IGF 2020 - Day 6 - WS317 DNS-Abuse in the Age of COVID-19: Lessons Learned

The following are the outputs of the real-time captioning taken during the virtual Fifteenth Annual Meeting of the Internet Governance Forum (IGF), from 2 to 17 November 2020. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 



     >> MODERATOR: We are on time.  Good morning and good afternoon, good evening, everyone joining this session.  All of the panelists are already here, and we will start on time, I guess, in about two minutes so.

     We'll wait for the go from the IGF host.

     >> MODERATOR: Good morning, everyone.  Nobody is speaking for now, so we are just getting ready to start the session today.

     Welcome, everyone.  And good morning, good afternoon, good evening, depending on where you are joining this session from.

     So this is Section 317, organized and coordinated by ICANN on the DNS abuse during the COVID-19 era.  This is going to be a panel.  And we'll be joining the panel by our colleague from iThreat, Jeff Bedser.  Ashley Heineman, who is the Director of Global Policy at GoDaddy.  And John Crain, the Chief Security and Resiliency Officer at ICANN.  And Merike Kaeo who is the DNS Security Facilitate, initiative by ICANN.  She will be talking about DSFI and the technical study group that was put in place.

     As some of you may remember, a few days ago, we had a session which is the pre-event 47 where we talk about observation related to DNS abuse during the COVID-19 era, what we have observed and so on.  So this session will particularly focus on the lesson learned and what is being suggested going forward in this session.  Before I give the floor to the panelists, I will just remind the participants that we have a Q&A pod.  If you have questions, feel free to write that down in the Q&A pod.

     But if you prefer to speak out your question, just raise your hand or let the host know by putting it in the chat and you will be unmuted and be able to ask your question.

     On that note, I will give the floor to Jeff.  Jeff, share a little bit with us on what has been observed from this period.  Jeff?

     >> JEFF BEDSER: Thank you.  Is someone going to be starting the PowerPoint presentation?

     >> MODERATOR: Yes.

     >> JEFF BEDSER: Because I'll acknowledge it is the early morning hours on the east coast of the United States and without the slide deck, I will have a difficult time following my own presentation.

     >> MODERATOR: Okay.  I am trying to share from here  because --

     >> JEFF BEDSER: There we are.

     >> MODERATOR: Okay.

     >> JEFF BEDSER: Thank you.  So thank you all for joining us this morning, this afternoon, this evening, this day.  Appreciate you taking the time to listen to this talk about DNS abuse.

     What I will be talking about is basically the realities of DNS abuse and as I put in quotes here, it is not about the volume.

     So next slide, please.  So you know, what is DNS abuse?  DNS abuse is measurable.  You can quantify it.  You can look up sums and quantities.  It is detectable at multiple stages when it is created and thus when it is launched and used.  It can be addressed and it can be reduced.

     And I do mean addressed in the form of resolving or dealing with it.  The problem is we use the term address and resolve differently in the technical community.  I don't mean it in a technical sense.  It is not something that can be eradicated.  I don't think there will be an end to DNS abuse soon.  It needs constant attention and focus to keep in check and one of the most persistent topics over the DNS communities in the last two years, that is certain.  Next slide, please.

     So how is it measurable?  Well, you can measure it through questionable registration.

     You can measure it by phishing attempts and malware distributed by the DNS and the number of botnet domains and by the amount of spam and cyber squatting and typo attacks and child exploitation and human trafficking.  These are groups out there tracking and measuring this and the accounts and domains associated.  Next slide, please.

     So how is it detectable?  Well, commercial entities that detect and report domain abuse and IP abuse for block list abusers such as Spamhaus or SURBL or Abusix, they are not-for-profit services but they provide names.  Keeping your e-mail inbox clear of abuse.  So they have a particular measurement which is they try and detect it to stop it from getting to your mailbox.  There are commercial entities that detect and report abuse for the defensive systems and companies.  Sometimes against phishing attacks.  They exist to help their clients protect their networks and thus they have lists of domains detected for those purposes.  Academic institutions and some NGOs and governments and CERTs.  All involved in some form of doing research on detecting patterns and use of the DNS for abuse.

     Passive DNS providers.  Passive DNS providers are constantly tracking the data and logging the data of outbound DNS requests.  And you can use that to determine if the domain has been used for a particular purpose or has a particular format that might include a name or a term.  And then there is the infrastructure reputation where the pattern of the abuse such as the name of a bank but with a certain letter switched out or a number switched out are bluntly the infrastructure reputation.  IP addresses or name servers that are used -- servers used by those that perpetuate abuse on a regular basis and look at the reputation of the underlying infrastructure.

     Let's talk in the context of COVID-19 and what happened.  Egret provides registry to Donuts in regards to volumes and sources of abuse for the system to try and resolve the abuse in the Donuts TLDs.  This is the data in January to February, March to April, May to June and June to July.  There is a massive spike at the beginning of the COVID-19 pandemic when basically the businesses shut down and the countries shut their borders.  There was a large spike of registrations of domains that had both the term corona and COVID, and you can see where corona had the lead because it was the bigger term.  At the end of the day, the volume tracked down after the initial spike.  Next slide, please.

     For Donut statistics breakdown, there were 4900 roughly reports by CleanDNS.  There were zero reports sourced via abuse e-mails and forms.  The formal process through two Donuts, none came in that way and no reports from law enforcement requesting action or escalations.  53 domains reached the basic threshold for abuse escalation and had evidence or corroboration and ability to indicate that it was tending to support the blacklisting.  And then 50 domains flagged for ordinary DNS abuse unconnected to content.  Most were flagged for spam.  Next slide, please.

     Three domains were noted for allegations related to the content of websites associated with the domain.  As of October 1, zero domains required escalation at the registry level.  The total positive reports as a percentage of flagged domains was 0.11% and the total positive reports as a percentage of total registered domains containing COVID or corona was .08% of all domains registered in that period of time.  Next slide, please.

