DNS Security Survey for National Computer Security Incident Response Teams December 2010



Similar documents
ICANN: achievements and challenges of a multi-stakeholder, bottom up, transparent model

Internet Technical Governance: Orange s view

Internet Security and Resiliency: A Collaborative Effort

PLAN FOR ENHANCING INTERNET SECURITY, STABILITY, AND RESILIENCY

IANA Functions to cctlds Sofia, Bulgaria September 2008

New gtld Basics New Internet Extensions

2014 IANA FUNCTIONS CUSTOMER SERVICE SURVEY RESULTS. Survey by Ebiquity Report by Leo Vegoda & Marilia Hirano

Year End Results for FY10 Trimester Goals Color Key: T1 T2 T3

Protecting your trademarks online. FACTS & FAQs

Domain Name Market Briefing. 24 June 2012

Internet Structure and Organization

Security related proposals in the DAG v3

ICANN STRATEGIC PLAN JULY 2012 JUNE 2015

Domain Name Control Considerations

Measures to Protect (University) Domain Registrations and DNS Against Attacks. Dave Piscitello, ICANN

NATIONAL CREDIT UNION ADMINISTRATION 1775 Duke Street, Alexandria, VA 22314

Establishing and supporting CERTs for Internet security

The Internet Ecosystem and ICANN!! Steve Stanford University, Center for Information and Society! 29 April 2013!

Monitoring the DNS. Gustavo Lozano Event Name XX XXXX 2015

.ASIA Reserved Names Policies

DOMAIN NAME DAY. + Helsinki; 14 th February; Nigel Hickson, ICANN

DANCERT RFC2350 Description Date: Dissemination Level:

Domain Name Management for Professionals

Current Counter-measures and Responses by the Domain Name System Community

PIR Going Global. Ulrich Retzlaff. Public Interest Registry

EFFECTIVE AS OF AUGUST 15, 2015

FAQ (Frequently Asked Questions)

Telecom and Internet Regulatory Challenges and Opportunities Names, Numbers, Internet Governance

ACCEPTABLE USE AND TAKEDOWN POLICY

Strengthening our Ecosystem through Stakeholder Collaboration. Jia-Rong Low, Sr Director, Asia 20 August 2015

ARTE TLD REGISTRATION POLICY

CYBERSECURITY INESTIGATION AND ANALYSIS

2015 IANA Functions Customer Service Survey Results

Review of.au domain name policy framework Submission to.auda

ICANN Seeks Public Comment: Supporting the DNS Industry in Underserved Regions 14 May 2014

Redelegation of Country Code Top Level Domains. February 2003

Security in the Network Infrastructure - DNS, DDoS,, etc.

DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment

Policy Overview and Definitions

The future of International SEO. The future of Search Engine Optimization (SEO) for International Business

New gtld Program Reviews and Assessments. Draft Work Plan

SDNP.mw cctld DOMAIN REGISTRATION POLICY Ver 1.2 of 23 July 2015

DNS Abuse Handling. Champika Wijayatunga APRICOT2015 Fukuoka Japan Feb 2015

Draft WGIG Issue Paper on the Multilingualization of

Computer Networks: Domain Name System

ICANN Engagement Strategy Middle East! Baher Esmat!! MENOG 13! Kuwait, September 2013!

Securing DNS Infrastructure Using DNSSEC

Guidance for Preparing Domain Name Orders, Seizures & Takedowns

SAC 049 SSAC Report on DNS Zone Risk Assessment and Management

<.bloomberg> gtld Registration Policies

THE DOMAIN NAME INDUSTRY BRIEF VOLUME 11 ISSUE 2 AUGUST 2014

SAC 044 A Registrant s Guide to Protecting Domain Name Registration Accounts

REQUEST FOR PROPOSALS

.IBM TLD Registration Policy

Domain Name Registration and ICANN

Radix Reserved Names Policy

A Survey of cctld DNS Vulnerabilities. ITU cctld Workshop March 3, 2003

ECTA Position paper. November 27, 2015

.bbva TLD Registration Policy

THE DOMAIN NAME INDUSTRY BRIEF VOLUME 11 ISSUE 1 APRIL 2014

BUENOS AIRES ccnso Secure Communication for cctld Incident Response Working Group [C]

Policy on Transfer of Registrations between Registrars Takes effect 31 January 2015

Innovating with the Domain Name System: From Web to Cloud to the Internet of Things

Kim Davies Internet Assigned Numbers Authority

The DOMAIN NAME INDUSTRY BRIEF VOLUME 8 - ISSUE 3 - AUGUST 2011

Law Enforcement and Internet Governance: An Ounce of Prevention Is Worth a Pound of Cure

.hitachi Domain Name Registration Policies

The Environment Surrounding DNS. 3.1 The Latest DNS Trends. 3. Technology Trends

Phishing Trends Report

COMMENTS OF THE SOFTWARE & INFORMATION INDUSTRY ASSOCAITION (SIIA)

CSIRT Description for CERT OPL

What the Impending New Domain Names Mean for Nonprofits

Best Practices in Domain Name Registry Solutions Understanding the Technical Requirements of ICANN's Applicant Guidebook

Organizational internal computer security incident responding structure : CSIRT

Philippines Philippines Philippinen. Report Q173. in the name of the Philippine Group

The Continuing Denial of Service Threat Posed by DNS Recursion (v2.0)

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

.AXA Domain Policy. As of March 3, 2014

Data publication and access policy on.fr registrations - 1 -

"Branding Strategies in light of the. Kevin G. Smith Sughrue Mion, PLLC Washington, D.C.

