Latest news of the domain name industry

Recent Posts

.home gets half a billion hits a day. Could this put new gTLDs at risk?

Kevin Murphy, July 17, 2013, Domain Tech

New gTLDs could be in jeopardy following the results of a study into the security risks they may pose.

ICANN is likely to be told to put in place measures to mitigate the risk of new gTLDs causing problems, and chief security officer Jeff Moss said “deadlines will have to move” if global DNS resolution is put at risk.

His comments referred to the potential for clashes between applied-for new gTLD strings and non-existent TLDs that are nevertheless already widely used on internal networks.

That’s a problem that has been increasingly highlighted by Verisign in recent months. The difference here is that the study’s author does not have a .com monopoly to protect.

Interisle Consulting, which has been hired by ICANN to look into the problem, today released some of its preliminary findings during a session at the ICANN 47 meeting in Durban, South Africa.

The company looked at domain name look-up data collected from one of the DNS root servers over a 48-hour period, in an attempt to measure the potential scope of the clash problem.

Some of its findings are surprising:

  • Of the 1,408 strings originally applied for in the current new gTLD round, only 14 do not currently have any root traffic.
  • Three percent of all requests were for strings that have been applied for in the current round.
  • A further 19% of requests were for strings that could potentially be applied for in future rounds (that is, the TLD was syntactically well-formed and not a banned string such as .local).
  • .home, the most frequently requested invalid TLD, received over a billion queries over the 48-hour period. That’s compared to 8.5 billion for .com

Here’s a list of the top 17 invalid TLDs by traffic, taken from Interisle’s presentation (pdf) today.

Most Queried TLDs

If the list had been of the top 100 requested TLDs, 13 of them would have been strings that have been applied for in the current round, Interisle CEO Lyman Chapin said in the session.

Here’s the most-queried applied-for strings:

Most Queried TLDs

Chapin was quick to point out that big numbers do not necessarily equate to big security problems.

“Just occurrence doesn’t tell you a lot about whether that’s a good thing, a bad thing, a neutral thing, it just tells you how often the string appears,” he said.

“An event that occurs very frequently but has no negative side effects is one thing, an event that occurs very infrequently but has a really serious side effect, like a meteor strike — it’s always a product of those two factors that leads you to an assessment of risk,” he said.

For example, the reason .ice appears prominently on the list appears to be solely due to an electricity producer in Costa Rica, which “for some reason is blasting .ice requests out to the root”, Chapin said.

If the bad requests are only coming from a small number of sources, that’s a relatively simple problem to sort out — you just call up the guy responsible and tell him to sort out his network.

In cases like .home, where much of the traffic is believed to be coming from millions of residential DSL routers, that’s a much trickier problem.

The reverse is also true, however: a small number of requests doesn’t necessarily mean a low-impact risk.

There may be a relatively small number of requests for .hospital, for example, but if the impact is even a single life support machine blinking off… probably best not delegate that gTLD.

Chapin said that the full report, which ICANN said could be published in about two weeks, does contain data on the number of sources of requests for each invalid TLD. Today’s presentation did not, however.

As well as the source of the request, the second-level domains being requested is also an important factor, but it does not seem to have been addressed by this study.

For example, .home may be getting half a billion requests a day, but if all of those requests are for bthomehub.home — used today by the British ISP BT in its residential routers — the .home registry might be able to eliminate the risk of data leakage by simply giving BT that domain.

Likewise, while .hsbc appears on the list it’s actually been applied for by HSBC as a single-registrant gTLD, so the risk of delegating it to the DNS root may be minimal.

There was no data on second-level domains in today’s presentation and it does not appear that the full Interisle report contains it either. More study may be needed.

Donuts CEO Paul Stahura also took to the mic to asked Chapin whether he’d compared the invalid TLD requests to requests for invalid second-level domains in, say, .com. He had not.

One of Stahura’s arguments, which were expounded at length in the comment thread on this DI blog post, is that delegating TLDs with existing traffic is little different to allowing people to register .com domains with existing traffic.

So what are Interisle’s recommendations likely to be?

Judging by today’s presentation, the company is going to present a list of risk-mitigation options that are pretty similar to what Verisign has previously recommended.

