28 Abuse Prevention and Mitigation

Prototypical answer:

28.1 Abuse Prevention and Mitigation

NBA Registry, LLC (ʺNBA Registryʺ) and its registry service provider, Neustar, understand that preventing and mitigating abuse and malicious conduct in the .nba TLD is a weighty and critical responsibility. NBA Registry will leverage Neustarʹs extensive experience in establishing and implementing registration policies to prevent and mitigate abusive and malicious domain activity within the proposed .nba space.

A responsible domain name registry works towards the eradication of abusive domain name registrations and malicious conduct, including, but not limited to, those resulting from:

- Illegal or fraudulent actions
- Spam
- Phishing
- Pharming
- Distribution of malware
- Fast flux hosting
- Botnets
- Distribution of child pornography
- Online sale or distribution of illegal pharmaceuticals.

By taking an active role in researching and monitoring botnets that use fast-flux DNS, NBA Registryʹs partner, Neustar, has developed the ability to efficiently work with various law enforcement and security communities to begin a new phase of mitigation of these types of threats.

Policies and Procedures to Minimize Abusive Registrations

A registry must have the policies, resources, personnel, and expertise in place to combat such abusive DNS practices. Neustar, NBA Registryʹs registry services provider, has taken a prominent role in preventing such abusive practices and is one of the few registry operators that has developed and implemented an active ʺdomain takedownʺ policy. NBA Registry believes that combating DNS abuse is important in protecting registrants.

Removing the domain name from the zone before it can cause harm is often the best preventative measure for thwarting certain malicious conduct such as botnets and malware distribution. Because removing a domain name from the zone will stop all activity associated with it, including websites and e-mail, a zone removal decision should follow a thorough and documented process, culminating in a determination that the domain name at issue threatens the security and stability of the registry or the Internet.

Abuse Point of Contact

As required by the Registry Agreement, NBA Registry will establish and publish on its website a single abuse point of contact responsible for addressing inquiries from law enforcement and the public related to malicious and abusive conduct in the .nba TLD. NBA Registry will also provide this information to ICANN before delegating any domain names in the .nba TLD. This information shall consist of, at a minimum, a valid e-mail address dedicated solely to the handling of malicious conduct complaints, and a telephone number and mailing address for the primary contact. NBA Registry will ensure that this information is accurate and complete, and will provide updated information to ICANN as needed. In addition, Neustar, shall have an additional point of contact, as it does today, for ICANN-accredited registrars that have entered into a Registry-Registrar agreement with NBA Registry.

28.2 Policies Regarding Abuse Complaints

NBA Registry will adopt and implement an Acceptable Use Policy that (i) clearly delineates the types of activities that will not be permitted in .nba; (ii) reserves NBA Registryʹs right to lock, cancel, transfer, or otherwise suspend or take down domain names violating the Acceptable Use Policy; and (iii) identifies the circumstances under which NBA Registry may share information with law enforcement. NBA Registry will incorporate its .nba Acceptable Use Policy into its Registry-Registrar Agreement. Under the .nba Acceptable Use Policy, which is set forth below, NBA Registry may lock down the domain name to prevent any changes to the domain name contact and nameserver information, place the domain name ʺon hold,ʺ rendering the domain name non-resolvable, transfer the domain name to another registrar, and⁄or in cases in which the domain name is associated with an ongoing law enforcement investigation, substitute name servers to collect information about the DNS queries to assist the investigation.

It is important to note that NBA Registry intends that registration and use of .nba domains will be restricted to itself, its Affiliates, and the contracted partners of NBA Registry and its Affiliates; that there will be no resellers of .nba domains; and that there will be no market in .nba domains. Accordingly, the potential for abusive registration, malicious conduct, and other activities that have a negative impact on Internet users is minimal. In the unlikely event that such abuse occurs, NBA Registry and its registry service provider, Neustar, will implement the following policies and processes to manage such activities.

.nba Acceptable Use Policy

This Acceptable Use Policy gives NBA Registry the ability to quickly lock, cancel, transfer or take ownership of any .nba domain name, either temporarily or permanently, if the domain name is being used in a manner that appears to threaten the stability, integrity or security of NBA Registry, or any of its registrar partners - and⁄or that may put the safety and security of any registrant or user at risk. The process also allows NBA Registry to take preventive measures to avoid any such criminal or security threats.

The Acceptable Use Policy may be triggered through a variety of channels, including, among other things, private complaint, public alert, government or enforcement agency outreach, and the on-going monitoring by NBA Registry or its partners. In all cases, NBA Registry or its designees will alert NBA Registryʹs registrar partners about any identified threats, and will work closely with them to bring offending sites into compliance.

