
ICANN Meetings in Wellington, New Zealand

SSAC Public Meeting

Tuesday, 28 March 2006

Note: The following is the output of the real-time captioning taken during the SSAC Public Meeting held on 28 March 2006 in Wellington, New Zealand. Although the captioning output is largely accurate, in some cases it is incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.

SSAC PUBLIC MEETING
TUESDAY, MARCH 28, 2006
9:30 A.M.

>>STEVE CROCKER: GOOD MORNING, EVERYBODY.
MY NAME IS STEVE CROCKER.
I'M THE CHAIR OF THE ICANN SECURITY AND STABILITY ADVISORY COMMITTEE.
WELCOME TO THE PUBLIC MEETING.
WE HAVE BEEN MAKING A PRACTICE FOR THE PAST FEW SESSIONS TO BRING THE WORK OF THE COMMITTEE INTO THE PUBLIC FORUM AND PRESENT THE CURRENT WORK THAT WE'VE BEEN DOING.
WE HAVE TWO PRESENTATIONS AFTER A VERY BRIEF INTRO, AND I APPRECIATE EVERYBODY COMING AT THIS EARLY HOUR.
WE'LL TAKE QUESTIONS AFTER EACH PRESENTATION, AS TIME IS AVAILABLE.
WE'RE CONSTRAINED TO FIT EXACTLY WITHIN THE HOUR HERE BECAUSE IMMEDIATELY FOLLOWING THIS SESSION IS A TWO-HOUR SESSION ON DOMAIN NAME SYSTEM SECURITY, WHICH INVOLVES MANY OF THE SAME PEOPLE, BUT IN A SOMEWHAT DIFFERENT SETTING.
THE AGENDA FOR TODAY IS, AS I SAID, A BRIEF INTRO BY ME.
WE WILL HAVE A PRESENTATION ON ALTERNATIVE TLD NAME SYSTEMS AND ROOTS, DAVE PISCITELLO, THE ICANN FELLOW, SITTING TO MY RIGHT, WILL DO THIS.
WE HAD SCHEDULED A PRESENTATION ON AMPLIFIED DDOS DENIAL OF SERVICE ATTACKS BY RODNEY JOFFE.
HE'S UNAVOIDABLY DETAINED.
WE'VE BEEN SCRAMBLING A LITTLE BIT TO HAVE THAT PRESENTATION, WHICH IS PREPARED AND WILL BE VERY INTERESTING.
I THINK DESPITE WHAT IT SAYS ON THIS SLIDE, DAVE WILL ALSO MAKE THAT PRESENTATION.
BRIEFLY, JUST TO REVIEW OUR COMMITTEE, WE PROVIDE SECURITY AND STABILITY EXPERTISE.
WE PROVIDE ADVICE TO -- IN A NUMBER OF DIRECTIONS, CERTAINLY TO THE BOARD AND TO THE STAFF.
ALSO TO THE SUPPORTING ORGANIZATIONS, AND, MOST IMPORTANTLY, WE THINK, TO THE COMMUNITY AT LARGE.
SO THAT IS, IN A SENSE, WE ARE SOMEWHAT INDEPENDENT AND SPEAK NOT SO MUCH OFFICIALLY FOR ICANN, BUT WITHIN THE ICANN ORBIT, IF YOU WILL.
ANOTHER VERY IMPORTANT ASPECT OF OUR OPERATION IS THAT WE ARE AN ADVISORY BODY.
WE'RE NOT A REGULATORY OR LEGISLATIVE OR ENFORCEMENT BODY OF ANY KIND.
THAT GIVES US A CONSIDERABLE LATITUDE TO SPEAK OUR MINDS, AND IT GIVES EVERYBODY ELSE CONSIDERABLE LATITUDE TO IGNORE US.
HERE'S THE LIST OF THE PEOPLE CURRENTLY ON THE COMMITTEE, A FAIRLY DISTINGUISHED CROWD, I WOULD SAY.
A FEATURE OF OUR GROUP OF PEOPLE IS THAT THEY'RE NOT ALL DRAWN FROM THE HARD-CORE ICANN COMMUNITY, IF YOU WILL.
WE HAVE PEOPLE FROM THE REGISTRAR COMMUNITY AND THE REGISTRY COMMUNITY, TO BE SURE.
WE ALSO HAVE PEOPLE FROM THE SECURITY RESEARCH COMMUNITY, FROM THE NETWORK OPERATORS COMMUNITY, FROM THE ADDRESS COMMUNITY.
AND ONE OF THE CONSEQUENCES IS THAT ONLY A SMALL FRACTION OF THE COMMITTEE WILL TEND TO SHOW UP AT AN ICANN MEETING, PER SE.
TODAY, WE HAVE THE PRIVILEGE OF HAVING, ON MY RIGHT, FAR RIGHT, RAM MOHAN, FROM AFILIAS; DAVE PISCITELLO, WHO'S THE ICANN FELLOW; I'M STEVE CROCKER; THIS IS BRUCE TONKIN, FROM MELBOURNE IT; SUZANNE WOOLF FROM INTERNET SYSTEMS CONSORTIUM.
AND HIDING OUT ON THE FAR END THERE IS RAY PLZAK, FROM THE -- FROM ARIN, WHO SERVES ALSO AS THE VICE CHAIR OF OUR COMMITTEE.
MARK FELDMAN ON MY STAFF IS SITTING AROUND ON THE RIGHT, QUEUED UP TO DO SOME MAGIC IN THE NEXT SESSION.
IN ADDITION TO THE FORMAL MEMBERS OF THE COMMITTEE, WE HAVE SOME LIAISONS, INVITED GUESTS, DAVE, AS I MENTIONED, IS THE ICANN FELLOW.
THAT MEANS THAT WE BURDEN HIM WITH A GREAT DEAL OF THE WRITING WORK.
JIM GALVIN SERVES AS AN EXEC OFFICER, DOES QUITE A BIT OF THE AGENDA AND ORGANIZATIONAL WORK FOR US.
DANIEL KARRENBERG, STEFANO TRUMPY, LIAISON FROM THE GAC, AND PATRIK FALTSTROM FROM THE INTERNET ARCHITECTURE BOARD.
I'VE BEEN NOTIFIED THAT HIS TERM IS OVER, AND IN SHORT ORDER, WE WILL BE MAKING SOME CHANGES THERE.
BUT AS OF THIS MOMENT, HE HAS BEEN A VERY VALUED MEMBER OF THE -- OF OUR TEAM ON BEHALF OF THE IAB.
THAT IS THE END OF MY INTRO HERE.
AND NOW WHAT I WANT TO DO IS QUEUE UP THE -- I'M SORRY.
THAT'S NOT THE ONE I WANTED TO DO.
I APOLOGIZE.
I WANT TO DO THE OTHER ONE FIRST.
AND IN ORDER TO DO THAT -- WHERE IS THE -- IT'S HERE.
APOLOGIES FOR JUST A SECOND HERE.
FILE OPEN.
WE WILL HAVE THIS MOMENTARILY, AND WE WILL DO NO NAME, PRESUMABLY.
THERE WE GO.
ACTUALLY, JUST THAT.
YOU TALK.
I'LL -- HERE, TAKE THE --

>>DAVE PISCITELLO: GOOD MORNING.
SO SSAC HAS BEEN LOOKING AT ALTERNATIVE TOP-LEVEL DOMAIN NAME SYSTEM OPERATORS AND ROOT SERVICE OPERATORS FOR SOME TIME.