For example, some strings could be permanently banned, or there could be a “trial run” — what Verisign called an “ephemeral delegation” — for each new gTLD to test for impact before full delegation.

It seems to me that if the second-level request data was available, more mitigation options would be opened up.

ICANN chief security officer Jeff Moss, who was on today’s panel, was asked what he would recommend to ICANN CEO Fadi Chehade today in light of the report’s conclusions.

“I am not going to recommend we do anything that has any substantial SSR impact,” said Moss. “If we find any show-stoppers, if we find anything that suggests impact for global DNS, we won’t do it. It’s not worth the risk.”

Without prompting, he addressed the risk of delay to the new gTLD program.

“People sometimes get hung up on the deadline, ‘How will you know before the deadline?’,” he said. “Well, deadlines can move. If there’s something we find that is a show-stopper, deadlines will have to move.”

The full report, expected to be published in two weeks, will be opened for public comment, ICANN confirmed.

Assuming the report is published on time and has a 30-day comment period, that brings us up to the beginning of September, coincidentally the same time ICANN expects the first new gTLD to be delegated.

ICANN certainly likes to play things close to the whistle.

Seized .eu, .be counterfeiting domains now pointing to US government servers

Kevin Murphy, November 27, 2012, Domain Policy

At least three of the European domain names seized in this year’s batch of Cyber Monday anti-counterfeiting law enforcement are now pointing to servers controlled by the US government.

We’ve found that chaussuresfoot.be, chaussurevogue.eu and eshopreplica.eu are now hosted on the same IP addresses as SeizedServers.com, the US Immigration and Customs Enforcement site.

But the three domains, believed to be among the 132 grabbed ahead of this year’s online shopping rush, display warnings incorporating the logos of multiple European law enforcement agencies.

While domains in .dk, .fr, .ro and .uk were also targeted by this year’s transatlantic crackdown, none appear to be using SeizedServers.com.

According to an ICE press release yesterday, this was the first year that Operation In Our Sites, which kicked off at this time in 2010, has included overseas law enforcement.

The partnership, coordinated between ICE and Europol, was code-named Project Transatlantic.

Cops seize 132 domains in Cyber Monday crackdown

Kevin Murphy, November 26, 2012, Domain Policy

Law enforcement agencies in the US and Europe have shut down 132 domain names in order to stop the selling of counterfeit merchandise online.

According to the US Immigration and Customs Enforcement agency, the now-annual Cyber Monday crackdown included domain names in the .eu, .be, .dk, .fr, .ro and .uk ccTLDs.

Law enforcement from those countries were involved, via Europol, in their respective local seizures, while ICE nabbed 101 domains in generic TLDs whose registries are based in the US.

One person was also arrested, and ICE plans to seize $175,000 in ill-gotten gains sent to a PayPal account connected with the sites.

It’s the third year in a row that ICE has led an operation of this kind before “Cyber Monday”, which in recent years has become the most popular day of the year for e-commerce deals.

The operation started when ICE and Europol “received leads from various trademark holders regarding the infringing websites”, ICE said in a press release.

Congressmen quiz ICE over domain seizures

Kevin Murphy, September 3, 2012, Domain Policy

Three US members of Congress have expressed “deep concern” over the alleged lack of due process followed when the Department of Homeland Security seizes domain names.

Rep. Zoe Lofgren, Rep. Jared Polis and Rep. Jason Chaffetz quiz DHS (pdf) about the methods employed by the Immigration and Customs Enforcement agency in its Operation In Our Sites.

The Congressmen’s letter highlights the case of the hip-hop web site Dajaz1.com, which had its .com seized by ICE and then returned.

“Much of Dajaz1’s information was lawful,” the letter reads. “Despite this, DHS and the Department of Justice suppressed this website for more than a year.”

The Congressmen say that “if a website’s domain is seized, it needs to be given meaningful due process that comports to the US Constitution and US law”.

Operation In Our Sites has seen ICE seize hundreds of domains — mainly .coms accused of copyright infringement — from US-based registries including Verisign since late 2010.

Despite the relatively small number of domains seized, there have been a number of controversies.