     What does this tell us?  There was a spike in registrations associated with the pandemic.  But most were speculative, people that were buying domains for setting up a business or buying domains and thought about setting up a business.  Buying a domain to hopefully sell to someone else setting up a business.  But there was very little fraud amongst the volume of domains.  But in the anti-abuse community, I can tell you that this is a very common occurrence.  During the Christchurch shootings there were domains at that time.  Every natural disaster has a massive spike and political hot topics and if there is immediate frenzy on any topic there is speculation and purchasing of domains as people think about how to do something with the particular topic.  Sometimes for fraud and sometimes speculation.  But every time there is a major event there is a spike and leads to it.

     So let’s talk about volume versus life cycle.  DNS abuse can be measured.  Was the domain in the zone on the day the domain was reported as abuse?  And you could have the type of abuse.  Was it phishing or spam or malware?  How long was it live with abuse is an important metric.  Sometimes a domain registration for abuse can be done within a 24-hour window between the publications of the file so there is no record of that abuse or the abuse could have occurred.  Particularly important in phishing attacks.  How long can that take to acknowledge, act upon, and take action from the domain?

     Who took the action to resolve the abuse?  At the registry level, clear indications including removal from the zone at registrar level and the registrar reseller level is clear indication that the domain could be put into hold or put into a validation or registrar data validation process.  Sometimes the hosting company if it is content that took the action.

     The CDNs, content delivery networks, can also take action at their level and, of course, at the IP address, at the original internet providing entity or even where the e-mail server resides at the MM level can take action against a domain.  Next slide, please.

     So the patterns of abuse, as I mentioned earlier, you can talk about associations with the IP addresses that have previously been used for abuse and how recently the IP addresses were associated with abuse.  You can talk about association with name servers used for abuse.  Batch registrations of domains.  Large volumes at the same time.  And you can measure how many of the domains in the batch showed up on abuse lists.

     You can talk about the associations with large discount programs.  If there is a large discount and a large batch purchase, was the price of that domain indicative of a use for cyber criminal use for abuse or fraud.  Purely analysis of the domain string itself.  You can find phishing with the company being put into the domain string in some way.  And, of course, passive DNS activity is looking for patterns not the first level the TLD and not the second level the domain but passive DNS can catch the bank name or e-commerce name. 

     The best model is to combine both.  Take the data from as many sources as possible that people are working on trying to determine what is going on.  But also to research on and try and determine patterns of activity that would show you what the abusers are doing and what infrastructure they are apt to use.  Next slide, please.

     In military terms, they call this signal detection.  You are filtering the noise from the signal.  And once you have determined what the signal is, it is signal intelligence where you take the signal and try to determine what it means and is it a pattern that indicates fraud or DNS abuse.  Next slide, please.  What are the next steps to reduce victimization by domain abuse?  It is the term we are looking at here is it is about reducing victimization of consumers, right.  Next slide.

     So a lot of the conversation around DNS abuse tends to reside on how much is there?  Has it gone up?  Has it gone down?  And is there an indication -- a lot of early indicators for COVID-19 was a huge spike in fraud because of the registrations that happened across the DNS of terms like corona and COVID and domains, but the volume was not indicative of the problem.  But to me, how long the domains live and are live is a bigger indication of the fraud and victimization.  Next slide, please.

     There we go.  So both are relevant to reducing DNS abuse.  Understanding volume of course is important because you can look for patterns and trends.  Of course, reducing DNS abuse is about reducing victimization.  To me, again, reducing the lifetime of the domain has a bigger impact on reducing DNS abuse to the victims than the volume of DNS -- than the volumes of domains registered.  Next slide, please.

     So I guess I have said that already for the last two slides but I will say it again with a nice picture of the family.  The majority of DNS abuse targets consumers.  Yes,  there is some that targets companies and spear phishing attacks and go against corporations to steal money and do ransomware attacks on banks, but the majority of the victimization is against consumers to steal personally identifiable information or their credentials or steal their money or their identity itself.  Next slide, please.

     This is a stat that just came out in the last couple of months from the European Commission.  Basically that the global cost of cybercrime is estimated to be about 530 billion Euros which translates to $630 billion or 480 billion Pounds Sterling.  Next slide, please.

     So focus on reducing the life cycle of a domain used for abuse is a really good vector to take to reduce DNS abuse.  Strategizing on early patterns of abuse protection and can get used for abuse reduction in the volumes of domains used for abuse.  The battle for the last 20 years for DNS and cyber crime is to stay ahead of the curve.  Every time you come up with a solution the people looking to do cyber crime found a way around it and a new mechanism to do it.  But you can stay ahead of the new vectors they use to do fraud and crime.  There are always people trying to steal from them.  Next slide, please.

     So some recommendations.  And this is from an upcoming paper put up on Security and Stability Advisory Committee at ICANN that I'm a member and Merike Kaeo is as well.  Adopt standard definitions of abuse.  All of the different players from the companies and mail providers and CDNs and registry and registrars define abuse differently.  The coordination between the different parties would be difficult.  Determine and assign the primary points of responsibility for abuse resolution.  The big registries and registrars have done that effectively.  But there is a lot of smaller players out there that don't have the effective point of contact and it is much more structured in the registry and registrar community than it is in the hosting world which is significantly larger in the number of players involved.  Identifying the best practices for evidentiary standards.  If you present this bit of malware happened on this domain at this time, what is required to prove that as far as evidence that will allow the company taking an action to take that action?

     You have to prove what has happened and evidentiary standards is the best way to do that.  Especially if all of the parties can agree to do that.  Utilizing standard escalation paths for abuse resolution.  We would love to be in an ecosystem where all of the players are good people who are always trying to do their best to stop problems but there are players in the ecosystem not designed to, do not intend to, or even purposely sell to criminals.

