Data breach prevention for all 6.2 million .nl domain names
Detection of mail traffic to cancelled domain names extended to whole .nl zone following successful pilot
The original blog is in Dutch. This is the English translation.
Authors: Maarten Wullink, Moritz Müller (SIDN Labs), Joost Pisters (Argeweb), Miquel Orozco (Openprovider)
In the recent past, cancelled domain names have been central to multiple large-scale data breaches. Our LEMMINGS project is intended to prevent the same thing happening again. In the last year, we've run two successful pilots with registrars, testing LEMMINGS with cancelled domain names managed by the two participating registrars. Building on the results from the pilots, we're now ready to extend LEMMINGS protection to cover all .nl domain names. In this blog, we share our initial experiences with LEMMINGS and our plans for the year ahead.
Suppose that you've got a .nl domain name that you don't need any more, so you cancel the registration. After forty days in quarantine, the name's released for re-registration by anyone. However, there may be people out there who are still sending mail to e-mail addresses at your old domain. If someone else picks up your unwanted domain name and creates addresses like your old ones, or sets up a catch-all, they can take delivery of mail that's meant for you. Including potentially sensitive mail. That's what happened to the Dutch police and to certain care providers, resulting in serious data breaches.
LEMMINGS, whose acronym is derived from deLetEd doMain MaIl warNinG System, is a system we've created to reduce the risk of such problems arising. Cancelled .nl domain names are monitored while in quarantine and, if signs of continuing legitimate mail are detected, the former registrants are alerted. What we do is check our DNS traffic for queries asking for the cancelled domain's mail (MX) records. If the query traffic exceeds a certain trigger level, we contact the former registrant to tell them what we've observed. No information about the mail itself is processed: we don't know who sent it, who it was for or what its content was.
For details of how LEMMINGS works, take a look at our previous blogpost introducing the system, and at the LEMMINGS FAQ page.
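The query check described above, as an added sketch that is not SIDN's code: it counts MX queries for cancelled names during the forty-day quarantine and flags the names whose count exceeds a trigger level. The log format, the domain names, the trigger value of 2 and the choice to count subdomain queries toward the registered name are all assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

QUARANTINE = timedelta(days=40)  # quarantine length stated in the article
TRIGGER_LEVEL = 2                # assumed value; the article gives no number

# Constructed sample: cancelled domain -> start of its quarantine.
CANCELLED = {
    "cancelled-a.nl": datetime(2022, 1, 1, tzinfo=timezone.utc),
    "cancelled-b.nl": datetime(2022, 1, 1, tzinfo=timezone.utc),
}

# Constructed query log, "<timestamp> <qname> <qtype>". It holds no client
# address and nothing about the mail itself.
SAMPLE_LOG = """\
2022-01-05T08:00:00Z cancelled-a.nl. MX
2022-01-05T09:30:00Z CANCELLED-A.NL. MX
2022-01-06T10:00:00Z mail.cancelled-a.nl. MX
2022-01-06T10:00:01Z cancelled-a.nl. A
2022-01-07T11:00:00Z cancelled-b.nl. MX
2022-03-01T12:00:00Z cancelled-b.nl. MX
2022-01-08T12:00:00Z active-c.nl. MX
malformed line
"""

def registered_domain(qname):
    """Reduce a query name to its second-level .nl name (assumption)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None

def count_mx_queries(log_text, cancelled):
    """Count MX queries per cancelled domain inside its quarantine window."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2].upper() != "MX":
            continue  # malformed line or a query type we do not monitor
        try:
            seen = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
        except ValueError:
            continue
        start = cancelled.get(registered_domain(parts[1]))
        if start is not None and start <= seen < start + QUARANTINE:
            counts[registered_domain(parts[1])] += 1
    return counts

def domains_to_alert(counts, trigger=TRIGGER_LEVEL):
    """Cancelled domains whose MX query count exceeds the trigger level."""
    return sorted(d for d, n in counts.items() if n > trigger)
```

In the sample, the March query for `cancelled-b.nl` falls after the quarantine window has closed and is not counted, so only `cancelled-a.nl` is flagged.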
In the last year, we've evaluated the LEMMINGS concept with the help of two registrars: Argeweb and Openprovider. An extensive pilot scheme was run with each registrar, in order to pick up any unexpected issues before rolling out LEMMINGS across the .nl domain.
The pilots were designed to answer the following questions:
1. How well does LEMMINGS work?
2. What did the participating registrars think of LEMMINGS?
3. What did the registrants who were contacted think of LEMMINGS?
Question 1 related mainly to the technical performance of the system: does LEMMINGS work as it should, without faults and/or other problems? To answer question 2, we sought feedback from Argeweb and Openprovider about how they thought the pilots went. Did they see LEMMINGS as having added value? What did they think of the way LEMMINGS worked? Central to question 3 was how former registrants felt about receiving LEMMINGS alerts. We wanted to know that in order to minimise the risk of the alerts being misunderstood or causing unnecessary alarm, leading to an increased support desk workload for registrars and SIDN.
The first pilot was run with the help of Argeweb, from 1 June 2021 to the end of the year. Because LEMMINGS had never before been used 'for real', we were keen to discover whether everything would work as intended. From a technical viewpoint, everything went smoothly. However, Argeweb already had a proactive retention policy, designed to minimise cancellations. That made it difficult to objectively assess LEMMINGS' effectiveness. We therefore decided to start a second pilot with Openprovider.
Our second pilot started in September 2021 and also continued until the end of the year. Openprovider was an attractive pilot partner for two reasons. First, the company is one of the biggest .nl registrars. Second, Openprovider makes considerable use of resellers. The involvement of resellers necessitated various modifications to LEMMINGS. For example, the alert e-mails were adapted to include the reseller's name where relevant, so that former registrants knew who to contact for assistance.
Now that the pilots have ended, we're in a position to try to answer our research questions.
In both pilots, the LEMMINGS system worked well in technical terms. Although it was only a prototype, we designed the system to meet high stability and availability criteria, with a view to facilitating zone-wide rollout in the future. We analysed 8,194 quarantined domain names in the Argeweb pilot, and 17,437 in the Openprovider pilot. That led to alerts going out to 1,408 former registrants. In other words, alerts were sent in roughly 5 per cent of cases, across the two registrars' cancellations during the entire pilot period. LEMMINGS assigns each cancelled domain name to a risk category. In the pilots, fewer than 1 per cent of cancelled domain names were categorised as 'High risk' (see table 1). In some cases, a single alert is sent regarding multiple domain names. That feature of LEMMINGS is intended to ensure that a former registrant who cancels multiple domain names at the same time isn't flooded with alerts.
| Risk category | Number of domain names | Percentage |
|---|---|---|
| Low | 1,015 | 3.97 |
| Medium | 184 | 0.72 |
| High | 209 | 0.81 |

Table 1: Overview of the number of warnings per risk category during the 2 pilots.
Both registrars were very pleased with the pilot. Argeweb saw LEMMINGS as complementing existing activities. The company is always looking for ways of keeping customers informed without frightening them or causing undue concern, and LEMMINGS helps in that context. Openprovider also regarded LEMMINGS as a very useful initiative. The company is committed to identifying transparent solutions that enhance customer security, are easy to implement, and don't interfere with customers' processes. During the pilot, LEMMINGS met all those criteria.
For Argeweb, Openprovider and us, it was very important that the LEMMINGS notifications should be understandable and not unsettling for former registrants. Argeweb's experience is that translating technical information into clear, non-alarming customer information can be difficult. We therefore kept a sharp eye out for any negative feedback, either to the participating registrars or to our own support team. Fortunately, everything worked out well: neither we nor the registrars received any negative responses, and the notifications generated only a small number of enquiries. Openprovider's reseller helpdesks were also untroubled. Naturally, we also wanted to know whether former registrants acted on the information they received. Of the 1,408 quarantined domain names regarding which LEMMINGS notifications were sent, five (0.4 per cent) were reinstated after we contacted the former registrants. Of all the .nl domain names quarantined in the same period, only 0.2 per cent were reinstated. It does therefore appear that the LEMMINGS alerts have an effect, but that effect cannot be reliably quantified on the basis of such small absolute numbers.
Because of the limited scale and duration of the LEMMINGS pilots, relatively few notifications were sent out. Furthermore, the number of domain names reinstated from quarantine was relatively small. We should stress, incidentally, that encouraging reinstatement was not the objective. There are other ways for a former registrant to ensure that sensitive mail is not sent to a disused domain. Nevertheless, because of the limited data, it is impossible to draw firm conclusions about LEMMINGS' effectiveness in preventing data breaches. However, on the basis of the two pilots and given the potential seriousness of data losses, Argeweb, Openprovider and we believe that LEMMINGS is a useful additional tool for the prevention of data breaches and the protection of .nl registrants. Argeweb therefore wants to see the LEMMINGS pilot rolled out more widely. In the company's experience, customers tend to be unaware of the full implications of domain name cancellation, in terms of lost value and risk exposure. Argeweb is therefore keen to promote awareness. Openprovider also believes that increased security is always desirable. The company's hope is therefore that LEMMINGS will be put to more general use and that other schemes for protecting registrants are devised.
With a view to evaluating LEMMINGS more conclusively and protecting more .nl domain names, we've agreed with the Registrars' Association (RA), the organisation that represents .nl registrars, that a third LEMMINGS pilot will be organised. The new pilot will run for an extended period and will cover the entire .nl zone, thus protecting a much larger number of domain names (including potentially vulnerable domain names) and facilitating impact assessment. We expect the third pilot to start in March and run for a year. On the RA's advice, three new functions will be added to LEMMINGS for the third pilot:
- All registrars will be automatically included, but will have the opportunity to opt out.
- Registrars will have the option of having LEMMINGS notifications sent to them, so that they can automatically alert the former registrants concerned.
- Once a week, LEMMINGS will send each participating registrar a list of the domain names cancelled from their portfolio whose former registrants have been sent LEMMINGS notifications.
We will inform the .nl registrars extensively about this no later than 2 weeks before the start of the new pilot.