28 Abuse Prevention and Mitigation

Prototypical answer:

28.1 Abuse Prevention and Mitigation

Strong abuse prevention in a new gTLD is an important benefit to the Internet community. HLT Stakis and its back-end registry services provider, Neustar, agree that a registry should aim for the highest standards of technical and operational competence, but should also act as a steward of the space on behalf of the Internet community and ICANN in promoting the public interest. Neustar brings extensive experience establishing and implementing registration policies, and will leverage this experience to help HLT Stakis combat abusive and malicious domain activity within the new .hilton space.

One of those public interest functions for a responsible domain name registry includes working towards the eradication of abusive domain name registrations, including, but not limited to, those resulting from:

- Illegal or fraudulent actions
- Spam
- Phishing
- Pharming
- Distribution of malware
- Fast flux hosting
- Botnets
- Distribution of child pornography
- Online sale or distribution of illegal pharmaceuticals.

More specifically, although traditionally botnets have used Internet Relay Chat (IRC) servers to control a registry and the compromised PCs, or bots, for DDoS attacks and the theft of personal information, an increasingly popular technique, known as fast-flux DNS, allows botnets to use a multitude of servers to hide a key host or to create a highly available control network. This ability to shift the attacker’s infrastructure over a multitude of servers in various countries creates an obstacle for law enforcement and security researchers to mitigate the effects of these botnets. But a point of weakness in this scheme is its dependence on DNS for its translation services. By taking an active role in researching and monitoring these sorts of botnets, HLT Stakis’ partner, Neustar, has developed the ability to efficiently work with various law enforcement and security communities to begin a new phase of mitigation of these types of threats.

Policies and Procedures to Minimize Abusive Registrations
A registry must have the policies, resources, personnel, and expertise in place to combat such abusive DNS practices. As HLT Stakis’ registry services provider for .hilton, Neustar is at the forefront of the prevention of such abusive practices and is one of the few registry operators to have actually developed and implemented an active “domain takedown” policy. Neustar also believes that a strong program is essential because registrants have a reasonable expectation that they are in control of the data associated with their domains, especially the data’s presence in the DNS zone. Because domain names are sometimes used as a mechanism to enable various illegitimate activities on the Internet, often the best preventative measure to thwart these attacks is to remove the names completely from the DNS before they can impart harm, not only to the domain name registrant, but also to millions of unsuspecting Internet users.

Removing the domain name from the zone has the effect of shutting down all activity associated with the domain name, including the use of all websites and e-mail. The use of this technique should not be entered into lightly. HLT Stakis will use in the .hilton TLD a documented process for taking the necessary action of removing a domain from the zone when its presence in the zone poses a threat to the security and stability of the infrastructure of the Internet or the registry.

Abuse Point of Contact
As required by the Registry Agreement, HLT Stakis will establish and publish on its principal .hilton website a single abuse point of contact responsible for addressing inquiries from law enforcement and the public related to malicious and abusive conduct. HLT Stakis will also provide such information to ICANN prior to the delegation of any domain names in the .hilton TLD. This information shall consist of, at a minimum, a valid e-mail address dedicated solely to the handling of malicious conduct complaints, and a telephone number and mailing address for the primary contact. HLT Stakis will keep this information accurate and up to date, and will provide updates to ICANN if and when changes are made. In addition, with respect to inquiries from ICANN-accredited registrars, the .hilton registry services provider, Neustar, shall have an additional point of contact, as it does today, handling requests by registrars related to abusive domain name practices.

28.2 Policies Regarding Abuse Complaints
One of the key policies each new gTLD registry will need to have is an Acceptable Use Policy that clearly delineates the types of activities that constitute “abuse” and the repercussions associated with an abusive domain name registration. In addition, the policy will be incorporated into the applicable Registry-Registrar Agreement and reserve the right for the registry to take the appropriate actions based on the type of abuse. This will include locking down the domain name to prevent any changes to the contact and nameserver information associated with the domain name, placing the domain name “on hold” to render the domain name non-resolvable, transferring to the domain name to another registrar, and⁄or in cases in which the domain name is associated with an existing law enforcement investigation, substituting name servers to collect information about the DNS queries to assist the investigation.

