IANA 2.0: Ensuring ICANN Accountability and Transparency for the Future

Keith Drazek | Jun 25, 2014

The National Telecommunications and Information Administration’s (NTIA) March 14, 2014, announcement proposing the transition of its legacy Internet Assigned Numbers Authority (IANA) stewardship role has presented the Internet Corporation for Assigned Names and Numbers (ICANN) multi-stakeholder community equal amounts of opportunity and responsibility. We have been handed a singular opportunity to define the terms of any stewardship transition and the fundamental responsibility to get it right.

Getting it right means ensuring, through a bottom-up, multi-stakeholder process, the reform of ICANN’s accountability structures to protect the community and the multi-stakeholder model prior to NTIA’s disengagement from its oversight and stewardship role. It also means acting quickly and efficiently so our window of opportunity is not missed.

At ICANN’s 50th meeting taking place in London this week, some have suggested that there are “elements” or “forces” among us who oppose the IANA stewardship transition and that calls for accountability reform are tantamount to delay tactics. I have found the opposite to be true. There is significant community support for NTIA’s announcement. There is significant support for NTIA’s four key principles. There is universal support for initiating a bottom-up, multi-stakeholder process to develop a recommended transition plan for NTIA’s consideration. The community also recognizes our limited time to get the work done and the need to propose concrete and implementable enhancements. And, perhaps most importantly, there’s a rapidly growing and strong consensus that ICANN’s accountability reform is a key dependency for any successful IANA stewardship.

On March 24, 2014, at the 49th ICANN meeting in Singapore, Verisign’s Pat Kane, senior vice president of Naming and Directory Services, made the following statements in support of the NTIA announcement, accountability and the multi-stakeholder process:

  • Verisign recognizes that it is probably the right time to transition the IANA functions and stewardship of those functions away from the United States government.
  • Verisign further recognizes that the ICANN community is ready to begin the conversation and its multi-stakeholder, bottom-up structures have matured and will be the means by which a proposed solution for the transition is developed for continued operations of the IANA functions.
  • We support ICANN as the convener of this process as we find solutions for the clerical, authorizing, and technical operations of IANA which are all tied to accountability to the community.
  • The accountability regime that replaces the NTIA's stewardship should ensure enforceable and auditable transparency and accountability mechanisms. The DNS community and the global business and user communities deserve no less as such mechanisms are critical to the functioning of an open and secure Internet for everyone.
  • We look forward to contributing to the process and the proposed solution.

Those comments were made almost exactly three months ago. To eliminate any uncertainty around Verisign’s position on the issues of IANA Stewardship Transition and ICANN Accountability, I will take this opportunity to dispel any question or misinformation and reaffirm our views:

  • Verisign supports NTIA’s March 14, 2014, announcement;
  • Verisign supports NTIA’s four key principles;
  • Verisign supports the bottom-up, multi-stakeholder process now under way;
  • Verisign supports the target date of September 2015 for transition;
  • PROVIDED the multi-stakeholder community recommendations for ICANN’s accountability reform are accepted by NTIA before the final transition and sufficiently implemented by ICANN subject to measurable deliverables.

The Evolving Threat of Amplification DDoS Attacks

Sean Leach | Jun 12, 2014

If there is one trend in the cybersecurity world over the last 12-18 months that cannot be ignored, it is the increasing prevalence and destructive power of amplification-based distributed denial of service (DDoS) attacks.

An amplification attack is a two-part DDoS attack that generally uses the User Datagram Protocol (UDP). An attacker first sends a large number of small requests to unsuspecting third-party servers on the Internet. The attacker crafts these requests to result in large responses, but they are otherwise normal except that their source addresses are rewritten (spoofed) so they appear to have come from the victim instead of the attacker. When all the third-party servers send their large responses to the victim, the resulting amount of traffic is much more than the attacker could have generated alone. These attacks often overwhelm the resources of the victim, as attacks in the hundreds of Gbps are possible using this method.

Two protocols heavily targeted for this technique over the last few months have been the domain name system (DNS) protocol and the network time protocol (NTP). For example, certain DNS queries sent to an authoritative DNS server will result in responses with a 10-20x amplification factor (e.g., a 40-byte DNS question can result in a 400-byte or greater response). Attackers can either generate the attack traffic themselves or use a botnet of compromised PCs to hide their footprints, but in either case they take advantage of a huge number of "open" DNS servers on the Internet that will respond to any request sent to them. This is a relatively easy technique that has proven successful in launching very large-scale attacks (i.e., several hundred Gbps in size).

NTP is commonly used to synchronize electronic clocks so computers around the world all agree on the time. This is critical to the functioning of electronic commerce. NTP relies on UDP just like DNS does, and it is vulnerable to similar attacks. One particularly damaging NTP attack uses the MONLIST command, which is found in older NTP servers. MONLIST returns the last 600 clients that an NTP server has talked to, which results in responses with an amplification factor of 10-200x from just a single NTP server. Attacks that combine thousands of NTP servers can do incredible damage while using very little of the attacker's resources.

In the first quarter of this year, Verisign DDoS Protection Services saw an 83 percent jump in average attack size over Q4 2013, which was primarily attributed to NTP-based attacks. While DNS amplification was the most common vector in 2013 and continues to be seen, the NTP attack type is the largest attack vector seen this year. We mitigated multiple amplification attacks, commonly ranging from 50 to 75 Gbps, for our customers. Directly related to the popularity of amplification attacks was the sharp decline in more complex application-layer attacks. With so many vulnerable NTP servers and reflection vectors readily available on the Internet, attackers were able to cause maximum disruption with minimum effort on their part, ditching smarter layer-7 attacks in favor of volume-based amplification attacks (read Verisign’s Q1 2014 DDoS Trends Report for more information).
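From the defender's side, the traffic shape described above is recognizable at the victim: many large UDP replies from DNS (port 53) or NTP (port 123) service ports, from many distinct sources, all converging on one destination. The following is an added example, not code from the original post; it runs that check over constructed flow records, and the flow format, thresholds and sample addresses are assumptions.

```python
from collections import defaultdict

REFLECTOR_PORTS = {53: "dns", 123: "ntp"}  # UDP services the post names as reflectors

# Constructed sample flow records (not real traffic): proto src:port -> dst:port bytes
SAMPLE_FLOWS = """\
udp 198.51.100.10:53 -> 203.0.113.5:41000 3900
udp 198.51.100.11:53 -> 203.0.113.5:41000 4100
udp 198.51.100.12:53 -> 203.0.113.5:41000 3700
udp 198.51.100.20:123 -> 203.0.113.5:41000 44000
udp 198.51.100.21:123 -> 203.0.113.5:41000 46000
udp 192.0.2.7:53 -> 203.0.113.9:50001 120
tcp 192.0.2.8:443 -> 203.0.113.5:52010 900
"""

def parse_flows(text):
    """Parse the constructed flow format into dicts, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "->":
            continue
        src_ip, src_port = parts[1].rsplit(":", 1)
        dst_ip, _ = parts[3].rsplit(":", 1)
        flows.append({"proto": parts[0], "src_ip": src_ip, "src_port": int(src_port),
                      "dst_ip": dst_ip, "bytes": int(parts[4])})
    return flows

def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor: bytes a reflector sends per byte it received."""
    return response_bytes / request_bytes

def find_reflection_victims(flows, min_sources=2, min_avg_bytes=1000):
    """Flag destinations receiving large UDP responses from many distinct
    reflector-port sources: the traffic shape of an amplification attack."""
    stats = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] not in REFLECTOR_PORTS:
            continue  # only UDP replies from DNS/NTP service ports matter here
        s = stats[(f["dst_ip"], REFLECTOR_PORTS[f["src_port"]])]
        s["sources"].add(f["src_ip"])
        s["bytes"] += f["bytes"]
        s["packets"] += 1
    alerts = {}
    for (dst, service), s in stats.items():
        avg = s["bytes"] / s["packets"]
        if len(s["sources"]) >= min_sources and avg >= min_avg_bytes:
            alerts[(dst, service)] = {"sources": len(s["sources"]), "avg_bytes": avg}
    return alerts
```

On the sample data only 203.0.113.5 is flagged, for both DNS and NTP; the lone small DNS reply to 203.0.113.9 stays below both thresholds, and the TCP flow is ignored.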


Verisign Named to the OTA’s 2014 Online Trust Honor Roll

Blog Moderator | Jun 11, 2014

We are pleased to announce that Verisign has made the 2014 Online Trust Honor Roll for demonstrating exceptional data protection, privacy and security in an effort to better protect our customers and brand from the increased threats of cybercriminals.

The Online Trust Alliance (OTA), a nonprofit organization that works collaboratively with industry leaders to enhance online trust, completed comprehensive evaluations of more than 800 sites and mobile applications by analyzing companies’ data protection, security and privacy practices, including over two-dozen criteria. In total, approximately 10,000 webpages and more than 500 million emails were reviewed.

In addition to the in-depth analysis of the recipients’ websites, domain name systems (DNS), outbound emails, and public records were also analyzed for recent data breach incidents and Federal Trade Commission (FTC) settlements. Key sectors audited include the Internet Retailer 500, FDIC 100, top 50 news, social media and government sites, as well as OTA members.

Thirty percent of the companies reviewed made the Honor Roll, with 22 percent making it consecutively for the last two years, including Verisign. To review the full 2014 Online Trust Honor Roll report, download a free copy at: 2014 Online Trust Honor Roll.

Your .com Is Waiting

Blog Moderator | Jun 06, 2014

Thinking of growing your business online? Look no further than .com. It is the most universally recognized domain name extension and the gold standard in domain names, which is why 97 percent of the top 100 brands and 93 percent of Fortune Global 100 companies house their company websites on .com.

With more than 113 million .com domain names registered globally, you may have been misinformed that .com is full. Let’s take a look at the facts, based on an analysis of .com domain name registrations in 2013:

  • 36 million times a day, a .com domain availability check is successful
  • Even after decades of continuing growth, there are still millions upon millions of .coms available
  • Over 95 percent of five-character .com combinations are available
  • More than 99 percent of six-character .com combinations are available

Introducing the Verisign Quarterly DDoS Trends Report

Sean Leach | Jun 05, 2014

Today, I am very pleased to announce that Verisign is making its inaugural quarterly distributed denial of service (DDoS) trends report available. As the registry for .com and .net and a leading DDoS protection services provider, we have a unique view into online attack trends that enables us to collect attack statistics and behavioral trends that help inform the future outlook for Internet cyber security.

In our observations, working with customers and industry partners, we have seen DDoS attacks continue to grow in size and frequency over the last few years. Further, attackers have expanded their reach from traditionally enterprise and nation-state targets to include companies of all types and sizes. As attackers evolve their sophisticated techniques and attack vectors, companies that don’t have the major bandwidth or expertise to combat these attacks are at a major disadvantage.

To help raise awareness of the growing threat of DDoS attacks, Verisign has aggregated data derived from mitigations enacted on behalf of, and in cooperation with, the Verisign DDoS Protection Services global customer base from Jan. 1 – March 31, 2014 in its inaugural Q1 2014 DDoS Trends Report. Below are some highlights of what we saw:

  • Verisign saw an 83-percent increase in average attack size over the previous quarter (Q4 2013) and an approximate 6-percent increase over the same quarter last year (Q1 2013).
  • Attackers launched massive amplification attacks using Network Time Protocol (NTP) reflector and DNS amplification techniques against customer targets and infrastructure providers. The most common volumetric attack size ranged from 50-75 gigabits per second (Gbps). Many of these large-scale NTP attacks were targeted at major banks and financial services companies.
  • Approximately 30 percent of attacks against Verisign clients were targeted specifically at the application layer (the SSL layer in particular), requiring Verisign to employ advanced mitigation techniques.
  • Attackers are targeting a much broader set of vertical industries than just the financial services sector. Media and entertainment represented the most frequently attacked vertical in Q1 with a 33-percent increase as compared to 2013, followed by the IT Services/Cloud/SaaS sector.