Re: [ga-sys] Registrants Charter - FREEDOMS - Part 1

[Joanna Lane <jo-uk@rcn.com>]

on 5/16/01 5:22 AM, Roeland Meyer at rmeyer@mhsc.com wrote:

>> Question: Could WHOIS data be restricted on a "need to know"
>> basis and if
>> so, how could that work ?
> 
> Some of us have actually been batting that problem around for a few years.
> We don't have an answer. It's like trying to copy protect an image on a web
> site, once you see it on a browser, you can copy it and there is no way to
> stop that. The bits are on another machine, in its memory, which you do not
> control.
> 
> The fundimental problem is that there is no way to predict which SysAdmin,
> in which domain, will need that data. In the case of DDoS attacks, that
> information should really be fetched by automated scripts. uuid/passwd
> protocols would make those scripts unusable. We are talking about 10-20
> cascaded lookups, with a number of different whois servers, in under a
> second here.


Technically, I'm lost on the details of what's involved, but I get some of
the picture. In laymen's terms, would it be correct to say that you need
emergency contacts for owners of Domains who may not know that they are
involved (their servers having been co-opted as zombies) in a Denial of
Service attack, in which you or your customers are the victims?

If so, what use is a postal address? Surely, it's a phone number for the
technical contact you need, not the registrant's postal address? Also, for a
DN that registers in the name of a corporation or firm of attorneys working
9am-5pm, what use is even a phone number at 4am?

I'm not one for analogies, but it sounds like you need an alarm system on
your home (servers) connected to a police station (WHOIS database) through a
central station (selected custodians to logfile/ monitor access to database,
with 24/7 customer service). I appreciate it may slow things down in the
first instance, but advantages would include

1) accurate information once accessed.
We agree that Registrants are protecting their privacy by using a false
address or providing 000-000-0000 phone numbers, hence a vast number of DN
contact details are no use in a DOS emergency anyway.

What you need is *accurate* and *updated* information, and for people to
actively cooperate with you in providing that information. It is unrealistic
to think that will change present habits while the WHOIS remains in the
public domain. Public cooperation requires trust and to obtain that, the
data must be kept in a fairly secure system that has some deterrants to
discourage, if not entirely eliminate, opportunities for abuse.

2) deterrants to abuse
If you can live with accessing WHOIS data by subscribing to a 24/7 central
monitoring station that allows instant access when an alarm goes off on your
servers, but actually logfiles use, and states what are the authorized
conditions of use, this would act as a deterrant.

3) WHOIS conditions of use
What are the appropriate reasons for accessing WHOIS data and what
information is needed exactly?

3.1 Denial of Service Attacks:- 24/7 requirement to contact DN technical/
admin/ registrant by phone.
3.2 Other kinds of network troubleshooting?
3.3 Service of Legal Notices for trademark and other kinds of infringement?
3.4.Police and other relevant authorities.
3.5. Registry - Registrar records of customers
 
>> The idea is
>> to remove personal data from casual scrutiny that serves no
>> purpose, not to
>> stop Registries keeping private records of their customers,
>> as any other business would do.
> 
> How do you define access as casual v. non-casual?
See above attempts to clarify. Please add to the list.

There is no way to do that
> without some form of authentication mechanism, to identify the requestor.
> This means that each contact needs a uid/realm/key. In the case of COM, this
> runs into the millions. It doesn't scale. In the specific example I
> mentioned, their pipes are clogged and they are probably using a spare dial
> port to another ISPs system and doing the queries there. Normal
> authentication can be difficult.

Just your name and phone number would do, or an ID and password, either or
both registered with the WHOIS Central Station. I wouldn't propose tracing
back to IP numbers and 100% authentication, because of the spare dial
problem. We are talking about a deterrant, like a burglar alarm, which
doesn't stop people breaking in, but tells you when people are there, that
can be used to log useage, pick up patterns of abuse and trace if necessary
through contacts provided. Tell people that random checks and audits will be
made. The remedy would be loss of access to WHOIS.

Just a few thoughts....but without something along these lines, you will not
have any access at all to WHOIS for EU registered DNs.

Regards,
Joanna

--
This message was passed to you via the ga-sys@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga-sys" in the body of the message).
Archives at http://www.dnso.org/archives.html