Category: SSAC

Feb 25

SSAC Issues New Report On DDoS Attacks Against DNS

SSAC logoWhat can be done to prevent Distributed Denial of Service (DDoS) attacks against the DNS infrastructure? What can individuals or organizations who operate DNS servers do to their own systems to help reduce the threat of DDoS attacks?   ICANN’s Security and Stability Advisory Committee (SSAC) took on this issue recently and released a new report this week: “SAC065: SSAC Advisory on DDoS Attacks Leveraging DNS Infrastructure“.  It is available as a free PDF download in English.

While the report is not about DNSSEC, per se, it is about the overall issue of “DNS security” and outlines steps that can be taken to reduce the potential of DNS-based DDoS attacks.  This is critical if we are to get DNSSEC more widely deployed because there are some DNS server operators who have pushed back about DNSSEC citing concerns about the larger size of DNSSEC packets could help amplify DDoS attacks.

The recommendations for the industry include the following (with the report providing more detail on each):

Recommendation 2: All types of network operators should take immediate steps to prevent network address spoofing.

Recommendation 3: Recursive DNS server operators should take immediate steps to secure open recursive DNS servers.

Recommendation 4: Authoritative DNS server operators should investigate deploying authoritative response rate limiting.

Recommendation 5: DNS operators should put in place operational processes to ensure that their DNS software is regularly updated and communicate with their software vendors to keep abreast of latest developments.

Recommendation 6: Manufacturers and/or configurators of customer premise networking equipment, including home networking equipment, should take immediate steps to secure these devices and ensure that they are field upgradable when new software is available to fix security vulnerabilities, and aggressively replacing the installed base of non-upgradeable devices with upgradeable devices.

We agree with those recommendations and definitely encourage people to read the SSAC report and implement as many recommendations as possible.

Working together we can make the Internet more secure!

Nov 14

Should The Root DNSSEC Key Be Rolled? ICANN’s SSAC Issues Some Guidance

ICANN SSAC 63Should the root key of DNSSEC be rolled over?  And if so, when and under what conditions?  We’ve mentioned this discussion before and even sent in our own comments to ICANN.  After reviewing all those comments and consulting with many people, the ICANN Security and Stability Advisory Committee (SSAC) has now issued their guidance in a document, “SAC063 – SSAC Advisory on DNSSEC Key Rollover in the Root Zone“.  The document is well worth a read and explains SSAC’s thinking on a variety of issues.  For a quick summary, SSAC issued five recommendations that I would paraphrase as:

1:  ICANN and partners should immediately undertake a worldwide communications effort to publicize the root zone KSK rollover motivation and process as widely as possible.

2: ICANN staff should coordinate a testing program to analyze the behavior of validating resolvers to identify problems that could be caused the the root KSK rollover.

3: ICANN staff and the community should identify clear and objective metrics for acceptable levels of “breakage” resulting from a key rollover.

4: ICANN staff should coordinate the development of rollback procedures to be executed in case things go wrong.

5: ICANN staff should coordinate the collection of information during this KSK rollover so that lessons can be learned for future rollovers.

This SSAC report is issued in time for next week’s ICANN 48 meeting in Buenos Aires where this topic will again be in the conversation within DNSSEC circles.  ICANN has contractual requirements to roll the key within five years of the signing of the root in July 2010 and so efforts are underway to make sure this can be done in a sensible manner.