.tirol Anti-Abuse Policy

The Future of the Internet

MULTILINGUALISM AND THE DOMAIN NAME SYSTEM 1

.Brand TLD Designation Application


Acceptable Use Policy and Terms of Service

2012 Infrastructure Security Report. 8th Annual Edition Kleber Carriello Consulting Engineer

.SKI DOMAIN NAME POLICY. May 21, Starting Dot Ltd. .SKI DOMAIN NAME POLICY

Root zone update for TLD managers Mexico City, Mexico March 2009

2013 IANA Functions Customer Service Survey Results

Legal and Technological Preparation for ICANN's New gtlds

DNS Risks, DNSSEC. Olaf M. Kolkman and Allison Mankin. and 8 Feb 2006 Stichting NLnet Labs

Domain Names and their Role for the Net

The Importance of Cyber Threat Intelligence to a Strong Security Posture

Order of introduction of «.ҚАЗ» domain name

The registry has received complaints from registrants and registrars about the registry practice of deleting names pending verification.

Outsourcing your domain name portfolio provisioning. Aggressively reduce the costs of managing a domain portfolio

Computer Security Incident Response Team

Response to Solicitation Number: SA R-P0-016

Microsoft s.office Registry Domain Name Terms & Conditions

Transcription:

DNS Security Survey for National Computer Security Incident Response Teams December 2010 Summary As referenced during the ICANN meeting in Brussels, Belgium in June 2010, ICANN developed a survey on DNS security response operations for national computer security incident response teams (CSIRTs). The survey was sent in August 2010 via the Computer Emergency Response Team Coordination Center at Carnegie Mellon University (CERT/CC) (distributed worldwide), the European Network and Information Security Agency (ENISA, covering the European region), APCERT (covering the Asia Pacific region) and the Organization of Islamic Conference CERT secretariat (OIC CERT, covering Islamic countries) to 55 CSIRTs with national responsibility. Responses were received from 26 national CSIRTs. The survey results are not comprehensive enough data to draw any broad conclusions. While there are over 246 cctlds and 22 gtlds (not including newly delegated IDN cctlds), according to CERT/CC, there are a total of only 56 National CSIRTs from all regions (see http://www.cert.org/csirts/national/contact.html). te while this list of CSIRTs is complete to the best of CERT/CC s knowledge, it is not an authoritative number and does not cover all the National CSIRTs. Less than half of the CSIRTs in each region responded. Additionally, analysis has not been conducted on potential bias of those who did and did not respond to the survey. Main Themes 1. There are clearly areas that specific CSIRTs identify gaps related to DNS operations and security operations. 2. Most of the survey respondents believe National CSIRTs work sufficiently as a means to reach DNS operators in another country when there is presence. However the sufficiency of this mechanism depends on the country and obviously the presence of a national CSIRT. 3. 17 of 26 respondents identify contact points database for response and information sharing/mechanism is needed to improve incident coordination on issues involving DNS at CSIRT community. 6 of 26 respondents identify coordination center is needed to improve incident coordination on issues involving DNS at CSIRT community. 4. Almost all the respondents who answered named WHOIS as the mechanism to identify outreach points of contact despite weaknesses in the accuracy of WHOIS data. 5. Two questions drew very consistent answers: Q2 1, where almost all National CSIRTs would like to receive information on trends in the use of DNS by attackers including new attack methodologies and how CSIRTs can best respond to them or advise their constituencies on the defense from them. Additionally Q 4 shows only 15% of teams subscribed to any security/response mailing lists for DNS registries / 22 December 2010 1

Survey Results registrars operators. 6. Those who do not subscribe to the DNS security relating mailing list look for following kinds of information DNS attack method trends, Incident response techniques, DNS spoofing issues, New attack trend and methodologies of DNS related incidents and effective response methods, Knowledge about new vulnerabilities, Case studies, Best practices Detailed Data What do you think the CSIRT community needs to improve incident coordination on issues involving DNS? [Original Comments:] Respondents from AP region - Coordination centre, Contact point database, Information Sharing, and Incident Cases Sharing. - Attacks, incidents and contact point database - Information sharing related to concrete and actual way of response to contemporaneous incidents. - Coordination work through issuance of advisories or alerts - Knowledge about new attack techniques, new vulnerabilities, case studies, best practices - A single and reliable interface for escalating incidents, discussions and information sharing. Initiatives like this already exist but probably not formalized and/or completed. Respondents from Latin America and Caribbean region - The real problem with taking down domains being used for criminal activities are the gtlds registrars and resellers that don t have policies and don t act on the problems. It is also hard to find contact information for abuse reports and most don t understand the problem e.g. several times they don t have knowledge of local issues, like brands or other names used for fraud. If a central entity would be created it would be useful for helping CSIRTs to find the right contacts and help the registrars and resellers to prioritize which requests are more urgent and also identify if the organization complaining is really a CSIRT or a victim of a crime/abuse using a given domain name. - Coordination centre, contact point database, technical knowledgment, etc.) - Coordination Center 22 December 2010 2

