Domain names are a crucial part of the Internet's infrastructure. However, as we have shown in previous security articles, registration of special domain names may be used as an attack vector for spreading malware. See for example our article Domain name registration - a malware spreading vector from 2009.
In short, the domain name system is a global scheme that translates a computer's name into a unique numerical address. If you typed in www.norman.com to reach this web site, that name was translated into the Internet Protocol (IP) address 87.238.48.130.
The organization responsible for coordination and maintenance of this system at the top level is ICANN (The Internet Corporation for Assigned Names and Numbers). To quote from ICANN's web site:
"To reach another person on the Internet you have to type an address into your computer - a name or a number. That address has to be unique so computers know where to find each other. ICANN coordinates these unique identifiers across the world. Without that coordination we wouldn't have one global Internet.
ICANN was formed in 1998. It is a not-for-profit public-benefit corporation with participants from all over the world dedicated to keeping the Internet secure, stable and interoperable. It promotes competition and develops policy on the Internet’s unique identifiers.
ICANN doesn’t control content on the Internet. It cannot stop spam and it doesn’t deal with access to the Internet. But through its coordination role of the Internet’s naming system, it does have an important impact on the expansion and evolution of the Internet."
A computer's name on the Internet (www.norman.com in the example above) is translated into the IP address by the Domain Name System (DNS). In order to use a domain name (norman.com for example), one has to register that domain. Information about the person/organization that has registered a particular domain is available on the Internet through the WHOIS services.
There are several techniques that can be used for abusing the domain name system. Suffice it in this article to point to the following:
Several variations are in use:
The idea is that "the casual surfer" will believe the bogus name is the correct one belonging to the legitimate organization, and thus trustworthy.
A person or an organization may register a domain name associated with a topic that is hot at the moment. The thinking behind this is to get more people to visit a (potentially malicious) web site, by clever use of search engine optimization. You will find more about this in our article Domain name registration - a malware spreading vector.
One may wonder how anyone dares to register a domain name that is used for malicious and/or criminal activity, if the authorities can get the person's name and information simply by using the WHOIS system.
Alas, there are weaknesses in the system - the control mechanisms for verifying the registrant are imperfect.
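As an added illustration (not code from the original article), the following Python example performs the WHOIS lookup referred to above in the way the protocol defines it (RFC 3912: a TCP connection to port 43, the query terminated by CRLF, the reply read until the server closes), parses the "Key: Value" reply and flags registrant fields that are empty or filled with a placeholder. The WHOIS server name, the sample reply and the placeholder list are assumptions constructed for the example. Note what the check does and does not do: it catches blatantly incomplete records, but a plausible-looking yet false name and address passes, which is precisely the weakness the article describes.

```python
import socket
import sys

# Constructed sample WHOIS reply (not a real registration record),
# in the "Key: Value" layout most registrar WHOIS servers use.
SAMPLE_RESPONSE = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 2010-02-01T00:00:00Z
Registrant Name:
Registrant Organization: N/A
Registrant Street: none
Registrant City: Anytown
Registrant Country: XX
Registrant Email: nobody@example.invalid
>>> Last update of WHOIS database: 2010-03-01T00:00:00Z <<<
"""

# Fields a registrant is expected to fill in. Organization is left out
# because it is legitimately empty for private individuals.
REGISTRANT_FIELDS = (
    "Registrant Name",
    "Registrant Street",
    "Registrant City",
    "Registrant Country",
    "Registrant Email",
)

# Values that carry no information (assumed list, extend as needed).
PLACEHOLDERS = {"", "n/a", "none", "null", "-", "unknown", "not available"}


def whois_query(domain, server="whois.verisign-grs.com", timeout=10):
    """RFC 3912 lookup: connect to TCP/43, send the query plus CRLF,
    read until the server closes the connection.  (Server name is an
    assumption; the live call is only made from the command line.)"""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Collect 'Key: Value' lines into a dict.  Repeated keys keep the
    first value; banner lines (>>> ... <<<) and lines without a colon,
    such as legal disclaimers, are ignored."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(">>>") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key and key not in fields:
            fields[key] = value
    return fields


def check_registrant(fields):
    """Return the registrant fields that are missing or hold a placeholder.
    This only detects obviously empty records; it cannot tell whether a
    well-formed name or address actually belongs to anyone."""
    problems = {}
    for name in REGISTRANT_FIELDS:
        value = fields.get(name, "").strip()
        if value.lower() in PLACEHOLDERS:
            problems[name] = value
    return problems


if __name__ == "__main__":
    # With a domain argument, do a live lookup; otherwise use the sample.
    raw = whois_query(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    record = parse_whois(raw)
    for field, value in check_registrant(record).items():
        print(f"suspicious {field!r}: {value!r}")
```

Run without arguments to see the two fields the sample record fails on (an empty Registrant Name and a Street of "none"); run with a domain name to query the configured WHOIS server directly.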
To get a better understanding of registrants' WHOIS information, ICANN has commissioned the National Opinion Research Center (NORC) at the University of Chicago, USA, to study the accuracy of registrants' contact information in the WHOIS system.
The draft report is now available for comment and the findings are very interesting reading.
A representative sample of domain names from .com, .net, .org, .info and .biz is used in the study.
One should note that the various country domains (like .de, .no, .es etc.) may have their own requirements for registrants. These vary considerably between countries, and some are quite unrestrictive. Some countries have recently taken the initiative to strengthen the system in order to limit abuse. See for example this article in Computerworld about how Russia is tightening its procedures regarding registration of domains.
In its report NORC has attempted to classify the different registration information available, to find out whether it is reliable. The report takes into account that some information may be unreliable without malicious intent (a misspelling, for example), while other information is obviously incorrect by intent.
Using the following criteria for accuracy of registrant information:
the report shows that 46% met these criteria and 6% failed on all three.
One intriguing aspect is to see whether stolen identities are used in order to register (malicious) domain names. Interestingly, the report laconically concludes about this:
"(...) identity theft may not be necessary; it is all too easy for registrants to enter any or no name, along with an unreliable or undeliverable address."
The report's concluding paragraph is worth quoting:
"Most of the barriers to accuracy found (concerns about privacy, confusion about information needed, lack of clarity in the standard to which information should be entered, no requirement for proof of identity or address, the structure of WHOIS itself) can be addressed by the internet community. However, the cost of ensuring accuracy will escalate with the level of accuracy sought, and ultimately the cost of increased accuracy would be passed through to the registrants in the fees they pay to register a domain. Cooperation among all registrants and other ICANN constituents will be needed to eliminate any commercial disadvantage accruing from enforcing greater accuracy."
The draft report is available for review and comments through 15 April 2010.
It will be interesting to see if ICANN uses the report's findings and the comments to change the requirements for registering domain names. Stricter requirements to prove registrants' identity and location seem like a minor nuisance if they can help secure the Internet.