Michele, there's this thing called fastflux NS as well Host the NS on compromised nodes with a low TTL and you just don't need to find an ISP or dns provider to host NS for you. As for the defamatory / sweeping statements thing - I will only say that an analysis of the number of .at / .lv etc domains turning up in traps, honeypots, bls etc tends to bear out an impression that once criminals find a gTLD or ccTLD where terminations are slow to non existent, they will crowd on to it, in increasingly larger numbers. .hk found that out the hard way some years back and it took a lot of data passed to hkdnr, and a lot of convincing and/or pressure on them from a variety of sources (including, presumably, some official ones) made them take several steps to lock their ccTLD down. There should be a presentation somewhere from HKDNR's Bonnie Chun talking about their experiences and the steps they took to ensure this doesn't recur. I can tell you for sure that soon after the largescale termination of like thousands of .hk domains in a matter of days, the domains started to crop up on a provider in another (very small) asian nation, where a simple email to a trusted contact there was enough to get them turfed off, very quickly indeed. They didn't ever come back there as far as my statistics show - and this is from nearly a decade back. This is absolutely not behavior restricted to registrars or TLDs. If you find a colo host that is lackadaisical about abuse issues for whatever reason, that provider will pretty soon find his service overrun with spammers, bot c&c, irc kiddiez and whatever else, compared to providers that run a tighter ship wrt abuse mitigation. So, I am sorry to say but furio's statements are fairly accurate, though they may be a trifle more blunt than some can take. thanks -srs On Thursday, June 27, 2013, Michele Neylon :: Blacknight wrote:
Furio
If you're going to make statements about 3rd parties you should try to restrict yourself to facts and not make broad sweeping statements.
On 27 Jun 2013, at 14:13, furio ercolessi <furio+as@spin.it <javascript:;>> wrote:
Therefore the responsibility for terminating C&C domains lies on the registries, not on the DNS providers (that may not even exist).
Not necessarily.
If registries are going round the place pulling domains it causes headaches for registrars - and the registries don't have a contract / agreement with the registrant
While this may be different with ccTLDs you haven't specified that you're only referring to cctlds ..
And I don't see how a domain can resolve without a DNS provider - that makes zero sense.
The .AT and .LV cases have been two rather dramatic cases where the registries were sitting there doing nothing for a very long time, while the word spread among criminals that they were a 'safe haven'.
That's highly defamatory.
I don't think the managers of either ccTLD would appreciate anyone referring to them using that tone.
Similar problems have then occurred in .PL and .RU as well.
Again - broad sweeping statements.
I'd take you more seriously if you referred to the current state of play and not some past issues that have been addressed
Luckily, the times have changed and country CERTs are nowadays much more aware of the C&C problem and of the need to take down those domains swiftly.
Irrelevant statement
CERTs have little impact on registry operations when they're run by private entities
As it often happens with large organizations, 'learning' may be very slow and may need to be stimulated by external forces - not because of lack of capacity of the individuals working in the organizations to understand the issue, but because of the fear of those individuals to break a complex set of rules, and the possible need to have those rules changed to avoid breaking them.
I believe that all the external forces working on this problem - Spamhaus, Cymru, Shadowserver, SURBL, GTSC, ISC, Trend Micro and others - have played and are playing a very important role in interacting with registries and CERTs regarding cybercrime domains, even more so when those interactions have to be a little 'rough' to get some traction. Nobody likes friction i think, but sometimes it is needed to shake things and see some action.
furio ercolessi
Mr Michele Neylon Blacknight Solutions ♞ Hosting & Domains ICANN Accredited Registrar http://www.blacknight.co http://blog.blacknight.com/ Intl. +353 (0) 59 9183072 US: 213-233-1612 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Facebook: http://fb.me/blacknight Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
-- --srs (iPad)