Notably, the Spanish TV download web site RojaDirecta, which lost its .com and .org domains despite being ruled legal by a court in its home nation, last month had them returned to it by ICE.

Buy a .com in England, go to jail in America?

Kevin Murphy, July 5, 2011, Domain Policy

People who register .com or .net domain names to conduct illegal activity risk extradition to the United States because the domains are managed by an American company.

That’s the startling line reportedly coming from the Immigration and Customs Enforcement agency, which is trying to have the British operator of TVShack.net shipped out to stand trial in the US.

According to reports, 22-year-old student Richard O’Dwyer is fighting extradition to face charges of criminal copyright infringement.

ICE assistant deputy director Erik Barnett told The Guardian that any overseas web site using a .com or .net address to spread pirated material is a legitimate target for prosecution in the States.

The agency has already started shutting down .com and .net sites by seizing their domains, even if the sites in question had been found legal in their own overseas jurisdictions.

It does so by serving a court order to VeriSign, the registry manager, which is based in Virginia. The company is of course obliged to obey the order.

TVShack.net provided links to bootleg movies and TV shows, rather than hosting the content itself. It appears to be a matter of some confusion in the UK whether that behavior is actually illegal or not.

The site reportedly was hosted outside the US, and O’Dwyer never visited the US. The only link was the domain name.

I’m British, but DI is a .com, so I’d like to exercise my (presumed conferred) First Amendment rights to call this scenario utterly insane.

The issue of legal jurisdiction, incidentally, is one that potential new gTLD applicants need to keep in mind when selecting a back-end registry services provider.

Most incumbent providers are based in the US, and while we’ve seen plenty of upstarts emerge in Europe, Asia and Australia, some of those nations sometimes have pretty crazy laws too.

Feds did not seize conspiracy domain

Kevin Murphy, June 9, 2011, Domain Policy

I reported earlier in the week that the US Immigration and Customs Enforcement agency had seized a domain name belonging to an anti-vaccine conspiracy theorist.

It seems I may have jumped the gun. The seizure of lowellsfacts.com almost certainly didn’t happen.

Ars Technica called up ICE for the affidavit used to win the court order to seize the domain, and received this statement from an apparently baffled press officer:

ICE has not taken any enforcement action against this site. The site owner/administration redirected www.lowellsfacts.com to our name server, where the seizure banner is hosted.

If this is true, it seems that any idiot can change their name servers to ns1.seizedservers.com and ns2.seizedservers.com and ICE will happily serve up a warning about copyright infringement without even checking whether the domain has actually been seized.

While the lowellsfacts.com case did seem odd, I had assumed that ICE was doing some basic domain verification before displaying its increasingly infamous banner.

This was not an unreasonable assumption – previously, domains seized due to child pornography have displayed a different banner to those involvement with counterfeiting.

There is some code on the site checking the incoming domains before displaying the banner, in other words, apparently just not enough to stop the wave of spoof seizures we’re now likely to see.

Feds seize conspiracy theorist’s domain

Kevin Murphy, June 7, 2011, Domain Policy

The US Immigration and Customs Enforcement agency has seized the domain name of an anti-vaccine conspiracy theorist.

Update: This story is probably bogus.

The domain lowellsfacts.com has started resolving to the now-familiar ICE banner, warning visitors about the penalties for counterfeiting and copyright infringement.

Its name servers switched this week to ICE-owned seizedservers.com.

Judging from the Google cache, the site was devoted to spreading dangerous misinformation about the the efficacy of various vaccines, particularly Gardasil, which is used to prevent HPV infection.

Unlike previously seized domains, lowellsfacts.com does not, at least from the cache, appear to have been prominently pimping counterfeit goods.

It was registered using Go Daddy’s private registration service, but once belonged to one Lowell Hubbs.

You can listen to Hubbs’ theory about vaccines and the Rockerfellers on YouTube. He makes Jenny McCarthy look sensible. He was apparently a regular Huffington Post commenter.

A blog devoted to criticizing Hubbs and his theories can be found at lowellhubbs.blogspot.com and the reply to that blog, purportedly written by Hubbs, can be found, confusingly, at costnermatthews.blogspot.com.

The Hubbs’ blog claims the seized site had been hacked and filled with illegal porn links. His critic’s blog says he was likely shut down for using copyrighted material without permission.

