IGF 2022 Day 3 WS #505 DNS Abuse: Where are we and where do we want to be

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.



>> MODERATOR: So on my clock, it says it's 6:00 in Ethiopia, which means it's time for our session.  I would like to ask our friends from tech if we are good.  Are we good to go?  So, perfect.  I declare this session started.  Thank you very much, everyone, for being here.  It's a pleasure.  This is kind of a unique opportunity.  It's the first time that the business constituency from ICANN is hosting a panel at the IGF.  So to us, it's a minor accomplishment, but still one that we are very happy about.  We are here to discuss DNS Abuse.  It's a topic that's very dear to us.  It's been a pet peeve of our Chairman, Mason Cole, so to say.  And in very general lines, what DNS abuse is, for those who don't follow this very closely, is when you take the DNS and you make very weird things with it that you shouldn't be doing.  Let's say the (?).  This can take place in many ways.  The ones that we look into the most are exactly distribution of malware, operation of command and control dot‑nets which basically you use DNS in many domain names to instruct machines to do harm.  We also consider phishing or otherwise misleading domain names to be part of DNS abuse.  And all of these matters have been unaddressed for quite a bit.  And we are finally being able to, within the ICANN sphere, take some action, get a move on, and actually generate some results.  And that's why I call on Mason to kind of give us a bit of a history lesson.  This is ‑‑ has been his mission for a long time to get this kind of started.  It's been very interesting to see it develop.  So, Mason, can you give us some general insights on what this has looked like historically, like, what's going on, how we got here? 

>> MASON COLE: Thanks very much, Mark.  Do you hear me well? 

>> MARK DATYSGELD: Loud and clear. 

>> MASON COLE: Well.  Well, first let me say it's a pleasure to be with everybody here at IGF.  Good very early morning from the West Coast of the United States.  My name is Mason Cole, I'm Chair of the Business Constituency at ICANN and it's a pleasure to be with you all today.  So thank you for the opportunity to address this session.  So following up on what Mark just introduced, let me just talk about a bit about what's BC's involvement has been in DNS abuse. 

             The business constituency has long worked on the issue of DNS abuse and has been active on this advocating for industry and regulatory actions since at least 2018.  So since the current administration took the Chair in 2020, this BC administration has prioritized action on DNS abuse as a desired outcome from BC participation in the ICANN sphere. 

             So our objective has been twofold.  One is reduce the incidence of DNS abuse, and second, and equally important, equip ICANN's compliance department with the tools it says it needs but currently lacks to enforce against domain name registrars and registries that intentionally harbor those who abuse the domain name system.  So we have a two‑pronged approach that we've pursued now for the past probably five years or so. 

             Now, why is DNS abuse of concern?  Well, the BC's goal is well justified because the incidences of DNS abuse have been steadily rising over the years, no matter really what ‑‑ by what objective measure you can implement.  So multiple examinations of the market in and the DNS confirmed this is the case, even in 2022 alone, global cyber attacks increased by 28% in the third quarter of 2022, compared to the same period in 2021.  In the second quarter of 2022, the Anti‑phishing Working Group observed 1.1 million phishing attacks, which is a new record and the worst quarter they've ever observed.  And according to Interaisle, which is an industry research group, there are 1,199 accredited domain name registrars that currently host malware‑related domain names.  So we have a situation in the DNS where there's a great deal of difficulty in dealing with DNS abuse.  The cases are on the rise, and ICANN is in the unique position to help us do something about it. 

             So first what's the industry's answer been to DNS abuse?  Well, there have been a couple of positive steps.  There have been things like the DNS Abuse Institute, the DNS Abuse Framework.  Other frameworks that contracted parties, meaning registrars and registerees have signed on to that will help mitigate DNS abuse.  And these are applaudable, but they do stop short of dealing with the contracted parties that turn a blind eye toward abusers of DNS. 

             So what we're looking for from ICANN's compliance function and as it has said many times over the years, that compliance function needs better contractual tools for holding rogue contracted parties accountable for intentionally harboring abuse.  So let me turn to the questions that were posed by IGF in advance of our session.  Number one, what are the trends in DNS abuse and how can the available data be interpreted, considering different data sources and the types of abuse that exist?  Well, again, trends are increasing.  The BC has looked at data From Anti‑phishing Working Group, the messaging malware mobile anti‑abuse working group known as MMMAWG, sonic wall, the FBI cyber crime information center, the European Union study on DNS abuse published earlier this year.  The World Intellectual Property Organization, Google cloud, Krebs on security, ARS, Paolo aloe Networks, you name it, we've looked at data sources that have informed us about the level of DNS abuse, and all our reporting worrying increases in cyber crime trends. 