     If the party that should be responsible doesn't respond, what is the escalation path?  Who is the next party in the chain of partners that can run the DNS and take the action if the party responsible does not respond or refuses to respond?  Utilizing reasonable time frames for reporting.  If each party gives the next party in the ecosystem 72 hours to respond and takes three levels to get to, you have a domain that is now victimizing people for over a week.  It would be lovely to have a reasonable time frame for how long a domain can exist before someone takes action against it.  Next slide, please.

     There is an opportunity to identify notifier programs and make more efficient abuse handling in certain parts of the ecosystem.  And I'm not talking about GDPR and registrant data.  I'm talking about the different parties that have a part in running the DNS from registry operator down to the hosting company having mechanisms whereby it is straightforward to get the contact information of the infrastructure provider so it can be resolved.  And if you do that, you need a mechanism to ensure reasonable quality that it is kept updated and available so the people reporting the abuse can be assured they are getting ahold of the right people at the right time.

     Next slide, please.  And then that is the end of the presentation.  Thank you.

     >> MODERATOR: Thank you very much, Jeff, for this very well-explained situation and observation from your perspective.

     We will move now to the next presentation from Ashley Heineman from GoDaddy.  You are next.

     >> ASHLEY HEINEMAN: Go to the next slide.  This is Ashley Heineman.  I'm the Director of Global Policy at GoDaddy, and I will be talking about our experiences in the age of COVID-19 but also DNS abuse in particular.

     And just a little bit about GoDaddy for those who aren’t familiar.  We are the world's largest registrar and web hosting provider and do a number of other things as well.  I will be speaking primarily today from the registrar perspective and our experiences working within ICANN but as well as our efforts working within the registrar community and as a company.

     So if you could go to the next slide, please.  So just a quick introduction and I think something that we all know, is that abuse is a problem for the industry, and it is a priority for GoDaddy.  As Jeff said, this is something that will never go away.  Hopefully, we will get to a point where we are able to successfully mitigate abuse to the extent possible.  But I think it is an unrealistic expectation that we will eradicate DNS abuse or abuse in general.  That is just not how the world works, unfortunately.

     But something that I wanted to stress is the importance to recognizing the distinction between DNS abuse and other types such as content specific.  Particularly when you are looking at those companies that are contracted with ICANN.  There is kind of a limit as to what we can do, particularly in the remit of ICANN and this is limited to DNS abuse.  Next slide, please.

     And I think we are all familiar with ICANN and I won't do their job here.  We have John on the queue as well.

     But part of the primary part of the mission is to preserve the security and stability of the DNS.  But that does not go into content moderation.  And that extends to its contracted parties, the registrars, and registries.  We are limited to what we can do to the DNS.  People think that we can do more than that, but we can't.  Looking at the DNS and taking actions at the level it is somewhat equated to a nuclear option.  There is a lot of collateral damage that could potentially go along with that and usually should be kind of the last resort.

     And when people have to have a domain taken down or locked, we need to really make sure that we are taking the appropriate action.  And that is why we ask for a lot of information to make sure and confirm that taking that action is appropriate.

     But outside of ICANN, and industry including GoDaddy because we do more than providing registrations, we are organizing and taking efforts to mitigate not only DNS abuse as we define it but also content-specific abuse.  Next slide, please.

     So to talk a bit about some of the non-ICANN industry specific.  Most notably in registries and registrars in September of 2019, 11 of us got together and launched a framework on DNS abuse to standardize definitions and set expectations for action.  Touches on what Jeff was pointing to earlier in terms of the need to have a common definition.

     As part of the effort, we defined DNS abuse as malware, bot ware, phishing and pharming and spam.  It can provide a vector that way, not necessarily the spam itself but provide a space for doing the other bad stuff listed here.

     Since our launch in 2019, we are up to 50 signatories from surveillance and just issued the one-year update and you can see that the link provided here.  But I think what we have seen mostly through the effort is one, an attempt to come up with a definition.  There is -- there are definitions out there.  We like our definition.  We think it's pretty straightforward and makes the appropriate distinction between the different kinds of abuse but provides benchmarks for us to live up to and hopefully bring all of the industry up to the same standards.  For companies like GoDaddy, we are doing this so we don't need to create from the bottom up a new structure to deal with DNS abuse.  It is more or less living up to the standards we already created for ourselves.

     Another area there is industry efforts is the internet and jurisdiction project.  They are doing a lot of great work and bringing in all stakeholders, so it is multi-stakeholder in nature, representing different perspectives and they are developing outputs that are educational for the most part and I think are really good in terms of socializing what is happening out there.  It also has a definition for DNS abuse, very similar to that of the framework on DNS abuse.

     But it also is getting into the workflow for how registries and registrars deal with DNS abuse.  So it is kind of explaining in better detail how we are handling things.  And there will be work continuing in the future on this.

     There is also a range of other industry alliances and coalitions that are dealing specifically with this.  In the U.S., we're dealing with a lot of upcoming and proposed legislation.  So this is a constant area of focus for this industry.  Next, please.

     So the focus here today, COVID and how we are dealing with it, I -- once the pandemic really started to take hold as with most of these type of events, unfortunately, you have the bad guys come out and take advantage of the situation.

     And this has really I think impacted all of us.  We had to change the way we do a lot of things, not necessarily in response to the fraud that is associated with it, but just living our lives, being at home and being online much more than we ever were, conducting business online and having to adjust to this environment and protect ourselves at the same time.

     I think -- well, I think it is fair to say that our industry did a lot to help in this sense in terms of helping companies get online.  Those sorts of activities.  But also in dealing with the bad guys that came out as a result.  The good news is that the sky was not falling, did not fall and I think that is evident in a lot of what Jeff said.  Next slide, please.

     So what we were seeing or are seeing as an industry is yes, there was an uptick in phishing reports in line with what ICANN has seen as well.  But we have seen a modest year on year growth of 15% and there really was not this surge of abuse.