ICE seizes more piracy domains

Kevin Murphy, May 23, 2011, Domain Policy

The US Immigration and Customs Enforcement agency has seized a small number of domain names that were allegedly being used to distribute bootleg movies and other goods.

But the number of domains falling to Operation In Our Sites in the latest round appears to be smaller than reported over the weekend by TorrentFreak.

The newly seized domains seem to be watchnewfilms.com, mygolfaccessory.com and re1ease.net.

Another half-dozen domains reportedly grabbed within the last few days were actually seized last November, as part of ICE’s major Thanksgiving crackdown.

The false positives were likely spotted because the domains recently changed name servers to ICE’s seizedservers.com, but this appears to be due to a domain management issue, rather than a fresh seizure.

ICE domain seizures enter second phase

Kevin Murphy, April 20, 2011, Domain Policy

The US Immigration & Customs Enforcement agency seems to be consolidating its portfolio of seized domain names by transferring them to its own registrar account.

Many domains ICE recently seized at the registry level under Operation “In Our Sites” have, as of yesterday, started naming the agency as the official registrant in the Whois database.

ICE, part of the Department of Homeland Security, has collected over 100 domains, most of them .coms, as part of the anti-counterfeiting operation it kicked off with gusto last November.

The domains all allegedly either promoted counterfeit physical goods or offered links to bootleg digital content.

At a technical level, ICE originally assumed control of the domains by instructing registries such as VeriSign, the .com operator, to change the authoritative name servers for each domain to seizedservers.com.

All the domains pointed to that server, which is controlled by ICE, resolve to a web server displaying the same image:

ICE seized domains banner

(The banner, incidentally, appears to have been updated this month. If clicked, it now sends visitors to this anti-piracy public service announcement hosted at YouTube.)

Until this week, the Whois record associated with each domain continued to list the original registrant – a great many of them apparently Chinese – but ICE now seems to be consolidating its portfolio.

As of yesterday, a sizable chunk — but by no means all — of the seized domains have been transferred to Network Solutions and now name ICE as the registrant in their Whois database records.

Rather than simply commandeering the domains, it appears that ICE now “owns” them too.

But ICE has already allowed one of its seizures to expire. The registration for silkscarf-shop.com expired in March, and it no longer points to seizedservers.com or displays the ICE piracy warning.

The domain is now listed in Redemption Period status, meaning it is starting along the road to ultimately dropping and becoming available for registration again.

Interestingly, most of the newly moved domains appear to have been transferred into NetSol from original registrars based in China, such as HiChina, Xin Net and dns.com.cn.

After consulting with a few people more intimately familiar with the grubby innards of the inter-registrar transfer process than I am, I understand that the names could have been moved without the explicit intervention of either registrar, but that it would not be entirely unprecedented if the transfers had been handled manually under the authority of a court order.

If I find out for sure, I’ll provide an update.

Plug-in works around seized domains

Kevin Murphy, April 15, 2011, Domain Tech

Disgruntled coders have come up with a new Firefox plug-in to help people find piracy web sites after their domain names are seized by the authorities.

MAFIAA-Fire hooks into the browser, checking DNS queries against a list supplied by the developers, to see if the name corresponds to a seized domain.

If it does, the browser is redirected to an approved mirror. If it does not, the DNS query is handled as normal through the browser’s regular resolvers.

The plug-in was created in response to the seizure of domain names alleged to be involved in distributing bootleg movies, music and software.

The US Immigration and Customs Enforcement agency has been sending court-ordered take-down notices to US-based registry operators such as VeriSign for the last several months.

Some sites immediately relocate to top-level domains outside of US jurisdiction. MAFIAA-Fire is designed to make the process of finding these new sites easier.

As the plug-in site acknowledges, if any fraudulent data were to make its way onto its manually-authenticated list of domains, it could cause a security problem for end users.

MAFIAA stands for “Music and Film Industry Association of America”, a corruption of RIAA and MPAA. The “Fire” suffix comes from the fact that fire melts ICE.

The plug-in, which was first reported by TorrentFreak, is hosted at a .com address.

  • Page 1 of 2
  • 1
  • 2
  • >