CSRIC Approves DNS Best Practices Report
The Communications Security, Reliability and Interoperability Council (CSRIC) approved a report on Domain Name System (DNS) best practices, which summarizes what industry has found to be the best solutions on how to protect the DNS from hacking, insider attacks, account takeovers and other attacks. The report also looks at protecting domain names from hijacking or misconfiguration and how to ensure the resiliency of DNS architecture as a critical infrastructure. The report, described at the CSRIC meeting at the FCC Wednesday, was not immediately available.
"DNS is a key component of services offered by ISPs, both from allowing customers of ISPs to use the Internet at all, it’s the name resolution service, … and then of course for allowing people, businesses, organizations, government and enterprises to create an Internet presence and have people get to it,” said Rod Rasmussen of Internet Identity, chairman of the working group that wrote the report. “It’s something that needs to be resilient to attack, to misconfiguration, to outages, to all those kinds of things that are important for any kind of operation. … It’s also a challenge because it’s a distributed infrastructure. A lot of the parts of the infrastructure are not within the control of the organizations, the ISPs, themselves.” Rasmussen said the task force sought to build on other work that has already been done. “Our thinking process here was to create a report that didn’t reinvent the wheel but actually told you where to get the various wheels and put things in context,” he said.
The report also recommends that ISPs implement best current practice 38 on “ingress filtering,” developed by the Internet Engineering Task Force, for ensuring that incoming packets are from the networks that they claim to be from. “It turns out from the discussions in our group that it sounds like a majority of U.S. ISPs are already employing this,” Rasmussen said. “But we don’t have control of the thousands of other [ISPs] and millions and billions of IP addresses out there that can be routed around the world.”
AT&T Chief Security Officer Edward Amoroso, a member of CSRIC, said DNS attacks are a growing problem. “What we saw this summer was in many cases DNS instances that see traffic like one [megabyte] per day or something, some crazy kind of averages on a given day and something like 70 or 80 [gigabyte] aimed at them in a DDoS [distributed denial of service] attack, which is just mindboggling when you think of the engineering implications,” Amoroso said. “As an engineer I've never seen anything like it in my life."
Rasmussen said he was familiar with the DDoS attack mentioned by Amoroso. “That attack was brutal … and there have been others in the same scale,” he said. “We did reference the issues in the report. … It’s well beyond anything anyone would have originally planned for.” Another problem is that DNS servers face more “background radiation,” Rasmussen said. “There’s a lot more just kind of noise going on, being directed at DNS servers, and we're not sure necessarily in all cases why.” Next up for the working group is a report on border gateway protocol (BGP) routing issues to be delivered at CSRIC’s March meeting, Rasmussen said.
FCC Public Safety Bureau Chief David Turetsky told CSRIC the work it’s doing is critical. “Whether it’s from the security side, where this multistakeholder model has produced an anti-bot code of conduct, endorsement of new steps toward implementing security improvements to the domain name system, the routing work that you've done,” Turetsky said. “The work on improving location accuracy is just another example of what’s vital. The next-generation issues are important and we're reminded so by not only the fact that consumers are carrying around enormous capacity in their pockets that could inform first responders if they had that information, whether it’s photos and text and videos … they can send. It also will remind you of this when we see what the aftermath can be of natural disasters.” Turetsky said communications problems that followed the June 29 derecho wind storm must be addressed. “The level of bumps is much too high,” he said.
But there’s still more work left to do, said Michael O'Reirdan, chairman of the Messaging Anti-Abuse Working Group. In the second phase of the project, CSRIC should “identify the barriers to code participation” that have kept about 11 percent of the nation’s ISPs from getting involved with the anti-bot code of conduct, he said. And even among those who participate, the development of “bot metrics” is “proving to be considerably more challenging,” he said. Different ISPs are collecting different numbers -- it’s very hard for them to agree on what constitutes a “bot,” an “infection,” or “cleaning.” O'Reirdan said CSRIC should work on these definitional issues going forward.