CIRA - Protect your Business


While much attention is given to website attacks, domain name hijacking and attacks on the Domain Name System (DNS) are often overlooked. The Canadian Internet Registration Authority (CIRA) tracks and monitors trends on the Canadian and global Internets and provides technology for organizations to help protect their online presence.

This talk will provide an overview of domain name and DNS security risks before delving into how domain names are hijacked and the DNS exploited. Presenters will help administrators understand the technology that can be used to help combat hackers, including:
- Best practices for securing a domain name portfolio and preventing domain name hijacking
- Analysis of typical DNS configurations seen across Canadian municipalities and their associated risks
- Methods for strengthening the DNS using Anycast technology
- Case studies from recent attacks, describing how they were mitigated and how they could have been avoided altogether.

Published in: Business

  1. DOMAINS (and the Domain Name System)
  2. Why are we looking at this? The DNS is as old as WWW, so why do we need to learn about it?
  3. Because of this
  4. And because of this. Source: Arbor Networks Digital Attack Map (
  5. First: A stark reality
  6. 94% of higher education websites are exposed to DNS outages. 100% are candidates for DNS hijacking.
  7. WHO IS CIRA?
      • The Canadian Internet Registration Authority (CIRA) manages a 100% uptime service: the .CA domain name registry for over 2.4 million domains
      • Provides DNS for .CA, answering 3 billion DNS queries per month
      • CIRA is a non-profit member-driven organization of 75 employees and an elected 12-person board
      • CIRA supports the growth of a strong and reliable Internet for all Canadians by investing in Internet projects, and helping to represent Canadian Internet interests around the world
      The organization responsible for a critical part of the Internet infrastructure is expanding its services to help organizations secure their DNS systems in Canada.
  8. In short
      • Manage the .CA domain
      • Provide infrastructure and services
      • Do good things for the Internet
  9. Agenda
      • Best practices for protecting your domain name
      • Best practices for protecting your domain’s DNS
      • What is happening with new gTLDs (and why it matters to your domain)
  10. Domain Name Protection: Owning a domain requires good parenting skills
  11. Domain Hijacking
      • Domain hijacking could be the act of a hacker using social engineering to trick the technical support workers at a registrar (like GoDaddy, Webnames, Domains at Cost, etc.) into making critical changes to the DNS.
      • OR… it can be done by the malicious act of someone within your organization
  12. It looks like this…
  13. …or this
  14. Recent Domain Name Hijackings
      • The dancing banana appeared on the City of Ottawa website (apparently) in response to the arrest of a person for SWATting and other nuisance cyber crimes
      • The smoking lizard appeared on Air Malaysia’s website just as it was trying to recover from two high profile crashes.
      What is common with these? They are not traditional targets. They aren’t Microsoft, they aren’t e-commerce sites and they aren’t banks.
  15. The responsibility for locking the domain rests with the IT Administrator
      • Domain locking is a manual process in a cloud world because it provides the highest level of protection
          – Not an application
          – Not a vendor
      • Highest security: a Lock Flag placed on your domain that prevents any changes. Turned on and off by CIRA (or other Registries).
  16. Registry Lock
      • When Registry Lock is applied to a domain name, no attributes of the domain are changeable and no transfer or deletion transactions can be processed against the domain name, with the exception of renewals. .CA, .com, and others all offer this service.
      • If the Registrant wishes to make any changes to their domain, the Registrant must first work with their Registrar, who will in turn work with the .CA Registry.
      • The .CA Registry will respond to any lock and unlock requests in under one hour (typically under 5 mins), on a 24x7 basis, so accessing your .CA domain name is not an administrative burden.
      Unlock flow:
          – Registrant: Requests unlocking
          – Registrar: Key contacts use admin protocols to authenticate with CIRA
          – CIRA: Unlocks the domain for the prescribed period of time
  17. Four top tips for managing your domain
      1. Conduct a good domain name audit
      2. Know your Registrar(s)
      3. Keep your .CA contact information current
      4. Don't lose control: Renew your domain name
      We learn a lot by managing a technical support desk. These tips are based on the hundreds of calls we field every day.
  18. Good domain hygiene: Oops!
  19. Other Tips and Tricks
      1. Don’t let a supplier register your domains
      2. Select the right Registrant and Administrative Contacts
      3. Avoid free email services
      4. Password selection and storage
      5. Use security tools provided by your Registrar
      6. Whitelist the domain names for your service providers (e.g. GoDaddy)
      These sound simple, they are important, and they cause problems to somebody every single day.
  20. BEST PRACTICES FOR THE DNS (the Achilles heel of the Internet)
  21. What does the DNS mean to an Education IT Administrator?
      DNS: website, email, courses, schedules, accounting, maintenance, e-learning, assignment submissions, conferences, researcher profiles, co-op programs, faculty microsites, satellite campuses
  22. EXTERNAL DNS IS VULNERABLE
      • Failures: equipment, network, power etc.
      • DDoS attacks
          – 10% of all attacks are directed at the DNS
          – DNS resources can be flooded in any type of attack
      • High latency: global lookups, local DNS servers
      Authoritative external DNS infrastructure is vulnerable to failures, attack and performance issues.
  23. DNS IS MISSION CRITICAL
      • During a DNS outage, websites, web applications, and email are down
      • DNS outages result in brand damage and/or lost revenue
          – Losses range from hundreds to millions of dollars per hour
          – Damage to reputation is another cost
      • DNS lookups contribute to website performance
          – 40% of people abandon a website after only 3 seconds
          – Amazon calculated that a 1 second increase in page load time would result in $1.6 billion in lost revenue per year
          – Google calculated that a 400ms delay in returning search results would result in 8 million fewer searches per day
      DNS is a mission critical service that requires 100% uptime and low latency.
  24. STRENGTHEN DNS WITH ANYCAST
      Unicast: traditional DNS deployments
      • Nameservers are implemented on single nodes, each with a unique IP address
      Anycast: adding resiliency to your DNS
      • Nameservers are implemented on multiple geographically distributed nodes that share a single IP address
      • Layer 3 routing sends packets to the geographically nearest nameserver
      • Built-in redundancy, failover and load distribution
      [Diagram: UNICAST / ANYCAST]
  25. CHALLENGES WITH ANYCAST
      Anycast is expensive to set up and operate
      • High capital expense, high operating expense, complex to manage
      • Commercial offerings are available as a service
      • CIRA saw that no commercial organizations were providing a solution for Canada’s Internet
  26. A GLOBAL ANYCAST DNS SERVICE THAT PUTS CANADA AND CANADIAN TRAFFIC FIRST
      • Cloud 1 locations: Miami, FL; Los Angeles, CA; London, UK; Hong Kong, CN; Calgary, AB; Montreal, QC; Toronto, ON; Winnipeg, MB
      • Cloud 2 locations: Vancouver, BC; Montreal, QC; Toronto, ON; Halifax
  27. University Customer Example
      • 1000 Queries Per Minute
      • 40M Queries Per Month
      • 60% Canadian, 20% US, 20% Europe
  28. Summary on Anycast DNS
      • If you aren’t currently using anycast, then it is worth an investigation
      • CIRA delivers an anycast solution called D-Zone that several Canadian universities have added to their infrastructure
      • We are on the show floor and interested in getting every institution in this room on board. It takes less than ten minutes to set up and if it saves one outage, “the service pays for itself many times over”
  29. In summary
      • Follow the tips and tricks to avoid administrative headaches and mitigate the risk of bad actors bringing down your applications or embarrassing your institution
      • Unicast is old. Get an anycast DNS solution to improve the performance, resilience, and DDoS protection for your site
      Protecting your domains and websites requires the consistent application of best practices, like parenting.
  30. D-ZONE Anycast DNS
      • Contact Mark Gaudet or Shawn Beaton for more information on participating in an enterprise trial of D-Zone Anycast DNS.
      Mark Gaudet, Manager, Business Development, Canadian Internet Registration Authority (CIRA). Tel: (613) 237-5335 x 223, Cell: (613)-799-5789
      CIRA is inviting CANHEIT participants to evaluate D-Zone. Sign up today and receive wireless Bluetooth headphones (no commitment).
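
Slides 16 and 17 describe Registry Lock and recommend a domain name audit and timely renewal. The following is an added example, not part of the original deck and not CIRA code, that runs such an audit over RDAP-style domain records. It assumes the registry publishes the lock as the three RFC 8056 "server ... prohibited" statuses; the domain names, records, `warn_days` threshold and fixed date are constructed for illustration.

```python
from datetime import datetime, timezone

# RDAP status values (RFC 8056). Assumption: the registry exposes Registry Lock
# as all three "server ..." statuses; "client ..." ones are set by the registrar.
REGISTRY_LOCK = {"server update prohibited", "server transfer prohibited",
                 "server delete prohibited"}
REGISTRAR_LOCK = {s.replace("server", "client") for s in REGISTRY_LOCK}

def lock_level(record):
    status = {s.lower() for s in record.get("status", [])}
    if REGISTRY_LOCK <= status:
        return "registry-lock"
    return "registrar-lock-only" if REGISTRAR_LOCK <= status else "unlocked"

def days_to_expiry(record, now):
    for ev in record.get("events", []):
        if ev.get("eventAction") == "expiration":
            exp = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
            return (exp - now).days
    return None  # no expiry date published

def audit(records, now, warn_days=60):
    """Return {domain: [issues]}; an empty list means nothing to fix."""
    report = {}
    for rec in records:
        level, left = lock_level(rec), days_to_expiry(rec, now)
        issues = [] if level == "registry-lock" else [f"no registry lock ({level})"]
        if left is None:
            issues.append("expiry date unknown")
        elif left < 0:
            issues.append(f"expired {-left} days ago")
        elif left <= warn_days:
            issues.append(f"expires in {left} days")
        report[rec["ldhName"]] = issues
    return report

def _rec(name, status, expires):  # builds a constructed RDAP-style record
    return {"ldhName": name, "status": status,
            "events": [{"eventAction": "expiration", "eventDate": expires}]}

# Constructed sample portfolio (not real registry data).
SAMPLE = [
    _rec("www-campus.example", sorted(REGISTRY_LOCK | REGISTRAR_LOCK), "2026-06-01T00:00:00Z"),
    _rec("research.example", sorted(REGISTRAR_LOCK), "2025-02-10T00:00:00Z"),
    _rec("alumni.example", ["active"], "2024-12-31T00:00:00Z"),
]
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed "today" for repeatable output

if __name__ == "__main__":
    for name, issues in audit(SAMPLE, NOW).items():
        print(f"{name}: {'; '.join(issues) or 'OK'}")
```

A domain that carries only registrar-set ("client") statuses is reported separately from an unlocked one, because those statuses can be changed at the registrar, which is where the social-engineering hijack on slide 11 takes place.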