28 Abuse Prevention and Mitigation

Prototypical answer:

gTLD: .ABC
Full Legal Name: American Broadcasting Companies, Inc.
E-mail suffix: disney.com

1. COMPREHENSIVE ABUSE POLICIES, WHICH INCLUDE CLEAR DEFINITIONS OF WHAT CONSTITUTES ABUSE IN THE TLD, AND PROCEDURES THAT WILL EFFECTIVELY MINIMIZE POTENTIAL FOR ABUSE IN THE TLD

American Broadcasting Companies, Inc. takes the issue of domain name abuse very seriously. In conjunction with Verisign, American Broadcasting Companies, Inc.’s chosen registry services provider, the company has developed measures to minimize abusive registrations and other activities that have a negative impact on Internet users. In the event that abuse does occur, American Broadcasting Companies, Inc. will have mitigation plans in place to address the abuse. As .ABC will be a closed gTLD, registration eligibility is strictly limited to American Broadcasting Companies, Inc. Due to this, the likelihood of abuse will be extremely low.

In 2010, ICANN's Registration Abuse Policies Working Group issued its Registration Abuse Policies Working Group Final Report. American Broadcasting Companies, Inc. will use the definition of abusive behavior contained in that report, which states that abusive behavior is any action that:
• causes actual and substantial harm, or is a material predicate of such harm
• is illegal or illegitimate, or is otherwise considered contrary to the intention and design of the mission/purpose of the TLD

A more comprehensive definition can be found later in this answer.

1.1 American Broadcasting Companies, Inc. Abuse Prevention and Mitigation Implementation Plan

Every second-level domain name registered in the .ABC gTLD will be registered by American Broadcasting Companies, Inc. and American Broadcasting Companies, Inc. will undertake the maintenance of all such domains in its capacity as the registry operator. American Broadcasting Companies, Inc. will not sell, distribute or transfer control or use of any registration in the .ABC gTLD to any third party.

1.2 Policies for Handling Complaints Regarding Abuse

As required by the ICANN Template Registry Agreement, American Broadcasting Companies, Inc. will establish, publish, and maintain on its website a single point of contact for handling abuse complaints. Considering that American Broadcasting Companies, Inc. will be the sole owner and registrant of second-level domains within the .ABC gTLD, it is anticipated that instances of abuse will be extremely rare and are likely to arise only from malicious activity (e.g., hacking).

Nonetheless, the above-mentioned role-specific contact will be linked to a role-specific account, e.g., reportabuse@registry.abc. All email inquiries will immediately receive an automated response indicating that the inquiry has been received and docketed into the American Broadcasting Companies, Inc. ticketing system. A telephone number will also be provided for those individuals and/or entities that may require immediate interaction with the registry.

Once a complaint has been received from a trusted/verified source or independently identified by American Broadcasting Companies, Inc., American Broadcasting Companies, Inc. will use commercially reasonable efforts to verify the information in the complaint. If American Broadcasting Companies, Inc. is able to verify the credibility of the complaint, which should not be a problem given the limited number of second-level domains to be operated within the .ABC gTLD, the complaint will then be promptly dealt with. If American Broadcasting Companies, Inc. is unable to resolve the issue promptly (for example, in the case of sophisticated hacking attacks), American Broadcasting Companies, Inc. will temporarily disable the domain name by placing it on hold until such a time as the complaint has been rectified. Whilst on hold, the domain will not be publicly visible but the underlying Whois information associated with the domain name will still be available for public access/review.

With regard to inquiries from law enforcement, American Broadcasting Companies, Inc. will respond to inquiries from legitimate law enforcement agencies within 24 hours. If any of the actions fall within the scope of American Broadcasting Companies, Inc.’s Abuse Policy identified below, American Broadcasting Companies, Inc. will follow the actions identified above for the timely resolution of the matter, or the domain name will be placed on hold.

1.3 Proposed Measures for Removal of Orphan Glue Records

Although orphan glue records often support correct and ordinary operation of the Domain Name System (DNS), registry operators will be required to remove orphan glue records (as defined at http://www.icann.org/en/committees/security/sac048.pdf) when provided with evidence in written form that such records are present in connection with malicious conduct. American Broadcasting Companies, Inc.’s selected backend registry services provider’s (Verisign’s) registration system is specifically designed to not allow orphan glue records. Registrars are required to delete/move all dependent DNS records before they are allowed to delete the parent domain.

To prevent orphan glue records, Verisign performs the following checks before removing a domain or name server:

Checks during domain delete:
• Parent domain delete is not allowed if any other domain in the zone refers to the child name server.
• If the parent domain is the only domain using the child name server, then both the domain and the glue record are removed from the zone.

Check during explicit name server delete:
• Verisign confirms that the current name server is not referenced by any domain name (in-zone) before deleting the name server.

Zone-file impact:
• If the parent domain references the child name server AND if other domains in the zone also reference it AND if the parent domain name is assigned a serverHold status, then the parent domain goes out of the zone but the name server glue record does not.
• If no domains reference a name server, then the zone file removes the glue record.
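The delete checks and zone-file rules listed above can be modelled in a few lines. This is an added example, not Verisign's registration system: the class and function names, the sample domains and the 192.0.2.x addresses are constructed, and it assumes that glue is published only while at least one domain that is itself in the zone references the name server.

```python
from dataclasses import dataclass, field


class OrphanGlueError(Exception):
    """A delete was refused because it would leave an orphan glue record."""


@dataclass
class Domain:
    name: str
    nameservers: set = field(default_factory=set)
    statuses: set = field(default_factory=set)


class Registry:
    """Hypothetical in-memory registry used only to illustrate the checks."""

    def __init__(self):
        self.domains = {}  # domain name -> Domain
        self.hosts = {}    # in-zone (child) name server -> glue address

    @staticmethod
    def parent_of(host):
        # Assumption: second-level registrations only, so the parent of
        # ns1.example.abc is example.abc.
        return ".".join(host.split(".")[-2:])

    def referrers(self, host, exclude=None):
        """Names of domains that list `host` as a name server."""
        return {d.name for d in self.domains.values()
                if host in d.nameservers and d.name != exclude}

    def delete_domain(self, name):
        children = [h for h in self.hosts if self.parent_of(h) == name]
        # Check during domain delete: refuse if another domain uses a child host.
        for host in children:
            others = self.referrers(host, exclude=name)
            if others:
                raise OrphanGlueError(f"{host} is still used by {sorted(others)}")
        # The parent was the only user: remove the glue together with the domain.
        for host in children:
            del self.hosts[host]
        del self.domains[name]

    def delete_host(self, host):
        # Check during explicit name server delete.
        used_by = self.referrers(host)
        if used_by:
            raise OrphanGlueError(f"{host} is referenced by {sorted(used_by)}")
        del self.hosts[host]

    def zone(self):
        """Return (delegations, glue) as they would be published."""
        # serverHold takes a domain out of the zone without deleting it.
        live = [d for d in self.domains.values() if "serverHold" not in d.statuses]
        delegations = sorted((d.name, h) for d in live for h in d.nameservers)
        # Glue stays while a published domain references the host (assumption).
        glue = {h: ip for h, ip in self.hosts.items()
                if any(h in d.nameservers for d in live)}
        return delegations, glue


def build_sample():
    """Constructed sample data: news.abc depends on a child host of example.abc."""
    reg = Registry()
    reg.hosts = {
        "ns1.example.abc": "192.0.2.1",
        "ns2.example.abc": "192.0.2.2",
        "ns1.solo.abc": "192.0.2.53",
    }
    for name, servers in [
        ("example.abc", {"ns1.example.abc", "ns2.example.abc"}),
        ("news.abc", {"ns1.example.abc"}),
        ("solo.abc", {"ns1.solo.abc"}),
    ]:
        reg.domains[name] = Domain(name, servers)
    return reg


if __name__ == "__main__":
    reg = build_sample()
    reg.domains["example.abc"].statuses.add("serverHold")
    print(reg.zone())
```

With example.abc on serverHold, its delegation leaves the zone while the glue for ns1.example.abc remains because news.abc still depends on it, which is the case a suspension workflow has to account for.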

1.4 Resourcing Plans

Details related to resourcing plans for the initial implementation and ongoing maintenance of American Broadcasting Companies, Inc.’s abuse plan are provided in Section 2 of this response.

1.5 Measures to Promote Whois Accuracy

As the sole registrant for the .ABC domain, responsibility for up-to-date Whois information rests with American Broadcasting Companies, Inc. American Broadcasting Companies, Inc. takes this responsibility seriously, and will perform regular checks to ensure that all Whois data is current and complies with ICANN’s latest guidelines.

1.5.1 Authentication of Registrant Information

As both the operator and sole registrant for .ABC gTLDs, American Broadcasting Companies, Inc. does not anticipate significant problems with registrant verification. Nonetheless, American Broadcasting Companies, Inc. will be fastidious in ensuring that only American Broadcasting Companies, Inc. companies and affiliates are able to register .ABC gTLDs, and that all data provided is fully accurate.

1.5.2 Regular Monitoring of Registration Data for Accuracy and Completeness

Verisign, American Broadcasting Companies, Inc.’s selected backend registry services provider, has established policies and procedures to encourage registrar compliance with ICANN’s Whois accuracy requirements. Verisign provides the following services to American Broadcasting Companies, Inc. for incorporation into its full-service registry operations.

Registrar self certification.

The self-certification program consists, in part, of evaluations applied equally to all operational ICANN accredited registrars and conducted from time to time throughout the year. Process steps are as follows:

• Verisign sends an email notification to the ICANN primary registrar contact, requesting that the contact go to a designated URL, log in with his/her Web ID and password, and complete and submit the online form. The contact must submit the form within 15 business days of receipt of the notification.

• When the form is submitted, Verisign sends the registrar an automated email confirming that the form was successfully submitted.

• Verisign reviews the submitted form to ensure the certifications are compliant.

• Verisign sends the registrar an email notification if the registrar is found to be compliant in all areas.

• If a review of the response indicates that the registrar is out of compliance or if Verisign has follow-up questions, the registrar has 10 days to respond to the inquiry.

• If the registrar does not respond within 15 business days of receiving the original notification, or if it does not respond to the request for additional information, Verisign sends the registrar a Breach Notice and gives the registrar 30 days to cure the breach.

• If the registrar does not cure the breach, Verisign terminates the Registry-Registrar Agreement (RRA).

Whois data reminder process. Verisign regularly reminds registrars of their obligation to comply with ICANN’s Whois Data Reminder Policy, which was adopted by ICANN as a consensus policy on 27 March 2003 (http://www.icann.org/en/registrars/wdrp.htm). Verisign sends a notice to all registrars once a year reminding them of their obligation to be diligent in validating the Whois information provided during the registration process, to investigate claims of fraudulent Whois information, and to cancel domain name registrations for which Whois information is determined to be invalid.

1.6 Malicious or Abusive Behavior Definitions, Metrics, and Service Level Requirements for Resolution

American Broadcasting Companies, Inc. defines malicious and abusive behavior based on, but not limited to, the following definitions:

• Phishing is a criminal activity employing tactics to defraud and defame Internet users via sensitive information with the intent to steal or expose credentials, money or identities. A phishing attack begins with a spoofed email posing as a trustworthy electronic correspondence that contains hijacked brand names (i.e., financial institutions, credit card companies, e-commerce sites). The language of a phishing email is misleading and persuasive, generating fear and/or excitement to ultimately lure the recipient to a fraudulent Web site. It is paramount for both the phishing email and Web site to appear credible in order for the attack to influence the recipient. As with the spoofed email, phishers aim to make the associated phishing Web site appear credible. The legitimate target Web site is mirrored to make the fraudulent site look professionally designed. Fake third-party security endorsements, spoofed address bars, and spoofed padlock icons falsely lend credibility to fraudulent sites as well. The persuasive inflammatory language of the email combined with a legitimate looking Web site is used to convince recipients to disclose sensitive information such as passwords, usernames, credit card numbers, social security numbers, account numbers, and mother’s maiden name.

• Malware is malicious software that was intentionally developed to infiltrate or damage a computer, mobile device, software and/or operating infrastructure or website without the consent of the owner or authorized party. This includes, amongst others, viruses, Trojan horses, and worms.

• Domain Name or Domain Theft is the act of changing the registration of a domain name without the permission of its original registrant.

• Botnet Command and Control: Services run on a domain name that is used to control a collection of compromised computers or “zombies,” or to direct Distributed Denial of Service attacks (DDoS attacks).

• Distribution of Malware: The intentional creation and intentional or unintentional distribution of “malicious” software designed to infiltrate a computer system without the owner’s consent, including, without limitation, computer viruses, worms, keyloggers, and Trojans.

• Fast Flux Attacks/Hosting: A technique used to shelter Phishing, Pharming, and Malware sites and networks from detection and to frustrate methods employed to defend against such practices, whereby the IP addresses associated with fraudulent sites are changed rapidly so as to make the true location of the sites difficult to find.

• Hacking: Unauthorized access to a computer network.

• Pharming: The redirecting of unknown users to fraudulent sites or services, typically through, but not limited to, DNS hijacking or poisoning.

• Spam: The use of electronic messaging systems to send unsolicited bulk messages. The term applies to email spam and similar abuses such as instant messaging spam, mobile messaging spam, and spamming of websites and Internet forums.

• Further abusive behaviors include, but are not limited to: Cybersquatting, Front-Running, Gripe Sites, Deceptive and/or Offensive Domain Names, Fake Renewal Notices, Cross-TLD Registration Scam, Name Spinning, Pay-per-Click, Traffic Diversion, False Affiliation, Domain Kiting / Tasting, fast-flux, botnet command-and-control and 419 scams.

Section 1.2 outlines American Broadcasting Companies, Inc.’s Policies and Procedures for Handling Complaints Regarding Abuse as defined above.

As pertains to American Broadcasting Companies, Inc.’s performance metrics and service level requirements for resolution, we adhere to a 24-hour timeframe to address and potentially rectify the issue as it pertains to all forms of abuse and fraud. Once a notification is received via email, call center or fax, the American Broadcasting Companies, Inc. employee responsible for dealing with such issues immediately creates a support ticket in order to monitor and track the issue through resolution. If notifications are received during normal business hours (9am – 6pm Pacific Standard Time, Monday – Friday), the majority of issues are resolved in less than a 24-hour period.

1.7 Controls to Ensure Proper Access to Domain Functions

1.7.1 Multi-Factor Authentication

To ensure proper access to domain functions, American Broadcasting Companies, Inc. incorporates Verisign’s Registry-Registrar Two-Factor Authentication Service into its full-service registry operations. The service is designed to improve domain name security and assist registrars in protecting the accounts they manage by providing another level of assurance that only authorized personnel can communicate with the registry. As part of the service, dynamic one-time passwords (OTPs) augment the user names and passwords currently used to process update, transfer, and/or deletion requests. These one-time passwords enable transaction processing to be based on requests that are validated both by “what users know” (i.e., their user name and password) and “what users have” (i.e., a two-factor authentication credential with a one-time-password).

Registrars can use the one-time-password when communicating directly with Verisign’s Customer Service department as well as when using the registrar portal to make manual updates, transfers, and/or deletion transactions. The Two-Factor Authentication Service is an optional service offered to registrars that execute the Registry-Registrar Two-Factor Authentication Service Agreement. As shown in Figure 28-1, the registrars’ authorized contacts use the OTP to enable strong authentication when they contact the registry. There is no charge for the Registry-Registrar Two-Factor Authentication Service. It is enabled only for registrars that wish to take advantage of the added security provided by the service.

1.7.2 Requiring and Notifying Multiple, Unique Points of Contact

To eliminate the possibility of changes to a domain without proper authorization and notice, all domain name registrations in the .ABC gTLD will be required to have at least two unique points of contact who are authorized to request and/or approve update, transfer, and deletion requests. The points of contact must be authenticated before a point of contact will be allowed to process update, transfer, and deletion requests. Once an update, transfer, or deletion request is entered, the points of contact will automatically be notified when a domain has been updated, transferred, or deleted through an automated system run by Disney's registrar.

2. TECHNICAL PLAN THAT IS ADEQUATELY RESOURCED IN THE PLANNED COSTS DETAILED IN THE FINANCIAL SECTION

Resource Planning

The .ABC gTLD will be fully supported by a cross-functional team of American Broadcasting Companies, Inc. professionals. Numbers and types of employees will vary for each function, but American Broadcasting Companies, Inc. projects it will use the following personnel to support the resource planning requirements:

• Engagement Manager
• Network Engineer
• Application Engineer
• System Engineer
• Security DL (abuse@abc.com)

Resource Planning Specific to Backend Registry Activities

Verisign, American Broadcasting Companies, Inc.’s selected backend registry services provider, is an experienced backend registry provider that has developed a set of proprietary resourcing models to project the number and type of personnel resources necessary to operate a TLD. Verisign routinely adjusts these staffing models to account for new tools and process innovations. These models enable Verisign to continually right-size its staff to accommodate projected demand and meet service level agreements as well as Internet security and stability requirements. Using the projected usage volume for the most likely scenario (defined in Question 46, Template 1 – Financial Projections: Most Likely) as an input to its staffing models, Verisign derived the necessary personnel levels required for this gTLD’s initial implementation and ongoing maintenance. Verisign’s pricing for the backend registry services it provides to American Broadcasting Companies, Inc. fully accounts for cost related to this infrastructure, which is provided as “Total Critical Registry Function Cash Outflows” (Template 1, Line IIb.G) within the Question 46 financial projections response.

Verisign employs more than 1,040 individuals of which more than 775 comprise its technical work force. (Current statistics are publicly available in Verisign’s quarterly filings.) Drawing from this pool of on-hand and fully committed technical resources, Verisign has maintained DNS operational accuracy and stability 100 percent of the time for more than 13 years for .com, proving Verisign’s ability to align personnel resource growth to the scale increases of Verisign’s TLD service offerings.

Verisign projects it will use the following personnel roles, which are described in Section 5 of the response to Question 31, Technical Overview of Proposed Registry, to support abuse prevention and mitigation:
• Application Engineers: 19
• Business Continuity Personnel: 3
• Customer Affairs Organization: 9
• Customer Support Personnel: 36
• Information Security Engineers: 11
• Network Administrators: 11
• Network Architects: 4
• Network Operations Center (NOC) Engineers: 33
• Project Managers: 25
• Quality Assurance Engineers: 11
• Systems Architects: 9

To implement and manage the American Broadcasting Companies, Inc. gTLD as described in this application, Verisign, American Broadcasting Companies, Inc.’s selected backend registry services provider, scales, as needed, the size of each technical area now supporting its portfolio of TLDs. Consistent with its resource modeling, Verisign periodically reviews the level of work to be performed and adjusts staff levels for each technical area.

When usage projections indicate a need for additional staff, Verisign’s internal staffing group uses an in-place staffing process to identify qualified candidates. These candidates are then interviewed by the lead of the relevant technical area. By scaling one common team across all its TLDs instead of creating a new entity to manage only this proposed gTLD, Verisign realizes significant economies of scale and ensures its TLD best practices are followed consistently. This consistent application of best practices helps ensure the security and stability of both the Internet and this proposed gTLD, as Verisign holds all contributing staff members accountable to the same procedures that guide its execution of the Internet’s largest TLDs (i.e., .com and .net). Moreover, by augmenting existing teams, Verisign affords new employees the opportunity to be mentored by existing senior staff. This mentoring minimizes start-up learning curves and helps ensure that new staff members properly execute their duties.

3. POLICIES AND PROCEDURES IDENTIFY AND ADDRESS THE ABUSIVE USE OF REGISTERED NAMES AT STARTUP AND ON AN ONGOING BASIS

3.1 Ongoing Anti-Abuse Policies and Procedures

3.1.1 Policies and Procedures That Identify Malicious or Abusive Behavior

Verisign, American Broadcasting Companies, Inc.’s selected backend registry services provider, provides the following service to American Broadcasting Companies, Inc. for incorporation into its full-service registry operations.

Malware scanning service. Registrants are often unknowing victims of malware exploits. Verisign has developed proprietary code to help identify malware in the zones it manages, which in turn helps registrars by identifying malicious code hidden in their domain names.

Verisign’s malware scanning service helps prevent websites from infecting other websites by scanning web pages for embedded malicious content that will infect visitors’ websites. Verisign’s malware scanning technology uses a combination of in-depth malware behavioral analysis, anti-virus results, detailed malware patterns, and network analysis to discover known exploits for the particular scanned zone. If malware is detected, the service sends the registrar a report that contains the number of malicious domains found and details about malicious content within its TLD zones. Reports with remediation instructions are provided to help registrars and registrants eliminate the identified malware from the registrant’s website.

3.1.2 Policies and Procedures That Address the Abusive Use of Registered Names

Suspension processes.
As per the requirements in the Registry Agreement, American Broadcasting Companies, Inc. will publish on the registry website - registry.abc - contact information for an Abuse Point of Contact (Abuse PoC). This Abuse PoC will serve as the central collection point for all complaints and reports about abusive behavior related to the .ABC gTLD. Inquiries addressed to the Abuse PoC will be handled by American Broadcasting Companies, Inc.’s legal staff, who will review and if necessary remedy any Complaint involving domain name abuse.

When a complaint is received by the Abuse PoC, American Broadcasting Companies, Inc.'s legal staff will review the Complaint to see if it falls within an abusive use as defined by the Abuse Policy. If not, the Abuse PoC will respond in a timely manner that the subject of the complaint does not fall within one of the abusive uses as defined by the Abuse Policy and that Applicant considers the matter closed.

If the initial review determines that abuse is taking place, the Abuse PoC will notify Verisign to immediately suspend the resolution of the domain name. Legal staff will then notify the registrant about the suspension of the domain name and the nature of the complaint, and provide the registrant with the option to respond within a timely manner or the domain name will be canceled.

If the registrant responds within the appropriate time, legal staff will review the response. If legal staff is satisfied by the response that the use is not abusive, legal staff will notify Verisign to reinstate the domain name. The Abuse PoC will notify the Complainant that its complaint was ultimately denied and provide the reasons for the denial. If the registrant does not respond within the required time period, the Abuse PoC will notify the registry services provider to cancel the abusive domain name.

American Broadcasting Companies, Inc. and Verisign will also comply with Section 2.8 of the Registry agreement, which states:

Registry Operator shall take reasonable steps to investigate and respond to any reports from law enforcement and governmental and quasi-governmental agencies of illegal conduct in connection with the use of the TLD. In responding to such reports, Registry Operator will not be required to take any action in contravention of applicable law.

If a request from law enforcement or other quasi-governmental agencies involves any of the activities which can be validated by American Broadcasting Companies, Inc.’s legal team and involves the type of activity set forth in the Abuse Policy, the Abuse PoC will notify the registry services provider to either immediately suspend or cancel the domain name. If the legal team determines that it is not an abusive activity, the Abuse PoC will respond with a reason for not suspending or terminating the name.

Suspension processes conducted by backend registry services provider. In the case of domain name abuse, American Broadcasting Companies, Inc. will determine whether to take down the subject domain name. Verisign, American Broadcasting Companies, Inc.’s selected backend registry services provider, will follow the following auditable processes to comply with the suspension request. Please reference the process flowchart in Figure 28-2.

Verisign Suspension Notification. American Broadcasting Companies, Inc. submits the suspension request to Verisign for processing, documented by:
• Threat domain name
• Registry incident number
• Incident narrative, threat analytics, screen shots to depict abuse, and/or other evidence
• Threat classification
• Threat urgency description
• Recommended timeframe for suspension/takedown
• Technical details (e.g., Whois records, IP addresses, hash values, anti-virus detection results/nomenclature, name servers, domain name statuses that are relevant to the suspension)
• Incident response, including surge capacity

Verisign Notification Verification. When Verisign receives a suspension request from American Broadcasting Companies, Inc., it performs the following verification procedures:
• Validate that all the required data appears in the notification.
• Validate that the request for suspension is for a registered domain name.
• Return a case number for tracking purposes.

Suspension Rejection. If required data is missing from the suspension request, or the domain name is not registered, the request will be rejected and returned to American Broadcasting Companies, Inc. with the following information:
• Threat domain name
• Registry incident number
• Verisign case number
• Error reason

Registrar Notification (Optional). Once Verisign has performed the domain name suspension, and upon American Broadcasting Companies, Inc.’s request, Verisign notifies the registrar of the suspension. Registrar notification includes the following information:
• Threat domain name
• Registry incident number
• Verisign case number
• Classification of type of domain name abuse
• Evidence of abuse
• Anti-abuse contact name and number
• Suspension status
• Date/time of domain name suspension

Domain Suspension. Verisign places the domain to be suspended on the following statuses:
• serverUpdateProhibited
• serverDeleteProhibited
• serverTransferProhibited
• serverHold

Suspension Acknowledgement. Verisign notifies American Broadcasting Companies, Inc. that the suspension has been completed. Acknowledgement of the suspension includes the following information:
• Threat domain name
• Registry incident number
• Verisign case number
• Case number
• Domain name
• American Broadcasting Companies, Inc. abuse contact name and number, or registrar abuse contact name and number
• Suspension status

4. WHEN EXECUTED IN ACCORDANCE WITH THE REGISTRY AGREEMENT, PLANS WILL RESULT IN COMPLIANCE WITH CONTRACTUAL REQUIREMENTS

American Broadcasting Companies, Inc. believes that the proposed combination of protections that involve both proactive and reactive mechanisms will provide a very high level of security and anti-abuse protection within the .ABC gTLD. These mechanisms will be included in both the Registry-Registrar Agreement as well as the Registrant Registration Agreement.

American Broadcasting Companies, Inc. is fully committed to improving the completeness and accuracy of Whois data and to prevent and mitigate domain name abuse in the .ABC gTLD. American Broadcasting Companies, Inc. is committed to meeting the requirements in this area as outlined by ICANN.

The fight against domain name abuse is not a static fight. The tactics used by malicious parties are constantly evolving and American Broadcasting Companies, Inc. is committed to evolving our systems to address these ongoing threats, despite the fact that it is beyond ICANN’s requirements.

5. TECHNICAL PLAN SCOPE/SCALE THAT IS CONSISTENT WITH THE OVERALL BUSINESS APPROACH AND PLANNED SIZE OF THE REGISTRY

Scope/Scale Consistency

American Broadcasting Companies, Inc. will be the sole registrant for the .ABC gTLD. By applying the anti-abuse protocols outlined in Q28, the level of protection should meet or exceed ICANN’s expectations regarding abuse prevention and mitigation.

Scope/Scale Consistency Specific to Backend Registry Activities

Verisign, American Broadcasting Companies, Inc.’s selected backend registry services provider, is an experienced backend registry provider that has developed and uses proprietary system scaling models to guide the growth of its TLD supporting infrastructure. These models direct Verisign’s infrastructure scaling to include, but not be limited to, server capacity, data storage volume, and network throughput that are aligned to projected demand and usage patterns. Verisign periodically updates these models to account for the adoption of more capable and cost-effective technologies.

Verisign’s scaling models are proven predictors of needed capacity and related cost. As such, they provide the means to link the projected infrastructure needs of the American Broadcasting Companies, Inc. gTLD with necessary implementation and sustainment cost. Using the projected usage volume for the most likely scenario (defined in Question 46, Template 1 – Financial Projections: Most Likely) as an input to its scaling models, Verisign derived the necessary infrastructure required to implement and sustain this gTLD. Verisign’s pricing for the backend registry services it provides to American Broadcasting Companies, Inc. fully accounts for cost related to this infrastructure, which is provided as “Other Operating Cost” (Template 1, Line I.L) within the Question 46 financial projections response.