The following are some (but not all) activities that may be subject to rapid domain compliance:

- Phishing: the attempt to acquire personally identifiable information by masquerading as a website other than .nbaʹs own.
- Pharming: the redirection of Internet users to websites other than those the user intends to visit, usually through unauthorized changes to the Hosts file on a victimʹs computer or DNS records in DNS servers.
- Dissemination of Malware: the intentional creation and distribution of ʺmaliciousʺ software designed to infiltrate a computer system without the ownerʹs consent, including, without limitation, computer viruses, worms, key loggers, and Trojans.
- Fast Flux Hosting: a technique used to shelter Phishing, Pharming and Malware sites and networks from detection and to frustrate methods employed to defend against such practices, whereby the IP address associated with fraudulent websites are changed rapidly so as to make the true location of the sites difficult to find.
- Botnetting: the development and use of a command, agent, motor, service, or software which is implemented: (1) to remotely control the computer or computer system of an Internet user without their knowledge or consent, (2) to generate direct denial of service (DDOS) attacks.
- Malicious Hacking: the attempt to gain unauthorized access (or exceed the level of authorized access) to a computer, information system, user account or profile, database, or security system.
- Child Pornography: the storage, publication, display and⁄or dissemination of pornographic materials depicting individuals under the age of majority in the relevant jurisdiction.

NBA Registry reserves the right, in its sole discretion, to take any administrative and operational actions necessary, including the use of computer forensics and information security technological services, among other things, in order to implement the Acceptable Use Policy. In addition, NBA Registry reserves the right to deny, cancel or transfer any registration or transaction, or place any domain name(s) on registry lock, hold or similar status, that it deems necessary, in its discretion; (1) to protect the integrity and stability of the registry; (2) to comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process; (3) to avoid any liability, civil or criminal, on the part of NBA Registry as well as its affiliates, subsidiaries, officers, directors, and employees; (4) per the terms of the registration agreement or (5) to correct mistakes made by NBA Registry or its authorized registrars in connection with a domain name registration. NBA Registry also reserves the right to place upon registry lock, hold or similar status a domain name during resolution of a dispute.

Monitoring for Malicious Activity

NBA Registryʹs registry service provider, Neustar, has a leading role in preventing abusive DNS practices. Neustar is one of only a few registry operators that has developed and implemented an active ʺdomain takedownʺ policy in which the registry itself takes down abusive domain names.

Neustarʹs approach is quite different from other gTLD registries and the results have been unmatched. Neustar targets verified abusive domain names and removes them within 12 hours - regardless of whether the domain name registrar cooperates because Neustar has determined that the interest in removing such threats outweighs any potential damage to the registrar⁄registrant relationship.

NBA Registry plans to restrict registration and use of .nba domains to itself, its Affiliates, and their contracted partners. These registration eligibility restrictions make it unlikely that any .nba domains will be taken down. Moreover, only registrars that contractually agree to cooperate in stemming abusive behaviors will be permitted to register .nba domain names.

Neustarʹs active prevention policies stem from the notion that registrants in the .nba TLD have a reasonable expectation that they control the data associated with their domains, especially its presence in the DNS zone. Removing a domain name before it can cause harm is often the best preventative measure for thwarting certain malicious conduct such as botnets and malware distribution that harms not only the domain name registrant, but also potentially millions of unsuspecting Internet users.

Rapid Takedown Process

Since implementing the program, Neustar has developed two basic variations of the process. The more common process variation is a light-weight process that is triggered by ʺtypicalʺ notices. The less common variation is the full process that is triggered by unusual notices which generally allege that a domain name is being used to threaten the stability and security of the TLD, or is part of a real-time investigation by law enforcement or security researchers. These processes are described below:

Lightweight Process

In addition to having an active Information Security group that, on its own initiative, seeks out abusive practices in the TLD, Neustar is an active member in a number of security organizations that have the expertise and experience in receiving and investigating reports of abusive DNS practices, including but not limited to, the Anti-Phishing Working Group, Castle Cops, NSP-SEC, the Registration Infrastructure Safety Group and others. Each of these sources is a well-known security organization that has a reputation for preventing abuse and malicious conduct on the Internet. Aside from these organizations, Neustar also actively participates in privately run security associations that operate based on trust and anonymity, making it much easier to obtain information regarding abusive DNS activity.