AND WE HAVE -- ONE OF THE THINGS WE'VE TRIED TO DO IS UNDERSTAND THE FULL BREADTH OF THE SPACE OF PEOPLE WHO ARE INVOLVED IN PROVIDING ALTERNATIVES TO REGISTRIES THAT HAVE AGREEMENTS WITH ICANN AND THE AUTHORITATIVE ROOT NAME SERVICE.
IT'S A FAIRLY BROAD SPACE, AND ONE OF THE GOALS OF THE SSAC WAS TO ATTEMPT TO PROVIDE SOME SORT OF CLASSIFICATION TO HELP PEOPLE UNDERSTAND NOT ONLY WHO WAS OFFERING SUCH SERVICES, BUT WHAT THE MOTIVATIONS WERE.
SO OVER A PERIOD OF SEVERAL MONTHS, WE SCANNED THE INTERNET, LOOKED FOR, YOU KNOW, SERVICE PROVIDERS, LOOKED FOR REGISTRY OPERATORS, AND TRIED TO UNDERSTAND THEIR MODEL, DOWNLOAD THEIR ZONE FILE, LOOK AT HOW THEIR SERVICE WORKED, WHAT KIND OF ADDITIONAL SOFTWARE THEY MAY HAVE NEEDED.
AND, YOU KNOW, THEN TRIED TO GET A GOOD SENSE OF, IF ALL THESE PLAYERS WERE IN THIS SAME SPACE, IF THEY WERE ALL PRESENT ALONGSIDE THE AUTHORITATIVE ROOT AND ALONGSIDE THE REGISTRIES THAT HAVE AGREEMENTS WITH ICANN, WHAT WOULD THE WORLD LOOK LIKE?
SO JUST TO BEGIN WITH A LITTLE BIT OF TERMINOLOGY THAT WE USE IN OUR REPORT, WHICH SHOULD BE ISSUED AND AVAILABLE AT THE ICANN WEB SITE EITHER LATER THIS WEEK OR THE BEGINNING OF NEXT, WHEN I TALK ABOUT ALTERNATIVE TLD NAME SYSTEM OPERATORS, I'M REALLY SPEAKING ABOUT ORGANIZATIONS THAT ARE ESSENTIALLY REGISTRIES.
THEY HAVE NAMES THAT ARE REGISTERED IN TOP-LEVEL DOMAIN LABELS THAT THEY CREATE THAT ARE OUTSIDE THE DELEGATION PROCESS SANCTIONED BY ICANN.
WHEN I SPEAK OF ALTERNATIVE ROOT SERVICE OPERATORS, THESE ARE ORGANIZATIONS THAT, YOU KNOW, OPERATE ROOT SERVICES, RESOLVE TLD LABELS OUTSIDE THE AUTHORITATIVE ROOT.
AND THEN WHEN I TALK ABOUT ROOT ZONE AUTHORITIES, I'M TALKING ABOUT ORGANIZATIONS OTHER THAN IANA THAT PUBLISH A ROOT ZONE.
ALL OF THESE, IN SOME PUBLICATIONS OR OTHER, ESPECIALLY IN THE PRESS, ARE KIND OF COLLECTIVELY REFERRED TO AS ALT ROOTS OR ALTERNATIVE ROOTS.
SO OUR CLASSIFICATION HAS FIVE CATEGORIES: PRIVATE, EXPERIMENTAL, COMMERCIAL, PROTEST, AND POLITICALLY MOTIVATED.
WHEN WE TALK OF PRIVATE TLD NAME SYSTEMS, WE'RE REALLY TALKING ABOUT NAME SYSTEMS THAT WORK OR OPERATE WITHIN A CLOSED COMMUNITY.
OFTEN, THEY ARE INTRAORGANIZATIONAL, BUT SOMETIMES THEY SPAN COLLABORATIVE BUSINESS ARRANGEMENTS.
MANY ARE INSTITUTIONAL, QUITE A FEW ARE ENTERPRISE.
WHAT THEY DO IS THEY SUPPORT A NAME SCHEMA THAT HAS A CONTEXT WITHIN THE ORGANIZATION.
SO IF YOU TOOK A COMPANY AND THAT COMPANY CHOSE TO HAVE AN ENTIRELY DIFFERENT NAME SYSTEM WITHIN THEIR ORGANIZATION THAN THE ONE THAT THEY USED UNDER A DOT COM OR A DOT NET OR A DOT ORG PUBLICLY, THAT'S THE KIND OF NAME SCHEMA THAT WE'RE DISCUSSING.
TYPICALLY, THE ORGANIZATIONS THAT RUN THESE ISOLATE THEM FROM THE AUTHORITATIVE DNS.
AND WE CONCLUDED THAT THESE REALLY DO NOT REPRESENT ANY SORT OF THREAT OR ANY SORT OF ISSUE TO HAVING A SINGLE AUTHORITATIVE NAME SYSTEM AND ROOT NAME SERVICE.
THE NEXT ARE EXPERIMENTAL TLD NAME SYSTEMS.
THESE, AGAIN, OPERATE WITHIN A CLOSED COMMUNITY, AND THEY OFTEN SUPPORT A NAME SCHEMA AND SERVICE FOR RESEARCH AND EXPERIMENTAL -- EXPERIMENTATION.
NEXT-GENERATION INTERNET PROTOCOL TEST BEDS, INTERNATIONAL LANGUAGE AND CHARACTER SET DEVELOPMENT AND TOP-LEVEL DOMAIN LABELS ARE TWO EXAMPLES OF HOW ONE MIGHT DEPLOY AN EXPERIMENTAL ROOT.
THEY'RE NOT BROADLY AVAILABLE, BUT THEY MAY BE RUN ON THE PUBLIC FABRIC SO THAT PEOPLE COULD EXPERIMENT WIDELY WITH THEM AND GET A GOOD SENSE OF HOW THE PARTICULAR TECHNOLOGY THAT THEY ARE EVALUATING OPERATES.
AGAIN, IF THEY'RE PROPERLY DEPLOYED, THEY ARE ISOLATED FROM THE AUTHORITATIVE ROOT AND REPRESENT NO ISSUE.
THE BROADER SPACE THAT WE LOOKED AT INVOLVES COMMERCIAL TLDS NAME SYSTEMS, ROOT NAME SERVICES.
OBVIOUSLY, THEY, LIKE MANY, MANY PEOPLE, BELIEVE THAT RUNNING REGISTRIES, ASSIGNING TLDS IS A POTENTIALLY LUCRATIVE BUSINESS, PROVIDING NAMES TO REGISTRARS UNDERNEATH THE TLDS THAT THEY OPERATE IS A LUCRATIVE BUSINESS.
AND, OFTEN, THEY CRITICIZE ICANN ACCREDITATION PROCESS AS A BUSINESS IMPEDIMENT OR OVERLY CONSTRAINING.
SOME OF THE PHILOSOPHIES UNDER WHICH THESE COMPANIES, QUOTE, BREAK AWAY, UNQUOTE, FROM ICANN'S PROCESS ARE THAT THEY BELIEVE THAT THERE SHOULD BE NO LIMIT ON THE CREATION OF TLDS, AND THEY BELIEVE THAT THE APPROVAL PROCESS SHOULD BE GREATLY SIMPLIFIED. IN MANY CASES, YOU WILL SEE THAT THEY'RE QUOTED AS SAYING IT SHOULD BE NO MORE DIFFICULT TO RUN A REGISTRY THAN IT IS TO APPLY FOR A CORPORATION IN THE UNITED STATES, IN THE STATE OF DELAWARE, FOR EXAMPLE; IN THE UNITED STATES IT'S RELATIVELY EASY TO PAY A FEW HUNDRED DOLLARS AND APPLY FOR WHAT'S CALLED A C CORPORATION.
