News and Updates

Photos & Highlights from the Final Day of the 2018 MERGE! Conference in Orlando

DN Journal - Thu, 2018-09-20 00:23
The 2018 MERGE! Conference is now history. We have photos & highlights from the busy closing day in Orlando, Florida on Tuesday.
Categories: News and Updates

Lessons Learned from the Namejuice/DROA/DROC Outage

Domain industry news - Wed, 2018-09-19 19:27

Last week an ICANN registrar, Namejuice, went off the air for the better part of the day — disappearing off the internet at approximately 8:30 am, taking all domains delegated to its nameservers with it, and did not come back online until close to 11 pm ET.

That was a full business day and more of complete outage for all businesses, domains, websites, and email that were using the Namejuice nameservers — something many of them were doing.

Over the course of the day, speculation abounded around the cause of the outage (and we look at some of them below). None of their customers whom I was in communications with, nor anybody in the Reddit thread reported receiving any communication from Namejuice about the cause of the outage or an ETA for the restoration of service. They were simply gone, and given the lack of information, there was a scant basis to discern whether this was a temporary or a permanent condition.

Needless to say, as far as outages go, this wasn't handled well by the vendor. The lessons learned make for an effective case study that validated the unifying theme of my book (sorry, I'm talking up my book here).

The underlying theme of Managing Mission Critical Domains and DNS is that in today's IT landscape, there is a divide between DNS operations and domain portfolio management. That divide is an artificial one, and it leads to disconnects that can result in domain outages. Those outages can take your company down, or even entire chunks of the internet, based on the dependencies of any given domain.

The two logical realms of a domain name

Namejuice's background

Namejuice is not unknown throughout IT circles owing to their practice of allegedly soliciting customers via "domain slamming".

They have had their ICANN accreditation suspended at least once, CIRA de-certified them as a Canadian .CA registrar, and the Canadian Competition Bureau has issued at least one warning about the practice of domain slamming to consumers.

I mention all this because domain slamming is one of the topics covered in my book under the "common pitfalls" chapter. It relates to the various vulnerabilities companies can expose themselves to by inadvertently authorizing a transfer of their domains to a new registrar without fully understanding what that entails.

It cannot be emphasized enough that when the administrative functions of managing domain portfolios, like registering and renewing domains, are separated from the ops aspect of making sure they work on the internet, it can lead to a situation that puts your organization at risk.

Bookkeeping or accounting may have filled out the form they received in the email, thinking it was a legitimate account payable, triggering the transfer. IT goes along with it because somebody in management must have done it for a reason, right?

Then last Monday comes along and *whammo*, everything's offline, the entire company is down and there's nothing anybody can do about it.

Overview of the Outage

The outage began around 8:30 am on Sept 10, 2018, and a Reddit thread in /r/sysadmin started forming around the incident. The rumors were that the outage was caused by a power outage at Namejuice's data center in Markham. There were a few power outages throughout the GTA that morning.

The word was that somebody at ICANN had spoken to somebody at Namejuice and they were given a 1 pm ETA for the restoration of power to the data center. 1 pm came and went and nothing happened:

"We were able to get ahold of someone at ICANN. data center has suffered a power outage and their backup generator failed. The power company is currently working to resolve the issues. We were given an ETA of 1 pm EST to when the power is restored. Hope this helps."

However, as a subsequent Redditor noted, that comment was posted from an account that was created that day and had only ever posted one comment, that one.

There are a lot of data centers in Markham. Whatever datacenter Namejuice is using couldn't get their backup generator working, which seems like one of the basics that any DC would need to get right. Even if the backup gens didn't kick in automatically, they should have been able to manually start them. Also, had the entire data center lost power without backup, then we would have expected to have seen reports of more outages from any other outfits who were co-located within the same datacenter.

Weirder still is that the Namejuice outage appeared to be caused by a DNS failure. All four nameservers were completely offline and unresponsive to ping requests, yet, only two of those name servers looked to be within the Markham DC.


The other two nameservers were offsite, at Digital Ocean, but they were down too. Why would they be down if the outage was caused by a power failure in Markham?

I dwell on this because it leads directly to our next lesson learned from this outage, which is also in my book, under the "Nameservers Considerations" chapter, where we look at numbering and address schemes for allocating production nameservers, see below.

Rumours of ICANN de-accreditation

At one point in the day, I received an email from a sysadmin acquaintance whose company was down (an investment fund) because their domains and DNS were impacted, and he said: "GoDaddy verified that ICANN finally took them down."

I replied quickly to this one, that had to be a flat-out false rumor: There is no way an ICANN decertification would happen in such a "band-aid moment" fashion. It would be telegraphed well in advance, announced by ICANN via its website and all domains would have been transitioned to another registrar via a tender process.

Further, even if that all had happened, nothing ICANN does would impact the existing DNS. They don't have some magic killswitch that just shuts down a deaccredited registrar's nameservers; that would be so far outside ICANN's purview as to be draconian. The only thing that would happen in such a situation is the decertified registrar can no longer register, transfer or renew domains and their existing customers get moved to a new registrar.

Again, absent any communications from the vendor, via some out-of-band medium like Twitter, these types of rumors were bound to circulate.

This outage was possibly caused by a DDoS attack.

By the end of the day, I was already skeptical of the power outage narrative and I knew it wasn't an ICANN thing; the most likely remaining explanation was that Namejuice's nameservers were under a DDoS attack.

My suspicions were reinforced the next morning when the CEO of another Markham datacenter I know personally discussed the events with me. He told me that somebody who peers at 151 Front experienced some degradation on their cross-connects with Zayo associated with a DDoS on port 53 UDP (which is DNS). The Markham IPs for Namejuice are Zayo/Allstream. It started around 8:30 am.

A DDoS attack against Namejuice's DNS would explain everything, and this is the point where we hit that next point I cover in my book under "Nameserver Considerations". That's the selection of the IP space your DNS provider uses to operate its nameservers on.

The path of least resistance is to simply get IP space from your upstream provider, or use the IPs assigned to you by some cloud provider and set your nameservers up on those IPs.

The problem is when you get DDoS-ed, your upstreams simply null route those IP addresses to preserve the rest of their infrastructure, and there's nothing you can do about it until they decide to lift those null routes. Different places have different policies but in general, they aren't too keen to do it until they are sure the DDoS is over. Back when we were still on external IPs one provider's policy was that once they dropped in a null route the soonest they would even look at it again was 24 hours later. I remember at least one DDoS where we ended up renumbering nameservers.

Ideally, your DNS provider is using IPs within their own netblocks so that they are in control of their own ASN and routing announcements. That way when a DDoS comes and if your upstream provider drops your routes to save themselves, you at least still have the option to bring up your routes someplace else to get back online, like a DDoS mitigation solution.

Without this, you're at the mercy of your upstream, unless, as I mentioned, you decide to completely renumber your nameserver IPs, and this is a practical option when it has to be. Of course, this only works if you can quickly get all of your hosted zones over to a new location and that new location has the capability and the willingness to deal with the DDOS which is almost certain to follow you there.

The big caveat with these tactics is that you should have all of it set up in advance. Run warm spare nameservers that you aren't using in other locations, in a DDoS-mitigated DC, or have access to a reverse proxy or GRE tunnel that you can turn up when you need it.

These solutions are non-trivial to set up; I guess it just comes down to how seriously you take your clients' uptime as to whether you would do this.

The other concern if it was a DDoS attack is that it may happen again. Was it against a Namejuice customer, who is still there? Or was it against Namejuice themselves? (Again, in my book we talk about tools like dnstop and delegation numbering schemes that provide ways to figure all this out). There are unanswered questions around how Namejuice reacted to this possible DDoS and what, if any, their DDOS mitigation capabilities are.

Registrar transfer-locks can backfire

One aspect of this outage has had me pondering what the best practice should be for transfer locks. We always say they should be on all the time until the time comes where you want to transfer out.

In this case, that would be bad advice. Even if people made it a habit to keep a local copy of their domain auth codes (good idea), it would have done them no good if the transfer lock was on and the registrar was down.

If you leave your lock off so that you can escape an out of commission and unresponsive registrar, you would want to use a registrar with enhanced security functions like 2FA and event notifications.

The other option is to leave your transfer lock on, but, as is our mantra:

Use multiple DNS providers

This is something we've been saying for years: use multiple DNS providers, either in an active/active setup where you mix nameservers from multiple providers in your live delegation, or active/passive, where you run hot spares that are up to date and current with your DNS zone and have them kick in if your primary provider goes down.

That's what our proactive nameservers does automatically. That's failover at the nameserver level and it's something that will work even if the rest of our platform is being DDoS-ed, because nothing within the proactive nameserver system is public facing.

To this day we're still the only registrar providing that as a service but who are we to argue? All I know is it works and if anybody who had been on Namejuice nameservers last Monday was using it they would have had a much different Monday.

There are other options for running multiple DNS providers, we run them down on our High Availability DNS page here.

If you're using multiple DNS providers, then you can keep your registrar transfer locks enabled, because if your registrar blows up, you'll still be online and then you can take any corrective action required once your registrar is back online. In an emergency transfer (non-responsive registrar) or complete registrar failure situation you're looking at 3 to 5 days, minimum before anything can happen via ICANN, probably longer. So bear that in mind as you set your expire times, and be prepared to switch any secondaries to becoming primaries if your primaries are in danger of timing out or use an unpublished primary under your direct control.
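The checks argued for above (more than one DNS provider, nameservers on the operator's own ASN, and an SOA expire long enough to outlast a 3 to 5 day emergency transfer) can be run as a small audit. This is an added example, not code from the article or from easyDNS; the nameserver names, ASNs and SOA values are constructed, and the `operator_owned` flag is assumed to come from your own records.

```python
from dataclasses import dataclass

# The article estimates 3 to 5 days minimum for an emergency registrar transfer.
EMERGENCY_TRANSFER_SECONDS = 5 * 86400


@dataclass(frozen=True)
class Nameserver:
    host: str             # NS target as published in the delegation
    origin_asn: int       # ASN announcing the server's address (assumed known)
    operator_owned: bool  # True if that ASN belongs to the DNS operator itself


def provider_of(host):
    """Approximate the DNS provider by the last two labels of the NS host.

    A simplification for this example; real code would use the Public Suffix List.
    """
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def soa_expire_seconds(soa_rdata):
    """Return EXPIRE from SOA rdata: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    fields = soa_rdata.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}")
    return int(fields[5])


def audit_delegation(nameservers, soa_rdata):
    """Return {finding_code: detail} for the single points of failure found."""
    if not nameservers:
        raise ValueError("delegation has no nameservers")
    findings = {}

    providers = sorted({provider_of(ns.host) for ns in nameservers})
    if len(providers) < 2:
        findings["single-provider"] = f"all nameservers belong to {providers[0]}"

    asns = sorted({ns.origin_asn for ns in nameservers})
    if len(asns) < 2:
        findings["single-asn"] = f"all nameservers are announced by AS{asns[0]}"

    # Addresses borrowed from an upstream or cloud provider can be null routed
    # during a DDoS with no way for the DNS operator to re-announce them.
    borrowed = [ns.host for ns in nameservers if not ns.operator_owned]
    if borrowed:
        findings["borrowed-ip-space"] = "not on operator ASN: " + ", ".join(borrowed)

    expire = soa_expire_seconds(soa_rdata)
    if expire < EMERGENCY_TRANSFER_SECONDS:
        findings["short-expire"] = (
            f"SOA expire {expire}s is shorter than a 5 day emergency transfer"
        )
    return findings


# Constructed delegation: two sites, two ASNs, but one provider on borrowed space.
BEFORE = [
    Nameserver("ns1.dns-vendor.example.", 64500, False),
    Nameserver("ns2.dns-vendor.example.", 64500, False),
    Nameserver("ns3.dns-vendor.example.", 64501, False),
    Nameserver("ns4.dns-vendor.example.", 64501, False),
]
BEFORE_SOA = "ns1.dns-vendor.example. hostmaster.dns-vendor.example. 2018091001 7200 900 86400 3600"

# Constructed delegation: two providers, each on its own ASN, two week expire.
AFTER = [
    Nameserver("ns1.vendor-a.example.", 64510, True),
    Nameserver("ns2.vendor-a.example.", 64510, True),
    Nameserver("ns1.vendor-b.example.", 64511, True),
    Nameserver("ns2.vendor-b.example.", 64511, True),
]
AFTER_SOA = "ns1.vendor-a.example. hostmaster.vendor-a.example. 2018091001 7200 900 1209600 3600"

if __name__ == "__main__":
    for label, ns_set, soa in (("before", BEFORE, BEFORE_SOA), ("after", AFTER, AFTER_SOA)):
        print(label, audit_delegation(ns_set, soa) or "no findings")
```

The "before" delegation passes the ASN-diversity check yet still fails on provider and address ownership, which is the situation the article describes: offsite nameservers that went down together with the primary site.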

The key takeaways

The lessons from all this come down to the following:

  • Have a coherent internal policy on registration and renewals so that your domains don't wind up anyplace unexpected
  • Stick with providers who are known for excellent client communications and support. The mettle test for this is looking at how they behave during Black Swan Events like outages.
  • Use DNS operators who run their nameservers on their own IP space and ASNs
  • Use multiple DNS providers
  • At the risk of sounding like "Scagnetti on Scagnetti", Read my book

Ultimately it really doesn't matter what caused the outage, all we really care about in the art and science of domain portfolio management is to be able to stay online whenever one of your key vendors experiences an outage.

The easyDNS mantra for 20 years is…

DNS is something nobody cares about… until it stops working.

But outages can and will happen to everyone, sooner or later. Take the time to really think about your DNS and domain portfolio before the outage hits, then you'll be ready for it.

Written by Mark Jeftovic, Co-Founder, easyDNS Technologies Inc.


How Dropbox got the domain name

Domain Name Wire - Wed, 2018-09-19 19:00

Co-founder tells the engaging story on Tim Ferriss’ podcast.

Dropbox co-founder Drew Houston explained the long journey to acquiring Photo courtesy Dropbox.

Dropbox founder Drew Houston was on The Tim Ferriss Show recently and discussed how his business was able to get the domain name. It’s a long interview, but tune in around 1:12:25 to hear the story.

They started with but obviously wanted to drop the ‘get’. After getting brushed off by the domain owner many times, Houston and his co-founder drove to the guy’s house with a bottle of champagne.

The two explained why they were interested in the domain and that they had just gotten funding from Sequoia. Although he joked that they were “hemorrhaging leverage” by giving the full story, they decided that playing coy hadn’t gotten them anywhere so far.

That was a Friday night. They left excited about the potential of getting the domain. They drove back to his house on Monday, only to have him say ‘nope’.

Then Dropbox launched publicly and the domain owner started receiving emails from people who wanted to get in on the beta. He added Whois privacy and made one other change…he parked the domain with ads.

According to Houston, the ads were for all of their competitors.

So Houston looked into trademark law. He found out that you can’t just take a domain from someone because they aren’t using it. But now that the registrant was confusing visitors with ads for rivals, that created a legal issue.

Dropbox sued the domain owner.

That led to further discussions to sell the domain. Dropbox offered him cash or stock. He took $300,000 in cash.

Houston said that the stock would be worth “hundreds of millions” at today’s valuation. Dropbox is now a public company with a $10 billion market cap.

(Hat tip: Jeff Sass)

© 2018. This is copyrighted content. Domain Name Wire full-text RSS feeds are made available for personal use only, and may not be published on any site without permission. If you see this message on a website, contact copyright (at) Latest domain news at Domain Name Wire.


New Brandsight Domain Management Survey Reveals Companies Face Challenges Managing Domain Portfolios

Domain industry news - Wed, 2018-09-19 18:34

Brandsight recently concluded their Second Annual Domain Management Survey. Respondents to the survey were corporate domain name professionals. Of those that responded, 35% had portfolios that were between 3,000-10,000 domains and another 30% had portfolios greater than 10,000 domains. Fifty-seven percent of respondents reported that they manage domains out of the legal department, with the remaining respondents' portfolios managed out of IT, marketing and other groups.

This year's survey revealed that for 53% of respondents, managing domain name portfolios has become more difficult. Given the impact of GDPR, along with the desire to right-size portfolios, drive traffic to relevant content, and reduce expenditures, these results confirm what we have been hearing in the market — that companies are still facing a number of domain management challenges.

Highlights from the survey include:

  • 22% of respondents spend 2-3 days each week managing their portfolio, and 32% spend 4-5 days each week, with a close correlation between portfolio size and the amount of time spent managing the portfolio
  • 53% of respondents said that managing their domain name portfolio has become more difficult over the past year
  • 88% of respondents said that dealing with the impact of GDPR and the inability to access WHOIS contact information has been a challenge for them
  • 81% of respondents said that paring back bloated portfolios has been a challenge for them
  • 97% of respondents said that ensuring the security of their domain portfolio is an important goal
  • 88% of respondents said that reducing domain management expenditures is an important goal

Clearly, domain professionals have been presented with a new host of challenges. However, as a new mechanism for accessing non-public WHOIS becomes available and companies begin to rely on technology solutions to assist with right-sizing portfolios, domain name professionals will hopefully have an easier time managing their portfolios in the coming years. Of course, that assumes that there won't be any other major changes impacting domain professionals, which undoubtedly there will be.

Written by Elisa Cooper, SVP Marketing and Policy at Brandsight, Inc.


Domain names ending in .Charity available starting today

Domain Name Wire - Wed, 2018-09-19 17:22

Donuts released .charity domain names today.

Domain names ending in the .Charity top level domain name are now available in general availability.

A quick survey of domain name registrars shows that prices are generally in the $25-$35/year range.

Top level domain name company Donuts faced a multi-year battle for rights to operate the domain name.  The Independent Objector filed a community objection against Donuts’ and Famous Four Media’s applications for the TLD. A panelist agreed with the Independent Objector when it came to Donuts’ application, but allowed Famous Four Media’s application to go forward because of a Public Interest Commitment it submitted.

Needless to say, Donuts was rather upset. It challenged the decision with an Independent Review Panel and won. That kicked it back to a panel to rehear the original objection and it took another year for the panel to find in Donuts’ favor. All told it was a 4-5 year delay.

Donuts paid off Famous Four Media earlier this year to win the contention set.


Uniregistry tips hand with “Registry in a Box” trademark application

Domain Name Wire - Wed, 2018-09-19 15:51

Company wants to use “Registry in a Box” for registry services product.

Frank Schilling’s Uniregistry runs its own technical registry for its top level domain names such as .tattoo and .diet. It also provides these services to other top level domains such as Cayman Island’s .ky domain name.

Apparently, Uniregistry wants to up its game in this department. It just applied to register a trademark for “Registry in a Box”.

The intent-to-use application is for “Domain name registry services, namely, coordinating the registration of domain names on the Internet; providing an online computer database in the field of domain name registration information”. It was filed on September 10.

I wonder how this company feels about Uniregistry’s choice of name.

The registry business is extremely cutthroat these days with prices racing to the bottom. Frank has been looking ahead to the next round of top level domains, but that is many years away.


Will .Amazon ever see the light of day? There’s some movement.

Domain Name Wire - Wed, 2018-09-19 13:59

Amazon region countries reject $5 million gift card but ICANN pushes forward to help get .Amazon top level domain name.’s (NASDAQ: AMZN) long battle to get rights to run the .Amazon top level domain name might still pay off, but countries that are part of the Amazon region continue to play hardball.

On Sunday, ICANN’s board resolved to have ICANN continue to serve as a sort of mediator between countries such as Brazil and Peru and the United States’ second most valuable company.  It wants ICANN to come back with a proposal that will allow the region and company to essentially share the top level domain. applied to run the .amazon domain name as part of the 2014 top level domain name expansion. It was one of 76 domains the company applied for. Some of the domains were generic in nature, and others were branded domains like .AWS.

Brazil and Peru filed an “early warning” through the ICANN Governmental Advisory Committee (GAC) saying that it was opposed to the application for .Amazon. It argued:

[g]ranting exclusive rights to this specific gTLD to a private company would prevent the use of this domain for the purposes of public interest related to the protection, promotion and awareness raising on issues related to the Amazon biome. It would also hinder the possibility of use of this domain to congregate web pages related to the population inhabiting that geographical region.

(No mention was made to how the region has been hurt by the ecommerce company owning

The GAC provided official advice to ICANN that it didn’t approve of the .Amazon domain application, and ICANN rejected’s application as a result. then tried to work with the member states of the Amazon Cooperation Treaty Organization (ACTO). Its negotiations failed, and filed for Independent Review of the decision to reject its application. It won that review.

Since then, the company has continued to work with the ACTO to come up with a solution that makes them comfortable. Its latest proposal includes reserving domains the ACTO would like held back, helping ACTO create a website to promote the region (and funding it), and giving a big, fat $5 million gift card to ACTO member states.

Still, no dice.

The board now wants ICANN to present it with a proposal that will let use the domain for its business purposes but appease ACTO members.

In a battle of hard-headed governments vs. the U.S.’s second biggest company, delay is the big winner.



15 more end user sales up to $25K

Domain Name Wire - Wed, 2018-09-19 13:27

Several web design and development companies, a personal finance service provider, a British boutique law firm and a healthcare service comparison tool bought domain names last week.

It was a solid week for end user domain sales at Sedo. was the top end user sale this week (that I could identify) at nearly $25K, but it remains to be seen what the web service provider who purchased this will use it for. The overall top sale of the week actually went at $27,250 but I wasn’t able to pinpoint the end user for this domain yet.

(You can view previous lists like this here.)

  • $24,950 – Bought by Electronic Creations Corporation which is a website creation and management service provider. This could be for a new project but for now this page has a “Coming Soon” message saying the website is currently undergoing a major re-design and expansion.
  • $15,000 – This domain is registered to Shanda Interactive Entertainment Limited, which is a Shanghai-based online publisher of books and games. In 2017 they were acquired by the Zhejiang Century Huatong Group.
  • €10,450 – The domain isn’t resolving yet but there is a cryptocurrency payment processing service by the name of Pay Bit who uses This might be part of an expansion or brand protection. previously sold on Sedo for $27,915.
  • £8,400 – This two letter ccTLD already has a fully functioning site up and running for a boutique law firm based in Horsham specializing in intellectual property and business law.
  • €6,000 – Whois is redacted due to GDPR but I couldn’t help associating the name with the heavily advertised Smile Direct Club which currently uses Maybe they will adopt this shorter domain name in the future. SmileDirect(.)com is also in use (NSFW).
  • $5,199 – This site was bought by RAR Info Solutions LTD, an online SEO, PPC, Web Design and Development agency. There’s nothing on their site about Jass but maybe this could be a new product or service or for a client.
  • $5,000 – This domain currently forwards to, the site of a financial company called Happy Money that used to be called Payoff. It doesn’t appear to be associated with the book of the same name. The company offers services under the name Happy Money Score.
  • $5,000 – VO1, Ltd in the UK.
  • €4,500 – Purchased by the Oases Health Group, a European healthcare service provider and online comparison tool to arrange for health care services across different EU countries.
  • €4,000 – Purchased by the German print company Print.point, which currently used the address That’s a play on the words Drucken=print, and drucksen means “hum and haw”. I’d say this new domain is an improvement, even with the hyphen (which is common in Germany). This domain currently has a “Coming Soon” sign up in German.
  • $3,500 – Whois is showing the registrant as Black Media Group, which is a web design firm out of Hong Kong. Tai Hing is also the oldest existing public housing estate in the Tuen Mun neighborhood, but it’s not clear if there’s a connection between the web design firm and this domain.
  • $3,000 – Organic foods company Hain Celestial Group has a large assortment of natural food brands under its umbrella. Maybe Joy Made is the next brand launching?
  • $2,888 – Has a coming soon sign up but this could be the Swiss landing page for Swipe, a service that allows presentations to be made mobile friendly in an easy streamlined process. They use the domain
  • €2,500 – The Germany company Behning bought this domain and it appears they will use it to offer inventory assessments for pharmacies to save them time and HR resources.
  • $2,000 – PCB Software s.r.o. PCB is the name for electronic design automation software.


Photos & Highlights from Day 3 Monday at the 2018 MERGE! Conference in Orlando, Florida

DN Journal - Tue, 2018-09-18 22:38
Monday was a busy day (and night) at the big conference in Orlando. We have all of the details.

Microsoft Cancels Plans to Move Its Internal Wireless Network to IPv6-Only

Domain industry news - Tue, 2018-09-18 21:47

Microsoft has backed away from a previously announced plan to move its internal wireless guest network to IPv6-only. Veronika McKillop, Network Architect at Microsoft, in a post on Monday says: "Unfortunately, we had to stop this work because we came across something that the previous internal testing had not uncovered — a team member attended a conference where Internet access was provided as IPv6-only and 99% of attendees could not get their VPN clients to connect on this network. VPN failing on IPv6-only networks (through NAT64) is, as we then found out, well documented in RFC 7269. This finding made it clear that visitors to Microsoft offices who rely on the Guest network would be heavily impacted unless their VPN gateways were IPv6-enabled."

Bottom line: The network part is easy, barring software bugs; applications are the big unknown, says McKillop. "Not just our own but the third-party applications that often claim 'IPv6 compatible' however when it comes to a real deployment, the experience is quite different."


Giuseppe Graziano launches three-letter domain marketplace

Domain Name Wire - Tue, 2018-09-18 18:30

New domain marketplace is dedicated to just 17,576 possible domains.

Giuseppe Graziano, a domain broker who runs, has launched a new marketplace for buying and selling three-letter .com domain names. has always specialized in short domain names, so Liquid Domain Market Exchange is right up its alley. Still, can a marketplace dedicated to a maximum pool of 17,576 possible listings work?

If you want instant liquidity, it probably will. During the beta period, a domain owner sold his domain within 15 minutes of setting his price.

Graziano says the marketplace is not for selling domains to end users, so sellers need to price their domains with domain investors in mind.

Premium account holders can set up alerts to quickly know when a domain that meets their requirements is listed. A premium account is free for the remainder of 2018 if you sign up by September 25.


Domain name sinkholes and those funky domain registrations

Domain Name Wire - Tue, 2018-09-18 17:06

Sinkholes are why you see companies register a bunch of weird domain names.

A different kind of sinkhole.

Palo Alto Networks Inc was granted a patent today related to domain sinkholing, and it’s a continuation patent of one that was granted in 2016.

It reminded me of times I’ve seen companies (notably Microsoft) register a bunch of nonsensical domain names. Why would a company register a lot of domains with random digits and letters?

The answer is often that it’s a sinkhole.

A sinkhole redirects or blocks traffic meant for a destination. They are used by the security community to stop botnet traffic, phishing and other bad activity.

There are many ways to create a sinkhole. An ISP can simply divert traffic from the IP address you see in Whois to another. A company (or the government) can also go through the courts to get control of a domain name and then change its nameservers.

Some malware campaigns continually register new domain names as their other names get snuffed out and blocked by security companies. It’s sometimes possible to figure out what the future domain registrations will be, and that’s when you might see a company register a huge list of odd domain names. They know what domains the malware will register next, so the company registers the domains to prevent them from being registered by the bad guys.

A famous example of registering a domain to stop an attack was the domain name iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea(.)com. A person researching the WannaCry ransomware noticed this domain in the malware and registered it. It turns out that registering the domain acted as a killswitch. The malware was programmed to check in on this domain and stop if the domain was registered.

While the WannaCry example isn’t a typical sinkhole, it’s interesting to think about how domain names are used to propagate malware and botnets, and how registering domains can thwart the bad guys.
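Once a sinkhole is in place, its defensive value comes from seeing which machines still try to reach it. The following is an added example, not part of the original article: it scans resolver logs for clients whose lookups either return the sinkhole address or ask for a name that was registered ahead of the malware. The log format, the sinkhole address 192.0.2.53 and every domain name in it are constructed assumptions.

```python
"""Find hosts that are still calling a sinkholed domain, from resolver logs.

Everything here is constructed for illustration: the log format, the
sinkhole address (192.0.2.53, a documentation range) and the domain names.
"""
import ipaddress

# Address the sinkhole operator points seized or pre-registered names at.
SINKHOLE_ADDRS = {ipaddress.ip_address("192.0.2.53")}
# Names registered by the defender before the malware could use them.
PREREGISTERED = {"qx7f3k9a.example", "m2vb8tz1.example"}

# Fields: timestamp client qname rcode answers (comma separated, "-" if none)
SAMPLE_LOG = """\
2018-09-18T10:00:01Z 10.1.4.23 www.example.org. NOERROR 198.51.100.7
2018-09-18T10:00:05Z 10.1.4.77 QX7F3K9A.example. NOERROR 192.0.2.53
2018-09-18T10:02:05Z 10.1.4.77 qx7f3k9a.example. NOERROR 192.0.2.53
2018-09-18T10:03:11Z 10.1.9.12 m2vb8tz1.example. SERVFAIL -
2018-09-18T10:04:00Z 10.1.8.40 seized-c2.example. NOERROR 198.51.100.9,192.0.2.53
this line is truncated
"""


def parse_line(line):
    """Return (ts, client, qname, answer_addrs) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qname, _rcode, answers = parts
    try:
        ipaddress.ip_address(client)  # validate only
        addrs = set()
        if answers != "-":
            addrs = {ipaddress.ip_address(a) for a in answers.split(",")}
    except ValueError:
        return None
    # DNS names are case-insensitive and may carry a trailing root dot.
    return ts, client, qname.rstrip(".").lower(), addrs


def sinkholed_clients(log_text):
    """Map each client that hit the sinkhole to its domains, hit count and time span."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, addrs = rec
        by_addr = bool(addrs & SINKHOLE_ADDRS)   # answer points at the sinkhole
        by_name = qname in PREREGISTERED         # name matches even if lookup failed
        if not (by_addr or by_name):
            continue
        entry = report.setdefault(
            client, {"domains": set(), "hits": 0, "first": ts, "last": ts}
        )
        entry["domains"].add(qname)
        entry["hits"] += 1
        # ISO 8601 UTC timestamps sort correctly as plain strings.
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return report


if __name__ == "__main__":
    for client, info in sorted(sinkholed_clients(SAMPLE_LOG).items()):
        print(client, info["hits"], sorted(info["domains"]), info["first"], info["last"])
```

Matching on the queried name as well as the answer catches hosts whose lookup failed or was served from a different resolver path.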

Categories: News and Updates

Caribbean Candidates Vie for Posts in ARIN Elections

Domain industry news - Tue, 2018-09-18 17:02

Three Caribbean candidates — Peter Harrison, Kerrie-Ann Richards and Alicia Trotman — have been named among the final candidates to contest elections for leadership roles at the American Registry for Internet Numbers (ARIN) in October.

ARIN is one of five Internet registries worldwide that coordinate the distribution and administration of number resources. The registry serves the United States, Canada and several territories in the Caribbean.

Richards and Trotman will vie for posts on the ARIN Advisory Council. In 2017, Jamaican-born Richards and Barbadian-born Trotman made history, becoming the first Caribbean members of the ARIN advisory council since the registry was founded on April 18, 1997.

"I am running again because there is still much work to be done," Trotman said.

"The Caribbean voice matters at this level because policy decided here will affect the growth of the Internet in the region," said Richards, chairperson of education non-profit Vision for Jamaica.

"We are the only ones shortlisted from outside North America. I feel that we bring valuable perspectives to the table and added diverse insight from our Caribbean experience," she added.

Jamaican-born Harrison will contest for a seat on the ARIN Board of Trustees. Harrison is the chief technical officer and co-founder of Silicon Valley-based colocation services provider Colovore. He is also the founder of the Palisadoes Foundation, a registered non-profit that coordinates student internships in software development for Jamaican residents.

"My work with Palisadoes has many parallels with the ARIN fellowship program and I believe my broad experience would be of benefit to the ARIN and to the Caribbean," said Harrison, who has worked with hyperscale companies like Google, Netflix and eBay, as well as smaller ones in the Caribbean.

In an August 9 post, ARIN announced that Regenie Fräser, the former Secretary General of a regional trade association, had been selected to a special appointment to serve on its Board of Trustees for a one-year term "so as to provide more diversity in the Board's composition." Fräser became the first non-white and Caribbean person appointed as a trustee.

The final 2018 candidate slate for the ARIN Advisory Council also includes Brad Gorman (Verisign), Kathleen Hunter (Comcast), Rob Seastrom (ByteGrid) and Amy Potter. The final slate for the ARIN Board of Trustees includes Anna Valsami (Telstra), Cathy Chen-Rennie (Capriole Consulting) and Paul Andersen (EGATE Networks).

On October 4, during ARIN's public policy meeting in Vancouver, British Columbia, candidates will have the opportunity to address ARIN members. More information on each candidate is available on the ARIN website.

Online voting opens on October 4 at 6 pm EDT and closes on October 12 at 6 pm. All terms will begin on January 1, 2019.

Written by Gerard Best, Development Journalist

More under: Internet Governance, IP Addressing

Categories: News and Updates

ICANN loses in German court (again)

Domain Name Wire - Tue, 2018-09-18 14:01

Attempts to get an injunction forcing a German registrar to collect certain Whois data are failing.

ICANN has yet again failed to convince German courts that an injunction is needed to force domain name registrar EPAG to continue collecting certain information for Whois.

The non-profit domain name overseer sued EPAG, part of Tucows, the day the EU’s General Data Protection Regulation (GDPR) went into effect. EPAG had informed ICANN it would no longer collect Administrative and Technical contact data for Whois because of its interpretation of GDPR.

EPAG’s arguments included that it didn’t necessarily have a contractual relationship with the Admin or Tech contacts and that it was still collecting the registrant information.

The court denied the injunction and ICANN has gone through several appeals processes, bouncing between the courts.

In light of yet another ruling from an appeals court, ICANN said that it was limited to the issue of the necessity of an injunction.

Tucows CEO Elliot Noss has said that the lawsuit isn’t really adversarial. Both ICANN and Tucows no doubt believe they are correct but would welcome some clarification from the courts on how GDPR applies to Whois.

Categories: News and Updates

UDRP has its limits when it comes to taking down counterfeit websites

Domain Name Wire - Tue, 2018-09-18 12:28

Even if the domain owner is doing a bad thing, UDRP can only be used if all three prongs of the policy are met.

This website looks like that of Zimmermann, even showing a picture of one of its storefronts. It’s a fake, but UDRP isn’t the appropriate way to take it down.

The Uniform Domain Name Dispute Resolution Policy (UDRP) is a good tool to take over cybersquatted domain names. These names are often being used for nefarious purposes such as phishing or selling counterfeit goods.

One such case involving counterfeit goods that was just decided by National Arbitration Forum shows the limits of using UDRP to take down a site: you still have to prove that the domain is cybersquatting under the three prongs of UDRP.

The case was filed by Australian clothier Zimmermann Wear Pty Ltd against ZimOutlet(.)com. There’s no question that the domain owner is up to no good. The site is made to look like the clothing company and is allegedly shipping counterfeit goods when someone orders.

The problem is that Zimmermann and Zim aren’t that similar. Panelist David E. Sorkin did a good job comparing this case to others in which only part of the trademark was used in the domain:

Although Complainant has not offered any authority on this issue, the Panel has considered various decisions under the Policy involving domain names that incorporate the first few letters of a longer mark. In Fuji Photo Film U.S.A., Inc. v. Center for Ban on Drugs, D2004-0970 (WIPO Feb. 25, 2005), the Panel found to be confusingly similar to FUJI, on the grounds that it combined the first three letters of the four-letter mark—”essentially the entirety of Complainant’s mark”—with a generic term for the complainant’s principal product. Similarly, in Chevron Intellectual Property LLC v. Linda Hearn, FA 1409285 (Forum Nov. 15, 2011), the Panel found to be confusingly similar to CHEVRON, combining the first four letters of the mark with a term descriptive of the complainant’s products and services. In Tesco Stores Ltd. v. Mat Feakins, DCO2013-0017 (WIPO Oct. 4, 2013), the Panel found to be confusingly similar to TESCO, even though the second-level component of the domain name corresponded to only the first three letters of the mark, on the grounds that the domain name taken in its entirety was identical to the complete mark but for the intervening dot.

Confusing similarity is particularly likely to be found where a mark is commonly referred to by its first syllable, and of course where the complainant also possesses trademark rights in the truncated form of the mark. See, e.g., Supercell Oy v. Ltd / Jordan Rash, Application Automation LLC, D2015-1445 (finding confusingly similar to CLASH OF CLANS, based upon evidence that the mark is often abbreviated to “CLASH”); Caterpillar Inc. v. Jonathan Scandreth, FA 1348137 (Forum Nov. 8, 2010) (finding and other domain names confusingly similar to CAT and CATERPILLAR, based upon registered trademark rights in both forms of the mark); Anheuser-Busch Inc v. Dot Com Internet Solutions, D2001-0500 (WIPO June 13, 2001) (finding and other domain names confusingly similar to BUD and BUDWEISER, based upon registered trademark rights in both forms of the mark).

The decisions cited above are all distinguishable from the present matter. The disputed domain name incorporates only three letters of a ten-letter trademark. While those letters correspond to the first syllable of the mark, it is not clear that they serve as the distinctive or dominant aspect of the mark. Complainant has not claimed that it has rights in ZIM or that its ZIMMERMANN mark is commonly referred to in this truncated manner. (Indeed, a cursory Google search for “zim” would likely lead one to conclude that these letters standing alone almost never refer to Complainant.) Nor does the generic term “outlet” that the domain name appends to these three letters bear any obvious connection to Complainant or its products; an “outlet” could be a discounter or retailer of virtually any sort of products.

It’s quite clear that the domain owner is doing a bad thing. Sometimes panelists make the wrong decision for the right reason, effectively trying to remedy a wrong using UDRP. But it’s important for panelists to apply the same standards across all cases. Kudos to Sorkin for his decision in this case.

Categories: News and Updates

Day 2 Photos & Highlights from the 2018 MERGE! Conference in Orlando Sunday

DN Journal - Mon, 2018-09-17 22:59
The 2nd annual MERGE! conference continued Sunday in Orlando with the 2nd of 4 days of non-stop activity. We have the Sunday photos and highlights for you.
Categories: News and Updates

Rob Monster exits DigitalTown, George Nagy takes over CEO role

Domain Name Wire - Mon, 2018-09-17 18:46

Rob Monster has left DigitalTown.

Monster pares CEO roles down to one.

Rob Monster has resigned as CEO of DigitalTown, a company that provides community building platforms. The company owns a large portfolio of domain names, including 11,000 .city domain names.

Monster told Domain Name Wire that the move has been planned for a while. In an email, he said that new CEO George Nagy, who was the COO, “brings significant experience with running and selling public companies and with working with institutional investors, both which will be highly relevant for the next phase.”

He was CEO of both DigitalTown and domain name company Epik. He will now have more time to focus on Epik and other endeavors.

He noted:

As a general statement, my competency leans more toward vision, strategy and corporate development. Over the last 2.5 years, we completed 7 acquisitions with which we assembled the technology and team that has allowed us to start rollout of DigitalTown around the world as well as secure deals with both private developers and government clients.

Blockchain, Crypto and Decentralized Apps are a logical response to the pattern of winner-take-all and the policies that allow it. Timing-wise, I believe the world is on the cusp of a major catalyzing event that will make DigitalTown a lot more relevant. The economic situations that are unfolding in Puerto Rico, Turkey, Venezuela and Argentina are not isolated events.

Looking ahead, I continue to be a significant DigitalTown shareholder with 18 million shares and to be an informal advisor. I have high hopes for George and the team we built. Epik continues to manage DigitalTown’s domain portfolio and will help accelerate progress on selling domains into the hands of end-users, an area that was lower priority while I was running both companies.

On the personal side, after 3 years of working 100 hour weeks while running 2 companies, I am looking forward to devoting more time to equipping Epik for the next phase. I also plan to devote more time to Christian ministry and philanthropy. My family doubts that I will slow down. Regardless I am taking a measured and Spirit-led approach to what comes next.

Categories: News and Updates

ICANN #63 in Barcelona is next month

Domain Name Wire - Mon, 2018-09-17 17:54

Meeting will attract policymakers, registries, registrars and domain investors.

ICANN #63 takes place in Barcelona, Spain next month from October 20-25. I was on the fence about going but booked my travel over the weekend.

I find ICANN meetings to be a good place to catch up with registries, registrars, service providers and domainers in one place. I’ve heard lots of chatter from domain investors about going to this event, so it should be a good one to attend.

There will also be lots of continuing discussion about GDPR as it relates to domain names. Policy stuff might not be fun, but it has a huge impact on everyone in the business.

Details are here if you’re interested in attending. Nearby hotels are available starting at €185 per night and there is no cost to attend.

If you are going and want to meet up, please drop me a line.

Categories: News and Updates

XYZ files renewed motion for fees against Verisign

Domain Name Wire - Mon, 2018-09-17 17:06

District Court will reconsider request for Verisign to pay legal fees stemming from lawsuit.

After winning its second Appeals Court case against Verisign, top level domain name registry .XYZ is renewing its request (pdf) for Verisign to pay attorney fees.

Here’s the background:

Verisign (NASDAQ:VRSN) sued XYZ for false advertising. A federal district court granted summary judgment in XYZ’s favor, and XYZ asked the court to award it legal fees of over $1 million. Verisign then appealed the original case and lost the appeal. The federal district court then ruled against awarding legal fees (beyond about $57,000 related to discovery.)

XYZ appealed the attorney fees decision. In May, the Appeals Court agreed with XYZ that the lower court did not consider the motion for fees correctly. It wrote:

…we hold that a prevailing party need only prove an exceptional case by a preponderance of the evidence, rather than by clear and convincing evidence, as the district court below required. We further clarify that a prevailing party need not establish that the losing party acted in bad faith in order to prove an exceptional case.

That sent the case back to the lower court to apply the correct standard to XYZ’s motion for fees. On Saturday, XYZ filed its post-remand submission in support of its motion for fees.

XYZ gives a long list of reasons the case should be considered exceptional, including Verisign’s broad discovery requests, 25 depositions and 17 third-party subpoenas. XYZ wrote:

Why would a sophisticated company with competent legal counsel file such a flimsy case? XYZ said nothing about .com that hadn’t been said before, and Verisign’s own numbers showed .com registrations continued to grow even after XYZ’s statements. Why draw further attention to those statements by filing a lawsuit over them? Why drag that suit on as the odds of victory grew ever longer, all the while refusing to ever meaningfully discuss settlement? The reasonable inference is that Verisign’s primary motive wasn’t winning the lawsuit so much as sending a message, not only to XYZ but to all of the other new top-level domains that entered the market and presented Verisign with meaningful competition for the first time in decades.

The circumstantial evidence supports an inference that Verisign’s true motive in pursuing a claim this weak, this aggressively, was to drain XYZ’s resources, intimidate its principal, and send a message to its other new competitors. [redacted] Under these circumstances, fee-shifting is warranted to both deter such conduct going forward and to compensate XYZ for enduring, defending and defeating Verisign’s tenuous claims and faulty lawsuit.

XYZ spent over $1 million defending itself in the lawsuit.

Categories: News and Updates

Continued Threats from Malware

Domain industry news - Mon, 2018-09-17 16:14

As part of my job, I manage an incident response team that was engaged by a significant organization in Georgia whose network was infected by the QBOT (a.k.a. QAKBOT) malware. The customer had been infected for over a year, several teams before ours had failed to solve the problem, and they continued to get reinfected by the malware when they thought they had eradicated it. Over time it had spread to more than 1,000 computers in their ecosystem stealing user credentials along the way. Malware is a real problem for businesses and consumers, but how many people really understand what it is? I was recently asked this same basic question and realized that even my answer as a security subject matter expert was not as clear as it could have been. So, I thought it was time to put together this article to answer not only what malware is, but what it does, how to eradicate it and what are the best practices to remain secure.

To begin with, malware is a generic industry term that refers to malicious software designed to do harm to computer systems. Many people use the terms malware and computer virus interchangeably, but technically that would be incorrect. The three most common categories malware falls into are viruses, worms and trojans. Ransomware, a specific type of malware, can result from any of these three malware categories but typically is the result of a trojan. A computer virus is malicious software that, when executed, replicates itself by modifying other computer programs and inserting its own code. Computer viruses typically need a human to execute them for a computer system to get infected. A computer worm is malicious software whose primary function is to infect other computers while remaining active on infected systems. A computer worm is self-replicating malware that duplicates itself (without human interaction) to spread to uninfected computers, and it does not need to attach itself to another program in order to cause damage. Lastly, a trojan is malicious software that looks legitimate but can take control of your computer. A trojan is designed to damage, disrupt, steal, or in general inflict some other harmful action on your data or network, much like other types of malware. The QBOT malware I referenced earlier is somewhat unique in that it is defined as both a trojan and a worm. It is self-replicating, spreading to other computers on its own, steals user credentials and in this case disrupted the customer's Active Directory environment on their network.

Malware can infect your computer in a number of ways. The most common ones are the opening of an infected email attachment, connecting to an infected data source (e.g. thumb drive, network drive, etc.) and going to an infected website. According to Google, they identify and blacklist thousands of unsafe websites every week, which contain some sort of malicious software dangerous to their visitors (Google Transparency Report). It is estimated that nearly three-quarters of all websites have at least one vulnerability. Infected websites can have automatic malware downloads referred to as "drive-by-downloads", exploit kits that search your computer for unpatched vulnerabilities, JavaScript infections that download malicious software your browser then executes, URL injections commonly embedded inside of compromised WordPress blog sites, or browser hijacks that constantly redirect you to other pages, collect personal information, or act as gateways to rootkits. This issue has even impacted well-known and reputable websites because their advertisers' and other included third-party content became compromised without their knowledge. The truly dangerous stuff, luckily less common today, either happens before you receive your device, somewhere in the supply chain, or infects your machine at a level prior to your operating system loading. Some of the newest malware is known to infect your computer's BIOS or mobile device's bootloader.

Once infected, the malware is likely to spread through email, file sharing or your network to other workstations, servers, mobile devices or less protected devices like copiers and printers. Imagine everything you copy or print becoming available for sale on the internet. If connected to a network it can take advantage of existing file-transport or information-transport capabilities on the system itself, allowing it to travel unaided. If it can't find the mode of transport it wants, advanced malware is able to download additional post-exploitation modules to gain access to additional tools of the trade. Don't be surprised if you see malware utilizing older protocols like NetBIOS, which for today's operating systems is only used for file or printer sharing on a local area network. Once the new device is infected it doesn't always require human intervention to activate or launch the malware, many times simply exploiting a vulnerability on the target system. When on a file share, like a network drive, malware will typically infect files (e.g. MS Word or Excel) which it knows a human will eventually launch, activating hidden macros it has infected them with to perform its malicious intent.

To eradicate malware from your environment, most incident response teams will implement a multi-step process, but all of them should include some type of detection, analysis, containment, mitigation and lessons-learned to be applied after the incident. Our customer in Georgia failed to eliminate their malware issues prior to our involvement by failing to properly perform two of these steps. They were unable to properly detect the QBOT malware due to a lack of internal monitoring capabilities and its self-mutating nature rendering their signature-based tools completely ineffective. They also failed to contain the outbreak, allowing it to reinfect systems immediately following their cleaning. There are no shortcuts. Each step in your incident response team's playbook will be important. Even basic things like changing access credentials and patching software are critical steps in your remediation plan.

If our customer in Georgia had properly segmented their network, it would have confined the propagation of exploits to a single segment and eliminated the malware's ability to move laterally around the network. Allowing unfiltered workstation-to-workstation communications (as well as other peer-to-peer communications) creates serious vulnerabilities, and can allow malware to easily spread to multiple systems. If malware can establish an effective "beachhead" within your network, and then spread to create backdoors to maintain persistence, it will be difficult for defenders to contain and eradicate it. Monitoring for this lateral network traffic and external communications with command and control servers can identify a large majority of malware infections on a network.
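The lateral-traffic monitoring described above can be prototyped on flow records before any product is bought. The following is an added example, not the author's tooling: it flags workstation-to-workstation connections on file-sharing and remote-access ports and ranks sources by how many distinct peers they touch. The subnets, port list, fan-out threshold and flow records are all constructed assumptions.

```python
"""Flag workstation-to-workstation (lateral) flows and worm-like fan-out.

Subnets, ports, threshold and flow records are constructed for illustration.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed addressing plan: user workstations live in 10.20.0.0/16.
WORKSTATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Ports commonly abused for peer-to-peer spread: RPC, NetBIOS, SMB, RDP.
LATERAL_PORTS = {135, 137, 138, 139, 445, 3389}
# A workstation opening these ports on this many distinct peers is suspect.
FANOUT_THRESHOLD = 3

SAMPLE_FLOWS = """\
ts,src,dst,dport
2018-09-17T09:00:00Z,10.20.1.15,10.10.0.5,445
2018-09-17T09:00:02Z,10.20.1.15,10.20.1.16,445
2018-09-17T09:00:03Z,10.20.1.15,10.20.1.17,445
2018-09-17T09:00:04Z,10.20.1.15,10.20.2.9,139
2018-09-17T09:00:09Z,10.20.1.15,10.20.1.16,445
2018-09-17T09:05:00Z,10.20.3.4,10.20.3.8,3389
2018-09-17T09:05:30Z,10.20.3.4,203.0.113.9,443
2018-09-17T09:06:00Z,10.20.5.5,10.20.5.6,8080
garbage line without fields
"""


def is_workstation(addr):
    return any(addr in net for net in WORKSTATION_NETS)


def lateral_peers(flow_csv):
    """Return {source workstation: set of peer workstations reached on LATERAL_PORTS}."""
    peers = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            dport = int(row["dport"])
        except (KeyError, TypeError, ValueError):
            continue  # short or malformed record
        # Workstation to server or to the internet is not lateral movement.
        if is_workstation(src) and is_workstation(dst) and dport in LATERAL_PORTS:
            peers[str(src)].add(str(dst))
    return dict(peers)


def suspects(peers, threshold=FANOUT_THRESHOLD):
    """Sources whose distinct-peer count meets the threshold, busiest first."""
    ranked = sorted(peers.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [src for src, dsts in ranked if len(dsts) >= threshold]


if __name__ == "__main__":
    found = lateral_peers(SAMPLE_FLOWS)
    for src in suspects(found):
        print(src, "->", sorted(found[src]))
```

On a properly segmented network the peer map should be nearly empty, so any entry is worth a look even below the threshold.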

Best practices to avoid getting infected by malware and reducing the impact if you do become infected include development of pre-established security policies & procedures, companywide staff training, constant backups, consistent software vulnerability patching, use of a behavioral-based endpoint protection platform (EPP), proper network segmentation, encryption of data, effective monitoring of network traffic and security alerts, implementation of least-privilege based access rights for users, accounts, and computing processes and finally network edge-based protections (e.g. UTM, NGF, DNS, etc.) to block access to malicious sites and exfiltration of data. If you are not utilizing any of these best practice items, I highly recommend contacting a qualified vendor to help. The risk is real and after the Target breach in 2013, it is widely recognized that all levels of management can now be held accountable for cybersecurity breaches.

Written by Rick Rumbarger, Technology Executive

More under: Cyberattack, Cybercrime, Cybersecurity, Malware

Categories: News and Updates