28 Abuse Prevention and Mitigation
gTLD: .FRL | Applicant: Metaregistrar B.V. | E-mail suffix: metaregistrar.com
Definition of Abuse
Abuse takes on many forms for an entity trying to perform critical registry functions. The forms of abuse we recognize and will actively act against are:
- Fraud in registering domain names: registrants supplying false contact details to hide their identity, or misusing the identity of someone else
- Trying to access registry services with false or stolen credentials in order to transfer a domain name to which there is no legal right
- Trying to retrieve domain name passwords or authorization codes from the registry or associated registrars where there is no legal right to this information
- Trying to block access to registry services by DoS, DDoS, spoofing or any other attack directed at the critical registry services
- Misuse of whois services to gain information about domain names, registrants, admin contacts or technical contacts for spamming or other fraudulent purposes.
- Domain names with websites containing malicious content, such as fake banking websites, fake transport websites, phishing (password-stealing) websites, fake shops
- Domain names with websites containing illegal content such as child pornography, stolen (digital) material, false accusations, anti-social behaviour, harassment or private information about persons.
- Viruses and worms on websites hosted on .FRL domain names
- Hacking activity, either on the website or the services from the registry.
- Orphaned glue records, where domain names are deleted to hide nameserver activity
- Registrars with malicious intent
- Registrar employees with malicious intent
Not strictly abuse, but also addressed in the answer to this question:
- Information in the registry database (or whois) being incorrect because people have moved house or changed e-mail address or telephone number.
- People specifying wrong information because they have a legitimate need to hide (part of) their identity.
The FRL registry is committed to preventing abuse where possible and to resolving any indication of abuse at very short notice. We are aware that phishing and spam cause many problems, and are dedicated to closing down spamming and phishing sites within 24 hrs after notification.
The registry adheres to the notice-and-takedown procedures commonly practised in the Netherlands (and also by our sister company Mijndomein), which state: any website containing fraudulent material that is unmistakable, indisputable and clearly visible must be taken down as soon as possible. In these cases the registrant or registrar will not be heard beforehand, but will be notified of the takedown. In other cases, where fraud is suspected but not unmistakable or indisputable, we will first hear the registrant or registrar and then take appropriate action. If the registrant cannot be reached, the website may be taken down.
Abuse prevention by the registry
- Single point of abuse notification. The website of the registry will contain a contact point for abuse matters that is easy to find. The registry-registrar agreement will state that every associated registrar must register an abuse e-mail address and telephone number, and will contain an SLA for the registrar to respond to queries from the registry. Every abuse case is logged in our support systems. The registry will report monthly on abuse and support cases and adapt policies where necessary.
- Address checks: Every contact created in the registry database will be checked automatically to see whether the address and postal code match. Our company already has these address checks in place, using a database downloaded from Experian QAS. Because this database resides on local disk, we can perform address checks within milliseconds, so the impact on EPP command time is very low. The Experian database is renewed every 3 months; a renewal contract is in place. At this point in time our company only uses Dutch and German data from Experian, but this can easily be expanded to other countries.
- Registrar checks: Every ICANN-accredited registrar that signs up for a connection will be background and credit checked. Our company already has an automated background and credit check in operation, managed by Graydon Nederland B.V. This check is performed via an internet connection to the live databases of Graydon.
- Prevention of EPP service abuse: The EPP services require strong passwords and strict monitoring of the service. The EPP server supports password change on EPP login, and passwords are checked for strength; simple passwords are not accepted.
Registrars connecting to the server are prompted to change their EPP passwords from time to time. This password change will not be enforced, but messages via e-mail or EPP will encourage the EPP user to change passwords on a regular basis.
The connections at the EPP server are monitored for abuse prevention and performance logging. Every session that is created logs its start and end times, and these times are reported daily. If times exceed the standard parameters set in the server, this is reported. Whenever an EPP user exceeds the thresholds for session length or number of EPP sessions, this is reported and the registrar in question is contacted to find out what the problem might be. Sessions that run too long can be terminated, and registrars opening too many sessions can be limited or even blocked for a specific period of time.
- Prevention of unauthorised access to EPP: The EPP server checks the IP addresses of connecting clients. Each registrar can associate IP addresses with the accounts it has created for the employees that may access the website or the EPP server. Address violations and login attempts are logged and reported daily.
- Prevention of abuse by internal registrar employees: Every registrar can create accounts to logon to the Registry website or to EPP. The accounts created are associated with logon profiles, for example read-only accounts can be created, or accounts that have no access to invoicing or payment functions, or accounts that can alter but not create. Registrars will be able to create separate accounts for individual employees, and track activity of their own employees on EPP and on the website of the registry.
- DNS abuse prevention: To prevent DDoS attacks on the DNS service, the registry will employ DDoS protection servers sold by an external company. DNS services will be logged and screened daily. If usage of the service exceeds that of the previous days by a large amount, support personnel will be alerted.
- WHOIS abuse prevention: The whois services of the registry will comply with Dutch privacy law. That means an unregistered user can only see a limited amount of information about a registrant. Full information is only available via the website whois, or to a party entitled to full whois information, such as a registrar or another party with a legitimate right to it.
Only parties with a legitimate need for full whois access will be screened for that need and granted access based on IP address. These connections will be monitored more closely to prevent abuse. The whois server will produce daily reports on whois usage.
The whois server will monitor and log all incoming sessions by IP address. IP addresses consuming too many sessions will be blocked for a period of time. Unblocking can be requested by contacting the registry; registry personnel will verify the legitimacy of the access to the WHOIS and unblock where access is really needed. If usage of the WHOIS service exceeds that of previous periods by a large amount, support personnel will be alerted.
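The EPP session thresholds and IP checks described under "Prevention of EPP service abuse" and "Prevention of unauthorised access to EPP", and the per-IP WHOIS blocking described just above, can be implemented with a small amount of bookkeeping. The following is an added example written for this page; it is not the registry's own code. The thresholds (5 concurrent EPP sessions, 8-hour sessions, 30 WHOIS queries per minute, one-hour block), the registrar ids and the IP addresses are assumptions chosen for the illustration.

```python
"""Connection-policy checks for the EPP and WHOIS front ends.

Constructed example: thresholds, registrar ids and IP addresses are assumed,
not taken from the application or from any real registry system.
"""
from collections import defaultdict, deque

# --- EPP: per-registrar IP allowlist and session thresholds (assumed values) ---
MAX_SESSIONS_PER_REGISTRAR = 5
MAX_SESSION_SECONDS = 8 * 3600


class EppSessionMonitor:
    """Tracks open EPP sessions per registrar and records policy violations."""

    def __init__(self, allowlist):
        # allowlist: registrar id -> set of client IPs the registrar registered
        self.allowlist = allowlist
        self.open = defaultdict(dict)   # registrar -> {session_id: start_ts}
        self.alerts = []                # (kind, registrar, detail) for the daily report

    def login(self, registrar, ip, session_id, ts):
        """Accept or refuse a login; every refusal is logged for the daily report."""
        if ip not in self.allowlist.get(registrar, set()):
            self.alerts.append(("ip_violation", registrar, ip))
            return False
        sessions = self.open[registrar]
        if len(sessions) >= MAX_SESSIONS_PER_REGISTRAR:
            self.alerts.append(("too_many_sessions", registrar, ip))
            return False
        sessions[session_id] = ts
        return True

    def logout(self, registrar, session_id, ts):
        start = self.open[registrar].pop(session_id, None)
        if start is not None and ts - start > MAX_SESSION_SECONDS:
            self.alerts.append(("session_too_long", registrar, session_id))

    def reap(self, now):
        """Terminate sessions that exceeded the maximum length; return their ids."""
        cut = []
        for registrar, sessions in self.open.items():
            for sid, start in list(sessions.items()):
                if now - start > MAX_SESSION_SECONDS:
                    del sessions[sid]
                    self.alerts.append(("session_terminated", registrar, sid))
                    cut.append(sid)
        return cut


# --- WHOIS: per-IP sliding-window rate limit with a temporary block (assumed values) ---
WHOIS_WINDOW_SECONDS = 60
WHOIS_MAX_PER_WINDOW = 30
WHOIS_BLOCK_SECONDS = 3600


class WhoisRateLimiter:
    def __init__(self):
        self.hits = defaultdict(deque)  # ip -> query timestamps inside the window
        self.blocked_until = {}         # ip -> timestamp at which the block expires
        self.daily = defaultdict(int)   # ip -> queries today, for the usage report

    def allow(self, ip, ts):
        """True if the query may be answered; False if rate limited or blocked."""
        if self.blocked_until.get(ip, 0) > ts:
            return False
        window = self.hits[ip]
        while window and ts - window[0] >= WHOIS_WINDOW_SECONDS:
            window.popleft()
        window.append(ts)
        self.daily[ip] += 1
        if len(window) > WHOIS_MAX_PER_WINDOW:
            self.blocked_until[ip] = ts + WHOIS_BLOCK_SECONDS
            window.clear()
            return False
        return True

    def unblock(self, ip):
        """Manual unblock, done only after staff verified the requester's need."""
        self.blocked_until.pop(ip, None)


def volume_alert(today_total, previous_totals, factor=3.0):
    """Alert support when today's volume exceeds the previous days' mean by 'factor'."""
    if not previous_totals:
        return False
    return today_total > factor * (sum(previous_totals) / len(previous_totals))
```

The alerts list and the daily counters are what the daily report is built from; `unblock` is deliberately a separate, manual call so that a block is only lifted after a person has verified the requester, as the text requires.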
- Phishing sites, virus sites or mail spamming sites: The registry will perform a daily scan of all domain names against the databases of Google or other parties that scan for malware. For every incident found, an e-mail is sent to the registrar alerting it to the malicious site. The registry-registrar agreement will hold a service level and penalty for registrars not responding. Metrics will be captured about registrars having more malicious sites than others, and those registrars will be addressed.
- Measures for the accuracy of domain modifications: In addition to the measures that the registrars must take (see next section) the registry will send out messages to the owner contacts of every domain name that is transferred, deleted, or where the registrant is changed. This message is only for information, no answer is required. The message will contain information on how to contact the registry when a change is unwanted.
- Orphaned glue records: We strongly advocate a hard line on orphaned glue records. Whenever a domain name is cancelled or reaches the end of the quarantine period without being renewed, all DNS information related to this domain name is removed. That includes glue records for nameservers under the domain name.
This policy may cause websites that rely on the removed domain's DNS service to stop functioning. We are aware of this and accept that risk. In the case of a normal deletion, the nameservers that once belonged to this domain name will probably no longer function, so glue records pointing to them would be pointless. In the case of a malicious deletion, we do not want them to function anyway.
For the few cases where a domain name is cancelled but its nameservers should keep functioning, the owners of the domain names delegated to those nameservers will have to modify their nameserver information. Since the registry will operate the DNS from the start, we can impose this strict rule on orphaned glue records from the very beginning.
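The glue cleanup described above comes down to one invariant: a host object may carry glue only while the domain it sits under is registered, and deleting a domain removes every host object subordinate to it, even when other domains still delegate to those hosts. The following model is an added example written for this page, not the registry's software; the domain and host names are made up, and it assumes, as the text implies, that .frl registrations are second-level names.

```python
"""Glue cleanup on domain deletion (constructed example; names are made up).

Model: .frl registrations are second-level domains; a host object is 'subordinate'
when its name is, or ends in, a registered .frl domain, and only subordinate hosts
may carry glue. External hosts (under other TLDs) are delegation targets without glue.
"""


class Registry:
    def __init__(self):
        self.domains = {}   # domain -> set of nameserver hostnames it delegates to
        self.hosts = {}     # hostname -> set of glue IPs (empty for external hosts)

    def parent_domain(self, host):
        """The registered domain 'host' sits under (or is), else None for external hosts."""
        labels = host.split(".")
        for i in range(0, len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def add_domain(self, name, nameservers):
        self.domains[name] = set(nameservers)
        for ns in nameservers:
            self.hosts.setdefault(ns, set())

    def add_glue(self, host, ip):
        # Glue only belongs with hosts inside a registered .frl domain.
        if self.parent_domain(host) is None:
            raise ValueError("%s is not subordinate to a registered domain" % host)
        self.hosts.setdefault(host, set()).add(ip)

    def delete_domain(self, name):
        """Delete a domain plus every host object (and its glue) subordinate to it.

        Returns (removed_hosts, affected_domains): the hosts dropped and the other
        domains whose delegation lost a nameserver and must be updated by their owners.
        """
        if name not in self.domains:
            raise KeyError(name)
        del self.domains[name]
        removed = sorted(h for h in self.hosts if h == name or h.endswith("." + name))
        affected = set()
        for host in removed:
            del self.hosts[host]
            for domain, nameservers in self.domains.items():
                if host in nameservers:
                    nameservers.discard(host)
                    affected.add(domain)
        return removed, sorted(affected)

    def orphaned_glue(self):
        """Hosts that still carry glue although their parent domain no longer exists.

        With delete_domain() cleaning up this is always empty; it is the invariant
        a daily report would check.
        """
        return sorted(h for h, ips in self.hosts.items()
                      if ips and self.parent_domain(h) is None)
```

The `affected_domains` list is the part a practitioner wants from the daily report: it names exactly the registrants who, per the policy above, have to move their delegation elsewhere after someone else's domain was deleted.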
Abuse prevention by the associated registrars
The registry – registrar agreement will have Service Levels and penalties in place for those registrars that do not respond quickly and accurately to complaints. It will be the responsibility of the registrar to make sure that its associated resellers respond quickly and adequately to the abuse notifications.
The agreements made with the registrars will be audited on a yearly basis for compliance. The regular (daily and monthly) reporting from the services will indicate registrars that do not adhere to the agreement and they will be contacted.
- WHOIS accuracy measures: Each registrar will be held responsible for yearly whois accuracy checks. The registrar must send notices to the registrants of domain names informing them of the information in the whois. This measure is already in place for several gTLDs, so registrars will easily be able to comply.
- All domain transfers are token (authcode) based. Registrars are only allowed to hand domain transfer tokens to the registrant of the domain name. When a domain transfer is disputed, the registry will be allowed to revert the transfer.
- Measures for accuracy of domain modifications: Every registrar will be required to notify both the domain registrant and the administrative contact of every domain transfer, change of registrant or domain deletion that takes place. The registrar must enable the registrant or the administrative contact to answer this message by clicking a link to either acknowledge or cancel the change. When either one (registrant or admin contact) answers with a negative reply, the change is not allowed to proceed.
The registry will perform a yearly contractual compliance audit on this matter. On every major change (domain transfer, registrant change or domain deletion) the registry will send out notification to the owner. This message is only for information, no answer is required.
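The transfer tokens and the acknowledge/cancel links in the two items above only protect the registrant if the token is unguessable, the link cannot be forged or re-pointed at another domain or change, and one negative reply is enough to stop the change. The example below shows one way to build that, as an added illustration for this page rather than the code of the registry or of any registrar. The signing key, the five-day reply window, the link encoding and the domain names are assumptions made for the illustration.

```python
"""Transfer auth codes and signed ack/cancel links for domain changes.

Constructed example, not the registry's or any registrar's code. The key, TTL,
domain names and link format are assumptions made for the illustration.
"""
import base64
import hashlib
import hmac
import secrets

CONFIRM_TTL_SECONDS = 5 * 24 * 3600   # assumed: contacts get five days to answer


def new_authcode():
    """Unguessable transfer token (128 bits); handed to the registrant only."""
    return secrets.token_urlsafe(16)


def authcode_matches(stored, presented):
    """Constant-time comparison so the check leaks nothing about the stored code."""
    return hmac.compare_digest(stored.encode(), presented.encode())


def _mac(key, payload):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def make_link_token(key, domain, change, role, expires_at):
    """Opaque, URL-safe parameter for the ack/cancel link sent to one contact."""
    payload = "|".join([domain, change, role, str(expires_at), secrets.token_hex(8)])
    raw = payload + "|" + _mac(key, payload)
    return base64.urlsafe_b64encode(raw.encode()).decode()


def verify_link_token(key, token, now):
    """Return the token's fields, or None if forged, malformed or expired."""
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    parts = raw.split("|")
    if len(parts) != 6:
        return None
    payload, tag = "|".join(parts[:5]), parts[5]
    if not hmac.compare_digest(_mac(key, payload), tag):
        return None
    domain, change, role, expires_at = parts[0], parts[1], parts[2], int(parts[3])
    if now > expires_at:
        return None
    return {"domain": domain, "change": change, "role": role}


class PendingChange:
    """A transfer, registrant change or deletion awaiting the contacts' replies."""

    def __init__(self, key, domain, change, now):
        self.key, self.domain, self.change = key, domain, change
        self.expires_at = now + CONFIRM_TTL_SECONDS
        self.answers = {}   # role -> "ack" or "cancel"
        # One distinct link per contact, so the record shows who answered.
        self.links = {role: make_link_token(key, domain, change, role, self.expires_at)
                      for role in ("registrant", "admin")}

    def reply(self, token, answer, now):
        """Record a click on an ack/cancel link; False if the token is not valid here."""
        info = verify_link_token(self.key, token, now)
        if info is None or (info["domain"], info["change"]) != (self.domain, self.change):
            return False
        if answer not in ("ack", "cancel"):
            return False
        self.answers[info["role"]] = answer
        return True

    def may_proceed(self):
        """A single negative reply from either contact blocks the change."""
        return "cancel" not in self.answers.values()
```

The MAC binds the link to the domain, the kind of change, the contact role and the expiry, so a link mailed for a transfer of one domain cannot be replayed to approve the deletion of another; the nonce keeps two links for the same change distinct. As in the text, silence does not block the change, only an explicit cancel does.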
Policies for structural abuse
The registry-registrar contracts will hold penalties for registrars that abuse the systems.
Any registrar caught abusing the registry systems will be warned formally, and the following penalties can be invoked:
- Temporary denial of whois access
- Temporary denial of EPP access / website access
- Permanent denial of whois access
- Permanent denial of EPP access / website access
- Ending the Registrar-Registry agreement
Resources:
The resource identifiers used in this document are detailed in the text of question 46.
Resourcing for abuse prevention in the startup phase
Resource | Role | Task | Effort |
R.1 | System engineer | Set up infrastructure and DDoS appliances | 2 days |
R.4 | Information security manager | Determine abuse procedures | 3 days |
R.6 | Project lead | Abuse prevention within the software | 1 day |
R.7 | Programmer | Program abuse prevention mechanisms | 1 day |
R.8 | Tester | Test mechanisms | 1 day |
R.10 | General manager | Determine abuse procedures | 1 day |
Resourcing for abuse prevention in the maintaining phase
Resource | Role | Task | Effort |
R.2 | Operations engineer | Infrastructure maintenance | 1 day/year |
R.4 | Information security manager | Yearly review of abuse prevention procedures | 1 day/year |
R.5 | Support personnel | Handles abuse calls that come from outside the registry | 30 days/year |
R.6 | Project lead | Oversee programming changes | 1 day/year |
R.7 | Programmer | Program changes | 5 days/year |
R.8 | Tester | User acceptance test | 1 day/year |
R.9 | Release manager | Release software | 1 day/year |
R.10 | General manager | Abuse escalation procedures | 2 days/year |
T.3 | Quality assurance team | Audits the abuse prevention and mitigation procedures | once a year |
Since the FRL registry is not a large registry, with probably fewer than 10 ICANN-accredited registrars connecting, the staff needed to resource the abuse prevention mechanisms can be kept at a limited level. Some functions can be combined with other functions to keep staffing as lean as possible.