AND THIS IS THE THRESHOLD THAT A LOT OF THESE COMPANIES BELIEVE IS THE ONLY REQUIRED THRESHOLD FOR OPERATION.
THEY BELIEVE THAT THE MARKET WILL DECIDE HOW MANY TLDS ARE NEEDED, AND THAT CAVEAT EMPTOR APPLIES, SO RATHER THAN WORRYING ABOUT WHETHER OR NOT THEY HAVE A SUSTAINABLE BUSINESS MODEL, THEY SIMPLY SAY, REGISTRANT BEWARE, IF YOU HAVE DOMAIN NAMES IN OUR REGISTRY AND WE GO BUST, YOU'RE JUST GOING TO HAVE TO DEAL WITH THAT.
THE NEXT CATEGORY IS PROTEST NAME SYSTEMS AND ROOT SERVICES.
IN SOME OF THESE, THEY ARE BASICALLY RESTRICTED MEMBERSHIP, OR THEY'RE ESTABLISHED TO FILTER OR CENSOR CONTENT, TO CREATE, PERHAPS, SAFE SPACES FOR PEOPLE WHO HAPPEN TO BE OF A PARTICULAR RELIGION, OF A PARTICULAR POLITICAL ORIENTATION, OR OF A PARTICULAR ACTIVISM.
SOME OF THEM BELIEVE IN DEMOCRATIC TLD LABEL REGISTRATION.
SO THE WAY THAT -- THE WAY THE TOP-LEVEL DOMAIN LABELS ARE SELECTED IS THAT SOMEONE SUBMITS THE NAME, IT GOES TO A PUBLIC VOTE OF ALL THE OTHER MEMBERS OF THE TLD ENVIRONMENT, AND IF EVERYONE VOTES THAT, YES, WE WILL -- WE THINK THIS IS OKAY, THEN IT JUST SIMPLY GETS ADDED TO THE ROOT.
OF MORE INTEREST THAN THE PREVIOUS FOUR ARE POLITICALLY MOTIVATED TLD NAME SYSTEMS AND ROOTS.
NOW, THESE ARE DISTINGUISHED FROM THE PROTEST ROOTS, WHICH ARE SOMETIMES CALLED POLITICAL ROOTS, BY THE FACT THAT THEY ARE -- THEY MAY BE ESTABLISHED BY SOVEREIGN NATIONS OR BY MULTINATIONAL ALLIANCES.
THE PRESS TENDS TO CALL THESE BREAK-AWAY ROOTS.
THE REASONS FOR THESE INITIATIVES INCLUDE INTERNET GOVERNANCE.
SOME PEOPLE WHO ARE CREATING SUCH ROOTS MAY BE UNCOMFORTABLE WITH THE WAY THAT THE DOMAIN NAME ENVIRONMENT IS OPERATED BY ICANN.
SOME OF THEM HAVE A MATTER OF TRUST AND AN ISSUE WITH DEALING WITH THE UNITED STATES DEPARTMENT OF COMMERCE.
SOME OF THEM HAVE AN ISSUE WITH -- OF CONTROL.
THEY DON'T BELIEVE THAT A SOVEREIGN NATION SHOULD BE BEHOLDEN TO A CORPORATION IN THE UNITED STATES, FOR EXAMPLE.
SOME SIMPLY ARGUE THAT THE ONLY WAY THAT THEY'RE GOING TO SEE FAIR ALLOCATION OF COST AND SERVICES IN THEIR REGION OR IN THEIR COUNTRY IS TO TAKE IT OVER THEMSELVES.
AND THEN, OBVIOUSLY, ONE OF THE IMPORTANT TOPICS THAT CREATES ALTERNATIVE TLD NAME SYSTEM STRATEGIES IS THE SUPPORT FOR NATIONAL AND LOCAL CHARACTER SETS, OFTEN REFERRED TO AS IDN, BUT ALSO REFERRED TO AS MULTILINGUALISM.
SOME OF THE ISSUES THAT WE DESCRIBE AFTER WE PROVIDE OUR CLASSIFICATION ARE HOW REGISTRANTS AND HOW THE COMMUNITY AT LARGE WILL DEAL WITH THE ALTERNATIVE OPERATOR AND HOW THE ALTERNATIVE OPERATOR -- OPERATORS THEMSELVES ACTUALLY PERFORM.
SO THE QUESTIONS THAT WE ATTEMPTED TO LOOK AT OR RAISE WERE, HOW DO ALTERNATIVE OPERATORS RESOLVE DISPUTES?
WHAT KIND OF RESOLUTION PROCESSES DO THEY HAVE?
HOW DO THEY DEMONSTRATE ITS SOLVENCY -- THEIR SOLVENCY TO REGISTRANTS?
OBVIOUSLY, THE INVESTMENT IN A DOMAIN NAME TODAY CAN BE A VERY, VERY IMPORTANT ONE FOR ANYONE WHO IS SEEKING A BROAD AND EASILY REACHABLE PRESENCE.
AND SO IT'S NOT JUST BROAD AND EASILY REACHABLE, BUT PERSISTENT.
AND IF YOU CANNOT DEMONSTRATE YOUR SOLVENCY, THERE'S AN ISSUE OF WHAT DO YOU DO IF THAT NAME GOES AWAY.
ANOTHER ISSUE THAT WE DISCOVERED WHEN WE WERE LOOKING AT A NUMBER OF THESE ROOTS IN COMBINATION IS, HOW DO YOU ASSURE UNIQUENESS OF THE TLD LABELS.
THERE ARE, IN FACT, INSTANCES WHERE WE ALREADY HAVE COMPETING ROOTS THAT SUPPORT THE SAME TLD LABEL.
HOW DO YOU ASSURE UNIVERSAL RESOLVABILITY?
BY UNIVERSAL RESOLVABILITY, WHAT I MEAN IS WHEN I GO TO RESOLVE A DOMAIN NAME TO AN I.P. ADDRESS, I WOULD LIKE TO BE CERTAIN THAT THAT DOMAIN NAME WILL ALWAYS RESOLVE TO THE I.P. ADDRESS NO MATTER WHERE YOU ASK IN THE GLOBAL INTERNET.
HOW DO I ASSURE THE AVAILABILITY OF THE ROOT NAME SERVICE?
THERE ARE BILLIONS AND BILLIONS OF DOLLARS INVESTED IN, YOU KNOW, THE INFRASTRUCTURE OF THE INTERNET, AND A FAIR PORTION OF THAT ARE INVESTED IN THE SUPPORT OF ROOT NAME SERVICES.
AND THEY ARE VERY, VERY ROBUST, VERY, VERY HIGHLY AVAILABLE AND REDUNDANT, IN ANY-CASTED ENVIRONMENTS.
ARE THE ALTERNATIVE OPERATORS PREPARED TO CREATE THAT RICH AND ROBUST AN ENVIRONMENT FOR THEIR CUSTOMERS?
HOW DO YOU ENSURE NONINTERFERENCE WITH COMPETING OPERATORS AND HOW DO YOU ENSURE NONINTERFERENCE WITH REGISTRIES OPERATING UNDER AGREEMENTS WITH ICANN IS ANOTHER ISSUE.
