Organigrama estructural

Detecting a malicious domain name is only one step towards the ultimate goal of stopping the malign activity, identifying the responsible culprit and taking actions that such a misuse cannot happen again easily. Therefore, this section describes measures that can be taken by registries as soon as a domain name has been classified as malicious. Additionally, we describe how to proceed in case the registry has a suspicion that a domain name is involved in malicious activities but cannot verify this suspicion on its own.

6.3.1 Following the Chain of Responsibility

In case a third party has a complaint about content that is hosted on a.nl

domain, SIDN has published a general chain of responsibility that describes which entity has to be contacted in order to take down the controversial content1:

1. The provider of the content

2. The provider of the website (registrant) 3. The firm that hosts the website

4. The provider of the internet access (registrar) 5. The registry (SIDN)

In case SIDN itself detects a malicious domain name, the same chain can be followed. However, we need to differentiate between a domain name that has been registered by a culprit directly and a domain name that is infected such that it takes part in malicious activities.

1

Newly Registered Domains If a domain name is registered for mali- cious purposes, then there are very likely no or false contact information provided on the website and domain registration information of the regis- trant are possibly fake as well. Therefore, the first two steps of the chain of responsibility can be skipped directly. As long as the web content is hosted at legitimate web hosting firms, the server or web-space is probably bought with fraudulent information as well. Thus, these firms have an interest in cancelling the contract for this domain as soon as possible, because there is a high chance that they might not get paid for their service and although they are not legally responsible for the content hosted on their servers most of the time (Stop Badware, 2011). If the domain is hosted at a so called bullet proof hoster, the hoster will very likely not respond to complaints. The domain name itself is probably registered with fake information as well which is an incentive for registrars to cancel the registration. Finally, SIDN has still the possibility to remove the domain from their zone file and thereby increase the barrier for accessing the website through DNS. SIDN has strict notice and take down (NTD) procedures and considers the take down of a domain name as ”a last resort” in the fight against abuse (SIDN, 2014a).

Compromised Domains If malicious content is hosted on a compro- mised website, contact details of the registrant are usually correct, such that the website owner can be contacted directly. If the registrant has the technical knowledge to clean up the site from the malicious content, then the problem should be solved. Moore and Clayton (2009b) have shown that contacting the administrator of a website can be an efficient measure to take down phishing content. In case the registrant does not have the technical knowledge or does not respond to the complaint, then the hosting company can be contacted. A survey among people whose website got compromised showed that occasionally hosting companies actively or after notification re- move malicious content from the compromised server (Stop Badware, 2012). If web hosting companies are notified about malicious content on one of their customer’s websites, then 50 % of the firms do not react at all. In case they do respond, they reply withing 48 hours (Canali et al., 2013). For exam- ple, they suspend the account of the customer with the consequence that the benign service running on the server is interrupted as well or remove the ma- licious files. The notification of the authors included the URL that referred to the malicious content. If a complaint at the web hosting company is not successful, a registrar might take actions. However, suspending the account of the registrant has the consequence that benign content is not reachable as well. NTD carried out by SIDN is only an option in very serious cases.

6.3.2 Alternative Approaches

If we would try to take down a domain detected bySIDekICk, then we would face several issues while following the chain of responsibilities.

First, following this process is rather time consuming. If we detect a newly registered phishing domain, then we need to act within hours to ef- fectively reduce the impact of the campaign (Aaron and Rasmussen, 2015). Second, we cannot block compromised domains that have been classified by SIDekICk-Comp due to the high false positive rate and the high chance that benign content might be blocked. Third, even if we would be almost certain that a domain is compromised, we often cannot provide the actual URL to the malicious content such that the informed web hosting company is probably less likely to react to the request. Finally, even if we would be able to successfully take down malicious content on a compromised website, the chance that a website gets reinfected is still around 20% (Moore and Clayton, 2009a).

The first issue can be solved rather easily. Submitting the detected phishing website manually to theNetcraftfeed or to the Google Safe Brows- ing initiative2 is an efficient way to reach a broad user base on the Internet. Many modern browsers rely on these services and block the content automat- ically as soon as the domain is listed. Taking down suspected compromised websites is a greater challenge, especially if we are not sure if the domain is actually infected.

One solution is to improve the precision of the classifier as described in Section 6.2. Another one is to rely on third parties to examine the suspicious domains further. For example, registries could collaborate with developers of intrusion detection systems and firewalls or anti-virus vendors. If for example a firewall detects traffic which is directed to one of the suspicious domains, then a rule could be triggered that puts files, which are downloaded from this domain, first into quarantine for further examination. Anti-virus vendors could use the list of suspicious domains as another indicator whether a client is infected. Also, ISPs could observe the traffic to these suspicious domains. If many clients request a previously unknown URL, then malicious content might be hosted on this site. In this approach, the privacy of the customers of the ISPs needs to be taken into account.

So far, SIDN does not have guidelines how to proceed with domains that have been detected by the research and operations teams but decide individually if and which actions should be taken.