             So where does that leave us?  Well, unfortunately the ICANN reporting on DNS abuse is kind of an outlier because they have said that DNS abuse is on a downward trend.  We respectfully disagree because most cybersecurity authorities that we consult with report that online abuse and misuse of the DNS is actually at an all‑time high. 

             Question number 2.  How can the Internet community effectively collaborate to ensure that abuse rates decrease in a consistent manner?  Well ‑‑ yes. 

>> MARK DATYSGELD: Thank you kindly.  I want to (?) And hand it back to you.  Does that make sense? 

>> MASON COLE: Yes.  Of course, please. 

>> MARK DATYSGELD: It's supposed to be more informal.  We don't need to be as formal as usual. 

>> MASON COLE: Perfect. 

>> MARK DATYSGELD: Great introduction.  I'd compliment it much better than I could.  Lawrence, can you give us a bit of perspective (?) Right?  You're speaking to us straight from the Abuja hub.  And it would be great to hear more about everything that has been going on.  You are the BC's Vice President for Finances, and definitely you have a very, I would say, very keen perspective on the subject.  Can you give us some ideas? 

>> Thank you very much, Mark.  That was lovely start‑up from Mason.  And my name's Lawrence.  Thank you very much for the introduction, Mark.  I'm speaking to from the remote hub of the IGF in Abuja which happens to be the capital of Nigeria.  This hub has, for the past five years, received support from the business constituency of ICANN to keep it live for a week, and there was a time where we definitely had two weeks of IGF meeting during the COVID, if you still remember that period.  We still had our doors open. 

             To the topic on ground.  So first of all, DNS abuse is definitely a global trend.  It's not something that's, to some extent, affects a region over the others.  And here in the Global South, we definitely have had our fair share of it.  Just before 2019 when GDPR hit and, you know, the (?) Went dark.  We had been having series of problems in terms of accuracy, of registrant data.  And the practice in Africa, which is very much like what happens in the Global South, is that we have a lot of resellers who piggyback on the infrastructure and the backbone of, you know, major DNS players to resell domain names.  And in the process of doing this, as resellers, they not only try to automate the system, but to a larger extent, it's still a manual process.  And so what we see happen is a situation where the resellers, the local resellers, on one hand, trying to ensure that they don't give out too much information to their competitors, use their own data, their own personal information, to register the domains rather than the registrants. 

             And to some extent this feeds back into what our quote/unquote the big players, the registrars, the contracted parties, get to keep at the back end of the information they have.  So we had had ‑‑ we have been having issues around accuracy of registrant data.  And this is very important.  I also happen to play in the CCTL space here and to a large extent see issues where law enforcement get ‑‑ when they cannot reach a registrant who has done something funny on the 'net, you know, will go into the WHOIS to peek at the records of whoever was there to at least have someone to reach or to offset with regards to that domain. 

             Now, that is bad enough as it is, but when we had the GDPR hit us, it's mandated that personal information had to be redacted, and that, again, provided another layer of challenges because the WHOIS went dark.  With this happening ‑‑ I mean, where he have all forms of abuse happening due to bad actors, we basically, like, opened the doors ‑‑ opened the gate for bad actors to freely act because the tool that the community uses, that the public uses, to be able to, you know, monitor what's happening with regards to domain or, you know, have some form of enforcement take place has been taken off the radar. 

             I mean, this is one of the reasons why I concur with what Mason has said earlier on with regards to, you know, the claim that abuse is going down.  I actually feel that abuse has, you know, increased because of the situations that we found ourselves with a legitimate call to take the WHOIS off the streets, if I can use that word. 

             I will give it back to Mark or to Mason, and then I can maybe go further in subsequent opportunities to talk about how this especially affects the African and the Global South as a whole. 

>> MARK DATYSGELD: That's beautiful, Lawrence.  Thank you for bringing this perspective.  This is exactly what I think is one of the great strengths of our group is that we have a lot of representation in the Global South.  That's why I think we accomplish a lot.  We have thankfully a lot of guests here in the room.  And, you know, it's (?) Session.  We don't need to follow the structure.  Would anybody like to add any comments, or should we move on with our speakers?  Does anybody have interests, stories, experiences, or perspectives?  If not, we can move on.  Our good friend Salu from Brazil or tech representative, please go on. 