THEN, FINALLY, TO WHOM IS THE ALTERNATIVE OPERATOR ACCOUNTABLE?
IF THIS IS A PURELY FOR-PROFIT PLAY, ARE THEY ONLY ACCOUNTABLE TO THE STAKEHOLDERS AND NOT TO THEIR CONSTITUENCIES?
ARE THEY ACCOUNTABLE TO OTHER GOVERNMENTS?
WHO DO THEY ACTUALLY, YOU KNOW, CLAIM TO BE SOVEREIGN OVER?
SO THERE ARE A LOT OF ISSUES IN THIS REGARD.
SOME OF THE OTHER QUESTIONS THAT WE -- THAT WE INVESTIGATE, PARTICULARLY AROUND THE NOTION OF UNIVERSAL SERVICE, ARE, YOU KNOW, WHAT IS THE IMPLICATION OF A POLITICALLY MOTIVATED TLD NAME SYSTEM?
IS IT TO ENHANCE COMMERCIAL AND ECONOMIC INTEREST?
IF THAT IS THE CASE, IS IT TO DO SO AT THE EXPENSE OF OTHER NATIONS?
IS IT TO CONTROL USER BEHAVIOR AND ACCESS TO CONTENT OR AS TO SUBSTITUTE OR CENSOR CONTENT?
IS IT TO REQUIRE THAT, YOU KNOW -- DO ALL THESE SOVEREIGN NATIONS, ONCE THEY PUT AN ALTERNATIVE TLD NAME SYSTEM AND ROOT IN PLACE, REQUIRE THAT THE ISPS IN THEIR NATION USE THAT NAME -- THEIR OWN NAME SERVERS OR THE COUNTRY'S NAME SERVERS?
AND WHAT IMPLICATIONS DOES THAT HAVE, AGAIN, ON UNIVERSAL RESOLVABILITY?
ANOTHER IS, WHO COORDINATES THE CHARACTER SETS FOR GTLDS?
SO, IN PRACTICE, ONE OF THE THINGS THAT WE DISCOVERED BY SENDING PEOPLE OFF WHO ACTUALLY HAD VARIOUS, YOU KNOW, SKILLS AND CAPABILITIES NOT ONLY IN INSTALLING SOFTWARE AND IN EXAMINING THE WAY THAT NAMES WERE RESOLVED WHEN WE USED ALTERNATIVE ROOTS, BUT ALSO WERE MULTILINGUAL THEMSELVES AND COULD GO TO IDN-CAPABLE ROOTS FOR RESOLUTION OF TLDS THAT WERE NOT REPRESENTED IN THE TRADITIONAL LETTER/DIGIT, HYPHEN ASCII SUBSET, IS THAT THE UNIVERSAL RESOLVABILITY IN ALL CASES IS PRETTY MUCH GENERALLY LOST.
THE GENERAL CASE IS THAT A USER CANNOT BE GUARANTEED THAT HE WILL RESOLVE A TLD FROM THE AUTHORITATIVE DNS AND MULTIPLE ALTERNATIVE ROOT OPERATORS.
SO IN MOST DEPLOYMENTS TODAY, IF YOU ARE CONFIGURING YOUR END POINT DEVICE, YOUR COMPUTER AND BROWSER, TO ACCESS ONE ALTERNATIVE TLD, CHANCES ARE YOU WON'T BE ABLE TO ACCESS ANOTHER ALTERNATIVE TLD.
YOU MAY BE ABLE TO ACCESS THE AUTHORITATIVE ROOT PLUS ONE.
BUT IN ALL THE CASES THAT WE ATTEMPTED, YOU WEREN'T ABLE TO ACCESS MULTIPLE COMPETING ROOTS.
AND ONE OF THE REASONS WHY IS BECAUSE THEY ALL NEED YOU TO POINT TO SOME ROOT -- SOME NAME SERVER OR ROOT SERVER THAT CAN RESOLVE THEIR DOMAIN NAMES IN ADDITION TO THE AUTHORITATIVE -- OR THE TLDS IN THE AUTHORITATIVE ROOT.
EITHER RECONFIGURATION OF TCP/IP SETTINGS WAS REQUIRED, OR THE HOSTS FILE HAD TO BE MODIFIED, OR SOME SOFTWARE OR BROWSER HELPER OBJECT OR PLUG-IN TO INTERNET EXPLORER WAS REQUIRED.
AND IF YOU SIT DOWN AND YOU DID KIND OF A PERMUTATION OF HOW YOU ACTUALLY MANAGED TO GET ALL THESE THINGS, YOU WOULD BE REBOOTING QUITE A BIT AND REINSTALLING SOFTWARE AND RELOCATING SERVERS CONSTANTLY.
SO THIS, TO US, IS A FAIRLY SIGNIFICANT PROBLEM.
WE ALSO THOUGHT THAT THERE WERE SOME FAIRLY SIGNIFICANT REGISTRANT ISSUES.
IF YOU ARE A REGISTRANT AND YOU REGISTER A DOMAIN NAME UNDER AN ALTERNATIVE TLD, ONE OF THE THINGS THAT YOU ARE CONCEDING IS THE FACT THAT OVER 972 MILLION END USERS AREN'T FAMILIAR WITH AN ALTERNATIVE TLD.
IT'S NOT A REACH TO SAY THAT A SIGNIFICANT PORTION OF THE USERS IN THE UNITED STATES ARE ONLY FAMILIAR WITH COM, NET, AND ORG.
I THINK GROWING IN OTHER COUNTRIES, THAT SAME -- WHO HAVE THE SAME SORT OF STRUCTURE UNDERNEATH THEIR CCTLD, AS IN CO.UK, YOU'RE GOING TO SEE THE SAME ISSUE.
THEY'RE FAMILIAR WITH THOSE TLDS, THOSE ARE THE ONES THEY KNOW HOW TO RESOLVE.
AND THEY'RE NOT GOING TO GO OUT OF THEIR WAY TO INSTALL CLIENT SOFTWARE TO RESOLVE SOME OTHER NAME.
AND IF YOU THINK ABOUT THE LEVEL OF SOPHISTICATION OF THE VAST NUMBER OF THESE USERS, THEY MAY NOT BE ABLE TO CONFIGURE OR RECOVER FROM A BAD CONFIGURATION.
IN OTHER WORDS, PART OF THE PROBLEM IS THAT IF NO ONE KNOWS YOU EXIST, NO ONE KNOWS THAT YOU HAVE REGISTERED A DOMAIN NAME IN THE TLD, OR EVEN IF THEY KNOW, THEY CAN'T GET TO YOU. ARE YOU, AS A REGISTRANT, CONCEDING A $2 TRILLION E-COMMERCE AND B2B MARKET?
ARE YOU CONCEDING TOURISM AS A NATION TO COMPETITORS WHOSE NAMES ARE RESOLVABLE IN THE AUTHORITATIVE ROOT?
AND LASTLY, IF YOU ARE A FORTUNE 100 COMPANY OR 1000 COMPANY AND YOU ARE TRYING TO PROVIDE GLOBAL MOBILITY AND YOU ARE OFFERING SECURE REMOTE ACCESS, USING VPN TECHNOLOGY, WHETHER IPSEC OR SSL, AND YOU ARE SEEKING TO RESOLVE NAMES, ARE YOU ABSOLUTELY CERTAIN YOU CAN PROVIDE MOBILITY TO YOUR EMPLOYEES NO MATTER WHERE THEY ROAM WHEN YOU'RE USING AN ALTERNATIVE -- OR A NAME FROM AN ALTERNATIVE TLD LABEL?