HLT Stakis will adopt for its .hilton TLD an Acceptable Use Policy that clearly defines the types of activities that will not be permitted in .hilton and reserves is right to lock, cancel, transfer or otherwise suspend or take down domain names violating the Acceptable Use Policy and allow Stakis to share information with law enforcement as appropriate. Because there will be no resellers in .hilton and there will be no market in .hilton domains, opportunities for abuse and malicious conduct are inherently limited. Below is the HLT Stakis’ initial Acceptable Use Policy that it will use in connection with the .hilton registry.

It is important to note that registration and use of .hilton domains will be restricted to HLT Stakis and its Affiliates. Accordingly , the potential for abusive registrations and other activities that have a negative impact on Internet users is minimal. In the unlikely event that such abuse occurs, HLT Stakis and its registry service provider, Neustar, will implement the following policies and processes to manage such activities.

--.hilton Acceptable Use Policy--

This Acceptable Use Policy gives HLT Stakis the ability to quickly lock, cancel, transfer or take ownership of any .hilton domain name, either temporarily or permanently, if the domain name is being used in a manner that appears to threaten the stability, integrity or security of .hilton, or any of its registrar partners – and⁄or that may put the safety and security of any registrant or user at risk. The process also allows HLT Stakis to take preventive measures to avoid any such criminal or security threats.

The Acceptable Use Policy may be triggered through a variety of channels, including, among other things, private complaint, public alert, government or enforcement agency outreach, and the on-going monitoring by HLT Stakis or its partners. In all cases, HLT Stakis or its designees will alert its registrar partners about any identified threats, and will work closely with them to bring offending sites into compliance.

The following are some (but not all) activities that may be subject to rapid domain compliance:

- Phishing: the attempt to acquire personally identifiable information by masquerading as a website other than .hilton’s own.
- Pharming: the redirection of Internet users to websites other than those the user intends to visit, usually through unauthorized changes to the Hosts file on a victim’s computer or DNS records in DNS servers.
- Dissemination of Malware: the intentional creation and distribution of ʺmaliciousʺ software designed to infiltrate a computer system without the owner’s consent, including, without limitation, computer viruses, worms, key loggers, and Trojans.
- Fast Flux Hosting: a technique used to shelter Phishing, Pharming and Malware sites and networks from detection and to frustrate methods employed to defend against such practices, whereby the IP address associated with fraudulent websites are changed rapidly so as to make the true location of the sites difficult to find.
- Botnetting: the development and use of a command, agent, motor, service, or software which is implemented: (1) to remotely control the computer or computer system of an Internet user without their knowledge or consent, (2) to generate direct denial of service (DDOS) attacks.
- Malicious Hacking: the attempt to gain unauthorized access (or exceed the level of authorized access) to a computer, information system, user account or profile, database, or security system.
- Child Pornography: the storage, publication, display and⁄or dissemination of pornographic materials depicting individuals under the age of majority in the relevant jurisdiction.

HLT Stakis reserves the right, in its sole discretion, to take any administrative and operational actions necessary, including the use of computer forensics and information security technological services, among other things, in order to implement the Acceptable Use Policy. In addition, HLT Stakis reserves the right to deny, cancel or transfer any registration or transaction, or place any domain name(s) on registry lock, hold or similar status, that it deems necessary, in its discretion; (1) to protect the integrity and stability of the registry; (2) to comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process; (3) to avoid any liability, civil or criminal, on the part of HLT Stakis as well as its affiliates, subsidiaries, officers, directors, and employees; (4) per the terms of the registration agreement or (5) to correct mistakes made by HLT Stakis or any registrar in connection with a domain name registration. HLT Stakis also reserves the right to place upon registry lock, hold or similar status a domain name during resolution of a dispute.

