Security Experts:

Network Solutions' June "Snafu" - Why Heads Should Roll

If you are the domain manager for a major enterprise and are still using a consumer-grade registrar for your company’s main domain names, you should lose your job. Period.

When it comes to Internet security, there is absolutely no way major corporations would use consumer grade anti-malware and anti-phishing solutions as a one-stop security solution. So why would major organizations – we’re talking major Fortune 500 companies, government agencies, financial services and critical infrastructure organizations – put their domains in the hands of consumer grade registrars? By businesses using these registrars, they are essentially simply utilizing the same registration process and capabilities that any consumer could sign up for—bypassing many of the procedures, big-picture thinking and security measures enterprise-grade registrars come equipped with. We’ll get to the downsides of corporations leveraging consumer-grade registrars in a bit, but first let’s look at a recent incident where domains were suddenly redirected and the suspected culprit was a consumer-grade registrar.

Domains Moved, Trail Leads to Network Solutions “Mishap”

Securing Interent Domain NamesThis June, thousands of domains were moved; everything from mom-and-pop shops to huge Internet properties like LinkedIn, Fidelity, Craigslist, Yelp and even the US Postal Service (USPS). The domains started resolving to a so-called “parking” page on the Web, and then with the crush of traffic, stopped working at all. Email, DNS provisioning and other services tied to those domains also started resolving to an oddball network out of the US Virgin Islands—this sent the security community into frenzy as you might think. This was well documented albeit explained various ways, especially in the case of LinkedIn. However, to date, there is still much speculation as to what really happened. Was their DNS hijacked (as was initially reported) or was there some sort of infrastructure snafu?

All of these domains had one thing in common; their registrar was consumer registrar, Network Solutions. To this point, Network Solutions has only provided a very brief blog post about the event that relegated it to almost a non-event. Network Solutions’ stunning lack of transparency or public explanations of this event has certainly not helped, and I would say that heads should roll over there too. You don’t take out several major Internet companies, one of the largest financial services in the world including their websites and email, much less US Government assets like the post office and then just post an “oops, sorry” blog post that says almost nothing. As it is, we only have speculation and some anecdotal conversations that leave many of us in the security industry wondering whether this was a simple fat-finger, a malicious insider, a breach of their databases or something worse. As this piece was being written in mid July, Network Solutions experienced a major DDoS attack against their nameserver infrastructure, at least according to their tweets and Facebook posts. This event was also poorly handled by Network Solutions in my opinion, with most registrants and users of Network Solutions’ authoritative DNS services left in the dark about what was transpiring.

Now back to June’s events. Speculation about what happened revolves around a seeming partnership Network Solutions has with a company in the U.S. Virgin Islands called Confluence Networks Inc. to transfer expired domains to them. It appears that Network Solutions, like many other retail registrars, monetizes the traffic being sent to domain names once they expire. It is the hypothesis of many in the industry that Network Solutions sets up an automated nameserver transfer as soon as a domain it handles expires. When such domains are transferred, they are redirected to Confluence Networks’ domain parking services. The speculation is something went wrong with this process and Network Solutions accidentally transferred the large batch of domains that appeared to be hijacked to Confluence Networks because the domains—including LinkedIn, Fidelity, USPS, Yelp, etc.—hadn’t expired.

Throughout this entire process, Network Solutions has been extremely tight-lipped about exactly what happened. As mentioned above, they put out a blog post acknowledging, “In the process of resolving a Distributed Denial of Service (DDoS) incident on Wednesday night, the websites of a small number of Network Solutions customers were inadvertently affected for up to several hours.” There has been no follow-on to this, and no one I’ve talked to with visibility into major DDoS events can corroborate their claim. So what was it then?

So how could this have happened? Although a warning system should have noticed such an anomaly and stopped it before it happened, the complete blame shouldn’t necessarily be pointed at Network Solutions. The blame should largely lie in the fact that major organizations placed their trust in a consumer-grade registrar. With Network Solutions, as is the case with other consumer focused registrars, they are in the business of quantity and not high-end services, surviving on margins of pennies per domain name. Their business is built for the masses, small businesses and consumers, that want a Web presence. Not Fortune 500 companies.

That’s fine, consumers and SMBs desire low-cost registrations tied to other product offerings that these types of registrars provide. However, they aren’t running billion-dollar Internet transaction-based services or mission critical operations that rely on their DNS to be there. Think of it like trying to put your corporate database on a cheap PC on a desktop rather than a clustered, highly redundant, RAID-enabled series of high-end database servers behind highly secure firewalls. Sure you might be able to get the thing running, but it will fall over or get breached pretty quickly, and the guy from the PC store has zero culpability.

This Network Solutions incident is the latest in a long-string of domain hijackings and other DNS events involving consumer registrars over the past several years, so one can’t say they weren’t warned (and thus the lose your job thing!). In fact, ICANN’s Security and Stability Advisory Committee put out a pair of advisories on the dangers of using a consumer registrar several years ago. (www.icann.org/en/groups/ssac/documents/sac-040-en.pdf and www.icann.org/en/groups/ssac/documents/sac-044-en.pdf‎).