     It was more or less, you know, a lot of the same that we have seen just kind of different wrapper.  So right now GoDaddy processes about 2,000 phishing reports per day.  The majority are not actionable or duplicates.  Either there was not enough information or there was really nothing wrong to deal with.  Next slide, please.

     So yeah, COVID scams.  This was, you know, something that was featured prominently in the news.  And it continues to be.  And there are internet related.  What we have seen is that there was a peak in late March and early April.  Mostly content focused and weren't novel.  A lot of the same type of abuse, just using the COVID moniker.  And a lot was not at the registry or registrar level.  Next slide, please.

     So before I get into this on the bottom line, I want to go in a little more detail about our experiences and what we found through this process.  And that right off the market we had a lot of folks whether they were in a position of political power or companies, advising us to basically not allow registrations of names like -- that included words like COVID or corona.  And what we found is that that was really not the way to address this situation.  And I think Jeff touched on this a bit is that there is actually, you know, good use of these terms as well.  You can't assume just because they have COVID in the name of the domain that it is going to be used for abusive purposes.  Whether there are hospitals or advocacy groups just trying to get out good information, it just really did not make sense to block those names or to otherwise not allow registration of those names.

     Also, when block lists.  We had some issues there.  We got lots and lots of requests to take down names in the hundreds.  And most of them were not actionable.

     Either because they just did not provide us enough information.  An example being we think there is suspicious activity.  That is not really helpful if you are a registrar.  We need more information to take action.  Or we go and look at the domains and they were not -- nothing was going on.  There were a lot of speculative registrations, as Jeff noted.  By and large, we did not see a lot of abuse associated with the registrations of these names.

     We also weren't that -- we could get a lot done with our partners either through the cyber security community or law enforcement and it was a useful exercise to build the relationships and strengthen them and I think we learned a lot from each other in terms of what is the information we need to take action.  The time frames, the point of contact.

     So that was a really good learning experience.  And I think there is a lot of room to build from that and you can continue to improve relationships as well as what is it we need to take action? And that was a real useful opportunity through all of this.

     But I think moving forward, we identified a number of areas where we could make things more efficient.  We don't need to recreate anything or create anything new.  It is a matter of I think building on what we have.  Getting the message out there in terms of building of relationships and what information we need and going from there.

     So the bottom line, DNS abuse obviously is extremely important.  But it is also equally important to recognize the limited role of registrars in my case but also registries and ICANN.

     It is our view that ICANN, their role is best spent facilitating community discussions, exchange of views, research, and statistics, like John Crain is involved in.  We do not think that new policies are in order especially.  In fact, it could actually make things more difficult.  And that it is time consuming to deal with new policy and it is not clear what more is necessary.  I think the best use of our time is like I said previously, is building on what we already have.  Because what we have found is that we have the tools.

     It is just a matter of using them, making sure people understand that we have them so they know how to use them and making improvements where we can.

     Next slide, please.  And that is it.  I think I have covered all my major points.  I hope so.  It is very early for me so I apologize.  And that cup of coffee did not help with my speed of speech.  Apologies to those of you having a hard time following me.  Happy to answer questions later.  Thanks.

     >> MODERATOR: You did very well, Ashley.  Thank you very much.  And thank you for sharing that perspective from contracting party and operator of DNS service perspective.  Thank you very much.  It was a good.  Nobody noticed that it was early for you, don't worry.

     The next speaker now is our own John Crain.  John Crain is Chief Security Stability and Resiliency Official at ICANN and he and his team have done some measurement during this period and he will be -- we will be happy to hear from him his observation and the lesson learned.  John?

     >> JOHN CRAIN: Thank you.  Next slide, please.  Actually, let's go one more.  Okay.

     Well, thank you, everybody.  Good morning, good afternoon, evening, whatever it may be wherever you are.

     So, hopefully some of you followed the talk we did early in the week where my colleague talked about the statistics that we measured and I will give the credit to my staff.  I didn't really do any measure.  They did all of the work. I just get to talk about it every now and again.

     So, COVID is, of course, a massive event in everybody's life.  But in many ways, it is not really any different to -- as Jeff already said, many other events that occur in the couple of decades that I have been working on DNS issues and security issues we have seen a multitude of events and the bad guys will always go towards them.

     Just like the ticket scalpers go to the big events to do fraudulent tickets, et cetera.  The bad guys online, they reflect reality and they will go after wherever they see opportunity.

     Of course, COVID is a little different in that we all got sent home and we are all working on the internet.  It looks like I'm sitting on a beach but I'm in a trailer in my driveway.  A little less exotic than the background.  Everybody is living with a little bit more stress.  A lot of people, especially people outside our industry because many of us are used to working online and from home.  They are not used to this so this makes them extremely susceptible.  Almost the perfect storm for the bad guys.  Next slide, please.

     So, we have all seen graphs.  This is not an ICANN graph.  This is from a company called DomainTools.  We have all seen dozens and dozens of articles out there about the massive increase in abuse related to COVID, et cetera.  And most of the charts look something like this with a peak in the March/April, early May time frame.

     Next slide, please.  So many of those sources that you have seen out there one of the things I realized is that there is often a fundamental disconnect between what people are saying and what people are hearing.  So when you see somebody like DomainTools going out and saying there are names registered with suspicious COVID-like strings, they identified them as being a possible security threat.  There are many companies that provide lists to networks to protect networks.

     And these lists are often a little bit more expansive than what is choosing to be bad.  If you have a large list, one of the users can phone you up or the IT department up and say I wanted to get to the website but you seem to be blocking it.  That is different to what is often asked to occur in the DNS abuse realm and DNS realm where people say let's stop these names from resolving.

     Once a name doesn't resolve in the DNS it doesn't resolve for anybody.  I think it was Ashley that said it is a bit of a nuclear option.  Sometimes it is the correct option and the right thing to do for certain cases.  Many of the names you were seeing when we saw these, there are 600,000 or 500,000 registered names were, in fact, speculative registrations.  They looked risky, they were suspicious maybe because of the string in them.  But they actually -- many of them never turned out to be malicious.  So although they were a perceived threat and a risk, they weren't actually causing harm to anybody.  Next slide, please.