Taking Action Against Abusive and⁄or Malicious Activity
HLT Stakis is committed to ensuring that those domain names associated with abuse or malicious conduct in violation of the Acceptable Use Policy are dealt with in a timely and decisive manner. These include taking action against those domain names that are being used to threaten the stability and security of .hilton, or is part of a real-time investigation by law enforcement.

Once a complaint is received from a trusted source, third-party, or detected by HLT Stakis, HLT Stakis will use commercially reasonable efforts to verify the information in the complaint. If that information can be verified to the best of the ability of HLT Stakis, the sponsoring registrar will be notified and be given 12 hours to investigate the activity and either take down the domain name by placing the domain name on hold or by deleting the domain name in its entirety or providing a compelling argument to HLT Stakis to keep the name in the zone. If the registrar has not taken the requested action after the 12-hour period (i.e., is unresponsive to the request or refuses to take action), HLT Stakis will place the domain on “ServerHold”. This is unlikely to be necessary, as HLT Stakis will be using a single, gateway registrar with whom it has a contract reflecting these policies. Although this action removes the domain name from the .hilton zone, the domain name record still appears in the .hilton WHOIS database so that the name and entities can be investigated by law enforcement should they desire to get involved.

Coordination with Law Enforcement
With the assistance of Neustar as its back-end registry services provider, HLT Stakis can meet its obligations under Section 2.8 of the Registry Agreement where required to take reasonable steps to investigate and respond to reports from law enforcement and governmental and quasi-governmental agencies of illegal conduct in connection with the use of its TLD. HLT Stakis will respond to legitimate law enforcement inquiries within one business day from receiving the request. Such response shall include, at a minimum, an acknowledgement of receipt of the request, Questions or comments concerning the request, and an outline of the next steps to be taken by HLT Stakis for rapid resolution of the request.

In the event such request involves any of the activities which can be validated by HLT Stakis and involves the type of activity set forth in the Acceptable Use Policy, the sponsoring registrar is then given 12 hours to investigate the activity further and either take down the domain name by placing the domain name on hold or by deleting the domain name in its entirety or providing a compelling argument to the registry to keep the name in the zone. If the registrar has not taken the requested action after the 12-hour period (i.e., is unresponsive to the request or refuses to take action), HLT Stakis will place the domain on “serverHold”.

Continued Hilton Anti-Abuse Activities
HLT Stakis’ Affiliate, Hilton Worldwide (collectively, “Hilton”), currently uses MarkMonitor’s daily brand protection services for nine of the Hilton-owned brands, and will likely continue to do so after the launch of the .hilton registry. Current services include website monitoring, enforcement, and monthly compliance reports.

MarkMonitor’s website monitoring addresses traffic diversion, affiliate abuse, partner abuse, and, among others, paid search abuse. MarkMonitor reports these abuses to Hilton in a monthly report and takes action against abusive websites upon Hilton’s approval. Such actions include sending cease and desist letters requesting content removal, website removal, and⁄or a domain transfer. MarkMonitor also provides quarterly reviews of Hilton-owned domains, which involves reviewing sites for compliance with set anti-abuse criteria.

28.3 Measures for Removal of Orphan Glue Records
As the Security and Stability Advisory Committee of ICANN (SSAC) rightly acknowledges, although orphaned glue records may be used for abusive or malicious purposes, the “dominant use of orphaned glue supports the correct and ordinary operation of the DNS.” See http:⁄⁄www.icann.org⁄en⁄committees⁄security⁄sac048.pdf.

While orphan glue often support correct and ordinary operation of the DNS, we understand that such glue records can be used maliciously to point to name servers that host domains used in illegal phishing, bot-nets, malware, and other abusive behaviors. Problems occur when the parent domain of the glue record is deleted but its children glue records still remain in DNS. Therefore, when the Registry has written evidence of actual abuse of orphaned glue, the Registry will take action to remove those records from the zone to mitigate such malicious conduct.

Neustar runs a daily audit of entries in its DNS systems and compares those with its provisioning system. This serves as an umbrella protection to make sure that items in the DNS zone are valid. Any DNS record that shows up in the DNS zone but not in the provisioning system will be flagged for investigation and removed if necessary. This daily DNS audit serves to not only prevent orphaned hosts but also other records that should not be in the zone.