SO THESE ARE VERY, VERY LONG AND WORDY FINDINGS.
AND I WANT TO SORT OF SUMMARIZE THESE SO THAT I CAN MOVE ON TO THE NEXT PRESENTATION AND QUESTIONS.
WE FIND LITTLE EVIDENCE THAT THE ALTERNATIVE NAME SYSTEMS, ESPECIALLY THE COMMERCIAL ONES, WILL HAVE A FAIRLY SIGNIFICANT MARKET.
IT WAS VERY HARD FOR US TO FIND A LARGE NUMBER OF NAMES UNDERNEATH THE TLDS OF THE ROOT ZONES THAT WE ACTUALLY MANAGED TO ACQUIRE FROM THE OPERATORS.
WE ALSO CONCLUDED THAT USING ALTERNATIVE TLD NAME SYSTEMS MAY CREATE BARRIERS TO REGISTRANTS.
NOW, WE MENTIONED THEM JUST A MOMENT AGO.
THE ONE PLACE WHERE THERE IS A MUCH LARGER POTENTIAL FOR FRAGMENTATION IS WHEN COUNTRIES CHOOSE TO DEPLOY MULTILINGUAL TOP-LEVEL LABELS IN ADVANCE OF A CONSENSUS-BUILT PROCESS THAT CONCLUDES -- THAT CONCLUSIVELY DECIDES HOW INTERNATIONALIZED DOMAIN NAMES ARE INJECTED INTO THE ROOT ZONE FILE.
SO, YOU KNOW, WE REALLY BELIEVE THAT THAT -- THAT TAKING THAT LEAP IS A VERY, VERY DANGEROUS ONE, ESPECIALLY IF THERE'S NO KNOWN OR UNDERSTOOD MIGRATION PATH TO COME BACK INTO THE FOLD, SO TO SPEAK.
AT A TECHNICAL LEVEL, ONE OF THE THINGS THAT WE NOTE IS THAT THERE ARE MULTIPLE WAYS OF INJECTING MULTILINGUALISM INTO THE TOP-LEVEL DOMAINS.
AND ICANN HAS A TIME LINE FOR DOING THIS.
AND WE SUPPORT THAT TIME LINE.
WE ENCOURAGE THE INVESTIGATION AND THE ANALYSIS THROUGH TEST BED AND TECHNICAL EVALUATION OF THE TWO ALTERNATIVES, DNAMES AND IDNA, AT THE TOP LEVEL.
WE ALSO ACKNOWLEDGE AND BELIEVE -- ICANN CERTAINLY ACKNOWLEDGES THAT IT IS NECESSARY TO INCREASE THE NUMBER OF TLDS TO BOTH ACCOMMODATE MULTILINGUALISM AND TO PROVIDE CONTINUED COMMERCIAL INTEREST AND GROWTH.
WE DON'T FIND ANY REASON WHY THE ROOT NAME SERVER OPERATIONS CAN'T ACCOMMODATE A SUBSTANTIAL INCREASE IN THE NUMBER OF TLDS.
THE PLACE THAT WE BELIEVE IS A CAUSE FOR FURTHER ANALYSIS IS THE ADMINISTRATION AND THE -- INVOLVED IN INCORPORATING THE TLDS INTO THE ROOT ZONE, PROVIDING THE CONSTANT MAINTENANCE AND CONSTANT ADMINISTRATION OF THOSE LABELS IN THE ROOT ZONE PROPER.
I THINK I'VE ACTUALLY SUMMARIZED THE TWO RECOMMENDATIONS, YOU KNOW, ESPECIALLY BECAUSE WE BELIEVE THAT IDNS ARE A CRITICAL COMPONENT AND PROBABLY THE MOST CREDIBLE FRAGMENTATION THREAT.
ICANN SHOULDN'T MOVE AS QUICKLY AS POSSIBLE IN RESOLVING WHETHER THE DNAME EQUIVALENCE MAPPINGS OR THE USE OF IDNA ENCODINGS IN TLD LABELS IS A PREFERRED METHOD, AND THEN WE SHOULD ADOPT THE PREFERRED METHOD.
IN ADDITION, ONE OF THE THINGS THAT WE HOPE IS THAT ALL CCTLDS WILL PARTICIPATE IN THE EXPERIMENTAL TEST BEDS, THEY WILL GIVE THEIR PERSPECTIVES ON THE TWO ALTERNATIVES, AND THAT THEY PARTICIPATE IN THE PROCESS AS OPPOSED TO BREAK AWAY SO THAT WE CAN MAKE A QUICK RESOLUTION AND MOVE FORWARD QUICKLY AND PUT THE ISSUE OF IDNS TO BED.
SO THAT'S THE END OF THAT PRESENTATION.
IF THERE ARE ANY QUESTIONS, I OR MY COLLEAGUES WILL BE HAPPY TO ANSWER THEM.

>>STEVE CROCKER: SO WE DO HAVE A FEW MINUTES IF THERE ARE QUESTIONS ON THIS TOPIC BEFORE WE MOVE TO THE NEXT ONE.
WHAT'S THE PROCEDURE?
I THINK IT'S TO COME DOWN TO ONE OF THESE MICROPHONES OR TO THAT MICROPHONE OVER THERE.
AND I CAN SEE JUST A TREMENDOUS NUMBER OF PEOPLE SCURRYING TO COME IN.
DO WE HAVE THE FACILITIES FOR QUESTIONS FROM THE -- FROM THE WEB?
FROM THE NET?

>> NOT THAT I KNOW OF.

>>STEVE CROCKER: NO.
SO THIS SESSION'S BEING WEBCAST, BUT I DON'T THINK THAT WE HAVE THE INTERACTIVE CAPABILITY.
THANK YOU VERY MUCH.
SO WITH THAT, LET'S MOVE TO THE DENIAL OF SERVICE ATTACKS.
AND THIS PRESENTATION WAS ORIGINALLY SCHEDULED TO BE PRESENTED BY RODNEY JOFFE OF ULTRADNS, WHO WAS -- HE'S BEEN DETAINED.
BUT THE BULK OF THIS PRESENTATION IS, INDEED, HIS WORK.
I WANT TO ACKNOWLEDGE BOTH HIS EXPERTISE AND HIS CONTRIBUTION.
DAVE.

>>DAVE PISCITELLO: OKAY. SO LET'S BEGIN WITH A LITTLE BIT OF THE BACKGROUND. AND MY FAMILIARITY WITH THESE SLIDES BEGAN AT 8:00 THIS MORNING, SO IF I STUMBLE A BIT, PLEASE GIVE ME A LITTLE BIT OF A BREAK.
DURING THE JANUARY AND FEBRUARY TIME FRAME, AND TO MY UNDERSTANDING, CONTINUING IN MARCH IN SOME INCIDENTS, AUTHORITATIVE TLD NAME SERVERS WERE ATTACKED. THE ATTACK WAS A VARIANT OF A WELL-KNOWN STYLE OF DISTRIBUTED DENIAL OF SERVICE ATTACK WHICH USES AMPLIFICATION, AND I WILL EXPLAIN A LITTLE BIT ABOUT THAT IN A DETAILED SLIDE IN A MOMENT.
ONE OF THE ATTACK VECTORS THAT THE ATTACK EMPLOYS IS OPEN RECURSIVE SERVERS, AND THERE WERE AN ESTIMATED 500,000 SUCH SERVERS THAT WERE INNOCENT PARTICIPANTS IN THE DENIAL OF SERVICE ATTACK. AND I WILL EXPLAIN AGAIN HOW THAT WORKS IN A MOMENT.
