DNS Abuse Mitigation
Malicious activity on the Internet routinely threatens and affects domain name registrants and end-users by leveraging vulnerabilities and features of all aspects of the Internet and DNS ecosystems (protocols, computer systems, domain registration processes, users, etc). When at scale, some of these nefarious activities may threaten the security, stability and resiliency of the DNS infrastructures.
These threats are generally referred to as DNS Abuse within the ICANN Community and include activities such as Distributed Denial of Service Attacks (DDoS), Spam, Phishing, Malware, Botnets and the distribution of illegal materials.
Public Policy Interests at Stake
- Consumer Protection
- Crime prevention and attribution
- Stability, Security and Resiliency of the DNS
Expected Outcomes of this Activity for the GAC
Mostly through work of its Public Safety Working Group (PSWG), the GAC is currently and continuously engaged in initiatives, studies and developments seeking to assess the threat landscape and to implement effective mechanisms in ICANN policies, contracts and procedures to prevent the occurrence, and mitigate the consequences, of such abuse.
The GAC, assisted by its growing body of law enforcement experts in the PSWG, has been instrumental in the adoption of contractual provisions seeking improve ICANN’s ability to prevent and mitigate DNS Abuse.
However, the effectiveness of these provisions has been limited by challenges in their implementation or by evolutions in the threat landscape. As a consequence, the GAC remains closely engaged with the ICANN organization and relevant initiatives in the ICANN Community to raise awareness, address deficiencies and development relevant and effective Abuse Mitigation capabilities.
Effectiveness of DNS Abuse Safeguards in Registries and Registrars Contracts
Building on the Law Enforcement Due Diligence Recommendations (October 2009), the GAC successfully sought the inclusion of DNS Abuse Mitigation Safeguards (among other Safeguards) in ICANN’s contracts with Registries and Registrars:
- The 2013 Registrar Accreditation Agreement (17 Septembre 2013) was approved by the ICANN Board (27 June 2013) after the inclusion of provisions addressing the 12 Law Enforcement recommendations (1 March 2012)
- The New gTLD Registry Agreement was approved by the ICANN Board (2 July 2013) after the inclusion of provisions in line with GAC Advice in the Beijing Communiqué, consistent with the ICANN Board Proposal for Implementation of GAC Safeguards Applicable to All New gTLDs (19 June 2013)
By the ICANN57 meeting (November 2016) the GAC had identified a number of provisions and related safeguards for which it could not assess the effectiveness. As a consequence, in its Hyderabad Communiqué (8 November 2016) the GAC sought clarifications from the ICANN Board on their implementation. This led to a dialogue between the GAC and the ICANN organization until the sharing by ICANN org of a set of draft responses (30 May 2017) which were discussed in a conference call between the GAC and the ICANN CEO on 15 June 2017. A number of questions remained open and new questions were identified as reflected in a subsequent working document (17 July 2017).
Among the outstanding topics of interest to the GAC, an Advisory, New gTLD Registry Agreement Specification 11 (3)(b) was published on 8 June 2017 in response to questions from some registry operators concerning what practices they could implement to establish compliance with Section 3(b) of Specification 11 of the New gTLD Registry Agreement. The Advisory offers one voluntary approach registry operators may adopt to perform technical analyses to assess security threats and produce statistical reports as required by Spec 11 (3)(b).
More recently, the ICANN organization published a blog (8 November 2018) highlighting efforts by its Contractual Compliance department to address DNS Infrastructure Abuse by conducting audits focusing on process, procedures, and handling of DNS infrastructure abuse and reviewing security threat reports for completeness and comparing them against publicly available reports.
Effectiveness of the Framework for Registries to Respond to Security Threats
As part of the New gTLD Program, the ICANN Board resolved (25 June 2013) to include the so called “security checks” (Part of the Beijing Communniqué GAC Safeguards) into Specification 11 section 3b of the New gTLD Registry Agreement. However, because it determined that these provisions lacked implementation details, it decided to solicit community participation to develop a framework for “Registry Operators to respond to identified security risks that pose an actual risk of harm (…)”.
In July 2015, ICANN formed a Drafting Team composed of volunteers from Registries, Registrars and the GAC (including members of the PSWG) who developed the Framework for Registry Operator’s Response to Security Threats that was published on 20 October 2017, after undergoing public comments.
This framework is a voluntary and non-binding document designed to articulate guidance as to the ways registries may respond to identified security threats. In particular, the Framework introduces a 24h maximum window for responding, upon acknowledging receipt, to High Priority requests (imminent threat to human life, critical infrastructure or child exploitation) from legitimate and credible origin such as a government law enforcement authority or public safety agency of suitable jurisdiction over the Registry Operator.
Consistent with recommendation 19 of the CCT Review (8 September 2018), the GAC may wish to consider reviewing the effects and effectiveness of the of the Framework.
Awareness: ICANN Community Engagement
The PSWG has led a number of cross-community engagement at ICANN meetings over the past few years seeking to raise awareness and explore solutions with relevant experts, most notably:
- During ICANN57 in Hyderabad (5 November 2016), the PSWG led a High Interest Topic session: Mitigation of Abuse in gTLDs which was designed as an exchange of views across the ICANN Community and highlighted: the lack of a shared understanding of what constitute DNS Abuse; the diversity of business models, practices and skills influencing approaches to mitigating abuse; and the need for more dialogue and cooperation, supported by share data on security threats.
- During ICANN58 in Copenhagen (13 March 2017), the PSWG proposed a Cross-Community Session: Towards Effective DNS Abuse Mitigation: Prevention, Mitigation & Response, which discussed recent trends in DNS Abuse, in particular Phishing, as well as behavior such as domain hopping across registrars and TLDs which may require more coordinated and sophisticated responses in the industry. The session also served to highlight of the new Domain Abuse Activity Reporting (DAAR) initiative, the ongoing collaboration between ICANN’s Compliance and SSR functions and the opportunity of leveraging New gTLD auction proceeds to fund the needs of Abuse mitigation.
- During ICANN60 in Abu Dhabi (30 October 2017), the PSWG hosted a Cross Community Session: Reporting of DNS Abuse for Fact-Based Policy Making and Effective Mitigation to discuss the establishment of reliable, public and actionable DNS Abuse reporting mechanisms for the prevention and mitigation of abuse, and to enable evidence-based policy making. The session confirmed the need for publication of reliable and detailed data on DNS Abuse, as contained in the Domain Abuse Activity Reporting (DAAR) tool. The PSWG pledged to develop a set of draft GAC principles in this regard in its reporting of the session in the GAC Abu Dhabi Communiqué.
Awareness: DNS Abuse Studies
New Capabilities: Domain Abuse Reporting Capabilities
New Capabilities: CCT Review Recommendations