>> I just would like to ‑‑ my name is Salu, I'm here as part of the (?) Program.  I have a technical background.  And I have some ‑‑ also a situation in ICANN, mostly under the (?) Domain.  (?) In terms of fighting the DNS abuse (?) In your work. 

>> MARK DATYSGELD: Thank you.  That's actually really interesting because, you know, coming from your background of IDNs, international domains, that used to be a big concern, right?  Like, how do you abuse internationalized names to actually exploit.  But those have been going down significantly because so much work has been done by the cybersecurity community to stop script mixing.  Anyone can pitch extra about, or not.  I don't know.  I don't want to put you on the spot, but maybe something you can say a little more about.  So that concern has kind of gone away.  And it has become ‑‑ these actors, they can benefit from different things like new TLDs, top‑level domains.  They can sometimes sell domains for very cheap to make their strategies work.  So the (?) Not doing so well, you can go do it for free in times or for very cheap to kind of justify your investment.  But then it comes to the situation where it's, like, okay.  It's free.  This is potentially good.  But who thinks this is even better?  Malicious actors.  Right?  Let's register 10,000 domains here and use it for a bot net, you know.  So I wonder if any of the remote panelists have an impression on this.  Mason?  Lawrence? 

>> MASON COLE: I'll let Lawrence begin. 

>> Thank you, Mason.  What you say is actually very true.  There has been this trend, so to say, for where we have a lot more abuse happening around TLDs that are given out for free or quite cheap.  We have a number of registries that will give a lot of bonanzas.  You can get the TLDs for less, for close to a dollar, if you will, you know, buy for over a long period in time.  And I will give a case in point.  And this happens to be a personal experience.  So I got a couple of friends reaching out to me to say we found something on the 'net, and the story isn't quite ‑‑ it's quite unsettling for us.  And so they send me the link to this particular website on one of our new GTLD brands. 

             And that particular domain was marketing some form of an enhancement product and had my picture and a story that was accredited to me.  The picture was clearly mine, but the story was quite ‑‑ wasn't quite aligning because the location where the person claimed to live, the age, and all that didn't match with mine.  But the bottom line still remains that this was me looking at my picture on a site selling a product that I had nothing ‑‑ no kind of connection to.  Yet more or less one couldn't do anything about it.  So I reached out to the registry, the guys behind that particular TLD, to say, well, I've seen this about me.  This is not about me, and I want it taken down.  The registry reaches back to me.  I'm talking about something in the range of about three, four months ago.  So it's a very recent case. 

             The registry reaches back to me to say we just sell domains.  There is nothing else we can do about this.  Take it up with the hosting company.  And so I write to the hosting company, somewhere in South America, and they're getting back to me to say I cannot tell who is behind this domain as we speak because the WHOIS records has already been redacted all thanks to GDPR.  So I don't have a direct contact to reaching whoever the abusers are.  But the hosting company gets back to me to say we will advise that you, you know, you get a court ‑‑ what's that word called?  I can't remember again.  But, you know, I should start a process in court where they are able to even divulge to me the guys behind the domain name. 

             So I'm now wondering, am I supposed to set up this process, this judicial process, in my region here in Africa?  Will it apply to them, or am I supposed to find a lawyer in their jurisdiction, somewhere in South America, where I am not so familiar with, which will definitely cost me an arm and a leg to be able to get information about the actors behind this domain name. 

             This is the kind of frustration, you know, that people have to endure on a day‑to‑day basis.  And that is why I also believe that, you know, DNS abuse has to be dealt with decisively.  We might have different reasons why we feel it's not in our environment, it's not in our space, but these are real‑life issues that impart on not just the registrant itself.  It impacts on lives ‑‑ on real human lives, on business, on everyday living.  Mason, I will give the floor back to you at this point. 

>> MASON COLE: Thank you, Lawrence.  Mark, if I may. 

>> MARK DATYSGELD: Yes, go ahead. 

>> MASON COLE: Thank you.  So I agree 100% with Lawrence that there is a direct correlation between low‑cost sellers of domain names and the instances of abuse.  We've seen this now repeated for the past, I don't know, decades now where you have problem behaviors within registrars, things like multiple bulk registrations.  You have domain names that are sold for $1 or less.  And these kinds of circumstances afford DNS abusers the opportunity to leverage the domain name system to carry out whatever program they're trying to carry out, to carry out a nefarious scheme. 

