In my previous blog, I explained why SIDN has a Notice-and-Take-Down Policy and described the safeguards associated with it. In the last resort, SIDN will remove a domain name from the zone if it's being used to publish content that's clearly illegal or unlawful. Our Notice-and-Take-Down Policy covers the way we respond to third-party takedown requests. However, we sometimes take down domain names of our own accord as well. And we're thinking of adopting even more proactive policies.
SIDN takedowns as part of Abuse204.nl
We recently announced that we were going to take down domain names of our own accord [link] in the context of the programme called Abuse204.nl ('abuse to zero for .nl'). Within Abuse204.nl, we receive information from a specialist abuse detection organisation. If malware or phishing is detected, we warn the registrant, registrar and hoster, and ask them to take appropriate action.
Average up time of malicious sites cut significantly
With the help of several partners, we started Abuse204.nl in 2014. Since then, we've seen the average up time of phishing and malware sites in the .nl domain fall from about two hundred hours to twenty-four. About 70 per cent of the notices we send out get a cooperative response, and the malicious content is removed within twenty-four hours. Removal sometimes involves cleaning up 'innocent' websites that have been infected, and sometimes it involves the whole site being taken off line or the domain name being deleted.
If stakeholders closer to the source don't act, we do
Although we quickly notify the various stakeholders whenever an issue is detected, and they usually take prompt action, a small percentage of abuse sites are still on line several days after detection. That's highly undesirable, because the sites can be claiming victims all that time. So we've adopted the policy of taking action ourselves if no one closer to the source does anything within 114 hours of the initial alert. The only useful course of action open to us is to remove the domain name from the zone. Since December 2016, we've had to do that forty times.
As I said, we never disable a domain name lightly. We take a very careful approach. In every case, multiple messages are sent to the abuse notification address and the other contact addresses we have for the registrant, the hoster and the registrar, asking them to take action. Where possible, we follow up those messages with phone calls. And, before we actually take the name off line, we check via another source whether the malware or the phishing content is still live. An impact assessment is made as well, so that we can be sure that intervention won't have any disproportionate negative consequences. Fortunately, we haven't yet come across a case where there was cause for concern in that regard. So, wherever the notification process doesn't result in the offending content being taken off line, our intervention does.
Shorter lead times
For the time being, we're sticking with the cautious intervention trip-time of 114 hours. That decision is informed by the knowledge that most phishing victims are hooked in the first few hours after the site goes live. Nevertheless, we believe that our programme will be more effective if in due course we start intervening sooner. We want intervention to remain a last resort, but we think that the programme's effectiveness would be enhanced if we could encourage stakeholders to respond to our notices sooner and take ownership of the problem.
On the horizon: faster detection of phishing domains
Our team at SIDN Labs (www.sidnlabs.nl) is working on a smart aggregated detection method, which will use a set of parameters to quickly define registration risk profiles. The method will make use of data that we process in our registry role. When it comes into service, we'll be able to tell registrants, registrars and hosters more quickly and more fully about suspect registrations and take action ourselves when we need to.
One thing we see quite often is domain names being registered specifically for phishing or the propagation of malware (including ransomware). Not long ago, for example, there was a rash of registrations for fake transport companies, aimed at spreading ransomware. A trend like that can come to light at any moment. Once we detect a trend, we look particularly closely at any registration containing the suspect key word (in the case described, 'transport').
With a trend like that, the detection methodology is fairly simple. However, SIDN Labs is also able to pick up much more subtle patterns. Using Labs' sophisticated detection algorithms, we can predict with a reasonable degree of confidence when a registration has an abusive purpose. For instance, our nDEWS-systeem analyses DNS traffic data to flag up suspect domain names immediately after registration. Then there's the JTIE system, under which we exchange threat information with the Fraudehelpdesk.
Intervening before damage is done
We haven't yet decided exactly how we're going to use the information provided by the system. After all, the incoming data relates only to suspicions, and no one wants to see honest registrants unfairly prevented from using their domain names. On the other hand, it's undesirable to stand by while suspicions are confirmed, or to intervene only once the harm has been done.
One option is that, if malpractice is suspected, a domain name shouldn't be added to the zone until the registrant data has gone through additional checks. The drawback of that approach is that some honest registrants would inevitably be inconvenienced. Another possibility is to put a close watch on any suspect domain name. But there are issues with that approach too: if the watch confirms abuse, the effect of intervention will be delayed because many servers will already have cached the DNS data. We can have much more effect on malpractice if we can prevent abusive domain names being added to the zone in the first place.
Our smart detection systems are as yet in the research phase, although preliminary testing by SIDN Labs has yielded some promising results. An nDEWS pilot is currently running, with about thirty participating registrars. Other registrars who would like to be involved can still join the programme. For details, see ndews.sidnlabs.nl.
And look out for my third blog in this series, in which I'll look at another development in the field of notice-and-take-down: Trusted NTD.