Once a complaint is received from a trusted source, third-party, or detected by Neustarʹs internal security group, information about the abusive practice is forwarded to an internal mail distribution list that includes members of the operations, legal, support, engineering, and security teams for immediate response (ʺCERT Teamʺ). Although the impacted URL is included in the notification e-mail, the CERT Team is trained not to investigate the URLs themselves because the URLs in question often have scripts, bugs, etc. that can compromise the individualʹs own computer and the network safety. Rather, the investigation is conducted by CERT Team members who can access the URLs in a laboratory environment to avoid compromising the Neustar network. The lab environment is designed specifically for these types of tests and is scrubbed on a regular basis to ensure that none of Neustarʹs internal or external network elements are harmed in any fashion.

Once the complaint has been reviewed and the alleged abusive domain name activity is verified to the best of the ability of the CERT Team, the sponsoring registrar has 12 hours to investigate the activity and either (a) take down the domain name through a hold or deletion; or (b) provide the registry with a compelling argument why to keep the domain name in the zone.

The .nba registry will place the domain on ʺServerHoldʺ if the registrar has not acted within the 12-hour period. ServerHold removes the domain name from the TLD zone, but the domain name record still appears in the TLD WHOIS database so that the name and entities can be investigated by law enforcement.


Full Process

If Neustar receives a complaint that claims a domain name is being used to threaten the stability and security of the .nba TLD or is a part of a real-time investigation by law enforcement or security researchers, Neustar follows a slightly different course of action.

Upon initiation of this process, CERT Team members are paged and a teleconference bridge is immediately opened up for the CERT Team to assess if the activity warrants immediate action. If the CERT Team determines the incident is not an immediate threat to the security and the stability of critical internet infrastructure, the CERT Team provides documentation to the Neustar Network Operations Center to clearly capture the rationale for the decision and refer the incident to the Lightweight process set forth above or closes. The incident is closed if no abusive practice is discovered.

However, if the CERT TEAM determines there is a reasonable likelihood that the incident warrants immediate action, the domain name is immediately removed from the zone. Customer Support immediately contacts the responsible registrar to identify the domain name in question and inform the registrar that it is involved in a security and stability issue. To protect the source of the complaint and evidentiary chain of custody considerations, the registrar may not be given detailed information regarding the complaint or data and evidence that has been collected.

Coordination with Law Enforcement & Industry Groups

Neustar has a close working relationship with a number of law enforcement agencies, both in the United States and internationally. For example, in the United States, Neustar is in constant communication with the Federal Bureau of Investigation, US CERT, Homeland Security, the Food and Drug Administration, and the National Center for Missing and Exploited Children. Internationally, Neustar has had interaction with organizations that include Interpol, UK SOCA, and the German Federal Police.

Neustar also participates in a number of industry groups aimed at sharing information amongst key industry players about the abusive registration and use of domain names. These groups include the Anti-Phishing Working Group and the Registration Infrastructure Safety Group (where Neustar served for several years on the Board of Directors). Through these organizations and others, Neustar shares information with other registries, registrars, ccTLDs, law enforcement, security professionals, etc. not only on abusive domain name registrations within its own TLDs, but also provides information uncovered regarding domain names in other registriesʹ TLDs. Neustar has found that abuses are rarely found only in the TLDs it manages, but also within other TLDs, such as .com and .info. Neustar routinely shares this information with other registries so that the registry can take the appropriate action.

With the assistance of Neustar as its back-end registry services provider, NBA Registry can meet its obligations under Section 2.8 of the Registry Agreement to take reasonable steps to investigate and respond to reports from law enforcement and governmental and quasi-governmental agencies of illegal conduct in connection with the use of the .nba TLD. NBA Registry and⁄or Neustar will respond to legitimate law enforcement inquiries within one business day from receiving the request. Such response shall include, at a minimum, an acknowledgement of receipt of the request, questions or comments concerning the request, and an outline of the next steps to be taken by NBA Registry and⁄or Neustar to resolve the request rapidly.

If the request involves any of the activities that NBA Registry and⁄or Neustar can validate and involves the activity covered by the Acceptable Use Policy, the sponsoring registrar will have 12 hours to investigate the activity further and either (a) take down the domain name through a hold or deletion; or (b) provide the registry with a compelling argument why to keep the domain name in the zone. If the registrar has not acted within the 12-hour period (i.e., is unresponsive to the request or refuses to take action), Neustar places the domain on ʺserverHoldʺ.

28.3 Measures for Removal of Orphan Glue Records

As the Security and Stability Advisory Committee of ICANN (SSAC) rightly acknowledges, although orphaned glue records may be used for abusive or malicious purposes, the ʺdominant use of orphaned glue supports the correct and ordinary operation of the DNS.ʺ See http:⁄⁄www.icann.org⁄en⁄committees⁄security⁄sac048.pdf.

