ccNSO Members Day, March 14, 2017
ICANN58, Copenhagen
Cristian Hesselman, .nl (TLD-OPS Standing Committee Chair)
TLD-OPS Update: ccTLD Security and Stability Together
TLD-OPS Standing Committee
TLD-OPS
• Global technical incident response community for and by ccTLDs, open to all ccTLDs
• Brings together ~330 people who are responsible for the operational security and stability of 187 different ccTLDs
• Goal: enable ccTLD operators to collaboratively detect and mitigate incidents that may affect the operational security and stability of ccTLD services and of the wider Internet
• Further extends members’ existing incident response structures, processes, and tools and does not replace them
• Guidance by TLD-OPS Standing Committee
  – ccTLD reps and liaisons (SSAC, IANA, ICANN’s security team)
Contact Repository Email
Stats: 328 subscribers from 186 ccTLDs
“John Doe, #1, .nl, +31123456789” [email protected]
“Jane Doe, #1, .vn, +84123456789” [email protected]
Security Alerts and Queries
#   Description                                                        Month
10  Registry front-end compromise due to 0-day vulnerability           Mar-17
9   Queries on latency problems with DNS anycast operator              Dec-16
8   Security warning regarding large volumes of Cutwail traffic        Nov-16
7   Alert: several members reporting large DNS traffic spikes          Nov-16
6   Security warning for a ccTLD that was hacked                       Aug-16
5   Helped ccTLD with problems with their DNS anycast service          Jul-16
4   Security warning on DDoS attack on DNS root                        Jun-16
3   Alert: spear-phishing attacks against ccTLD operators              Apr-16
2   Large malvertising campaign targeting popular ccTLD websites       Apr-16
1   A ransomware that used domain names of various ccTLDs              Feb-16
TLD-OPS Membership Stats

All     Members  %     Missing  %    Total
Total   187      64%   104      36%  291

ASCII   Members  %     Missing  %    Total
Total   158      64%   87       36%  245
AF      23       45%   28       55%  51
AP      49       60%   33       40%  82
EU      65       100%  0        0%   65
LAC     17       40%   25       60%  42
NA      4        80%   1        20%  5

IDN     Members  %     Missing  %    Total
Total   29       63%   17       37%  46

Last update: February 27, 2017
Progress Since ICANN57
• Security alerts
  – Registry front-end compromise due to 0-day vulnerability (Mar)
  – Queries on latency problems with DNS anycast operators (Dec)
  – Security warning regarding large volumes of Cutwail traffic (Nov)
  – Large traffic spikes at three ccTLDs, likely a reflection attack (Nov)
• Membership updates
  – Joined: .as (American Samoa), .ir (Islamic Republic Of Iran)
  – Contact updates: 5 (new/removal)
  – Put two ccTLDs back on the list after excess bounces
Outreach: TLD-OPS Workshop, March 12
• Goal: explore how TLD-OPS members can collaborate to detect and mitigate DDoS attacks
• Motivation:
  – Recent large-scale (IoT) attacks on the DNS (such as Dyn, root)
  – Need to mobilize the collective experience of the TLD-OPS community
• Approach
  – Facilitate dialog: sharing of experiences, discussion, generation of ideas
  – Considering perspectives such as technical, operational, and strategic
  – Closed workshop for member ccTLDs only
• Targeted results
  – Shared understanding of role of TLD-OPS in handling DDoS events
  – Guidelines and tools to integrate TLD-OPS into ccTLD operations
  – Items for further discussion
Workshop Stats
Attendees       55 (61 registrations)
ASCII ccTLDs    35
IDN ccTLDs      11
ccTLD reps      52 (4 also on the SSAC, but ccTLD reps today)
Proxies         9
SSAC members    2
RSSAC members   1
Regions         AF, AP, EUR, LAC, NA
Expertise       operational, technical, strategic
SC members      6 (Fred, Jacques, Erwin, Cristian, Jay, Warren)
Last update: March 12, 2017
Breakout Groups and Lots of Interaction!
Workshop Results (First Selection)
• Initial feedback: increased trust among TLD-OPS members
• Excellent participation and attendance
• Workshop format worked well
• Secondary email address for every incident response contact
• Live communication facilities during an attack (chat, bridge)
• Share best practices and enable peers to learn
• Longer term: shared services (sinkhole, threat analysis, monitoring)
• Next step: look into flip charts in more detail and put into action
Was It Useful?
Outreach: TLD-OPS Postcard (January 2017)
Objectives ICANN58
• Increase the number of ASCII ccTLD members by 5% to 194 through webinars for LAC and AF and possibly AP regions
• Organize a TLD-OPS workshop at ICANN58 to discuss how ccTLDs collaboratively detect and mitigate DDoS attacks
Objectives ICANN59
• Potentially organize 2nd TLD-OPS workshop (focus on AF region)
• Put outcomes of Sunday’s workshop and survey into action
• Finalize TLD-OPS membership update procedure
• Increase membership by 3 to 190
TLD-OPS Standing Committee
Frederico Neves, .br
Jacques Latour, .ca
Erwin Lansing, .dk
Ali Hadji Mmadi, .km
Cristian Hesselman, .nl (chair)
Jay Daley, .nz
Abibu Ntahigiye, .tz
Warren Kumari (SSAC liaison)
John Crain (ICANN’s security team liaison)
Kim Davies (IANA liaison)
ICANN Staff
Kim Carlson
Q&A
TLD-OPS Home
http://ccnso.icann.org/resources/tld-ops-secure-communication.htm
TLD-OPS Leaflet
https://ccnso.icann.org/workinggroups/tld-ops-enhanced-incident-response-capabilities-cctlds-14apr16-en.pdf
Arabic, Chinese, English, French, Russian, Spanish, Russian
Contact
Cristian Hesselman
Standing Committee Chair
+31625078733
cristian.hesselman@sidn.nl
@hesselma