     Now we had our own project and we talked about this earlier in the week.  And we looked at many different strings.  And I will come to that on the following slide.  But just like the people over at domain and everybody else measuring this, we were seeing thousands of names every day with COVID-like strings in them.

     It could be COVID, could be facemask, it could be anything like that.  But when we started looking for evidence by looking for that signal and the noise that Jeff was talking about, those numbers are much, much smaller.  We were actually finding hundreds of names every day that looked like they might have some signal in there, some intelligence, but when we actually then went and looked even further, the numbers were actually much, much smaller.  Next slide, please.

     So we actually looked at many, many different keywords.  You know, we did things like obviously using other languages.  Looking at names that were representing other scripts or internationalized domain names as we call them.  We were also looking at things that weren't quite that same name.  So COVID with a one.  COVID with a zero.  And all of the various variations you can come up with.  It turned out that it was mainly just the big sort of names that were in the press that really made a difference.

     You could add all kinds of strings and it didn't actually make a large change to the numbers.  And I'm not going to go into these.  If you are interested in more detail in this, I suggest you go and look at some of the recordings of the previous message.  But you can do this sort of string pattern recognition against Zone files and come up with names that are suspicious. It's not hard to do.  Next slide, please.

     But it is important to go beyond that.  Just having suspicious names, as I said earlier, it's not enough.  You really need that signal.  You really need evidence that you can pass on.  And what we found out is that if we -- and we do this at ICANN, actually went that extra step and went and dug to see how much evidence can we find and can we present that?  Then, people in the industry actually can and they did act.  We didn't actually have to make many reports.  What we actually found is that by the time we were looking at the data, which was often 12 to 24 hours after the zone file was published, many of the names that looked problematic were already gone.

     Somebody had taken action.  Now, it is not always easy after the fact to see who took action, but somebody took action.  So if you get actionable data and intelligence to somebody in the industry, be that a registry or registrar or even hosting providers and other people in the industry, they will take action.  The majority of the industry or the internet industry does not want this on their infrastructure.  And that was very clear.

     Now, by the time we got around to looking at a lot of this data people had already acted.  Next slide, please.

     As I said, we were looking at the gateway and going through and trying to find intelligence.  We could find reports that something happened on a name for a few hundred, but over the six to I guess it is now almost nine months, I think somebody said the other day in the presentation, one of our colleagues from a registry it was March the 285th or something like that.  We are long into the COVID name.  We still only have seen that were still problematic that we could report maybe between 100 and 200 in total.  Next slide, please.

     And, of course, there is always more that can be done.  Right?  This is not going to go away, as Jeff said.  There will always be bad guys doing stuff and there is always more we can do.  But what I found we were spending a lot of time doing and we joined many of these forums for collaboration, you know, you will have heard of the various alliances where industry got together with law enforcement to attack all of the COVID abuse is that we spent a lot of time on education explaining to people little things like if you come with actual evidence, something that could be acted on, people will act.  This is the kind of evidence you need to put forward.  Simple things like please use white lists.  Not only are there lists of things out there that are bad, but in many ways more importantly, during something like a pandemic, there are lists of names out there that are good.  And we absolutely do not want to cause any harm to those names.

     Those are the names that people are relying on for information, and medical advice et cetera, et cetera.  The good news is that there are efforts underway, Ashley already alluded to this.  But the industry themselves put out a DNS abuse framework.  This is not an ICANN or policy thing or ICANN community policy thing, this was an industry-led thing and it is what we actually used when we did what we call DNSTICR which is our measurements and we went and read the document and it made sense to us.  It is okay, they are looking for evidence.  They don't want the noise, they want the signal.

     We actually used that document to develop our reports and then passed those reports on and lo and behold it worked.  When we pass a name on to a registry or registrar and provide them with evidence, they take action, which is really good news.  Next slide, please.

     As I said, there have been in the past and there will be in the future other events.  This is not unique.  It is going to happen again.  I think though, that the collaboration that occurred during this event and the processes that various industry players put in place really gives me hope.  That we will be in a better position each time something like this happens.  I see progress around me.  I see discussions in the community.  I see interaction between what we call the operational security community and the DNS industry.  And that is occurring more and more. 

     And I think this kind of collaborative effort at the industry level, at the level of people who can actually take action and the level of the people that can actually deliver evidence is a really good thing that has been happening over these -- well, it has been happening for many years but has really been shown to work during COVID.

     So I'm hopeful that we will like do even better going forward and that as people learn to interact with each other between the various security and operational communities, that we will actually see more and more improvements going forward and that this will get easier and not harder for us.  I think that was my last slide.  And it was.

     >> MODERATOR: Yes.  And it is your last slide.  Thank you very much, John.  And that message of hope of yours stays on collaboration is a good segue to the next presentation with Merike Kaeo.  That will take us through an initiative that is actually trying to help around that more collaboration aspect so the DSFI-TSG and there is a study group set up to try to build the initiative and Merike is trying to coordinate that effort.  The floor is yours.

     >> MERIKE KAEO: Thank you, I love that John is optimistic and I share his optimism.  And by the end of my presentation some comments on why you will be able to see why.  So next slide, please.

     So why initiate a technical study group to look at how DNS security issues can be facilitated by ICANN?  Well, we have had many, many attacks that impact the security and stability of DNS over at least 15 years.  And they come in a variety of formats.

     One of the very earliest ones that had very wide visibility was called DNS Changer where there was a takedown in 2011.  And this particular attack was extremely sophisticated and did target the home user.  It was a very clever, clever campaign that ran for many years where a home user's either router or device was infected with malware through a variety of mechanisms.

