Michele, there&#39;s this thing called fastflux NS as well<div><br></div><div>Host the NS on compromised nodes with a low TTL and you just don&#39;t need to find an ISP or dns provider to host NS for you.</div><div><br></div>
<div>As for the defamatory / sweeping statements thing - I will only say that an analysis of the number of .at / .lv etc domains turning up in traps, honeypots, bls etc tends to bear out an impression that once criminals find a gTLD or ccTLD where terminations are slow to non existent, they will crowd on to it, in increasingly larger numbers.</div>
<div><br></div><div>.hk found that out the hard way some years back and it took a lot of data passed to hkdnr, and a lot of convincing and/or pressure on them from a variety of sources (including, presumably, some official ones) made them take several steps to lock their ccTLD down.</div>
<div><br></div><div>There should be a presentation somewhere from HKDNR&#39;s Bonnie Chun talking about their experiences and the steps they took to ensure this doesn&#39;t recur.  </div><div><br></div><div>I can tell you for sure that soon after the largescale termination of like thousands of .hk domains in a matter of days, the domains started to crop up on a provider in another (very small) asian nation, where a simple email to a trusted contact there was enough to get them turfed off, very quickly indeed.  They didn&#39;t ever come back there as far as my statistics show - and this is from nearly a decade back.</div>
<div><br></div><div> This is absolutely not behavior restricted to registrars or TLDs.  If you find a colo host that is lackadaisical about abuse issues for whatever reason, that provider will pretty soon find his service overrun with spammers, bot c&amp;c, irc kiddiez and whatever else, compared to providers that run a tighter ship wrt abuse mitigation.  So, I am sorry to say but furio&#39;s statements are fairly accurate, though they may be a trifle more blunt than some can take.</div>
<div><br></div><div>thanks</div><div>-srs<span></span><br><br>On Thursday, June 27, 2013, Michele Neylon :: Blacknight  wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Furio<br>
<br>
If you&#39;re going to make statements about 3rd parties you should try to restrict yourself to facts and not make broad sweeping statements.<br>
<br>
On 27 Jun 2013, at 14:13, furio ercolessi &lt;<a href="javascript:;" onclick="_e(event, &#39;cvml&#39;, &#39;furio+as@spin.it&#39;)">furio+as@spin.it</a>&gt; wrote:<br>
<br>
&gt;<br>
&gt;<br>
&gt; Therefore the responsibility for terminating C&amp;C domains lies on the<br>
&gt; registries, not on the DNS providers (that may not even exist).<br>
<br>
Not necessarily.<br>
<br>
If registries are going round the place pulling domains it causes headaches for registrars - and the registries don&#39;t have a contract / agreement with the registrant<br>
<br>
While this may be different with ccTLDs you haven&#39;t specified that you&#39;re only referring to cctlds ..<br>
<br>
And I don&#39;t see how a domain can resolve without a DNS provider - that makes zero sense.<br>
<br>
<br>
&gt;<br>
&gt; The .AT and .LV cases have been two rather dramatic cases where the<br>
&gt; registries were sitting there doing nothing for a very long time, while<br>
&gt; the word spread among criminals that they were a &#39;safe haven&#39;.<br>
<br>
<br>
That&#39;s highly defamatory.<br>
<br>
I don&#39;t think the managers of either ccTLD would appreciate anyone referring to them using that tone.<br>
<br>
<br>
&gt; Similar problems have then occurred in .PL and .RU as well.<br>
<br>
Again - broad sweeping statements.<br>
<br>
I&#39;d take you more seriously if you referred to the current state of play and not some past issues that have been addressed<br>
<br>
<br>
<br>
&gt;<br>
&gt; Luckily, the times have changed and country CERTs are nowadays<br>
&gt; much more aware of the C&amp;C problem and of the need to take down those<br>
&gt; domains swiftly.<br>
<br>
Irrelevant statement<br>
<br>
CERTs have little impact on registry operations when they&#39;re run by private entities<br>
<br>
<br>
&gt;  As it often happens with large organizations,<br>
&gt; &#39;learning&#39; may be very slow and may need to be stimulated by external<br>
&gt; forces - not because of lack of capacity of the individuals working<br>
&gt; in the organizations to understand the issue, but because of the fear<br>
&gt; of those individuals to break a complex set of rules, and the possible<br>
&gt; need to have those rules changed to avoid breaking them.<br>
&gt;<br>
&gt; I believe that all the external forces working on this problem -<br>
&gt; Spamhaus, Cymru, Shadowserver, SURBL, GTSC, ISC, Trend Micro and<br>
&gt; others - have played and are playing a very important role in<br>
&gt; interacting with registries and CERTs regarding cybercrime domains,<br>
&gt; even more so when those interactions have to be a little &#39;rough&#39;<br>
&gt; to get some traction.  Nobody likes friction i think, but sometimes<br>
&gt; it is needed to shake things and see some action.<br>
&gt;<br>
&gt; furio ercolessi<br>
<br>
<br>
<br>
Mr Michele Neylon<br>
Blacknight Solutions ♞<br>
Hosting &amp; Domains<br>
ICANN Accredited Registrar<br>
<a href="http://www.blacknight.co" target="_blank">http://www.blacknight.co</a><br>
<a href="http://blog.blacknight.com/" target="_blank">http://blog.blacknight.com/</a><br>
Intl. +353 (0) 59  9183072<br>
US: 213-233-1612<br>
Locall: 1850 929 929<br>
Direct Dial: +353 (0)59 9183090<br>
Facebook: <a href="http://fb.me/blacknight" target="_blank">http://fb.me/blacknight</a><br>
Twitter: <a href="http://twitter.com/mneylon" target="_blank">http://twitter.com/mneylon</a><br>
-------------------------------<br>
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty<br>
Road,Graiguecullen,Carlow,Ireland  Company No.: 370845<br>
<br>
</blockquote></div><br><br>-- <br>--srs (iPad)<br>