             So it is ‑‑ there is evidence in the marketplace that shows that low‑cost providers of domain names tend to harbor more DNS abuse.  Sames is the case with top‑level domains, that low‑cost TLDs tend to find more incidences of DNS abuse.  And I know this is a critical discussion point within the ICANN sphere about whether or not to try to do something about that.  But it is a data point within DNS abuse that we need to address, that low‑cost providers are disproportionately housing difficult domain names.  Mark, back to you. 

>> MARK DATYSGELD: Thank you very much to both of you.  This is actually pretty enlightening.  I would like to ask if anybody from the online audience or anybody from the in‑person audience here would like to add anything or proceed with the question?  Please. 

>> Hi.  (?) Here speaking as an IGF participant.  Thank you very much for a very interesting case, Lawrence, and very disturbing.  I think some of the issues that not only ICANN but beyond ICANN community probably needs to work on, I did want to raise as a kind of question is that I have heard of, you know, there's this relation between the GDPR and the redaction of some of the WHOIS fields in terms of use, but in the past where they asked for additional information about it, usually there doesn't seem to be much information like data on the actual correlation.  And there's also an argument that, you know, if a bad actor is registering, they don't use real information anyway.  (?) It shouldn't make a big difference.  So just get a sense of what do you think about that and, you know, why a bad actor won't give bad information anyway, you know, even if the WHOIS information was shown? 

>> MARK DATYSGELD: I think (?) Mason but I will give just the first scratch at that.  Remembering everything that, you know, I discussed with Microsoft security team, which pretty much some of the people who do a lot of work on DNS abuse protection, even when you're using malicious‑generated data, you can still find patterns there.  You can still find a general trend in there, which does not exactly solve the issue, but gives you a direction to go towards.  But I will point specifically towards Mason here who is more organized on this.  Mason, please. 

>> MASON COLE: I think I caught most of the question, but if I understand the question correctly, or comment, it has to do with the redaction of WHOIS data has really had that significant of an impact on the investigatory capability of reading out DNS abuse.  I would say that, yes, since 2018 when WHOIS was massively redacted, I think any cybersecurity authority or any person that speaks with credibility over the security of the DNS would tell you that the difficulty around investigating DNS abuse, because of the redaction of WHOIS, has contributed to the increase of DNS abuse over time. 

             And we have a situation now where, you know, even if you've got a domain name that is being used for nefarious purposes or whatever and you've got a dark WHOIS record, Mark is correct.  There is the ability to suss out patterns, and otherwise even with a sliver of data, be able to find some data that would be helpful in the investigatory sense.  So I don't necessarily buy the argument that redaction of WHOIS data has not contributed to the incidences of DNS abuse.  I believe that's actually the case.  If that weren't the case, I don't think we'd see the upward trend lines that we do in DNS abuse now.  So I hope that's helpful, Mark. 

>> MARK DATYSGELD: It is very helpful.  Would you like to address that? 

>> Yeah, just quickly on that.  Yeah, I don't disagree with what was said, and especially in the investigation and especially in research and pattern matching those kind of things.  I guess what I wanted to raise is that, you know, for a specific case like Lawrence's situation, it doesn't ‑‑ on a specific case, it doesn't necessarily matter that much.  But, yes.  I totally agree, in terms of the larger scheme of things, yeah.  So I agree with that. 

>> MARK DATYSGELD: Yeah.  And that kind of dovetails into the big announcement here.  It's not a big announcement because it's been going on since the start of the year, but not everyone here may know, we have managed to achieve a bit of a landmark in the ICANN community now.  We have a small team coming from our generic names, the (?) Council in which we got together, all stakeholders, representatives from literally every ICANN stakeholder, we came together with the idea of how do we address this in some way that's more immediate that doesn't require us to be talking about this forever?  And very recently we delivered a report specifying some basic changes to ICANN contracts that could be helpful.  And our friends from the contracted body, the registrars and registerees were replying to that almost immediately saying that they are starting an internal negotiation now to change some of the provisions around DNS abuse, so that comment is more effective.  And so me what this represents is we are ‑‑ we were able to take an issue that's very pressing and actually work as a community and achieve something meaningful, leaving aside some of the other questions.  The WHOIS fight, you know, it will rage on.  But now we'll be able to actually have some basic measures of control in which pretty much the big change that we are seeking here in this renegotiation of contracts is that the registrar, the one who sells the domain name, actually has to do something about the complaint.  Right now what we found out, after a year of inquiry with ICANN compliance, as Mason mentioned, we have been talking to them a lot, is they can write very strongly‑worded letters saying that this is wrong.  And that's not exactly where we want to be in today's landscape.  You want them to have some kind of capability to react to that.  And we are hopeful that next year we will be able to actually get this rolling.  Things are in place.  So it's actually looking pretty good.  This is a very short session.  Networking thing.  I would like to, again, open the floor to any of our virtual or in‑person participants to express anything, or otherwise I will just wrap up.  Any final impressions, anyone?  At the end of the table, sir, please. 