While orphan glue often support correct and ordinary operation of the DNS, such glue records can be used maliciously to point to name servers that host domains used in illegal phishing, bot-nets, malware, and other abusive behaviors. Problems occur when the parent domain of the glue record is deleted but its children glue records still remain in DNS. Therefore, when NBA Registry has written evidence of actual abuse of orphaned glue, it will remove those records from the zone to mitigate such malicious conduct.

Neustar runs a daily audit of entries in its DNS systems and compares those with its provisioning system, which serves as an umbrella protection to confirm that items in the DNS zone are valid. Any DNS record that shows up in the DNS zone but not in the provisioning system is flagged for investigation and removed if necessary. This daily DNS audit prevents orphaned hosts and also flags other records that should not be in the zone.

In addition, if either NBA Registry or Neustar becomes aware of actual abuse on orphaned glue after receiving written notification by a third party through its Abuse Contact or through its customer support, such glue records will be removed from the zone.

28.4 Authentication of Registrant Information

As stated in its response to Question 18, it is anticipated that only NBA Registry, its Affiliates, and the contracted partners of NBA Registry and its Affiliates will be permitted to register and use .nba domain names. Before a .nba domain name is registered, NBA Registry will confirm through certain procedures that all registrants are Eligible .nba Registrants and that only Eligible .nba Registrants are permitted to register .nba domain names.

NBA Registry will coordinate with its Affiliates and contracted partners to compile a list of the entities that are Eligible .nba Registrants and the persons authorized to register .nba domain names on their behalf. NBA Registry will require all registrars that wish to enter into a Registry-Registrar Agreement to agree to abide by strict domain name registration guidelines. Each qualified registrar must validate certain contact information to determine if a potential registrant is an Eligible .nba Registrant before proceeding with a .nba registration.

Registrars may use a number of procedures for eligibility verification, such as:

1. An automated authentication process to authenticate that the prospective registrant is an Eligible .nba Registrant;
2. Registrar-conducted authentication of whether a prospective registrantʹs e-mail address is included in a pre-approved registrant list;
3. Contacting NBA Registry if the registrar is unable to verify that a prospective registrant is an Eligible .nba Registrant; and
4. Requiring each prospective registrant to represent and warrant that it is an Eligible .nba Registrant, that it will comply with all .nba policies, and that neither the registration of the domain name nor its use infringes or will infringe the legal rights of third parties.

28.5 Measures to Promote WHOIS Accuracy

NBA Registry will implement several measures to promote Whois accuracy. NBA Registry will retain essential contact details for each .nba domain name in a system that facilitates access to the domain contact information. NBA Registry intends to implement internal checks and procedures so that Whois data is accurate and complete.

As noted above, NBA Registry will authenticate that all registrants of .nba domains are Eligible .nba Registrants and that only Eligible .nba Registrants register .nba domains. Many of the procedures applicable to eligibility verification may also be applied to Whois accuracy.

NBA Registry will, and its registrars will be contractually required to, periodically check the Whois records of a certain percentage of .nba domains. More specifically, contact details and relevant .nba registrant information will be verified, and such information shall be compared against previous Whois records and contact information. NBA Registry anticipates that Whois records of approximately 25% of .nba domains will be checked quarterly. If such checks disclose that Whois data is inaccurate, the registrant of the relevant .nba domain name will be notified and provided with a reasonable period of time within which the inaccuracy must be corrected. A .nba registrantʹs failure to do so will affect its continued use of the .nba domain in question.

NBA Registry intends to comply with ICANNʹs Whois policies and requirements and to require its registrars to do so. Although the restricted number of Eligible .nba Registrants makes it quite unlikely that .nba domains will be the subject of Whois Data Problem Reports, registrars of .nba domains will be required to promptly and thoroughly respond to such reports. In addition, .nba-accredited registrars must comply with the Whois Data Reminder Policy and may be requested to provide NBA Registry with documentation of their compliance efforts.

28.6 Resourcing Plans

Responsibility for abuse mitigation rests with a variety of functional groups. The Abuse Monitoring team is primarily responsible for providing analysis and conducting investigations of reports of abuse. The customer service team also plays an important role in assisting with the investigations, responded to customers, and notifying registrars of abusive domains. Finally, the Policy⁄Legal team is responsible for developing the relevant policies and procedures.

The necessary resources will be pulled from the pool of available resources described in detail in the response to Question 31. The following resources are available from those teams:

Customer Support - 12 employees
Policy⁄Legal - 2 employees

The resources are more than adequate to support the abuse mitigation procedures of the .nba registry.

Similar gTLD applications: (0)