This means, for current attacks, ensuring that the domain is not present in the TLD zone, since everything below that is in the hands of the criminals. I agree that it doesn’t matter then whether the domain is made available for others to register (though given its history they’d be unwise to purchase), or whether the registrar attempts to monetise it by keeping it in the zone, but with name servers that direct traffic to advertising pages.

My point is that either the registry or the registrar has to do something to the TLD zone — nothing else will work reliably, and the WG suggestions relating to lifetimes, TXT records, whois data and so forth don’t do anything to change the zone contents.

As to the suggestion that the domain doesn’t need to be removed because filters are so ubiquitous and perfect that the domain no longer is of value… that’s far from universally true. Yes our data does show that some of the gangs employ new domains even when old ones are not yet removed, but other attackers clearly don’t change to new domains until they have to.

I’ve seen this most frequently in the noisier anti-spam crowd. They’re more concerned with making others jump at their command than they are with effectiveness. As a result, when they succeed in coercing a registrar into de-registering a domain, they do actual harm to anti-spam work.

The harm is caused by removal of useful, known tags (the spammed, phished, etc. domains) from our filtering decisions and our monitoring.

The thesis of your post is nearly as damaging to our efforts. Accordingly, please step back a bit, and make sure you’re taking the right tree. Don’t knock down the whole grove unnecessarily; others of us rely, for our mutual protection, upon it remaining there.

You don’t have to advocate removing the useful (even necessary) sigil provided to us by the domain name to accomplish disabling the botnet. All we need to do is turn off the DNS service necessary for the botnet operation.

Please make that distinction (DNS service is separate from domain registration), and help minimize the harm otherwise done to our ability to protect ourselves from that botnet.

Thanks!

It is in fact what is done today; nothing else works!

@Clive For instance how does a LEO in one place convince a registry else where that their request is legitamate and not somebody trying a DOS attack.

Well indeed — exactly the sort of thing that a working group could start to thrash out, and start drafting Best Practice for.

@Clive Furtherthere is the question of legal liability.

Absolutely, if someone dumbly asks for “geocities.com” to be removed, and the registrar slips up, then the requester should take some of the blame. If that means damage$, then so be it.

In practice, it is immediately obvious to the competent which are the 20 domains a day that need to be rapidly suspended, and although the bad guys always have the option of bringing the take-down process into disrepute — provided that a little bit of care is taken, there should be no problem. Once again, there’s a role here for WGs in writing Best Practice and suggesting what level of damage insurance might be appropriate to obtain.

viz: a WG is just the sort of place to do _process_ and _best_practice_ work. It’s seldom (unless absolutely the right set of people are brought together) the place to do engineering or research.

Although I agree suspension of the domain naime would be an effective method of dealing with the current Fast-Flux.

I suspect that the method chosen is likley to be problematic.

For instance how does a LEO in one place convince a registry else where that their request is legitamate and not somebody trying a DOS attack.

Furtherthere is the question of legal liability.

I can see this simple solution hitting a significant quagmire if the correct suport structure is not put in place first.

And with all things involving potential liability I suspect it will be argued to death to avoid taking any action 8(