Net coverage

ICANN 46 Starts This Week In Beijing - Remote Participation Is Possible

CircleID posts - Sat, 2013-04-06 18:27

The 46th meeting of the Internet Corporation for Assigned Names and Numbers (ICANN) takes place this week in Beijing, China, and will bring together leaders from all over the world to discuss and debate a wide range of issues related to domain names and the surrounding industry. One can expect that the new gTLDs, a topic frequently discussed here on CircleID, will naturally consume a great amount of the discussion at ICANN 46. The main site for the event can be found at:

http://beijing46.icann.org/

and the full schedule of events can be found at:

http://beijing46.icann.org/full-schedule

A great aspect of ICANN meetings is that most of the meetings have some mechanism for you to view the meeting remotely. If you go into any of the sessions on the schedule, you will see remote participation links — often for both high and low bandwidth connections. In my experience, many sessions are also recorded for later viewing.

Do keep in mind that all times are local to Beijing, which is UTC+8, and may not work with your viewing schedule. For instance, there is a 12-hour difference from the eastern US where I live, and as a result a session that starts Monday at 9am will be starting Sunday night at 9pm for people in the eastern US.

In the midst of all the more business-focused discussions around domain names and governance questions, there are also some excellent technical tracks. I will be in Beijing specifically for the excellent DNSSEC Workshop and related sessions, as well as attending the IPv6 workshop.

I'm looking forward to the ICANN 46 event — if you will be there, too, please do feel free to say hello. You can pretty much expect to find me in any sessions related to DNS security.

P.S. If you are interested in the views of my employer, the Internet Society, on the events happening at ICANN 46, a few of my colleagues prepared the "Internet Society's Rough Guide to ICANN 46's Hot Topics" that outlines what the organization will be watching and participating in over the next week.

Written by Dan York, Author and Speaker on Internet technologies

More under: DNS, DNS Security, ICANN, Internet Governance, Top-Level Domains

Categories: Net coverage

Networks Announcing IPv6 Over Time: A Short Update

CircleID posts - Fri, 2013-04-05 13:29

We regularly check the status of IPv6 deployment in the RIPE NCC service region, and in other service regions as well. One way to measure IPv6 deployment is to look at the percentage of networks announcing IPv6 prefixes and follow the developments over time.

The RIPE NCC's IPv6-ASN graph shows the percentage of networks that announce one or more IPv6 prefixes in the global routing system. Having an IPv6 prefix visible in the global routing system is a required step for a network to actually start exchanging IPv6 traffic with other networks. The interactive graph allows you to specify the countries or service regions you are interested in, which can make for some interesting comparisons.

The graph below shows the percentage of networks announcing IPv6 prefixes in each Regional Internet Registry's (RIR) service region over the last few years.

It is interesting to see that the percentage of networks announcing IPv6 address space in the APNIC and the RIPE NCC service regions continues to increase steadily. Both of these RIRs have reached IPv4 exhaustion (in 2011 and 2012 respectively) and are currently allocating from their last /8 block of addresses.

It is also encouraging to see that the percentage of IPv6-enabled networks in the ARIN service region, which is projected to be the third RIR to reach its last /8 of IPv4 addresses, is also increasing. On the other hand, the percentage of IPv6-enabled networks in the Lacnic and the AFRINIC service regions appears to have stopped growing. For the Lacnic service region this number even fell a little over the last few months. Despite the absolute number of IPv6 announcing networks growing from 388 to 399 since the beginning of 2013, this growth was outpaced by the total growth of networks in the service region that are visible in the global routing system, which resulted in a total percentage decrease from 15.5% to 15.0% for this period. Even though this might not be a surprise, it's reassuring to see that in regions where IPv4 exhaustion has occurred, there is a steady growth in the percentage of networks announcing IPv6 address space.

If you find other interesting comparisons between countries or regions, please comment below! You can find more information and statistics on RIPE Labs.

Note that this article is based on work done by Emile Aben, System Architect at the RIPE NCC.

Written by Mirjam Kuehne

More under: IP Addressing, IPv6

Categories: Net coverage

Ignore The Chicken Littles: Let's Give New Web Domains a Try

CircleID posts - Fri, 2013-04-05 13:07

As part of the new domain initiative launched by the Internet Corporation for Assigned Names and Numbers, established businesses and speculators have filed applications for a wide range of top-level domains — from .amazon to .garden. While some applications would make new web domains open to any qualified applicants, others propose a "single registrant" model that would allow only one company to use the new top-level domain.

Before the experiment has gotten off the ground, some critics have expressed concern about applications to operate domains referring to a "generic" product or service, like .car, .book, or .app. News reports indicate that Microsoft and other Google competitors have filed complaints about Google's applications, while authors' organizations have raised questions about some of Amazon's applications. These complaints assert that giving these applicants the right to operate these new domains would provide an unfair competitive advantage.

ICANN shouldn't worry, however. The sky isn't falling.

Granting Google, Amazon or any other company "single registrant" gTLDs does not threaten the competitive online ecosystem.

First, the "competitive advantage" (or value) any company can achieve from these gTLDs is uncertain. Previous TLD offerings like ".biz," ".mobi," or ".info" failed to draw large numbers of websites despite extensive promotional efforts. In fact, repurposed country code TLDs — including .ly (Libya), .me (Montenegro) and .co (Colombia) — earned their popularity unexpectedly.

To put a finer point on it — most alternative domains have flopped. Because of the highly uncertain value of new gTLDs, many of the concerns levied against bidding companies like Google and Amazon, which have applied to manage dozens of gTLDs, are completely speculative. Companies are bidding because they think there might be opportunities in new domains — but history suggests they will have an uphill battle. There is no evidence to suggest a genuine likelihood of harm to Internet users or the online ecosystem.

Second, the existence of alternative web domains will not disturb the fundamental openness of the Internet. Amazon's use of the .book domain to market the latest bestsellers would in no way block any other bookseller from using a different domain to do the same. In fact, the use of .book does not seem to provide a company any kind of competitive advantage against its business rivals.

Despite linguistic confusion, there is no relation between an exclusive right to a domain and a "monopoly" over a specific economic market. Users can easily navigate to any site based on its quality, whatever its domain name. Sites that grow popular do so because of how well they meet their users' needs, not because of their domain name.

Moreover, users today often rely on search engines to get where they want to go, rather than typing URLs out. There is even a term for such searches: "navigational searches." Terms relating to Facebook including "Facebook.com" or "Facebook login," for example, represented 5.62% of all searches conducted online in the United States, according to the information analytics firm Experian. If Facebook is on .com, .facebook, or .socialnetwork, people will be able to find it.

Finally, many of the worries about Google's control over certain gTLDs have already been addressed. Google changed its applications for the .search, .app, .blog, and .cloud gTLDs so that the domains would be open to qualified sites, not just Google products. Others of its applications, including .map and .fly, were already drafted to be open for qualified sites. This means that if MapQuest wants to use mapquest.map, Wordpress wants to use wordpress.blog, or Yahoo! wants to operate yahoo.search, all will be free to do so.

Google's competitors also contend that Google has the incentive to tweak its search algorithm to favor any site on a Google domain. Google has already pledged not to do this. Further, Google has little financial incentive to make its results less relevant to users, because some users would switch to other search engines.

If ICANN's experiment is successful, it has the potential to generate tremendous value for companies and offer users a better online experience. Existing companies will be able to develop domains centered on their brands to draw more customers and enhance their business performance. Operators crafting new business models for these domains may also improve how users interact on the web. As ICANN's At Large Advisory Committee observed, "there may be innovative business models that might allow a closed TLD to be in the public interest."

While the benefits remain uncertain, the harms are clearly exaggerated and should find a home at a new domain called .premature.

Written by Marvin Ammori, Fellow at the New America Foundation, Lawyer at The Ammori Group

More under: Domain Names, ICANN, Internet Governance, Policy & Regulation, Top-Level Domains

Categories: Net coverage

Just How Big is China's Cable and TV market?

CircleID posts - Fri, 2013-04-05 01:35

The numbers are big. Official figures quoted at the recent 21st annual China Content and Broadcasting Network (CCBN) conference indicate that China has 400 million TV households, of which 210 million subscribe to cable TV (CATV). Of these cable subscribers, 140 million receive digital service while the rest are still on analog systems. This means that the country's CATV network is still largely a one-way network, limiting the growth of on-demand and interactive services. Compared to broadband offered by the dominant telecom operators — China Telecom and China Unicom — the country's CATV high-speed Internet service is tiny at a mere 5.64 million subscribers in total.

Theoretically, China's unique CATV industry is organized in a four-layer hierarchical structure. First, there's the nationwide network. Secondly, each of the country's thirty-odd provinces runs its own CATV network. Then each municipality owns a cable network, and finally, each county below the municipality level runs its own network. In reality, this structure is not always so fixed, as some government levels merely perform administrative functions while others actually own a physical network of services. Even so, there are still thousands of CATV operators in China and almost all of them are owned or partly owned by some level of government.

The country is currently undergoing a major effort to consolidate CATV networks. The first step is to consolidate all networks up to the provincial level, so that each province will run a connected cable network by merging and unifying the networks within its provincial territory. The aim of this is to provide a foundation of operational scale and reach. Leading the effort is the State Administration of Radio, Film, and Television (SARFT), the government regulator that sets state policies and regulations for these industries. Each CATV operator is owned by the respective administrative branch of SARFT, so in essence, the regulator is the operator.

This consolidation is part of China's Next Generation Broadband (NGB) initiative. It involves an upgrade of the country's CATV systems to two-way transmission and the deployment of a distributed conditional access system to deliver high-definition TV, 3D TV, Ultra HDTV, and multimedia. The NGB will enable China to move towards an all-digital, all-IP world. By the end of this year, the aim is to turn 50% of all networks above the municipal level into all digital and IP services, and by 2015, for 80% of all networks to feature two-way services. China's CATV industry is also expected to grow from the current 28 high-definition channels and one 3D channel to at least 100 HD channels and 10 3D channels by 2015.

There is still a proliferation of Ethernet over cable (EoC) but DOCSIS has gained ground recently through what is known as "C-DOCSIS". This localized version of DOCSIS architecture pushes the traditional CMTS further to the edge of a Converged Media Converter (CMC) to deliver bandwidth to some 300 homes more cost-effectively than a CMTS.

All in all, the country is gearing up for delivering the 4As: anywhere, anytime, any device, and any content. Multi-screen access to content is a priority. Although the market is big, it can be confusing for equipment vendors and revenues can be elusive. Layers of bureaucracies, shifting priorities and timelines, and intricate distribution channels have contributed to market inefficiencies that hinder the growth of this industry. Cable in China is caught between the need to provide a commercial service and adhere to its function as a governmental branch that has to carry out state goals and priorities.

Written by Will Yan, Senior VP, Worldwide Sales at Incognito Software

More under: Broadband, IPTV

Categories: Net coverage

Hints and Solution for the Protection of Wine Geographical Indications in the ICANN New gTLD Program

CircleID posts - Wed, 2013-04-03 21:51

This article is a copy of a letter sent today, 3 of April 2013, to the attention of Mr Fadi Chehadé, CEO of ICANN and other members of the ICANN board. Protecting wine Geographical Indications in the new gTLD program is a problem. This letter is also an article providing hints for the protection of Wine Geographical Indications in the ICANN new gTLD program.

* * *

Dear Mr Fadi Chehadé, CEO of ICANN,

As a person involved - since 2008 - in the wine domain names that have just been introduced by the ICANN new gTLD program, I have been very happy to point out that there were 4 new gTLD applications posted on Reveal Day, June the 13th 2012: 3 applications for the .wine Top-Level Domain (in English) and one for .vin (in French).

Even if these applications are standard ones, it shows there is definitely a Wine community on the Internet.

Project dotVinum was set-up to open the discussion, inform about, promote wine domain name extensions to the public in multiple languages (.wine, .vino and .vin) and launch wine Registries. The aim of the project remains what it always has been: offer wine domain names, protect the wine industry and users publishing wine related content on their web site, protect brands and wine Geographical Indications.

A few things the board, the Independent Objector and the ICANN Ombudsman should remember prior to reading more about this article:

  • The OIV (International Organisation of Vine and Wine) posted 4 public comments regarding Geographical indication in the wine sector as well as many other organizations: 38 public comments for .WINE and 9 for .VIN;
  • In November 2013 a GAC early Warning was issued by the French Government on .VIN regarding the implementation of an objection procedure to safeguard the protection of geographical indications;
  • A GAC Early Warning was also issued by The Government of Luxembourg for .VIN;
  • On March 12, the President of the European Federation of Origin Wines sent a letter to the ICANN board with the subject: "ICANN initiatives for the attribution of new generic top-level Internet domains - PDO and PGI wines' concerns";
  • Today, 3 of April 2013, I send ICANN this letter.

1) Geographical Indications and Appellations of Origin are easy to protect: stick to the official databases

Wine is specific regarding the question of protection because protecting the wine community is not only a matter of protecting brands and Country and Territory Names as specified in "Specification 5" from the Applicant Guidebook. Avoiding a third party to register a "monbazillac.wine", a "toro.wine", a "champagne.wine", a "cachi.wine", or a "bentoncounty.wine" is also a matter of protecting a culture: the culture of Wine.

Part of this culture was given names: "Geographical Indications (GIs)" and "Appellations of Origin (AO)".

Following ICANN's rules and sticking to Specification 5 of the new gTLD applicant guidebook "only" is far from enough to protect the wine Industry: I am happy that a domain name like california.wine is protected in multiple languages — thanks to this specification — but what about napavalley.wine (USA), valedosvinhedos.wine (BRAZIL) and...champagne.wine (FRANCE)?

There is NO strong mechanism offered to protect GIs and AOs in the Applicant Guidebook or in any of the four proposed wine applications. This is not acceptable.

The Trademark Clearinghouse and the Sunrise Periods offer a possibility to participate for interested parties who want to register a domain name, but what about the rest of all members of the wine Communities who do not know, who do not use domain names, who do not want to participate but want to be protected?

Sunrise periods are open during a certain period of time but this is not enough for an entire industry to know it can register a domain name. This is not a protection mechanism… It is just an option.

The only solution left then for all this "wine population" who could not participate, who did not want to participate, who could not afford to participate or who forgot to participate will be to recover its infringed domain names and infringed Wine GIs through a URS procedure? Again, this is not acceptable.

Geographical Indications and Appellations of Origin official Databases DO exist. There are 2 official databases worldwide which list them:

  1. The database of the OIV (Organisation Internationale de la Vigne et du Vin) which is composed of 44 member states.
  2. The database of the European Commission, also called E-BACCHUS which consists of the Register of designations of origin and geographical indications protected in the EU in accordance with Council Regulation (EC). The database also lists non-EU countries' geographical indications and names of origin protected in the EU in accordance with bilateral agreements on trade in wine concluded between the EU and the non-EU countries' concerned.

Another complete and up-to-date database of French wine GIs only is available at the French INAO.

2) How to allow any listed institution or competent authority representing a wine GI to have access to its corresponding domain name?

Not only should Geographical Indications and Appellations of Origin Registrants be allowed to register their domain name ANYTIME THEY WANT, however long the Sunrise or Landrush Periods are, but they should also be allowed to recover their domain name anytime they want to when another Registry (such as .HORSE for example) allows another Registrant to register a conflicting domain name.

SPECIFICATION 5 of the New gTLD applicant guidebook offers the best solution to block and reserve names at the second level to protect Wine Geographical Indications. The E-BACCHUS database has a list of 3013 Geographical Indications (see figures) which should be blocked for Registration and then allowed to be unlocked on request by the corresponding representative of a wine Geographical Indication.
Each blocked name should include its plural version(s) with and without hyphen when they exist.

ICANN should also include a mechanism to:

  1. Request authority on a domain name if the Registrant can demonstrate he represents a wine Geographical Indication.
  2. Revoke the domain name if no answer was given by the actual Registrant in a certain period of time (20 days for example). If Registrant cannot demonstrate he truly represents a wine GI, then a procedure should be offered at the ICANN or Registry level.

Standard or Community?
All wine new gTLD applications that have been submitted are Standard ones. This was expected but:

  • There are strong institutions in the Wine industry worldwide which could have endorsed these as Community applications;
  • There are recognized International wine organizations: the OIV is one of them.

The question here is not to understand why none of them is represented in any WINE application, the real question here is why ICANN has offered any commercial organization to apply for a .wine Top-Level Domain without the consent of, at least, one recognized wine institution?

The final question regarding .WINE applications is not to say whether ICANN offered a correct way to apply through its multiple versions of its applicant guidebook, the final question here is how to ensure that wine Registrants, AOs and GIs are offered a way to register their domain name without having to face what comes after: cybersquatting and domaining? These factors have been a reality for the past 25 years: check bordeaux.pro as a matter of example.

Being allowed to acquire the highly profitable monopoly to own a registry license may seem easy according to the ICANN Applicant Guidebook but "wine" or "vin" are not just letters added one to the other: they represent people, companies, culture, knowledge, data: they are not the same as giving the monopoly to a .XYZ which will be "open to all". Not to forget that the winning applicant is then granted to be the only one to allow selling wine domain names worldwide! Once the winning application is delegated, there is no way back: there is no possibility to change the rules.

WINE applications submitted to ICANN

I checked all .WINE applications and they all follow the ICANN rules offered in the "Applicant Guidebook", but none goes far enough into protecting the wine Community. For the subject of Wine, it does not matter whether they are "Standard" applications or "Community" ones:

  • No applicant offers a protection mechanism to protect wines with a protected designation of origin (PDO). Let us take an example: anybody will be able to register morava.wine (Czech Republic);
  • Based on this example, the solutions offered by applicants put this "strictly wine" domain name in danger because if "Morava" is a Trademark in another country, it legitimates its owner to acquire the domain name BEFORE the Czech Protected Designation of Origin during the Sunrise Periods! This is a serious issue for the protection of the wine Community;
  • I do not see any protection mechanism for a word like "Champagne". Yes, Champagne is a wine… In the French region of Champagne, there is an institution called "Le Comité interprofessionnel du vin de Champagne". It defines itself as "the trade organisation established by statute to administer the common interests of everyone within the Champagne industry". I myself see no other candidate for a domain name like champagne.wine or champagne.vin, even champagnes.wine but according to the operating rules described in wine new gTLD applications, I understand that anyone could ask for "champagne.wine". Champagne is an example here; there are many similar wine institutions of this kind worldwide.
  • Premium (and Protected) domain names are used in most applications. They allow offering a domain name at a specific price which can then be auctioned if it receives a competing bid. It is unclear whether a word like "Champagne" (or any other "wine word" representing a geographical indication, appellation of origin, or institution) could be made available for sale during an auction. This is a serious issue for the wine Community. Since Premium domain names are allowed, the minimum would be to list them so wine Geographical Indications are not part of them!

Dear members of the board, the ICANN new gTLD program is not ready but there is still time to protect the wine community. Once you have launched, it is the entire Wine industry which will be exposed to infringements: Geographical Indications can benefit from a good protection only if they are protected at the source in the list of reserved names from the Specification 5 of your applicant guidebook.

NB: I am sorry for any mistakes in this letter, English is not my native language.

Written by Jean Guillon, New generic Top-Level Domain specialist

More under: Domain Names, ICANN, Internet Governance, Policy & Regulation, Top-Level Domains

Categories: Net coverage

Open DNS Resolvers - Coming to an IP Address Near You!

CircleID posts - Wed, 2013-04-03 00:43

Three vectors were exploited in the recent DDoS attack against Spamhaus:

1) Amplification of DNS queries through the use of DNSSEC signed data

2) Spoofed source addresses due to lack of ingress filtering (BCP-38) on originating networks

3) Utilisation of multiple open DNS resolvers

While 1) is unavoidable simply due to the additional data that DNSSEC produces, and 2) "should" be practised as part of any provider's network configuration, it is 3) that requires that "you and I" ensure that systems are adequately configured.

The fact is open DNS resolvers are nothing new and the open resolver project is tracking approximately 27 million open DNS resolvers. What I find interesting is that their database can be queried for an IP range to see how many open resolvers are listed.

Out of curiosity, I entered the /24 prefix that my personal IP address resides on, 81.174.169.0/24. This range belongs to Plusnet, a popular ISP located within the UK. I was quite surprised that a list of 9 IP addresses came back; I wasn't really expecting any, and fortunately, none of them were mine!

Out of further curiosity, I started using dig to fire off a DNS query for "www.bbc.co.uk" to each of the IPs. Most of them timed out, but as I worked down the list, sure enough, one of them returned an answer. I ran a port scan but couldn't detect any well known open ports other than DNS. So within a few minutes, I had found an open resolver being run on an IP address within the same /24 as my own. This ISP has hundreds of thousands, if not millions of customers, so if extrapolated, there could be thousands of open resolvers present via this one ISP. (Having said that, this list of open resolvers vs AS numbers only lists 7 open resolvers against Plusnet, so maybe I was just (un)lucky...) I would like to think my ISP has implemented BCP-38, but what if they haven't? And how many other ISPs out there haven't?

I have no idea whether CPE routers are providing this open resolver capability or whether people are genuinely running a poorly configured DNS server. The Measurement Factory perform regular surveys for open resolvers and network providers can get them to email a list of open resolvers. They have a useful page here.

I guess it's unfair to place the blame solely at sysadmins when the default setting for BIND up until 9.4 was to allow queries from anyone, and I am sure there are many *nix/*BSD distros that shipped with BIND versions <9.4 (RHEL 5 anyone?) — although you could argue "Why haven't they upgraded?" as we are talking pretty old code here. No, I think more culpable are the network operators who route spoofed traffic out from their network; it is inexcusable that they have not implemented BCP-38 (also known as RFC2827).

However, looking at that list of open resolvers vs ASNs again, the top offender is Brazil, followed by a big block in Asia-Pac, HINET is Taiwan, then Chile, Korea etc. To go to each of these providers, figure out which local networks are the offenders, and communicate all this in a meaningful, constructive way to the end customers, well, it's a gargantuan task!

Unfortunately I do not see a simple solution to this problem, and I fear that with the publicity the Spamhaus attack generated, we will ultimately see more of these kinds of attacks.

If you are curious like me, why not check your local ISP range and see if you can find any open resolvers? You never know what you might find! I'll buy a pint for the person who can find the most… at a date/time/location of my choosing… provided it's in the UK… in the South somewhere… near Reading or Basingstoke! ;-)

Written by Paul Roberts, CEO, Calleva Networks

More under: Cyberattack, DDoS, DNS, DNS Security, Security

Categories: Net coverage
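
For operators who want to run the same check the post does with dig against a resolver they operate, here is an added example (not part of the original post) that builds a recursive query and classifies the reply from its header flags. The function names, verdict strings and constructed reply packets are assumptions of this example; `probe` is meant to be run from outside the network the resolver is supposed to serve.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
REFUSED = 5  # RCODE a locked-down resolver returns to outsiders


def build_query(name, txid=0x1234, qtype=1):
    """Build a recursive (RD=1) query for `name`; qtype 1 is an A record."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def classify_response(query, response):
    """Decide from the reply header whether the server recursed for us."""
    if response is None:
        return "timeout"
    if len(response) < 12:
        return "malformed"
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        return "malformed"
    rcode = flags & 0x000F
    if rcode == REFUSED:
        return "refused"            # recursion denied to this client
    if not flags & RA:
        return "no-recursion"       # e.g. an authoritative-only server
    if rcode == 0 and ancount > 0 and not flags & AA:
        return "open"               # it resolved a name it does not host
    return "recursion-advertised"   # RA set, but this reply proves nothing


def probe(server_ip, name, timeout=2.0):
    """Send one query over UDP to a resolver you operate and classify it."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server_ip, 53))
            response, _ = sock.recvfrom(4096)
        except OSError:             # includes socket.timeout
            response = None
    return classify_response(query, response)


def fake_response(query, flags, answers=0):
    """Constructed reply for offline testing: echoes the question section."""
    # One A record pointing at the question name (compression pointer 0xc00c).
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    header = query[:2] + struct.pack("!HHHHH", flags, 1, answers, 0, 0)
    return header + query[12:] + rr * answers


if __name__ == "__main__":
    q = build_query("www.example.com")
    samples = {
        "answers anyone": fake_response(q, QR | RD | RA, answers=1),
        "locked down": fake_response(q, QR | RD | RA | REFUSED),
        "authoritative only": fake_response(q, QR | RD),
        "silent": None,
    }
    for label, reply in samples.items():
        print(f"{label:20s} -> {classify_response(q, reply)}")
```

A verdict of "open" from an address outside your customer ranges means the resolver will answer for anyone, which is the condition the post describes.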

Don't Blame Open Recursives For DDoS Attacks and Why You Should Implement BCP38

CircleID posts - Wed, 2013-04-03 00:00

There has been plenty of buzz and chatter on the Internet recently concerning a very large DDoS attack against CloudFlare, with coverage on their blog, the New York Times, and the BBC, among many others.

While attacks of this nature are certainly nothing new, the scale of this attack was surprising, reported to hit 120Gbps. For a sense of scale, your average cable modem is only about 20Mbps, or about 0.016% of that bandwidth.

So how does one generate an attack of that size? The technique that appears to have been used is called DNS Amplification. The attacker will typically use a network of infected hosts, known as a botnet, to send DNS queries to servers, faking the source address to be that of their target. When the servers reply to these queries, they send the reply to that false address.

Since the response packet is bigger than the query packet, the DNS server is helping out in the attack by increasing the amount of bandwidth being used. This is not a new technique, and has been around since at least the late 1990s.

What has changed is how effective this attack is, mostly due to the introduction of DNSSEC records. For example, a DNS query for isc.org/ANY with DNSSEC is only 78 bytes, but the reply is 3,586 bytes — so big it gets fragmented and spread across three packets. This makes it very easy to use a little bit of bandwidth to make a huge attack, and since your compromised hosts don't need to send out a lot of data, it's less likely they'll be detected and shut down.

Open Recursives Are Not the (Only) Problem

A lot of these attacks make use of recursive resolvers to perform this amplification. These are the servers that are typically run by your ISP or by services such as Dyn's Internet Guide, OpenDNS, or Google's Public DNS.

The intent is that the end user queries these servers, which take care of finding the answer, caching it, and returning it to the user. In the case of an ISP's resolvers, these are usually locked down so only the ISP's customers can use them. It has long been considered a security risk to operate a resolver that will respond to just anyone (an "open" resolver) without taking special care to consider the consequences.

There has been a lot of renewed interest in finding and shutting down unintentional open resolvers, through things like the Open DNS Resolver Project. This is a good thing, but it only addresses part of the problem. These attacks do not need to use open resolvers; they can use the authoritative servers directly to do their amplification. The authoritative servers are the systems that ultimately serve the answers in DNS.

These are the sorts of systems operated by DynECT Managed DNS and Standard DNS. And since these servers must be open in order to function, it's much more difficult to secure them against abuse and the attackers are using them.

Dyn observed this activity back in December 2011, and it has only gotten worse since then. Other authoritative operators have seen the same behavior, typically DNS queries for "ANY" records on zones that have been DNSSEC signed. We have our own in-house tools for mitigating these attacks, but there has been public work to counter the problem, such as the Response Rate Limiting patches to the BIND nameserver software.

But these are really only temporary fixes in an arms race between DNS operators and the people who want to abuse their systems.

The Real Problem and its Solution

At its core, the problem that enables these attacks to work is source address spoofing. This is when a packet is sent from a computer using a source address that isn't actually on that computer, but instead belongs to some other system — usually not even on the same network, such as a home PC on a cable modem, sending traffic that appears to be from a popular website. This has been seen as a security problem for a long time, and yet there are still plenty of networks that allow it to happen.

The solution has also been around for a while, known as BCP38. This document, part of a series of Best Common Practices, describes a very simple concept of not allowing packets to pass through a router from hosts that shouldn't be sending from those addresses. It was published nearly 13 years ago, and is often brought up in tech circles as a solution to a number of problems, but there is still a lack of implementation on the Internet at large.

It boils down to very simple logic, described in section 4:

IF packet's source address from within [its assigned space]
THEN forward as appropriate

IF packet's source address is anything else
THEN deny packet
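
The rule quoted above, worked through as an added Python example (it is not from the original article or from BCP38 itself): an edge router's ingress check applied per customer-facing interface. The interface names, prefixes and packets are assumptions, constructed from documentation address ranges.

```python
import ipaddress
from collections import Counter

# Constructed example data: customer-facing interfaces and the prefixes
# assigned to the networks behind them (documentation ranges only).
ASSIGNED = {
    "cust-a": ["192.0.2.0/24", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/25"],
}

# Constructed packets as (ingress interface, source address, destination).
PACKETS = [
    ("cust-a", "192.0.2.10", "203.0.113.53"),         # own address
    ("cust-a", "203.0.113.80", "203.0.113.53"),       # someone else's address
    ("cust-b", "198.51.100.5", "203.0.113.53"),       # own address
    ("cust-b", "198.51.100.200", "203.0.113.53"),     # outside the assigned /25
    ("cust-a", "2001:db8:a::1", "2001:db8:ffff::53"), # own IPv6 address
    ("cust-b", "192.0.2.10", "203.0.113.53"),         # cust-a's space on cust-b's port
    ("cust-c", "192.0.2.10", "203.0.113.53"),         # interface with no assignment
]


def build_table(assigned):
    """Parse the prefix strings once so per-packet checks stay cheap."""
    return {
        iface: [ipaddress.ip_network(p) for p in prefixes]
        for iface, prefixes in assigned.items()
    }


def ingress_decision(table, iface, src):
    """Apply the BCP38 rule to one packet arriving on `iface`.

    Returns "forward" when the source address lies inside a prefix assigned
    to that interface and "deny" otherwise. Unknown interfaces and
    unparseable addresses are denied (fail closed).
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "deny"
    for net in table.get(iface, []):
        if addr.version == net.version and addr in net:
            return "forward"
    return "deny"


def filter_packets(table, packets):
    """Split packets into those forwarded and a per-interface deny count.

    The deny counter is what an operator would watch: a customer port that
    keeps hitting it is emitting spoofed traffic.
    """
    forwarded, denied = [], Counter()
    for iface, src, dst in packets:
        if ingress_decision(table, iface, src) == "forward":
            forwarded.append((iface, src, dst))
        else:
            denied[iface] += 1
    return forwarded, denied


if __name__ == "__main__":
    table = build_table(ASSIGNED)
    forwarded, denied = filter_packets(table, PACKETS)
    for pkt in forwarded:
        print("forward", pkt)
    for iface, count in sorted(denied.items()):
        print("deny", iface, count)
```

With this check at the customer edge, a DNS query carrying a victim's address as its source never reaches a resolver or authoritative server, so there is nothing to amplify.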

There has been a renewed effort recently to push the adoption of this practice, boosted by the recent DDoS attack on CloudFlare, with new websites such as BCP38.info popping up and a lot of discussion in public forums. This is something that really needs to be done for the security of the Internet as a whole.

So, if you're a network operator, please consider implementing BCP38. If you're buying internet service, ask your provider about BCP38. The rest of the Internet will thank you.

Written by Chip Marshall, Network and Security Analyst

More under: Cyberattack, DDoS, DNS, DNS Security, Security

Categories: Net coverage

NCUC Workshop: One World, One Internet? New gTLDs & Competition in a Changing Global Environment

CircleID news briefs - Tue, 2013-04-02 23:12

The Noncommercial Users Constituency (NCUC) has organized and is holding a policy workshop, One World, One Internet? New gTLDs & Competition in a Changing Global Environment, next week in Beijing at ICANN-46. The program, which brings together top Western and Chinese experts, will explore pressures for integration versus fragmentation of the Internet and implications for ICANN, as well as different competition and regulation perspectives as they relate to new gTLDs.

Panelists include:

Tarek Kamel, Senior Advisor to President for Governmental Engagement, ICANN
Markus Kummer, Vice President of Public Policy, The Internet Society
William J. Drake, NCUC, and International Fellow and Lecturer, University of Zurich
Yongge Sun, Director, The Internet Society of China
He Baohong, MIIT China Academy of Telecommunication Research
Leonid Todorov, Deputy Director for Government and International Relations, Russian Registry for TLDs

When & Where:

The workshop will be held on Wednesday April 10, 2013 from 13:00 to 15:00 (Beijing time) in Function Room 8AB of the Beijing International Hotel. The workshop is open to everyone and is free to attend. However, for planning purposes, it is requested that you please register. Interpretation and remote participation facilities will be provided by ICANN; more details are available on ICANN's website.

More details on the workshop are provided by NCUC.

More under: ICANN, Internet Governance, Policy & Regulation, Top-Level Domains

Categories: Net coverage

What Is the Potential Business Impact of New gTLDs On Existing TLDs?

CircleID posts - Tue, 2013-04-02 16:46

How will the business of existing top-level domains (TLDs) be impacted by the new gTLDs? Someone asked me this simple question and I was very surprised to see that my online searches couldn't easily find many detailed articles or research related to that point. I found a great number of articles about the potential impact of new gTLDs on regular businesses/brands and any number of articles about how great the new gTLDs will be for companies in the domain name industry, but found surprisingly little research or analysis into how the new gTLDs would impact the business of existing TLDs. I found a few examples of analysis at a ccTLD level (such as a report from NIC.AT), but not much looking at the domain name industry overall. Maybe I was just using the wrong search terms, but my searches yielded little with any detailed view.

So I ask you all here… what research or analysis is out there on this topic? Any suggestions and links left in the comments would be greatly appreciated. Thanks.

Written by Dan York, Author and Speaker on Internet technologies

More under: Domain Names, Top-Level Domains

Categories: Net coverage

Observations in and Around the UN Broadband Commission

CircleID posts - Tue, 2013-04-02 06:57

Towards gender equality

The 7th meeting of the UN Broadband Commission in Mexico City was again a good combination of announcements about new plans, results of previously undertaken activities, and views on the future of broadband. Very noticeable was the enthusiasm and acknowledgement of the impact of ICT, and of broadband in particular.

In September 2012 the Commission launched its working group on gender equality. Research undertaken by the various members of the workgroup provided somewhat similar results:

  • Globally there is a 21% gender gap in relation to access to mobile phones, although in South-East Asia this gap is 37%.
  • 40% of women in developing economies find a job due to ownership of a mobile phone.
  • The global gap for internet access is 25%, while in the sub-Saharan countries this is 45%.
  • There are most likely thousands of gender equality pilots. Of these pilots, those that are now delivering results need to move on to the implementation stage.
  • Only 29% of the 119 national broadband plans around the world include policies for gender equality.
  • Empowering young people to adopt ICT will give them the ability to teach their parents, and the reverse of this will also apply.

A full half-day of the two-day meeting of the Commission was dedicated to gender equality in broadband. The following day the full Commission endorsed the goal set by the working group calling for global equality in broadband access by 2020. Women are key in household and community development, and gender equality will add between US$13 and US$18 billion to economic GDP (Intel, 2013).

7th Broadband Commission for Digital Development Meeting – Mexico City, Mexico, 16-17 March 2013. Photo: ITU

The Commission also specifically mentioned that gender equality should not be, or become, a separate single issue. It is not another 'ism'. It should automatically be included in all aspects of ICT, broadband and policies in general. At the moment, technology is not gender-neutral.

An unexpected good news story came from Iraq. In 2011 only 20% of women in that country had access to a mobile phone. Thanks to a new mobile package specifically designed for women by mobile operator Asiacell (part of the Qtel Group) 40% of Asiacell's subscriber base are now women, and an additional 1.8 million of them will have access to a mobile phone by the end of 2014. The package specifically addresses the cultural aspects of womanhood in an Arab country — for example, female sales assistants, access to an all-female call centre, blocking of calls and SMS from certain people — and the way women use mobile — e.g., reduced tariffs for longer calls. It is to be hoped that the ideas and success of this initiative will spread.

The issue of violence against women was highlighted. Worldwide there are most likely hundreds of millions of women who suffer abuse, and this was highlighted with shocking examples from the Syrian refugee camps in Jordan, where girls as young as 12 years will be forced to sell themselves in order to survive. Radio and TV programs are used by the Jordanian government to try and empower these girls, but ICT, and mobile phones in particular, can be used to break through this cycle of abuse.

One million ICT-empowered community workers

In January 2013 the One Million Community Workers program, aimed at providing one million smartphones to community workers — predominantly in the sub-Saharan countries, which have the largest group of least developed countries in the world — was officially launched and adopted by the African Union. Nine countries have already signed up to the program, with another six in the pipeline and more to follow. Both the smartphone vendor community and the mobile operators — MTN in particular — have given their support to this program. This is critical as rural mobile coverage will have to be extended in these countries and low-cost smartphones need to be made available (Huawei announced that by the end of the year there will be a US$50 smartphone).

In relation to healthcare, the UN Foundation (UNF) mentioned that there is a huge shift in providing healthcare rather than bringing people to it. Through m-health, healthcare will increasingly be delivered to the people. The UNF recently also launched a report on standards and interoperability in e-health.

New projects of the Commission

New projects that received support from the Commission included:

A commitment to promote digital accessibility for the one billion people with disabilities worldwide, similar to the gender equality goal stimulating the development of policies that will lead to equality in relation to ICT access. Between 30%-50% of people with disabilities do not have access to the internet. In all developing economies, people with disabilities, together with older-aged people, form by far the largest unconnected segment.

Youssou N'Dour – New Africa

Commissioner Youssou N'Dour, the famous African musician and Minister of Tourism of Senegal, received support for his project 'New Africa 2014'. I would like to recommend this very moving video clip to you. His aim is to encourage the use of ICT and broadband by the youth of Africa, through his music. Several Commissioners will attend and speak at his concert in Dakar, Nigeria.

The Commission also launched a new Task Force on the post-2015 development agenda and the future Sustainable Development Goals (SDGs) — or as some prefer to call them Continuous Development Goals. The initiative aims to leverage the huge installed base of mobile handsets to bring new services to communities globally, particularly in the world's poorest countries. ITU's m-Powering Initiative seeks to act as a catalyst to achieve sustainability, harnessing the power of state-of-the-art ICTs and smart solutions to meet new Sustainable Development Goals.

The Commission's working group on Youth will lead a Global Youth Summit on technology issues, to be held in Costa Rica in November at the invitation of President Laura Chinchilla. Interesting research presented at the meeting by Alcatel-Lucent indicated that in countries with high youth unemployment (Spain, Bangladesh, India, Ghana) 30% of young people indicated a willingness to become an entrepreneur by using their mobile phone and ICT skills.

As young people are quickly becoming tech-savvy it is critical to launch 'train-the-trainer' projects — train community workers, etc. The recently announced educational reforms in Mexico are a good example of a positive direction, as they include a much larger role for ICT in education.

The future of broadband

Last but not least, the future…

While promoting the development of national broadband access and affordability policies continues to be the key goal for the Commission, the focus is starting to shift towards 'broadband as a catalyst for social and economic transformation'. According to Ericsson, 6.5 billion people will be connected to the internet by 2018, and by that time 95% of the global population will have access to mobile technology, with the majority having access to a smartphone.

Several Commissioners were very pleased that access is well and truly underway in many developing countries, and noted that policy development now needs to encompass the demand side (services and applications). While progress has been made in bridging the digital divide, there is now a growing policy gap. This exists particularly in relation to government policies towards the development of e-health, e-education, e-government and e-commerce. There is increased awareness among governments and politicians that their citizens have a right to information, but the problem is that most of that information is not yet available. There is an urgent need to ensure that the supply side in relation to the broadband revolution is addressed as well.

This was demonstrated by an example from India, where the government is presented with one million questions per day. A reply often takes 90 days or more, and, depending upon who answers it, the same question can supply different answers. Imagine the costs that can be taken out of the economy if e-government was widely available.

To illustrate the transformative impact of broadband, Ericsson reports that villages in the Amazon that have a mobile base station saw their GDP increase by 300%. This is done through a completely private project known as Amazon Connect.

On the other hand, the American government has calculated that not being connected to the internet creates an extra cost to the economy of $70,000 per year per family. Internet access allows families and the government to remove costs from their social and economic expenditure.

Another interesting observation is that there has been much faster growth in technology than there has been in the generation of government policies. Governments need to be made aware of the rapidly increasing gap between technology and policy. While this is an international problem — western governments are also struggling with such policies — the gap is growing most quickly in the least developed economies, and the Commission is committed to placing its full network of Commissioners behind the notion of assisting these countries in policy development. The key here is to lower the costs and give these countries complete solutions.

Written by Paul Budde, Managing Director of Paul Budde Communication

More under: Access Providers, Broadband, Mobile, Telecom

Categories: Net coverage

INET Denver: IPv4 Exhaustion and the Path to IPv6

CircleID news briefs - Mon, 2013-04-01 21:45

INET Denver is April 17, 2013 — register today to reserve your spot!

You won't want to miss this unique opportunity to join IPv6 networking professionals from across North America, who will attend to learn the latest on IPv4 exhaustion and how to transition to IPv6. The INET Denver agenda will bring together top experts in the networking field to discuss the latest on IPv4 exhaustion in our market, and the TCO of IPv6.

The line up of speakers includes industry experts like:

John Curran, President & CEO, ARIN
Owen DeLong, IPv6 Evangelist, Hurricane Electric
Lee Howard, Director of Network Technology, Time Warner Cable
Dr. Patrick Ryan, Public Policy & Government Relations Counsel, Google

When:

April 17, 2013
Registration: 12:00 - 1:00 PM
INET Denver: 1:00 - 6:00 PM
Refreshments: 6:00 - 7:30 PM

Where:

Grand Hyatt Denver
1750 Welton Street
Denver, CO 80202

Additional Details:

http://www.internetsociety.org/events/inet-denver

Registration:

http://www.internetsociety.org/form/inet

The INET Denver will co-locate with the 2013 North American IPv6 Summit. Take part in this unique opportunity to learn from top experts in the networking field discussing the latest on IPv4 exhaustion in our market and the TCO of IPv6.

Don't delay and register today!

More under: IP Addressing, IPv6

Categories: Net coverage

Second Round of Initial Evaluations for New gTLDs

CircleID news briefs - Mon, 2013-04-01 20:31

Mary Iqbal writes to report that ICANN has released the second round of Initial Evaluation Results on March 29. ICANN is currently reviewing new gTLD applications at a rate of 30 applications per week and has plans to increase that to 100 per week. ICANN is targeting completing Initial Evaluation for all applicants by August 2013. To learn more, visit www.GetNewTLDs.com/news.

More under: ICANN, Top-Level Domains

Categories: Net coverage

ICANN Announces Blocking Usage Review Panel

CircleID posts - Mon, 2013-04-01 17:52

Culminating a year-long policy development process, ICANN today launched its new Blocking Usage Review Panel (BURP). The BURP provides long-needed oversight over services that block Internet traffic.

"While everyone understands that national laws such as the U.S. CAN SPAM define what traffic is or is not eligible to block, legal processes can be slow and cumbersome," said a spokeswoman. "Since the Internet is global and traffic often traverses multiple countries, the array of different laws causes uncertainty."

The BURP is designed to be quick and easy. No signup process is needed, since everyone who sends traffic to or from the Internet is covered automatically. When a complaint is filed, an evaluation panel is selected with a member from each constituency:

  • IP based blocklists including Spamhaus, UCEPROTECT, SORBS, and Spamcop
  • Major brand advertisers including Kraft, the AARP, and Vistaprint
  • Public interest groups such as the Electronic Frontier Foundation, Free Software Foundation, and Stophaus

The BURP panel will meet and promptly produce its decision, typically in no more than six to ten weeks. During that time, to prevent inadvertent damage, any blocking will be suspended.

"While it is possible that a small amount of spam or malware might slip through during the decision period, we're confident that the increased transparency far outweighs any minor inconvenience," noted ICANN.

Spamhaus president Steve Linford, contacted at their temporary headquarters in space subleased from Google in Chapel Hill NC commented:

"Spamhaus welcomes this increased level of detailed oversight. We expect the BURP to increase confidence among major stakeholders including marketers, the press, and developers of installable software."

ICANN disclosed that they have hired a well known specialist in e-mail marketing, who recently completed a multi-year assignment.

"We are fortunate to have been able to retain Mr. Alan Ralsky to oversee the new BURP. His broad industry experience uniquely qualifies him for the role," said ICANN, "and the timing couldn't be better."

Written by John Levine, Author, Consultant & Speaker

More under: ICANN

Categories: Net coverage

U.S. CERT Issues Alert on DNS Amplification Attacks

CircleID news briefs - Sun, 2013-03-31 19:22

Neil Schwartzman writes to report that U.S. CERT issued Alert TA13-088A on Friday, March 29, 2013. "It is a solid how-to guide to test for, and remediate DNS configurations that can be used for Distributed Denial of Service attacks."

From the Alert: "While the attacks are difficult to prevent, network operators can implement several possible mitigation strategies. The primary element in the attack that is the focus of an effective long-term solution is the detection and elimination of open recursive DNS resolvers. These systems are typically legitimate DNS servers that have been improperly configured to respond to recursive queries on behalf of any system, rather than restricting recursive responses only to requests from local or authorized clients. By identifying these systems, an organization or network operator can reduce the number of potential resources that the attacker can employ in an attack."

More under: Cyberattack, DDoS, DNS, DNS Security, Security

Categories: Net coverage

A Closer Look at Recent Submarine Cable Failures

CircleID news briefs - Sat, 2013-03-30 05:29

In light of the recent submarine cable failures, Doug Madory from Renesys has a detailed report on what has happened to some of the providers in four countries along the route of the cable: Egypt, Saudi Arabia, Pakistan and India.

Madory writes: "It has been a rough few weeks for the global Internet, given numerous submarine cable failures and the largest DDOS attack ever reported. While we're hard-pressed to find evidence of the purported global Internet slowdown due to the DDOS attack, the dramatic impacts of yesterday's SMW4 submarine cable cut were profound. Recent reports that the cable break was the result of sabotage, makes the incident even more intriguing."

Read the full report here.

More under: Access Providers, Broadband

Categories: Net coverage
