Re: [weirds] I-D Action: draft-hollenbeck-dnrd-ap-query-00.txt

Dave Piscitello <dave.piscitello@icann.org> Mon, 30 April 2012 22:44 UTC

Return-Path: <dave.piscitello@icann.org>
X-Original-To: weirds@ietfa.amsl.com
Delivered-To: weirds@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 681CF21E80E4 for <weirds@ietfa.amsl.com>; Mon, 30 Apr 2012 15:44:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EJT40FVHsaDc for <weirds@ietfa.amsl.com>; Mon, 30 Apr 2012 15:44:04 -0700 (PDT)
Received: from EXPFE100-1.exc.icann.org (expfe100-1.exc.icann.org [64.78.22.236]) by ietfa.amsl.com (Postfix) with ESMTP id AFA1F21E80E3 for <weirds@ietf.org>; Mon, 30 Apr 2012 15:44:04 -0700 (PDT)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-1.exc.icann.org ([64.78.22.236]) with mapi; Mon, 30 Apr 2012 15:44:04 -0700
From: Dave Piscitello <dave.piscitello@icann.org>
To: "ebw@abenaki.wabanaki.net" <ebw@abenaki.wabanaki.net>
Date: Mon, 30 Apr 2012 15:44:03 -0700
Thread-Topic: [weirds] I-D Action: draft-hollenbeck-dnrd-ap-query-00.txt
Thread-Index: Ac0nIr6EaF/2z6jjROmoyi8XPFPrUw==
Message-ID: <844B6516-A657-41C5-AA72-64C713BB8D67@icann.org>
References: <831693C2CDA2E849A7D7A712B24E257F0D5F47A3@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <831693C2CDA2E849A7D7A712B24E257F0D5F4898@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <82189D85-608F-4FC0-8DF4-51D343CF51C6@icann.org> <4F9F0266.1050202@abenaki.wabanaki.net>
In-Reply-To: <4F9F0266.1050202@abenaki.wabanaki.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_844B6516A65741C5AA7264C713BB8D67icannorg_"
MIME-Version: 1.0
Cc: "weirds@ietf.org" <weirds@ietf.org>
Subject: Re: [weirds] I-D Action: draft-hollenbeck-dnrd-ap-query-00.txt
X-BeenThere: weirds@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "WHOIS-based Extensible Internet Registration Data Service \(WEIRDS\)" <weirds.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/weirds>, <mailto:weirds-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/weirds>
List-Post: <mailto:weirds@ietf.org>
List-Help: <mailto:weirds-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/weirds>, <mailto:weirds-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Apr 2012 22:44:05 -0000

On Apr 30, 2012, at 5:21 PM, Eric Brunner-Williams wrote:

On 4/30/12 12:01 PM, Dave Piscitello wrote:
These would be interesting in a number of malicious registration/forensics scenarios. For example, think about DGAs that generate names across multiple registries (like Conficker). Now think about trying to pattern match to see if there is a common registrar being used or exploited.

i made, or thought i made, the point

Yes, you did. I'm expanding that to considering the volumes of registration data that people o/t registries and registrars store. Individual investigators, researchers in academia or organizations that have tens of thousands of whois records associated with malicious registrations, phished domains, malware hosting domains, etc. At the moment, much of this information is not easily normalized. Also, certain companies provide historical whois as a service. All of these would benefit from structured, searchable data, and there's keen interest in registrar and reseller info. The 2H2012 APWG Global Phishing Survey, for example, made use of Domain Tools historical Whois to identify "phished registrars" (Presented last week during APWG Prague, I wrote about it today).


Since many information flows identify IP addresses initially and either resolve to names later or not at all, I suspect that this, too, would be valuable for any investigator.

These would also be extremely valuable if consensus policy were to consider and add reseller objects to the data model. This is my personal opinion and speculative as well. My company and members of the broader community may think differently.

your company? that would be the rhs of "dave.piscitello@icann.org<mailto:dave.piscitello@icann.org>"?

Apologies, that is ambiguous. In this case, I'm speaking of ICANN.
I suspect no one at Core Competence disputes my opinion but I did send this from the ICANN address not dave@corecom.com<mailto:dave@corecom.com> :-)