     And the main intent was just to change where the queries go to.  So there was a nefarious infrastructure set up.  Fast forward a couple of years in 2017-2018, you had other more sophisticated attacks that impacted or made use of DNS infrastructure in various ways.  And one of the things that has become very clear as of last year is that some of the solutions that would improve the security and stability of the overall DNS ecosystem are not yet a hundred percent clear and really there might be new levels of coordination and understanding that need to happen.

     And so the ICANN CEO initiated a project and actually last fall so this was prior to COVID-19 to start looking at a variety of aspects and primarily the intent is what can and should ICANN be doing to improve the DNS security profile?  But even more importantly, what should ICANN not be doing?  And for this technical study group, the recommendation that it will be creating are really to look at, you know, where and how to promote best practices, whether or not new ones should be created where more facilitation of communications and strengthening of collaboration can happen.  Next slide, please.

     One of the things that was extremely critical was to get cross-functional expertise.  So it wasn't just membership of the typical ICANN community, but also to look outside of the ICANN community, and what you will see on the right are the nine members that make up the technical study group.  We are all volunteers.  And I very much am grateful to everybody that is volunteering in this cross-functional effort.

     The members that make up the technical study group have very extensive cross-functional expertise.  And this includes expertise in incident response handling.  Some were members of the FIRST community.  And then also working with large-scale DNS operations and architectures, working with just general network architecture and design because routing is also a factor of things that you want to explore because sometimes route hijacks become a vector for subverting DNS.

     The members also have experience with registry and registrar operations and also some very in-depth and deep DNS protocol technical experience.  So they are members that contribute to the Internet Engineering Task Force to continue enhancing the DNS protocol.

     And the technical study group has a very extensive staff support.  John is part of the group as a technical expert and then we have other staff support that help with administration and documentation and so forth.  And that is greatly appreciated.

     Next slide, please.  So one of the first milestones that was reached after assembling the group in the spring of this year was to create their charter and the milestone.  That took a little bit of time primarily because you have COVID and you had people in a lot of different time zones.

     But we managed to have biweekly meetings consistently since June.  And the charter creation was a very big milestone because we knew that we had a broad scope but needed to have a narrow focus so that the recommendations that we would come up with would actually be actionable.  None of us wanted to be in these meetings and discuss things where it would be yet another discussion where nothing happens, right?  So we're very clear in that while there is the scope is quite broad, right, the actual recommendations and the focus will be fairly narrow to really look at what should ICANN not do, but where does ICANN have a role to help with facilitation and collaboration?

     And the initial discussions are focusing on a number of different attacks that various members have known about, know about that might be currently happening and so some of the discussion cannot necessarily be public because these are -- these are some of the attacks may not yet be public.

     But we are focusing on the mechanisms by which the attack is carried out, not the content of the attacks.  So if I look into the overall scope of everything that is included, identity management is related to the threats that rely on asserting identity through any kind of means.  Commercial management, life cycle and then looking at availability where many threats have an impact to provide reliable responses to the word DNS queries will fail in some way, shape or form.

     And also looking at where does route impact or DDoS that leverage DNS infrastructure or are attacks against the DNS infrastructure.  Looking at infrastructure impersonation, and these are threats that impersonate the DNS infrastructure.  For us, that means the DNS servers for DNS forwarder.

     Also vulnerabilities that may exist and how are they handled and what are the threats and flaws in software that might be avoidable in some way, shape or form.

     We are looking at fate sharing.  And these are threats that create any kind of areas of weakness due to the homogeneity of the systems.  And we are looking at a scope where we are looking at security threats that utilize the DNS.  And this would take into account forms of malware that redirect queries, that falsify queries, and create means of utilizing the DNS for the exfiltration of private and confidential data.

     We are also including in the scope verifying and validating trust in the DNS infrastructure and data.  Some threats that are realizable due to a lack of focus on validation deployment, architectures and configurations and we decided to include in the scope cryptographic nuances because they are more utilized for integrity and validation purposes.  So how does that fit into the overall discussions?  As you can see, the scope is quite broad.  But we feel pretty confident by at least focusing first on the attacks that we know about and looking at how they tie into the different scope and what are the different vectors of attacks we can then continue to the next aspect.  Next slide, please.

     And that next aspect is really to try to answer the following questions.  And by answering the questions it can inform us how to formulate the recommendations that will go to the ICANN CEO.  One of the questions is what are the ways currently that exist to address DNS security?  What are the best practices?  What are the technologies available?

     And then can we identify any gaps that currently exist either in processes and technology and operations, what have you.  And then looking at the entire ecosystem, who is best suited to fill those gaps?  Right?  The other panelists have discussed that, you know, there is many different stakeholders that are in communities that are discussing overall DNS-related abuse or DNS-related threats or attacks that impact the DNS, right, as part of their whole campaign.

     And so which players play where?  Right?  Who is best suited for what?  And then we are also thinking about looking at what are the risks associated with those gaps that may not be well understood?  And one of the things that I always hear is well, teach users to do X, Y, Z.  I have to laugh because a colleague of mine sent me an e-mail and click on a link.  I sent him a text message and said did you send me an e-mail to click on something because it wasn't something that he would really do.  I was like wow, this is fascinating, we are teaching people not to click on something yet everybody is having links to click on things.  So what gaps are there that may not be understood that may need a little more thought behind it.

     And then also does the DNS have unique characteristics that attract security problems which other internet services do not have?  Why reinvent the wheel, you know, if you don't have to?  But what is so different about DNS or what is similar to maybe something that another industry is seeing that we can also learn from.

     So next slide, please.  So we have already been talking about how COVID impacts everybody.  I came across this cartoon and I fell in love with it.  Because it absolutely speaks to how, you know, a lot of us have virtual backgrounds and they really took off.  Why?  Because you have no idea what is going on in the background, right?  Somebody might be going hey, shhh.  Shhh.  Or the cat jumped on their lap or the dog is barking so you are putting yourself on mute.  So many distractions going on in some environments and the criminals love it, right?