Consumer-Grade vs Enterprise-Grade Registrars

Let’s take a look at what you get with consumer-grade vs enterprise-grade registrars:

Service Level Agreement—Consumer-focused registrars typically don’t have any sort of service level agreement for anything, much less if a domain gets moved. They just register domains and sell you email or web services, and you click on a box on their website that states you accept their terms of service. They usually accept no liability for any lack of resolution of your domain or if it gets hijacked or compromised in any way. Corporate registrars (or the corporate arm of a multi-faceted registrar) on the other hand have very specific SLAs sometimes stating that if a domain is to be moved, that action has to be verified through a domain manager. It also spells out the registrar’s culpability should there be a domain breach. Customers of corporate-focused registrars usually negotiate specific contract terms and require large insurance policies be held by their registrars as well.

The Human Touch—Sure it would be great if you registered for a domain and that was that. But as we know, things change and problems happen, either on purpose or by accident, as appears to be the situation with Network Solutions. In these cases, wouldn’t it be nice to always know you had a fully staffed 24/7 help desk with a clue and the authority to fix things that you had a personal relationship with? With consumer registrars, you’re lucky if you get someone on the phone that knows how to help you with your credit card payment. You are just a number to them. With corporate registrars, you have an account rep that instantly knows what domains and major contract you represent. They are generally on call for you 24x7, mainly because they know with corporations that the difference between being online and offline could be the matter of tens of millions of dollars in lost revenue in just minutes.

Security Posture—Multi-factor authentication. Seems so five years ago, wouldn’t you say? Not so with consumer registrars. You see, consumer registrars typically don’t usually assume risk for domain management (see the SLA section above). Therefore, they don’t adopt the latest security techniques to protect registrants. Corporate registrars on the other hand usually have a huge security posture and insurance, therefore they have a lot of “skin in the game” and take on a lot of liability for their customers. In order to ensure corporations don’t get redirected on their watch, they adopt several security measures, multi-factor authentication being one of them.

Furthermore, people tasked with registering domains don’t have security or risk in mind. In many corporations, the marketing department, the procurement office or a junior person in the legal department handles this task. While such people typically aren’t the ones who negotiate leases for buildings or ensure network security, they are doing the equivalent in cyberspace—real versus virtual real estate. It’s just that the risks associated with your domain name presence still just aren’t well understood in many organizations. That has to change. The importance of working with people who DO understand security and risk, corporate registrars, can help fill the gap left by people at corporations tasked with registering domains.

Complacency and Cost

So why would anyone go with a consumer registrar? In Network Solutions’ case, they were a monopoly initially. That’s right, until 1999, they were the ONLY registrar. So, many Fortune 500 corporations who signed up with Network Solutions early on were complacent about changing once new options were available. They have stayed with Network Solutions and haven’t demanded more out of their registrar. If it ain’t broke, don’t fix it, right? That kind of excuse doesn’t work well with corporate risk managers, who by the way, are also on my “hit list” at any major company still using consumer-grade registrars for their primary domain—the risks are well known now and should be part of any company’s risk management strategy.

Another reason someone would go with a consumer registrar comes down to simple arithmetic. With some consumer registrars charging around $10 or less a year for a domain, corporations go with them because they don’t see the benefit of going with a more expensive registrar (despite the points above). The clear calculus shows that anyone with a major domain portfolio should be using a registrar that understands this and how to protect major assets like this. Now one exception to this rule could well be in registering “defensive” domain names—ones you don’t use, but are similar to your own name, and thus ripe for cybersquatters or phishers. If you have to register thousands of such domains that you’ll never use or just redirect, it may make sense to take advantage of the low prices offered by a consumer-focused or reseller-model registrar. However, one could negotiate registering such domains at your corporate registrar at a low price too.

Having a Plan in Place

I just laid out SOME of the reasons why a consumer registrar should not be leveraged for the primary domain names used by corporations. But in no way, should a domain manager think, “Great, I’ve picked a registrar. My job is done there.” That couldn’t be further from the truth.

If something goes wrong, you need to have a plan in place. Ask yourself, “Do I have a an emergency alert system if something goes wrong?” That can only be obtained through shared intelligence and active monitoring. And once you find out about your domain being hijacked, do you have a plan in place on how you are going to work with your registrar to fix it?

While a registrar may seem to some as just a necessary evil to register domains, they are on the front lines of corporations’ domain presence. Treating them as a second thought could have dire consequences for your company and if you are a domain manager, looking for another job.

view counter
Rod Rasmussen co-founded Internet Identity and serves as its lead technology development executive. He is widely recognized as a leading expert on the abuse of the domain name system. Rasmussen is co-chair of the Anti-Phishing Working Group’s Internet Policy Committee and serves as the APWG’s Industry Liaison, representing and speaking on behalf of the organization at events around the world and works closely with ICANN. He also is a member of the Online Trust Alliance’s (OTA) Steering Committee and an active member of the Digital PhishNet and is an active participant in the Messaging Anti-Abuse Working Group. Rasmussen earned an MBA from the Haas School of Business at UC-Berkeley and holds two bachelor’s degrees, in Economics and Computer Science, from the University of Rochester.