In addition, if either HLT Stakis or Neustar become aware of actual abuse on orphaned glue after receiving written notification by a third party through its Abuse Contact or through its customer support, such glue records will be removed from the zone.

28.4 Authentication of Registrant Information
As stated in its response to Question 18, it is anticipated that only HLT Stakis and its Affiliates (the “Eligible .hilton Registrants”) will be permitted to register and use .hilton domain names. Before any .hilton domain name is registered, HLT Stakis will confirm through certain procedures that all registrants are Eligible .hilton Registrants and that only Eligible .hilton Registrants are permitted to register .hilton domain names.

HLT Stakis will coordinate with its Affiliates to compile a list of the entities that are Eligible .hilton Registrants and the persons authorized to register .hilton domain names on their behalf. HLT Stakis will require all registrars that wish to enter into a Registry-Registrar Agreement to agree to abide by strict domain name registration guidelines. Each qualified registrar must validate certain contact information to determine if a potential registrant is an Eligible .hilton Registrant before proceeding with a .hilton registration.

Registrars may use a number of procedures for eligibility verification such as:
1. An automated authentication process to authenticate that the prospective registrant is an Eligible .hilton Registrant;
2. Registrar-conducted authentication of whether a prospective registrant’s e-mail address is included in a pre-approved registrant list;
3. Contacting HLT Stakis if the registrar is unable to verify that a prospective registrant is an Eligible .hilton Registrant; and
4. Requiring each prospective registrant to represent and warrant that it is an Eligible .hilton Registrant, that it will comply will all .hilton policies, and that neither the registration of the domain name nor its use infringes or will infringe the legal rights of third parties.

28.5 Measures to Promote Whois Accuracy
HLT Stakis will implement several measures to promote Whois accuracy. HLT Stakis will retain essential contact details for each .hilton domain name in a system that facilitates access to the domain contact information. HLT Stakis intends to implement internal checks and procedures so that Whois data is accurate and complete.

As noted above, HLT Stakis will authenticate that all registrants of .hilton domains are Eligible .hilton Registrants and that only Eligible .hilton Registrants register .hilton domains. Many of the procedures applicable to eligibility verification may also be applied to Whois accuracy.

HLT Stakis will, and its registrars will be contractually required to, periodically check the Whois records of a certain percentage of .hilton domains. More specifically, contact details and relevant .hilton registrant information will be verified, and such information shall be compared against previous Whois records and contact information. HLT Stakis anticipates that Whois records of approximately 25% of .hilton domains will be checked quarterly. If such checks disclose that Whois data is inaccurate, the registrant of the relevant .hilton domain name will be notified and provided with a reasonable period of time within which the inaccuracy must be corrected. A .hilton registrant’s failure to do so will affect its continued use of the .hilton domain in question.

HLT Stakis intends to comply with ICANN’s Whois policies and requirements and to require its registrars to do so. Although the restricted number of Eligible .hilton Registrants makes it quite unlikely that .hilton domains will be the subject of Whois Data Problem Reports, registrars of .hilton domains will be required to promptly and thoroughly respond to such reports. In addition, .hilton-accredited registrars must comply with the Whois Data Reminder Policy and may be requested to provide HLT Stakis with documentation of their compliance efforts.

28.6 Resourcing Plans
Responsibility for abuse mitigation rests with a variety of functional groups. The Abuse Monitoring team is primarily responsible for providing analysis and conducting investigations of reports of abuse. The customer service team also plays an important role in assisting with the investigations, responded to customers, and notifying registrars of abusive domains. Finally, the Policy⁄Legal team is responsible for developing the relevant policies and procedures.

The necessary resources will be pulled from the pool of available resources described in detail in the response to Question 31. The following resources are available from those teams:

Customer Support – 12 employees
Policy⁄Legal – 2 employees

The resources are more than adequate to support the abuse mitigation procedures of the .hilton registry.

Similar gTLD applications: (0)