     But I mean for the working people, right, and as Jeff was saying earlier, right, it is people that get targeted, right.  And the criminals are getting much smarter at looking at well, you know, what are they actually -- they play on somebody's weakness, right.  And right now there is so much increased stress, right, because you don't know like what's happening, can you go out?  You can't go out.  Maybe you have elderly parents or who knows what is going on.  You have a lot less privacy.  There is multiple demands on you, and you are sharing devices and networks and there is no physical security.

     So if you go to the next slide.  You know, the primary thing that attackers are really playing on is if I look at the phishing scams, and I do.  I have a folder and I take a look at them.  I have an e-mail account where I have no filtering because this way I kind of get a look at hmm, what are the phishing scams and how are they changing.  And they are so clever.

     When I look at what I got 10 years ago to what I got today.  A lot of very short and very sweet.  Hey, I didn't get your e-mail, can you resend.  And they very much look like something that you might need.  Hey, your child, you know, couldn't log in yesterday, you know, can you click on this so that, you know, whatever magic will happen.

     And really, I mean right now the environment is ripe just for a lot of new nuances and a lot of different attack vectors.  And also as my other panelists were alluding to in their conversations, is that physical crime has not gone away.  Right?  It will never 100% go away, right?  But you keep putting up deterrents and trying to create mitigations.  And the same is true in the virtual world.

     So as the technical study group is starting to look at its work and its known attacks one of the things we also know is that as the work continues throughout next year we are going to take a look at the evolving landscape to see what are new mechanisms that attack campaigns are utilizing that will also affect the security and stability of the DNS overall.  Next slide, please.

     So for anyone that wants to track the progress, you know, please go to community.ICANN.org.  On the left-hand side of the screen you will find a whole bunch of different projects and things that relate to ICANN and you will find the DSFI-TSG and you can get and read the project charter and scope and follow the work plan and timelines which are still getting finalized and also the meeting agendas and notes.  So that is it for my presentation.

     >> MODERATOR: Thank you very much, Merike.  And that is an illustration of concrete action being taken to make the collaboration and the understanding as well of the role that different parties can play to improve the overall security of the DNS in general.  Thank you all for those brilliant, brilliant presentations.

     I can see that there are a few questions in the Q&A pod.  A few of them have already been answered.

     I don't know if there is anyone that is still pending that we need.  Jeff, there is somebody asking a link to be shared.  I don't know which link it is specifically.  If Mark -- that is -- if you can provide the link, I think Jeff will be happy to share the link.

     But back to the preparation, I think throughout all of the presentation there is two things that I would like to highlight.  The first is what we have learned from the first two presentations that during the COVID era we have seen a lot of new domain names registered, but the observation picked up from all of the presentation is that there hasn't been any significant surge in abusive domain name registration during that period of time.

     And the fact that a lot of fact checking has been put in place has, you know, brought us to the conclusion that not many of them were actually in the domain name registration.  The other interesting thing is that the community and the actors and the DNS environment have been collaborative and, you know, responsive to those abusive names and took action when and where needed.

     I do have one question for the panelists.  And particularly to you, Ashley, on the -- if we agree that the COVID period has not, you know, impacted specifically the domain name registration and the abuse specifically, the aspect of abuse, can we then conclude that abuse is something constant?  It is something that follows, you know, that follows the normal registration process and any measure that we put in place should be applicable continuously and not specific to an event or specific event or something that is happening?  Is it something that we can be confident saying now?

     >> ASHLEY HEINEMAN: This is Ashley again from GoDaddy.  I think I don't want to minimize the bad stuff that we saw as a result of COVID.  There was a lot of bad stuff, and I think to maybe be a little more precise is that what we found with the existing tools we have and the existing requirements we have is that they provide us enough flexibility to do what we need to do.

     Sometimes it will change depending on the situation.  We were able to be nimble and do what we needed to do and that was provided to us in our terms of use and what we were required to do through our contacts with ICANN.  I don't think this proves that things are at a static rate or you don't need to adapt or change anything.  I think that is not at all the situation.  I think we learned a lot of lessons through the process and a lot of different areas we can improve.  So for what that is worth, that's my two cents.  Thanks.

     >> MODERATOR: Thank you.  Jeff, anything specific in that area as well when we start digging into looking more closely at the lesson learned?  Although we haven't seen, you know, big impact, what could you say you can take out from that period?

     >> JEFF BEDSER: I would echo what Ashley said as far as there certainly were plenty of domains that were used for fraud and abuse and just like John Crain said in the panel here, there is always abuse.  Ongoing volume but, of course, there is money to be made by defrauding people and victimizing people and there will always be spikes around big events.

     So diligence and understanding how that happens.  I think John Crain also mentioned there were a couple of different groups that sprung up to look at the surge.  And it turned out that there were a lot of false positives early on.  Just using one factor such as the name, the name COVID being in a name was not enough to demonstrate badness.  There had to be content, there had to be on infrastructure demonstrated to be bad in the past or recent past to show some other indicator was going on there.

     I do think there are opportunities moving forward when a big surge event like this happens to monitor.  You monitor them to see if they do go live what type of content is on there.  Not just measuring that it shows up but keep measuring it so we can catch it as early as possible.

     >> MODERATOR: Which means six months down the road we can come back to this and see if there is any abuse of the domain name later on for abusive use because there is not something specific in the time.

     One question, John, for you and based on the conclusion of your presentation which is that probably with the COVID situation we have seen more collaboration and cooperation among different actors because of the situation which is giving hope.  How do you think that initiative by ICANN and specifically your team like the -- the measurement of the threat that we are seeing this year initiative can help build more momentum from different actors and also help the discussion that is going on right now within the community, the ICANN community around the abuse?

     >> JOHN CRAIN: Thanks for that, Adiel.  One of the things I learned over and over again and then forgotten we need to have better acronyms for one of our tools.  We have some of the most horrible names for tools that we make up.