THE ATTACKS, BY VIRTUE OF USING AMPLITUDE, WHICH IS A METHOD OF INCREASING DATA VOLUME, WERE ABLE TO GENERATE BETWEEN TWO AND EIGHT GIGABITS OF TRAFFIC AT THE TARGETED AUTHORITATIVE NAME SERVERS, WHICH IS A FAIRLY SEVERE LOAD.
IT TURNS OUT THAT THE ATTACKS PRIMARILY SATURATED THE ACCESS CIRCUITS AND THE INFRASTRUCTURE THAT PROTECTS THE NAME SERVERS; THAT THE NAME SERVERS THEMSELVES WERE ABLE TO RESOLVE THE CORRECTLY FORMED QUERIES THAT WERE PASSED THROUGH, BUT THE TRAFFIC LOAD ON THE ACCESS CIRCUITS, ON THE FIREWALLS AND OTHER SECURITY MEASURES IN FRONT OF THE DNS SERVERS WAS PROHIBITIVE.
SO WE HAVE FAILURES OCCURRING IN NETWORKS IN THE PATH AS WELL AS IN THE TRANSIT PROVIDERS, BECAUSE SOME OF THIS TRAFFIC ACTUALLY OVERLOADED SOME OF THE TRANSIT LINKS BEFORE THEY GOT TO THE NAME SERVERS. AND WE HAD A DISRUPTION OF DNS SERVICES IN EACH INCIDENT.
I HONESTLY DO NOT KNOW WHAT RODNEY MEANT IN THE LAST POINT WHERE HE SAYS INCLUDED MANY TLDS WITHOUT ANY APPARENT MOTIVE IN MOST CASES. OBVIOUSLY, WE'RE STILL LOOKING AT AND INVESTIGATING THE PERPETRATOR -- INVESTIGATING TO TRY TO FIND THE PERPETRATORS OF SOME OF THESE ATTACKS AND TRY TO UNDERSTAND EXACTLY THEIR MOTIVE.
SO IN ORDER TO LAY OUT THE ANATOMY OF THIS ATTACK, I WOULD LIKE TO INTRODUCE THE PLAYERS. OKAY. IF YOU START WITH THE SKULL AND CROSSBONES LAPTOP THAT SAYS ATTACKER, THIS IS THE PERPETRATOR OF THE ATTACK. AND THE ATTACKER NEEDS SEVERAL COMPONENTS. FIRST, HE NEEDS AN ARMY TO CONDUCT THE ATTACK. AND THE ARMY CONSISTS OF SOFTWARE AGENTS THAT HAVE BEEN INSTALLED ON COMPROMISED COMPUTERS, TYPICALLY THROUGH THE USE OF AN E-MAIL-BORNE WORM. THE WORM INFECTS A COMPUTER. AS PART OF THE WORM'S BLENDED THREAT OF SOFTWARE INSTALLED, IN ADDITION TO HIDING ITSELF AND WORMING ITSELF INTO THE OPERATING SYSTEM, IT WILL INSTALL AN AGENT THAT CAN COMMUNICATE BACK TO THE ATTACKER AND SAY, "I WAS SUCCESSFULLY ABLE TO INFECT THIS MACHINE AND YOU CAN USE ME FOR WHATEVER PURPOSE YOU LIKE."
SO WHERE DO YOU GET THE ZOMBIES? WELL, EVERYWHERE. AND WHEN YOU CAN BUILD UP A FORMIDABLE ENOUGH NUMBER OF THESE WE CALL IT A BOTNET.
THE OTHER PERPETRATORS, ALTHOUGH INNOCENT AND THAT'S WHY THEY DON'T HAVE SKULL AND CROSSBONES ON THEM, ARE THE OPEN RECURSIVE SERVERS. THESE ARE SERVERS THAT WILL PERFORM RECURSION ON A DNS QUERY ON BEHALF OF ANY HOST AS OPPOSED TO ON BEHALF OF A TRUSTED HOST, WHICH WOULD BE THE MORE SECURE METHOD OF OPERATION.
LASTLY, WHAT THE ATTACKER NEEDS IN ORDER TO PROVIDE AMPLITUDE IS A KNOWN LOCATION WHERE HE CAN PULL DOWN A RATHER EXTREMELY LARGE DNS MESSAGE, AND SO ONE THING -- ONE WAY THAT THE ATTACKER HAS BEEN OBSERVED TO DO THIS IS THAT HE WILL EITHER USE A DOMAIN NAME SERVER THAT HE IS RUNNING OR A DOMAIN NAME SERVER THAT HE HAS COMPROMISED AND HE WILL PUT A DNS TEXT RECORD OF BETWEEN 4,000 AND 4200 BYTES IN THE ZONE FILE OF THAT COMPROMISED SERVER.
AND THAT'S GOING TO SERVE AS THE AMPLIFICATION OF HIS ATTACK. SO IF HE WERE TO SIMPLY GENERATE A DNS QUERY OF ABOUT 60 BYTES AND HE ONLY GOT A TYPICAL RESPONSE OF A COUPLE HUNDRED BYTES, HIS AMPLIFICATION FACTOR WOULD ONLY BE FIVE OR SIX TO ONE.
IF HE GOES WITH A 60 BYTE DNS QUERY AND HE CAN EXTRACT A 4200 BYTE RESPONSE, HE HAS AN AMPLIFICATION FACTOR OF IN EXCESS OF 70/1.
SO THAT'S 70 TO 1 AMPLIFICATION ALLOWS HIM TO SATURATE THE LINKS AT THE TARGET MUCH MORE QUICKLY.
SO THE FIRST STEP IS THAT THE ATTACKER DIRECTS HIS ZOMBIES TO BEGIN THE ATTACK. SO HE SENDS A MESSAGE AND SAYS ATTACK NOW.
THE NEXT STEP IS THAT THE ZOMBIES ALL BEGIN SENDING A DNS QUERY FOR THIS AMPLIFICATION RECORD, WHICH I HAVE CALLED FOO, IN THE DOMAIN BAR.TLD -- I DIDN'T WANT TO PICK ON ANYONE -- TO OPEN RECURSIVE SERVERS, AND HE SETS THE SOURCE ADDRESS TO 10.10.1.1. IF YOU NOTICE, THE TARGET NAME SERVER THAT WILL BE ON FIRE SHORTLY IN THE LOWER CORNER IS 10.10.1.1. THIS IS CALLED AN IP SPOOFING ATTACK. IT'S AN IMPERSONATION TECHNIQUE, AND THE GOAL IS TO HAVE ALL THE RESPONSES DIRECTED AT THE TARGET AS OPPOSED TO BEING RETURNED TO THE ZOMBIES IN THE BOTNET.