>> Yeah.  New name is Yasai (?).  From Sudan.  Actually, we can't blame the (?) For the mass phishing that is going on.  I think we have more awareness issues for the people.  They are owning the domain itself.  Because recently most websites that are being phishing or attacking a, like, phishing website, because the website design it and no one is coming back for them.  Especially like Wordpress website, there are (?) Bad guys are using there for attacking site.  So there must be a way that we can do awareness for the people or for the domain through the media, social media, so they can be aware of what is going on. 

>> MARK DATYSGELD: I actually think you are 100% correct.  In that report from the council, there is a recommendation.  So thank you for, you know, bringing it back to that point.  And an impression from the room?  Please, sir? 

>> Thank you very much.  My name is (?) From Ghana (?) Registry.  I want to add on what he said.  In Ghana (?) Domain names.  What is important to look at (?) And organizations to drive home the importance of WHOIS (?).  So that they will have to take it down.  We will know the real (?).  Thank you. 

>> MARK DATYSGELD: Thank you very much.  I think here we see the difference between genetics and CCs, right?  CCs can pretty much write their own rules and often to the favor of the entire community, right?  Yes, please do. 

>> Also, before two or three years when there is ISIS around the world and making a big (?) Domain name and immediately the second day they put a letter media, ISIS, we can't (?) Of this domain.  So the community has to be involved and one of the people said I find website that is announcing something for ISIS.  So you have to take it down.  We review the website and we take down that website immediately.  So I think the community has a great part in this.  They have to be aware of the matter. 

>> MARK DATYSGELD: 100% agreement with that.  We are, unfortunately, pressed for time.  So I would like to invite our panelists to give a 30‑seconds final recommendation, speech, comment, or joke, starting with Mr. Mason Cole. 

>> MASON COLE: Thanks, Mark.  I don't have really much more to add except just to say that I appreciate IGF's attention on the issue of domain name abuse.  I appreciate those in the room who are concerned about this as an issue.  I invite you to contribute to the BC's work against domain name abuse, and I thank you for the opportunity to be with you today. 

>> MARK DATYSGELD: Thank you, Mason.  Lawrence. 

>> Yes.  So my last words will more or less be that awareness is good, but enforcement is key.  And there is that need for ICANN to step up to ensure that, you know, contracts are enforceable.  These are real‑life issues.  These are issues that impact people on an everyday basis, and there has to be that trust that, you know, there is somewhere where you can go to, and at least you have half of the problem solved, if not majority of the problem solved.  Also I believe that where we have stricter compliance, enforceable compliance in terms of, you know, the contracted parties that are involved, there will also ‑‑ these will also trickle down to the registrants, the bad actors, and those who will definitely find it difficult to operate in that space because of the kind of actions that, you know, our contracted party colleagues will be forced to step up to. 

             Enforcement is key to ensuring that, you know, abuse, we are not fully mitigated is reduced to a very bearable extent.  And thanks for having me here.  Manager thank you very much, Mason, Lawrence, and especially thank you to our audience both online and in person.  It's been a pleasure.  This is supposed to be a networking thing.  One second.  A bit of a networking thing.  So feel free to find us on LinkedIn, social media of any kind.  And, you know, around ICANN, that's where we live.  You have the final word, actually. 

>> Yes.  Thank you, Mark.  Hello, my friends from BC.  I would like you to take advantage of this event and congratulate Mason, Lawrence, and (?) And Mark for this DNS abuse case.  Okay.  Thank you.  Congratulations. 

>> MARK DATYSGELD: Thank you very much, my friend.  Thank you, everyone.  And with this very beautiful final words, we wrap the session.  Thank you very much.