Making the Internet DNS More Secure and Resilient: An ICANN Perspective

Greg RattrayICANN Chief Internet Security Advisor

The Internet as an Ecosystem• Built as experiment; now part of everyday life

– Assumed benign, cooperative users• Now involves a wide variety of systems,

stakeholders, opportunities & risks– Governments, corporations, civil society, criminals

• Malicious actors now use Internet– Growing centers of gravity – militarily, economically, socially– Anonymity & ability to leverage 3rd Parties for Bad Acts

• Will we a tipping point in inability to address growth of malicious activity and capability?– My mother-in-law: Can I safely use my credit card?

Bot Nets and Complexity of Attacks

Bot

DNS resolution

Bot Code Bot Code

Routing

Botnet Developer

Bot Bot

Target(s)

Bot ControllerC2

Attacker

Multiple purposes;Possibly nodigitalconnection

Who’s responsible? Who should be subject of retaliation? - What type? Legal notice, arrest, digital disruption?Who should be part of a cooperative mitigation and defense?

Actors Involved- Code Developers- Botnet Developer (t = X)- Bot Controller (t = Y)- Owners of assets ( C2 and bots)- DNS operators - ISPs- Target(s)

Attack the swamps, not the fever

The Internet: coordinated, not controlled

Just some of the major organizations concerned with the Internet

What is Domain Name?

Mechanism for translating name into numberwww.icann.org = 192.0.32.7 (IP address)

• ccTLD (country code top-level domain)• Generally used or reserved for a country • .jp, .kr, .uk, .my …etc

• gTLD (generic top-level domain)• .com, .info, .net, .name, .biz, .pro …etc

• others (infrastructure top-level domain)• .arpa, .int ...etc

.

ICANN/IANA(Internet Assigned

Numbers Authority)ip address

.se .jp

ccTLD registry

..com

.net

gTLD registry

domain names

registrar

Root Zonew/ USG and VeriSign

.net zone

I want ‘example.net’to setup www.example.net

www.example.net = = 192.0.2.1

example.net zone

AfriNICARIN RIPE NCC

LACNIC

RIR

ISPISP

ISP

LIR

JPNICCNNIC

KRNIC

NIR

APNIC

I need 1 ip addressto setup www.example.net

ICANN’s Role and Plan

ICANN Plan for Enhancing Internet Security, Stability and Resiliency established in 2009

• Core: Ensure DNS system stability and resiliency• Enabler: Work with broader Internet and security

communities to combat systemic DNS abuse; assist operators to protect DNS registration and publication processes

• Contributor: Identification of risks to security, stability and resiliency of the DNS as part of larger cybersecurity challenges

• Not involved in cyber war/espionage or content control

Plan available at www.icann.org/en/security

DNS System-wide SSRCoordination, Analysis and Planning

Provide for coherence in concepts of a key sub-system of a larger Internet ecosystem

• Conduct annual DNS SSR symposium. This year in Kyoto in early February focused on Measuring DNS Health – Baselined what metrics and measurements exist and where gaps

exist in terms of getting more comprehensive– Key parameters for DNS health – coherency, integrity, speed,

availability, resiliency

• Developing set of key contingencies for use in ICANN and community efforts related to response and exercise planning

• Finalizing continuity plan for failures of DNS registries to address how to protect registrants

DNS Vital Signs

Coherency

Integrity

Speed

Availability

Resiliency

Mitigation of Malicious Conduct in New Top Level Domains

Practical measures for extending the DNS in a more secure and accountable fashion

• Requirement for employing key security technology (DNSSec)• Prohibition on undermining protocol (Wildcarding )• Requirements to enhance trust in people (background checks) • Enable a scalable approach to investigation and response

(Zone File Access)• A voluntary program for higher trust in key zones (TLD

certification program)

DNS Collaborative Response

Enabling effective private sector response and leadership

• Working closely with FIRST and national CERT community– Joint session in Nairobi; help set up East African CERT– DNS Security workshop at FIRST general meeting in June

• Continue collaboration in stopping spread of Conficker as well as lessons learned and follow-up efforts

• Continue to have security team incident reporting mechanisms to identify potential systemic DNS incidents

Capacity Building Programs

Enabling effective security and resilience at the edge of the system

• Continue conduct of ccTLD security and resiliency training program – Attack and Contingency Response Program focused on managerial

level threat awareness and contingency planning– Joint registry operations training program initiated focused on basic,

advanced and security DNS technical skill building

• Reaching over 100 DNS ccTLD operators in 41 ccTLDs in the last six months

Global EngagementFoster a global dialogue on how to most effectively pursue

security/resiliency for Domain Name System

• Work closely with regional TLD associations and network operators groups

• Work to enhance regional outreach activities– INTERPOL workshop – Asia-Pacific Economic Cooperation – Telecommunications and Information Working Group – Commonwealth Telecommunications Organization

• This ICANN – MSU Institute for Information Security Issues annual forum

Discussion Questions

What are the expectations of private sector/multi-stakeholder organizations to provide security and resilience in key aspects in the global information infrastructure?

What are the right mechanisms for achieving transparency and accountability in this regard?