SO THE OPEN RECURSIVE SERVERS, SINCE THEY ARE VERY TRUSTWORTHY AND INNOCENT FOLKS, ARE SIMPLY FORWARDING OR PROCESSING AND RECURSIVELY PROCESSING THE REQUEST FOR THE RECORD FOO, SO THEY GO TO THE NAME SERVER AT BAR.TLD. BAR.TLD RESPONDS WITH THIS VERY, VERY BIG RECORD OF 4,000 PLUS BYTES, AND NOW THE OPEN RECURSIVE SERVERS SAY I HAVE TO RETURN THIS TO THE PARTY THAT QUERIED. WELL, EVERYONE QUERIED IT FROM 10.10.1.1. SO THE RESULT IS ALL THESE VERY LARGE PACKETS ARE BEING DIRECTED AT THE TARGETED NAME SERVER. SO THE TARGETED NAME SERVER IS IMPACTED IN SEVERAL WAYS. THE FIRST WAY IS HE IS RECEIVING AN ABNORMALLY LARGE NUMBER OF QUERIES. THE SECOND IS THAT THE QUERIES ARE OVER 4,000 BYTES AND MAXIMUM TRANSMIT UNIT ON THE LINKS THAT THE UDP MESSAGES ARE CARRYING THE DNS RESPONSE MESSAGES ARE RUNNING AT 1500 BYTES.
SO HE IS INFLICTING REASSEMBLY ON THE INFRASTRUCTURE, THE ROUTERS AND THE FIREWALLS, AT THE TARGET. SO THAT INCREASES THE CPU LOAD AND THE MEMORY LOAD ON THOSE DEVICES.
THIS IS A VERY, VERY EFFECTIVE ATTACK. SO WITHOUT GOING INTO ENORMOUS DETAIL ON SOME OF THE GRAPHS, AND THESE APPEAR IN THE REPORT THAT WE WILL BE RELEASING LATER IN THE WEEK, IF YOU LOOK AT THE, OBVIOUSLY, RED, YOU HAVE A VERTICAL AXIS THAT HAS SIX TLD SERVER IPS, AND RED SHOWS COMPLETE FAILURE, YELLOW INDICATES SLOW ANSWERS. SO IF YOU NOTICE THE 14 MINUTE TIME FRAME ALONG THE BOTTOM TIME LINE, THESE ATTACKS HAD A DURATION OF ABOUT 14 MINUTES AND THEY WERE VERY, VERY EFFECTIVE.
SO IF YOU ARE A LOVER OF STATISTICS, RODNEY HAS PROVIDED A WEALTH OF THEM HERE. 51,000 OPEN RECURSIVE SERVERS WERE INVOLVED. A 55 BYTE QUERY RESULTED IN A 42 BYTE RESPONSE. THAT IS THE AMPLIFICATION.
SIGNIFICANT LOAD ON THE ACCESS CIRCUIT IN THE INFRASTRUCTURE FRONTING THE TLD NAME SERVERS.
THE RECURSIVE SERVERS ACTUALLY DID NOT REALLY NOTICE THE LOAD, BECAUSE THEY WERE SIMPLY DOING WHAT THEY NORMALLY DO. THEY ARE FORWARDING AND DOING RECURSION. AND THE LOAD ON ALL THE RECURSIVE SERVERS, BECAUSE IT WAS SO ELEGANTLY DISTRIBUTED, WAS MINIMAL.
WHAT ELSE DO WE SEE HERE? SOME OF THE NETWORK SERVICE PROVIDERS HAD RELATIVELY CATASTROPHIC EXPERIENCES. THEIR INFRASTRUCTURE, TRANSIT INFRASTRUCTURE WAS SEVERELY IMPAIRED. AND IT LOOKED LIKE THE ATTACKER WAS VERY, VERY SUCCESSFUL IN THE FACT THAT ONLY ONE IN 100 REAL QUERIES WERE ANSWERED BECAUSE THE INFRASTRUCTURE IN FRONT OF THE NAME SERVERS WAS SO OVERLOADED.
SO SOME OF THE THINGS THAT SSAC HAS OBSERVED ALONG WITH CERT AND SANS AND SEVERAL OTHER SECURITY ORGANIZATIONS ALL AWARE OF THIS AND ALL TRYING TO PUT THINGS IN MOTION TO MAKE PEOPLE PAY ATTENTION TO NECESSARY COUNTERMEASURES AND LONG-TERM SOLUTIONS ARE THAT OPEN RECURSION CREATES AN ENORMOUS ATTACK VECTOR FOR THESE KINDS OF ATTACKS.
THE FACT THAT PEOPLE CAN CONTINUE TO SPOOF IP ADDRESSES CREATES AN UNBOUNDED VECTOR FOR ATTACKS.
SO THOSE TWO ARE REALLY, REALLY, IN OUR MIND, THE TWO MOST SERIOUS PROBLEMS THAT WE HAVE TO OVERCOME.
SO WE HAVE THREE RECOMMENDATIONS. THE FIRST RECOMMENDATION IS ONE THAT WE HAVE ALREADY ISSUED IN THE PAST IN SAC 004, SECURING THE EDGE, AND THE IAB ISSUED IN BCP 38 FOR EGRESS TRAFFIC FILTERING. AND I KNOW I HAVE WRITTEN AN ARTICLE ABOUT IT, STEVE HAS, THERE ARE DOZENS OF ARTICLES ABOUT PERFORMING SOURCE IP ADDRESS VALIDATION AT THE NETWORK EDGE. IF WE WERE TO DO THESE -- DO THIS, WE WOULD SIGNIFICANTLY ABATE THE ABILITY FOR PEOPLE TO NOT ONLY PERPETRATE DNS DDOS ATTACKS BUT DISTRIBUTED DENIAL OF SERVICE ATTACKS IN GENERAL.
WE ALSO BELIEVE ROOT AND TLD NAME SERVERS HAVE A RESPONSIBILITY TO SUSTAIN SERVICE. AND IF SUSTAINING THAT SERVICE INVOLVES COUNTERMEASURES THAT INCLUDE BLOCKING OPEN RECURSION IN ORDER TO KEEP SERVICE OPERATIVE FOR PEOPLE WHO ACTUALLY HAVE THEIR RECURSIVE SERVERS CONFIGURED CORRECTLY, THEN THEY OUGHT TO BE ABLE TO DO THAT.
WE DO BELIEVE THAT THEY ARE OBLIGED TO DOCUMENT THE COUNTERMEASURES THEY ARE GOING TO TAKE IN SUCH INSTANCES, AND THAT THEY SHOULD HAVE WAYS TO COMMUNICATE WITH SERVICE PROVIDERS, NAME SERVER OPERATORS, WHO UNWITTINGLY ARE PARTICIPANTS IN THESE ATTACKS SO THEY CAN SAY, LOOK, WE HAVE TURNED YOU OFF BECAUSE YOU ARE RUNNING OPEN RECURSION. IF YOU DISABLE THAT, WE WILL TURN YOU BACK ON.
AND THEN FINALLY, THE LAST IS THAT WE REALLY DO BELIEVE THAT THERE SHOULD BE A FAIRLY SIGNIFICANT INITIATIVE IN THE INTERNET TO GO OUT AND SHUT -- AND EDUCATE THE COMMUNITY TO THE PROBLEMS THAT OPEN RECURSION CAN CAUSE. AND IT'S NOT ONLY THIS, BUT IT'S ALSO CACHE POISONING AND OTHER ATTACKS ON THE DNS THAT ARE USING OPEN RECURSIVE SERVERS. SO ONE THING THAT COULD BE NICE IS TO SEE IF WE COULD GET PEOPLE TO SEE IF WE COULD START CONFIGURING THEIR NAME SERVERS MORE SECURELY, AND ELIMINATE THIS VECTOR.
THERE ARE A NUMBER OF DIFFERENT STUDIES THAT HAVE BEEN -- THAT ARE BEING CONDUCTED OVER THE INTERNET TO TRY TO I'VE THE ACTUAL NUMBER OF OPEN RECURSIVE SERVERS, AND THE NUMBERS RANGE FROM SEVERAL HUNDRED THOUSAND TO SEVERAL MILLION.
