1 / 14

Making the Internet DNS More Secure and Resilient: An ICANN Perspective

Making the Internet DNS More Secure and Resilient: An ICANN Perspective. Greg Rattray ICANN Chief Internet Security Advisor. The Internet as an Ecosystem. Built as experiment; now part of everyday life Assumed benign, cooperative users Now involves a wide variety of systems,

aoife
Download Presentation

Making the Internet DNS More Secure and Resilient: An ICANN Perspective

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Making the Internet DNS More Secure and Resilient: An ICANN Perspective Greg Rattray ICANN Chief Internet Security Advisor

  2. The Internet as an Ecosystem • Built as experiment; now part of everyday life • Assumed benign, cooperative users • Now involves a wide variety of systems, stakeholders, opportunities & risks • Governments, corporations, civil society, criminals • Malicious actors now use Internet • Growing centers of gravity – militarily, economically, socially • Anonymity & ability to leverage 3rd Parties for Bad Acts • Will we a tipping point in inability to address growth of malicious activity and capability? • My mother-in-law: Can I safely use my credit card?

  3. Bot Nets and Complexity of Attacks • Actors Involved • Code Developers • Botnet Developer (t = X) • Bot Controller (t = Y) • Owners of assets • ( C2 and bots) • DNS operators • ISPs • Target(s) Bot Bot Code Bot Bot Bot Code C2 Botnet Developer Attacker Multiple purposes; Possibly no digital connection Bot Controller DNS resolution Routing Who’s responsible? Who should be subject of retaliation? - What type? Legal notice, arrest, digital disruption? Who should be part of a cooperative mitigation and defense? Target(s) Attack the swamps, not the fever

  4. The Internet: coordinated, not controlled Just some of the major organizations concerned with the Internet

  5. What is Domain Name? Mechanism for translating name into number www.icann.org = 192.0.32.7 (IP address) • ccTLD (country code top-level domain) • Generally used or reserved for a country • .jp, .kr, .uk, .my …etc • gTLD (generic top-level domain) • .com, .info, .net, .name, .biz, .pro …etc • others (infrastructure top-level domain) • .arpa, .int ...etc

  6. domain names ICANN/IANA (Internet Assigned Numbers Authority) ip address ccTLD registry RIR Root Zone w/ USG and VeriSign ARIN AfriNIC RIPE NCC . .jp .se gTLD registry APNIC LACNIC . .net NIR .com .net zone JPNIC KRNIC CNNIC LIR ISP ISP example.net zone ISP registrar I want ‘example.net’ to setup www.example.net I need 1 ip address to setup www.example.net www.example.net = = 192.0.2.1

  7. ICANN’s Role and Plan ICANN Plan for Enhancing Internet Security, Stability and Resiliency established in 2009 • Core: Ensure DNS system stability and resiliency • Enabler: Work with broader Internet and security communities to combat systemic DNS abuse; assist operators to protect DNS registration and publication processes • Contributor: Identification of risks to security, stability and resiliency of the DNS as part of larger cybersecuritychallenges • Not involved in cyber war/espionage or content control Plan available at www.icann.org/en/security

  8. DNS System-wide SSRCoordination, Analysis and Planning Provide for coherence in concepts of a key sub-system of a larger Internet ecosystem • Conduct annual DNS SSR symposium. This year in Kyoto in early February focused on Measuring DNS Health • Baselined what metrics and measurements exist and where gaps exist in terms of getting more comprehensive • Key parameters for DNS health – coherency, integrity, speed, availability, resiliency • Developing set of key contingencies for use in ICANN and community efforts related to response and exercise planning • Finalizing continuity plan for failures of DNS registries to address how to protect registrants

  9. DNS Vital Signs

  10. Mitigation of Malicious Conduct in New Top Level Domains Practical measures for extending the DNS in a more secure and accountable fashion • Requirement for employing key security technology (DNSSec) • Prohibition on undermining protocol (Wildcarding ) • Requirements to enhance trust in people (background checks) • Enable a scalable approach to investigation and response (Zone File Access) • A voluntary program for higher trust in key zones (TLD certification program)

  11. DNS Collaborative Response Enabling effective private sector response and leadership • Working closely with FIRST and national CERT community • Joint session in Nairobi; help set up East African CERT • DNS Security workshop at FIRST general meeting in June • Continue collaboration in stopping spread of Conficker as well as lessons learned and follow-up efforts • Continue to have security team incident reporting mechanisms to identify potential systemic DNS incidents

  12. Capacity Building Programs Enabling effective security and resilience at the edge of the system • Continue conduct of ccTLD security and resiliency training program • Attack and Contingency Response Program focused on managerial level threat awareness and contingency planning • Joint registry operations training program initiated focused on basic, advanced and security DNS technical skill building • Reaching over 100 DNS ccTLD operators in 41 ccTLDs in the last six months

  13. Global Engagement Foster a global dialogue on how to most effectively pursue security/resiliency for Domain Name System • Work closely with regional TLD associations and network operators groups • Work to enhance regional outreach activities • INTERPOL workshop • Asia-Pacific Economic Cooperation – Telecommunications and Information Working Group • Commonwealth Telecommunications Organization • This ICANN – MSU Institute for Information Security Issues annual forum

  14. Discussion Questions What are the expectations of private sector/multi-stakeholder organizations to provide security and resilience in key aspects in the global information infrastructure? What are the right mechanisms for achieving transparency and accountability in this regard?

More Related