Survey Results Respondents from Middle East and Africa region - Share information and best practices - To have a trusted central database for PoC - Define a coordination framework to facilitate incident response. - Sharing lessons learnt about incidents, publicize work below between different TLDs, joint projects and specialized trainings. Respondents from Europe region DNS security is a serious issue, where several parties are involved (which is true for every internet related issue). There is no single DNS authority but merely a chain of services and capabilities offered to operate and safeguard name resolution services. In that respect it is early to propose a single DNS CERT, since incident response is already handled by the different owners of systems. We support the increased attention for DNS Security and we are interested further advise in how this can be achieved best, knowing the existing expertise, ownership, relationships and capabilities. Establish good working contacts to key stake holders: Registries, Policy makers, In many (European) countries the Domain business is regulated by the government. For.ch we talked for more than a year with the respective authorities to changes the laws, so we could actually react to misuse and still respect the Swiss legal system. At the end few changes hat a big impact in misuse patterns, the time speaking to the authorities are was well spent. I can elaborate on this if needed. A contact point DB would be lovely. Moreover, we need someone to raise the awareness level of cctlds about security and abuse issues. Information sharing between response teams, Incident coordination center to improve the handling effort on a given incident, Push for implementing security measures and standard baseline for all registrars. CSIRT teams efficiently cooperate with each other and provide response to all kinds of incidents. Some countries might need to strengthen cooperation with their cctld on the national level, Probably an international coordination centre and single contact point in each country Detailed (technical) publicly available information I think that would be useful a coordination center, mainly based in provide correct contacts points and also providing guides, manuals, etc. related to DNS security and incident handling. Another goal should be interchange information between different cctld and CSIRTs with their experience. Also if possible share information how to mitigate real attacks and how they handled incidents involving. I think there is no crucial need for a separate coordination infrastructure for DNS incident response from CSIRT s point of view. I expect there are operational means of communication between registries and the question should be rather addressed to them. - ICANN should seek to facilitate needs of existing CSIRTs and possibly implement safeguards that would minimize emergence of fast flux and similar problems. 22 December 2010 3

Survey Results Anonymous - Contact list, information sharing, new vulnerabilities reports - A reliable and current contact database regarding all cctld and major DNS product and related infrastructures. A center of excellence for accumulated knowledge may also be useful. - Contact point database - Point of Contact, Referral Centre for DNS Q1 Do you have an incident response point of contact at your national cctld? Q1 1 Do you think that you have sufficient contacts in the National CSIRT or cctld registries to reach the appropriate people in other involved countries when dealing with incidents involving DNS? 22 December 2010 4

Survey Results Q2 Do you need more DNS technical expertise to provide support for DNS related incident handling including work with your cctld and others in the DNS community? Q2 1 Would it be helpful to receive information on trends in the use of DNS by attackers including new attack methodologies and how CSIRTs can best respond to them or advise their constituencies on the defense from them? Q3 What type of working relationship do you have with your cctld? 22 December 2010 5

Survey Results Q4 Do you subscribe to any security/response mailing lists for DNS registries / registrars operators? Q5 Do you have a mechanism to identify contact point at registry/registrar for malicious domain incident response coordination? Appendix A 22 December 2010 6

Survey Results National CSIRT Survey on DNS Security Your Name Affiliation 1. Do you have an incident response point of contact at your national cctld? 1 1. Do you think that you have sufficient contacts in the National CSIRT or cctld registries to reach the appropriate people in other involved countries when dealing with incidents involving DNS? 2. Do you need more DNS technical expertise to provide support for DNS related incident handling including work with your cctld and others in the DNS community? (Comments) If yes, please check which of following expertise sets you think are useful. (Check all that apply) 2 1. Would it be helpful to receive information on trends in the use of DNS by attackers including new attack methodologies and how CSIRTs can best respond to them or advise their constituencies on the defense from them? 3. What type of working relationship do you have with your cctld? ( ) DNS protocol expertise ( ) DNS root or TLD operations ( ) DNS server software expertise ( ) DNS resolver software expertise ( ) Other questions involving DNS when handling incidents ( ) Incident response coordination/support ( ) Vulnerability response support ( ) Security Training ( ) Monitoring ( ) Others (free form) [ ] 22 December 2010 7

Survey Results 4. Do you subscribe to any security/response mailing lists for DNS registries / registrars operators? Please specify [ ] If yes, do these lists meet your needs from an incident response perspective? If not, what kind of information do you need? 5. Do you have a mechanism to identify contact point at registry/registrar for malicious domain incident response coordination? 6. What do you think the CSIRT community needs to improve incident coordination on issues involving DNS? Information you need [ ] Please specify [ ] Free form: (e.g. coordination centre, contact point database, etc.) [ ] 22 December 2010 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information