Post on 26-Dec-2015
Making the Internet DNS More Secure and Resilient: An ICANN Perspective
Greg Rattray
ICANN Chief Internet Security Advisor
The Internet as an Ecosystem
• Built as experiment; now part of everyday life
– Assumed benign, cooperative users
• Now involves a wide variety of systems, stakeholders, opportunities & risks
– Governments, corporations, civil society, criminals
• Malicious actors now use Internet
– Growing centers of gravity – militarily, economically, socially
– Anonymity & ability to leverage 3rd parties for bad acts
• Will we reach a tipping point in inability to address growth of malicious activity and capability?
– My mother-in-law: Can I safely use my credit card?
Bot Nets and Complexity of Attacks
[Diagram: Attacker, Botnet Developer, Bot Code, Bot Controller (C2), Bots, DNS resolution, Routing, Target(s). Annotation: multiple purposes; possibly no digital connection.]
Who’s responsible?
Who should be subject of retaliation?
- What type? Legal notice, arrest, digital disruption?
Who should be part of a cooperative mitigation and defense?
Actors Involved
- Code Developers
- Botnet Developer (t = X)
- Bot Controller (t = Y)
- Owners of assets (C2 and bots)
- DNS operators
- ISPs
- Target(s)
Attack the swamps, not the fever
The Internet: coordinated, not controlled
Just some of the major organizations concerned with the Internet
What is a Domain Name?
Mechanism for translating name into number
www.icann.org = 192.0.32.7 (IP address)
• ccTLD (country code top-level domain)
– Generally used or reserved for a country
– .jp, .kr, .uk, .my, etc.
• gTLD (generic top-level domain)
– .com, .info, .net, .name, .biz, .pro, etc.
• others (infrastructure top-level domain)
– .arpa, .int, etc.
[Diagram: delegation of domain names and IP addresses.
Domain names: root "." (ICANN/IANA, Internet Assigned Numbers Authority; Root Zone w/ USG and VeriSign); ccTLD registry (.se, .jp); gTLD registry (.com, .net); registrar; .net zone; example.net zone. Caption: "I want ‘example.net’ to setup www.example.net"; www.example.net = 192.0.2.1.
IP addresses: ICANN/IANA; RIR (AfriNIC, ARIN, RIPE NCC, LACNIC, APNIC); NIR (JPNIC, CNNIC, KRNIC); LIR; ISP. Caption: "I need 1 ip address to setup www.example.net".]
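An added example, not part of the original slides: a minimal iterative walk down the delegation chain the diagram shows (root zone, .net zone, example.net zone), returning the answer together with every zone consulted, since each of those zones is a separately operated point on which the answer depends. Only www.example.net = 192.0.2.1 comes from the slide; the `ZONES` table and the `resolve` function are hypothetical, constructed for illustration.

```python
# Constructed zone data. Each zone lists the child zones it delegates and the
# address records it holds itself. Only www.example.net = 192.0.2.1 is from
# the slide; everything else is illustrative.
ZONES = {
    ".":            {"delegations": ["net.", "com.", "jp.", "se."], "a": {}},
    "net.":         {"delegations": ["example.net."], "a": {}},
    "example.net.": {"delegations": [], "a": {"www.example.net.": "192.0.2.1"}},
}


def resolve(name):
    """Follow referrals from the root zone downwards.

    Returns (answer, zones_consulted). answer is an IPv4 string, or None when
    the chain ends without a record (the name does not exist, or the parent
    refers to a zone this constructed data set does not contain).
    """
    qname = name.lower().rstrip(".") + "."
    zone, path = ".", []
    while True:
        path.append(zone)
        data = ZONES.get(zone)
        if data is None:
            # Referral to a zone we hold no data for: the walk stops here.
            return None, path
        if qname in data["a"]:
            return data["a"][qname], path
        # Choose the most specific delegated child that covers the query name.
        children = [c for c in data["delegations"]
                    if qname == c or qname.endswith("." + c)]
        if not children:
            return None, path
        zone = max(children, key=len)


if __name__ == "__main__":
    for q in ("www.example.net", "missing.example.net", "www.example.jp"):
        answer, path = resolve(q)
        print(f"{q:22} -> {answer}  via {' > '.join(path)}")
```
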
ICANN’s Role and Plan
ICANN Plan for Enhancing Internet Security, Stability and Resiliency established in 2009
• Core: Ensure DNS system stability and resiliency
• Enabler: Work with broader Internet and security communities to combat systemic DNS abuse; assist operators to protect DNS registration and publication processes
• Contributor: Identification of risks to security, stability and resiliency of the DNS as part of larger cybersecurity challenges
• Not involved in cyber war/espionage or content control
Plan available at www.icann.org/en/security
DNS System-wide SSR Coordination, Analysis and Planning
Provide for coherence in concepts of a key sub-system of a larger Internet ecosystem
• Conduct annual DNS SSR symposium. This year in Kyoto in early February focused on Measuring DNS Health
– Baselined what metrics and measurements exist and where gaps exist in terms of getting more comprehensive
– Key parameters for DNS health – coherency, integrity, speed, availability, resiliency
• Developing set of key contingencies for use in ICANN and community efforts related to response and exercise planning
• Finalizing continuity plan for failures of DNS registries to address how to protect registrants
DNS Vital Signs
Coherency
Integrity
Speed
Availability
Resiliency
Mitigation of Malicious Conduct in New Top Level Domains
Practical measures for extending the DNS in a more secure and accountable fashion
• Requirement for employing key security technology (DNSSEC)
• Prohibition on undermining protocol (wildcarding)
• Requirements to enhance trust in people (background checks)
• Enable a scalable approach to investigation and response (Zone File Access)
• A voluntary program for higher trust in key zones (TLD certification program)
DNS Collaborative Response
Enabling effective private sector response and leadership
• Working closely with FIRST and national CERT community
– Joint session in Nairobi; help set up East African CERT
– DNS Security workshop at FIRST general meeting in June
• Continue collaboration in stopping spread of Conficker as well as lessons learned and follow-up efforts
• Continue to have security team incident reporting mechanisms to identify potential systemic DNS incidents
Capacity Building Programs
Enabling effective security and resilience at the edge of the system
• Continue conduct of ccTLD security and resiliency training program
– Attack and Contingency Response Program focused on managerial level threat awareness and contingency planning
– Joint registry operations training program initiated focused on basic, advanced and security DNS technical skill building
• Reaching over 100 DNS ccTLD operators in 41 ccTLDs in the last six months
Global Engagement
Foster a global dialogue on how to most effectively pursue security/resiliency for Domain Name System
• Work closely with regional TLD associations and network operators groups
• Work to enhance regional outreach activities
– INTERPOL workshop
– Asia-Pacific Economic Cooperation – Telecommunications and Information Working Group
– Commonwealth Telecommunications Organization
• This ICANN – MSU Institute for Information Security Issues annual forum
Discussion Questions
What are the expectations of private sector/multi-stakeholder organizations to provide security and resilience in key aspects in the global information infrastructure?
What are the right mechanisms for achieving transparency and accountability in this regard?