud
• Illicit content
• Illegal goods or pharma
• Denial of service attacks
• Botnet operation
• Many others…


Domain Names & Evidence Collection

• Where domain names are misused for criminal purposes,
• Investigators work directly with registries or registrars
• They typically have what you need
• They can take the actions you request

• ICANN does not provide legal advice to registries or registrars

• Name registry operators or registrars make their own legal decisions, are subject to own rules or regulations


Domain Seizures or Take Downs

• Warrants and restraining orders are increasingly used to dismantle prominent criminal networks
  • Rustock, Coreflood, Kelihos, ZeuS

• Actions sought in orders:
  • Remove a domain name from a registry
  • Transfer a domain name from a defendant to a complainant
  • Remove a domain name from the DNS (the name will not resolve) – or –
  • Redirect the domain name (i.e., have it resolve to a surveillance host, remediation or notification page)

Similar actions may be sought from RIRs for addresses


What information is relevant when preparing an order?

Information relevant to domain misuse

Domain Name (managed in registry DB)

Contacts, DNS info (managed in Whois)

DNS info, status (managed in Whois DBs)


What should you provide when preparing an order?

1. Who is taking the legal or regulatory action or issuing a request?

2. What changes are required to the registration of the domain name(s) listed in the legal or regulatory order or action?

3. Should the Domain Name System (DNS) continue to resolve the domain name(s) listed in the legal or regulatory action?

4. What changes are required to the WHOIS information associated with the domain name(s) listed in the legal or regulatory action?


What should you consider to minimize collateral harm?

Examples of questions to ask before you file:

• Will your action disrupt
  – Name service for other (reputable) domains?
  – Hosting services for parties other than those named in your order?

• What services other than web are affected by your action on the domain name?

• What do you expect as the “long term disposition” of the domain name?

• Could your actions interfere with other active investigations, monitoring, surveillance…?


What About Privacy?

Privacy

Accessibility

Anonymity

Accuracy

ccTLDs set their own policies


Accuracy versus Anonymity

• For gTLDs, Whois policy is a multi-stakeholder consensus matter
  – Should all registration data be kept private?
  – Should registration data only be available with court order?
  – Should ICANN distinguish commercial use registrations from personal registrations?
  – Should higher accuracy standards be set?
  – Should validation criteria be defined and enforced?
  – Should privacy protection services be off limits to commercial use registrations?
  – Should registrants satisfy stringent criteria to qualify for privacy protection services?

• Law enforcement and governments participate in the policy development process
  – Role or opportunity for international criminal law experts?


Accessibility versus Privacy

• Prevalence of private registrations in general population
  – 18% of domains randomly selected from general population (NORC, Feb 2010)
  – 20% of domains randomly selected from general population (ICANN GNSO commissioned, 2012)

• Results of studies on prevalence of private registrations among malicious registrations
  – 38% of malicious domains hosted at 3FN (APWG, Oct 2009, Piscitello)
  – 31% of domains randomly selected from SpamHaus Domain Block List (INET Asia, April 2010, Piscitello/Sheng)
  – 31% of domains randomly selected from SpamHaus Domain Block List (APWG, Sep 2010, Piscitello/Sheng)


Questions?

Contact: Dave Piscitello, ICANN



Reading List

• Thought Paper on Domain Seizures and Takedowns
  http://blog.icann.org/2012/03/thought-paper-on-domain-seizures-and-takedowns/

• Abuse of Domain Name Privacy Protection Services
  http://securityskeptic.typepad.com/the-security-skeptic/2010/04/domain-name-privacy-misuse-studies.html

• Abuse of Domain Privacy Protection Services: Act Deux
  http://securityskeptic.typepad.com/the-security-skeptic/2010/10/misuse-of-domain-privacy-protection-services-act-deux.html

• Private domain registrations at 3FN
  http://securityskeptic.typepad.com/the-security-skeptic/2009/10/private-domain-registrations-at-3fn.html

• Study of the Accuracy of WHOIS Registrant Contact Information
  http://www.icann.org/en/compliance/reports/whois-accuracy-study-17jan10-en.pdf


Appendix: Domain name jargon

• Registries
  – gTLDs: Businesses under contract with ICANN to operate a generic Top Level Domain (BIZ, COM, INFO, NET, ORG…)
  – ccTLDs: Top Level Domains operated by or on behalf of countries and territories (AU, CH, CN, DE, JP, LY, RU, UK)

• Registrar
  – For generic TLD registries, an ICANN accredited business that processes domain registrations

• Registrant
  – The individual or organization that registers a domain name
  – For generic TLDs, registrants choose an ICANN accredited registrar
  – For country code TLDs, the ccTLD operator may process registrations directly or may use registrars of its choosing
