
Registries unveil plan to tackle botnet abuse with mass takedowns


Kevin Murphy, June 21, 2021, 11:54:08 (UTC), Domain Policy

Domain name registries have thrown a bone to critics who say they’re not doing enough to tackle DNS abuse by revealing a framework for rapidly taking down domains associated with large-scale botnets.

In a nutshell, the new Framework on Domain Generating Algorithms (DGAs) Associated with Malware and Botnets (pdf) would enable registries to preemptively register potentially abusive names without paying ICANN fees.

It is hoped that the framework will give law enforcement an easier time in tackling botnets, and perhaps cool down some of the heat the domain name industry is taking over the DNS abuse problem.

Botnets, you’ll recall, are large networks of compromised computers that can be deployed to, for example, carry out damaging distributed denial of service attacks.

The malware on compromised machines typically takes its orders from a command-and-control server, which it locates by resolving a predetermined domain name at regular intervals and asking for instructions.

Rather than relying on a single domain name, which would be easy to block or seize, the malware often uses an algorithm, seeded with the current date or time, to generate a fresh batch of apparently random, gobbledygook names, then tries them in turn until one resolves.

Botnet controllers need only run the same algorithm themselves to determine which domain to register for any given day.

Other times, lists of thousands of domains are generated in advance and hard-coded into the malware.

Either way, once the algorithm has been reverse engineered, law enforcement can enumerate every potential command-and-control domain in advance and have them blocked, sinkholed or registered, effectively cutting the bots off from their controllers. But that only works with the cooperation of the registries.
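To make the mechanism concrete, here is an added example (not code from the article or from any real malware family) of a toy date-seeded DGA alongside the defender-side countermeasure the article describes. The seed, the TLD set, the 50-domains-per-day rate and the DNS query log format are all assumptions constructed for the illustration; the point is that whoever holds the seed, bot herder or investigator, can produce the identical list for any date and act on it before the bots do.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical DGA parameters, constructed for this example. They are not taken
# from any real botnet; a real family would embed its own seed and TLD list.
SEED = b"example-botnet-seed"      # assumed secret baked into the malware
TLDS = ("com", "net", "org")        # assumed TLD set the algorithm rotates through
DOMAINS_PER_DAY = 50                # assumed daily batch size


def dga(day_iso: str, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Derive the candidate C2 domains for one day (ISO date, e.g. '2021-06-21').

    The bot, its operator and a defender who has recovered the seed all get the
    same list, because the only inputs are the date, the seed and an index.
    """
    day = date.fromisoformat(day_iso)
    names = []
    for i in range(count):
        digest = hashlib.sha256(
            SEED + day.isoformat().encode() + i.to_bytes(2, "big")
        ).digest()
        # 12 lowercase letters derived from the first 12 digest bytes
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        tld = TLDS[digest[12] % len(TLDS)]
        names.append(f"{label}.{tld}")
    return names


def precompute_blocklist(start_iso: str, days: int) -> set[str]:
    """Defender side: enumerate every domain the bots will try over a window,
    so registries can block, sinkhole or preemptively register them.

    A malware family that ships a hard-coded list instead of an algorithm is
    the degenerate case: the 'window' is simply the embedded list.
    """
    start = date.fromisoformat(start_iso)
    blocklist: set[str] = set()
    for n in range(days):
        blocklist.update(dga((start + timedelta(days=n)).isoformat()))
    return blocklist


def flag_dga_queries(log_lines: list[str], blocklist: set[str]) -> list[tuple[str, str]]:
    """Match DNS query log lines against the precomputed set.

    Assumed (constructed) log layout: '<timestamp> <client-ip> <qname>'.
    Returns (client-ip, qname) for every query that hits a DGA domain.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].rstrip(".").lower()
        if qname in blocklist:
            hits.append((parts[1], qname))
    return hits


if __name__ == "__main__":
    today = dga("2021-06-21")
    window = precompute_blocklist("2021-06-21", 30)
    print(f"{len(window)} domains to block or register for a 30-day window")

    # Constructed sample log: one bot polling a DGA name, one benign lookup.
    sample_log = [
        f"2021-06-21T10:00:01Z 10.0.0.5 {today[0]}.",
        "2021-06-21T10:00:02Z 10.0.0.7 www.example.com.",
    ]
    for client, qname in flag_dga_queries(sample_log, window):
        print(f"DGA query from {client}: {qname}")
```

The size of `precompute_blocklist` for a realistic window is what drives the fee problem the framework addresses: at a per-domain registration fee, a family generating thousands of names a day across several TLDs quickly produces a bill that a registry will not pay out of goodwill.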

A notable example of such cooperation was the Conficker crisis over a decade ago, which ultimately saw a broad coalition of law enforcement, registries and security companies come together to reverse engineer the malware's algorithm and preemptively block the huge numbers of domains it was expected to generate.

The new framework, which was created by ICANN’s Registries Stakeholder Group in cooperation with the Governmental Advisory Committee, essentially formalizes and expedites that kind of countermeasure.

It’s not official ICANN consensus policy, nor is it binding on all registries. It’s purely voluntary.

It appears primarily concerned with reducing the administrative and financial burden on registries that choose to participate.

It asks law enforcement to submit takedown requests as part of “a well thought-out, comprehensive abuse disruption strategy” that gives registries sufficient time to implement them.

It further asks (and provides a template letter to request) that ICANN waive the per-domain fees it collects when registries register botnet domains, which with some DGAs could amount to many tens or hundreds of thousands of dollars.

It also lists several reasons why registries might refuse to comply with a law enforcement request in the absence of a court order, such as when the names are already registered and would need to be seized, or when they have been identified as potentially high-value domains.

For registries, offering up the framework appears to be low-hanging fruit in their ongoing conflict with governments, cops and security researchers that argue the industry should do more to tackle abuse.

What it doesn’t do is expand the current industry definition of “abuse”, which is limited to botnets, phishing, pharming and malware distribution. Spam can also be considered DNS abuse, but only when it is used to perpetrate one of the other four.

But that definition is also voluntary, and only a few dozen registries and registrars have signed up to it. ICANN contracts are pretty much toothless when it comes to abuse.

The fight about DNS abuse is pretty amorphous, and overlaps with intellectual property interests’ demand for more access to private Whois data and the issue of when to start the next new gTLD application round.