     I think ICANN is in an interesting situation here.  I mean we are known very much as a policy forum making the policy around how the DNS works.  But we also have a lot of technical capability at ICANN and I think the role specifically in the office of the CTO and SSR group that I run is that hopefully we provide neutral data, sit in a neutral place and put together data that can be used to assess whether or not there are new policies needed.  To assess whether policies are working, et cetera.

     I mean we will continue to do research.  We have research projects.  We have DAAR which is looking at abuse rates for very specific types of abuse.  Looking at the reputation data.  We have DNSTICR which is the one we used for COVID which is looking at evidentiary material.

     Going forward, I think we are also very interested in looking at some of the predictive technologies and to see whether or not, you know, predictions are accurate.  There is a lot of work out there being done where people are predicting ahead of the game and saying well, these are all going to be bad but there is not much research occurring around whether or not that actually comes to pass.

     So I think we can be a resource to both the industry and the community at large and provide neutral data.  The other thing is the world changes, the bad guys change, Merike said this and Jeff and Ashley, too.

     So looking at new attack vectors, and seeing just, you know, how bad are they really?  Or you know, we are seeing a lot of reports of phishing.  SMS phishing where people are using domain names, et cetera.  ICANN have not done a lot of research into that.  There is a lot of space as an industry to keep learning.  And as Jeff said, trying to keep ahead of the curve.

     Our main goal here or my main goal here is to be a partner to the industry and to the community and provide assistance and aid wherever we can.

     >> MODERATOR: Yep.  Thank you.  Definitely.  And I think ICANN is showing that as well to a different initiative in the area.  And the engagement of the community will be key for the success of those initiatives.

     Merike, if I may, talking about the DSFI.  This is a direct question to you based on your experience.

     What would you say would be your big hope of expectation of the work that the technical study group is going to do in order to add one additional tool or layer to this work to mitigate abuse in general?

     >> MERIKE KAEO: Thank you, Adiel, for that.  My hope is that we can actually come to some conclusions in terms of what gaps there exist either in knowledge or in collaboration to more effectively mitigate some of these more advanced DNS or I should say attack campaigns that really have an issue with or sorry, that impact the security and stability of the DNS.

     And so the cross-collaboration and the -- you know, the multi-faceted expertise that exists in this group I think is really well positioned to holistically look at problems and then really give some very definitive recommendation to the ICANN CEO that will then be actioned.

     >> MODERATOR: Great.  I think that will be very much useful because as John mentioned, the office of the CTO is also actively, you know, working to support the community and provide the community as that work is evolving, you know, tools and knowledge and information to actually continue to protect I will say the DNS in general to mitigate abuse.

     And in that vein, we have another initiative that we are just looking at from ICANN perspective which we are calling KINDNS, which is an initiative to try to better, you know, define the documents and help the community to implement some DNS best practices.  The most common one and make it easy for us to implement.

     And some of the things that we are seeing in our engagement generally that the weakest links are the ones that pose the biggest challenge because they are small and they don't have all of the resources they need to follow everything happening globally.  But at the same time they are the ones who because of their weakness pose a global threat to the DNS and how to help those to implement best practices and be up to deliver.  That is another initiative I think that will be informed by the outcome of the work of the DSFI in general.

     I don't know if you have other question in the Q&A pod?  I think all of them now answered.  In writing.  Thank you, John.  You took a few of them.  And Jeffrey.

     As we are heading to the end of the time allocated to us, I will give the floor to each of you.  One minute for last word in this.  And your hope for the future work for mitigating DNS abuse.  And we will start with Merike.

     >> MERIKE KAEO: Great, thank you.  It is my hope that before there is too much hype with information that hasn't yet been vetted that really we start looking at more realistic, how realistic overall attack campaigns are.  So there is not a lot of fear and uncertainty and doubt, but really we are working with facts to really then figure out where the real big problems are and what needs to be mitigated and where work needs to be done.

     >> MODERATOR: Thank you.  John?

     >> JOHN CRAIN: I just look forward to more collaboration and working with industry.  I have always enjoyed working with all parts of the industry.  So anything that helps us work together and collaborate is always good.

     >> MODERATOR: Wonderful.  Ashley?

     >> ASHLEY HEINEMAN: I hope and I hope we are better at tooting our horn and I think sharing the knowledge with other companies that perhaps aren't at the same level as we are I think will go a long way.  I think we are past the point of finger pointing and it is time to recognize what is happening and improve on that and get down to brass tacks and stop making it what I think it has been largely to date.  I think we are at a point now where we all recognize there is a problem and let's be constructive.  And I'm looking forward to participating in that.  Thanks.

     >> MODERATOR: Wonderful, I like that.  Jeff?

     >> JEFF BEDSER: So we are all here.  We are all on this call and all in the industry because we came up with protocols to allow everyone to work together and talk together because there are common protocols.  I think it is time to address the abuse the same way.  We could work out ways to use the same type of protocol approaches to collaboration to address it.  And I think to the point Ashley and John have made that the industry, the ICANN stakeholder, particularly the registrars have done a lot in the last couple of years to move the ball forward.

     It is time to get the whole ecosystem from the registries to the hosting companies moving together across the different levels and that is one way to move this ball forward.

     >> MODERATOR: Thank you very much, everyone.  The message is loud and clear we all agree on where the problems are, and we are already going to work together and seeing the diverse part.  And I agree that is an important step going forward, and I think this discussion is going to continue in other forum and specifically in the ICANN forum.  Thank you all very much for sharing all of this information and keeping this live discussion around the forum.

     We will then close.  And if there are any other questions on this topic, I think feel free to contact us at ICANN.  You can write directly to us in the office of the [email protected].  We will be happy to either answer or direct your question to the right people within the organization or the community to address your question.

     Thank you very much.  And I will see you probably on another panel of the IGF somewhere tonight or tomorrow.  Thank you very much.  We're going to bed.  Me, too.