Threat Level: green Handler on Duty: Renato Marinho

SANS ISC: Are you getting I-CANNED ? - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Are you getting I-CANNED ?

One year ago, I already covered the impact that ICANN's latest money grab was having on security, see https://isc.sans.edu/forums/diary/httpsyourfakebanksupport+TLD+confusion+starts/18651/. ICANN is the organization that rules the Interwebs, and decides which "top level" domain names can be used. A while back, they decided that they needed more money, and embarked on a "manifest destiny" like trek to discover domain name lands that they could homestead for free, and then sell to the highest bidder.

Thanks to this, we now have generic top level domains (gTLDs) like ".support" and ".shop" and ".buy" and ".smile", in addition to ".com", ".net" & co. Some of these new native lands that ICANN offers seem to be rich in gold or silver, since A LOT OF MONEY is changing hands for the privilege to own one of these freshly plowed plots of cyberspace.

The problem is, most newly arriving settlers are outlaws, and there is no sheriff in town! For example, this past week, most of the redirector pages leading to exploit kits were domiciled under the new gTLDs .top and .xyz.  To add insult to injury, some of the miscreants that register these domains don't even TRY to hide. They use the same name and email address for six, eight weeks in a row.  Once a domain of theirs gets blacklisted by filters, the bad guys already have 10 other domains registered, and they simply relocate.

Two weeks ago, ICANN published their "Revised Report on New gTLD Program Safeguards to Mitigate DNS Abuse", suggesting - at least on the surface - that they are aware of what is going on. But let me share a couple of nuggets:

[...] ICANN and its various supporting organizations have some purview over registration issues through the policy-making and enforcement processes, while use issues are more difficult to confront given ICANN’s limited authority over how registrants use their domain names.  [Translation: Malware TLDs are not our fault]

The ICANN-sponsored survey referenced above reported that consumer trust in new gTLDs is much lower than in legacy TLDs, with approximately 50% of consumers reporting trust in new versus approximately 90% reporting trust in legacy TLDs.  [Translation: Well, DUH! Sometimes, consumers are right!]

[...] New TLD domains are more than twice as likely as legacy TLDs to appear on a domain blacklist—a list of domains of known spammers— within their first month of registration. [Translation: We knew this was going to happen, but lets conduct another study while we rake in the dough]

The report goes on to list the "Nine Safeguards" that ICANN put in place to prevent abuse. All of them make perfect sense. What is glaringly obviously missing, though, is what I would suggest as Safeguard #10: "A registrar where more than 1% of their registered domains, or more than 0.01% of the registered domains per TLD,  end up on a public blacklist (like Google SafeBrowsing) shall receive a warning, and upon reoccurrence within 3 months, have their license to act as a registrar withdrawn by ICANN with immediate effect."

That whole "Oh we can't do anything about how domains are USED" cop-out is utter bull. ICANN raked in piles of $$ in the gTLD land grab, and they can afford to hire auditors who compare the zone files against the public block lists, and take decisive action against the registrars that feed on the bottom. Financial institutions have a FTC enforced "red flag rule" that requires them to know who they do business with, or face the consequences. Why don't registrars?

As as (small) upside, ICANN helpfully publishes a list of all the new gTLD domains. If you are running a corporate web filter, I suggest you simply chuck them all onto the BLACKLIST, no questions asked, and keep them blocked. Fallout will likely be minimal. You can always re-open a specific gTLD once you had 20 or so really worthwhile and business relevant white listing requests for domains under it. Odds are, 95% of the new gTLDs will never reach that threshold. And by blocking them by default, you are bound to keep lots and lots of malware, spam and phishing URLs at bay.

Here's a special shout-out to Charity Baker aka Jaclyn Latonio, who yesterday registered about 200 typo domains like citgibank.com, symanpec.com, jpmoragan.com, etc, showing how such blatantly obvious abuse is not limited to the new gTLDs. Rather, lack of oversight, accountability and enforcement are the core of the system. Makes one wonder where all that money goes.

You are welcome, ICANN. Consider this my public input to your request for comment.

 

 

Daniel

367 Posts
ISC Handler
Further evidence that any half-decent URL filter should support blocking of newly created domains (e.g. 2 weeks, a month, whatever you want to set).
BeigeHat

3 Posts Posts
There are a number of banks, mortgage companies, etc that are registering their own TLDs. Rather than "block all" there should be a process to validate domain efficacy since there is the potential for a great deal of good for these legit company-owned domains. I grok why you said block by default, but it will mean that we lose the opportunity to build better security into services.
hrbrmstr

1 Posts Posts
Blocking the new TLDs now gives organization a head start on the 'default deny' best practice. It is a lot more work to move to a default deny posture with .com, .net, .org, .edu domains than it would be for all of the other TLDs that are out there.
Do it now, and save yourself the trouble later.
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!