This document discusses the need for a DNS Coordination Center (DNS-CERT) to address growing security risks and incidents affecting the Domain Name System (DNS). It notes several past incidents like Conficker that stressed DNS resources and highlighted the need for improved coordination. A DNS-CERT could serve as a dedicated response team to foster situational awareness, assist operators during incidents, and coordinate the existing capabilities of stakeholders. The document seeks feedback on establishing such a center and addresses open questions around its scope, governance model, and funding.

1. Global DNS
CERT
Business
case
for
collabora/on
in
security

2. Background
• Growing
risks
to
DNS
security
and
resiliency
– Emergence
of
Conficker.
– Growing
number
of
domain
hijacking
cases
• Community
calls
for
systemic
DNS
security
planning
and
response
• ICANN
commitments
under
Affirma/on
of
Commitments
• Ini/a/ves
called
for
in
ICANN
2010-­‐2013
Strategic
Plan

3. Objectives of threats to DNS
• Politically-motivated disruption of DNS
• Desire for financial gain
• Demonstration of technical superiority
• Gratuitous defacement or damage
Source: 2009 Information Technology
Sector Baseline Risk Assessment,
US Dept of Homeland Security

4. Potential impacts
• Long lasting damage to “Trust” in system
• Significant and lasting economic harm
• Is the Internet as we know it at Risk from
malicious behavior?

5. Lessons learned
• Conficker (’08- )
– DNS played a role in slowing Conficker
– Complex interactions with DNS community
– Resource-intensive response activity
• Conficker WG noted need for a dedicated
incident response capability

6. Lessons learned
• Protocol vulnerability (’08)
– Fast response, but
– Predicated on ability to
find “key people”
• A coordination center
would have improved
situational awareness
Diagram of cache poisoning attack

7. Lessons learned
• Avalanche (’08- )
– Targets financial sector
– Exploits the limited
resources of registrars
– Trend continues upward
• Complex coordination
requires dedicated team

8. Maybe a DNS-CERT?
hLp://www.icann.org/en/topics/ssr/
dns-­‐cert-­‐business-­‐case-­‐10feb10-­‐
en.pdf

9. Mission of DNS CERT
“Ensure
DNS
operators
and
suppor/ng
organiza/ons
have
a
security
coordina-­‐/on
center
with
sufficient
exper/se
and
resources
to
enable
!mely
and
efficient
response
to
threats
to
the
security,
stability
and
resiliency
of
the
DNS”

10. Goals
• Validate need for standing collaborative response
capability to address systemic threats/risks
– Full-time/global; coordinate existing capabilities; serve
all stakeholders especially less resourced operators
• Operational focus determined in engagement with
stakeholders and leveraging existing efforts
– Fostering situational awareness; incident response
assistance/coordination;

11. Stakeholders by role

12. Participation and feedback
• DNS CERT must respond to constituency
needs
• Participation by key constituents
– Adds capability to CERT
– Extends its geographic reach
– Helps keep focus on constituency needs

13. Open questions include:
• Where should it be housed?
• What is best model?
• How should it be funded?
• Etc. etc.

14. Way Forward
• This is a “proposal” we need feedback!
• Seek community feedback
– Email yurie.ito@icann.org with comments

15. Thank you
John Crain
Senior Director, SSR
ICANN
john.crain@icann.org