SO IT IS A VERY, VERY SERIOUS PROBLEM, AND WE NEED TO ADDRESS IT.
ANY QUESTIONS?

>>STEVE CROCKER: BEFORE WE TAKE QUESTIONS, A SLIGHT ERROR IN -- ON MY PART. SUZANNE, ARE YOU IN SHAPE FOR A COMMENT OR TWO? SUZANNE WOOLF FROM INTERNET SYSTEMS CONSORTIUM HAS A FEW COMMENTS, INTERNET SYSTEMS CONSORTIUM IS THE SUPPLIER OF THE BIND SOFTWARE.
YEAH, WE NEED THE PROJECTOR PLUG HERE.

>>SUZANNE WOOLF: WHEN STEVE AND I TALKED ABOUT THIS, I WASN'T ORIGINALLY ON THIS AGENDA, BUT WE THOUGHT IT WOULD BE USEFUL JUST TO HAVE A COUPLE OF COMMENTS ABOUT THE NATURE OF THIS PROBLEM AND THE NATURE OF GETTING IT FIXED FROM THE POINT OF VIEW OF ISC, MY EMPLOYER, BECAUSE WE SORT OF FEATURE PROMINENTLY IN ONE ASPECT OF THE PROBLEM.
IF YOU WILL EXCUSE ME JUST A MOMENT.
OKAY. ISC IS ACTUALLY WELL-KNOWN AMONG FOLKS INVOLVED WITH THE DNS, PARTLY BECAUSE WE'RE RESPONSIBLE FOR BIND AND PARTLY BECAUSE WE OPERATE A ROOT NAME SERVER. THAT COMBINATION OF DEVELOPMENT RESPONSIBILITY AND OPERATIONAL RESPONSIBILITY GIVES US A UNIQUE POINT OF VIEW ON SOME OF THESE ISSUES.
ONE OF THE KEY FEATURES THAT COMES OUT, AS WE SORT OF LOOK AT PROBLEMS LIKE THE ONE WE HAVE BEEN DISCUSSING HERE, WE ARE TALKING ABOUT A PROBLEM AND A SET OF VECTORS FOR TROUBLE THAT ARE DISTRIBUTED THROUGHOUT THE GLOBAL INTERNET.
ONE OF THE GREAT STRENGTHS OF THE INTERNET IS THAT IT RELIES ON SEPARATE ACTIVITIES OF HUNDREDS OF THOUSANDS OF SEPARATE NETWORKS AND OPERATORS, AND THIS COOPERATION IS ONE OF THE GREAT STRENGTHS OF THE INTERNET. IT USUALLY WORKS VERY, VERY WELL.
UNFORTUNATELY, THERE ARE SITUATIONS WHERE GETTING THAT LEVEL OF COOPERATION, GETTING TO THE CRITICAL MASS OF SEPARATE ENTITIES INVOLVED IN FIXING A SERIOUS PROBLEM CAN BE A CHALLENGE.
FOR INSTANCE, WITH RESPECT TO BIND AS A SOFTWARE PRODUCT, WE GET ASKED WHY WE HAVEN'T FIXED BIND, SINCE BIND IS SORT OF INADVERTENTLY IMPLICATED IN THIS PARTICULAR SET OF ISSUES.
IT'S BECAUSE BIND IS IMPLICATED LARGELY BECAUSE IT'S USED BY A GREAT MANY PEOPLE. IT'S THE MOST WIDELY USED SERVER IMPLEMENTATION IN THE PUBLIC INTERNET.
WHY HAVEN'T WE FIXED IT? THAT'S A LOT OF PEOPLE OUT THERE DOING A LOT OF DIFFERENT THINGS. ONE OF THE KEY FACTORS IS THAT OPEN RECURSION IS NOT A BUG. IT'S NOT A PROBLEM IN THE CODE THAT NEEDS TO BE FIXED.
IT'S A CONFIGURATION CHOICE, AND FOR MANY YEARS IT'S BEEN THE DEFAULT IN BIND BECAUSE IT WAS A USEFUL CONFIGURATION CHOICE.
IT'S EASY FOR ADMINISTRATORS, IT'S CONVENIENT FOR USERS. AND NOT HAVING IT IMPOSES A COST ON OPERATORS AND THEIR CUSTOMERS.
IT'S KIND OF A CLASSIC CASE OF IT'S VERY HARD TO CHANGE DEFAULT BEHAVIOR IN A VERY WIDELY KNOWN SOFTWARE PRODUCT.
UNFORTUNATELY, THE RECENT EVENTS SUCH AS THE ONES WE HAVE BEEN TALKING ABOUT MEAN WE HAVE TO CHANGE IT ANYWAY.
WE'RE KIND OF STUCK WITH IT. WE HAVE TO BE GOOD CITIZENS OF THE NET. WE HAVE TO MAKE SURE THAT OUR CUSTOMERS ARE NOT STUCK WITH THE RESPONSIBILITY.
MOST OF THE ADMINISTRATORS AND MOST OF THE SYSTEMS IMPLICATED IN THESE ATTACKS ARE PARTICIPATING ONLY INADVERTENTLY. AND WE HAVE A RESPONSIBILITY HERE TO MAKE SURE THAT WE REDUCE THE RISK TO OUR USERS THAT THEY WILL BE PART OF THIS PROBLEM WITHOUT THEIR KNOWLEDGE OR CONSENT.
SO WHAT KIND OF THINGS ARE WE DOING? CHANGE REALLY IS HARD, BUT THERE ARE A COUPLE OF THINGS WE NEED TO DO. WE CAN FIX IT GOING FORWARD. BIND 9.4.0, WHICH IS TO BE RELEASED IMMINENTLY, CHANGES THE DEFAULT. THIS IS CAUSING TROUBLE FOR OEMS WHO SHIP BIND AS PART OF THEIR OPERATING SYSTEM DISTRIBUTIONS AND PEOPLE WHO RUN NAME SERVERS. THEY ARE GOING TO CHANGE WHAT THEY DO.
BUT WE THINK IT'S TIME TO DO IT.
SO THAT RELEASE IS GOING OUT IMMINENTLY. WE MADE A LATE CHANGE IN THE SHIPPING DEFAULT. AND THERE WILL BE WIDE PUBLICITY FOR THE CHANGE.
THE OTHER THING THAT WE ARE DOING THAT FRANKLY IS AN EVEN BIGGER TASK IS ATTEMPTING TO EDUCATE THE FOLKS OUT THERE THAT ARE ALREADY USING BIND THAT RUN NAME SERVERS. WE HAVE SENT ADVISORIES TO OUR SUPPORT CUSTOMERS. THERE IS A MORE LENGTHY AND DETAILED TECHNICAL NOTE UNDER CONSTRUCTION FOR USERS OF BIND AT WHATEVER RELEASE LEVEL OR WHEREVER THEY HAPPEN TO BE. OUR PRESIDENT, PAUL VIXIE, HAS BEEN DOING A LOT OF PRESS, MAINSTREAM AND TECHNICAL MEDIA, ON THIS PROBLEM AND HOW PEOPLE ARE INADVERTENTLY BEING EXPLOITED AS PART OF IT AND WHAT CAN BE DONE ABOUT IT.
AND FRANKLY, WE HAVE TO ADMIT TO THE BAD NEWS. THE PREVIOUS PRESENTATION MADE IT CLEAR THAT THERE ARE TWO MAIN ENABLERS HERE IN THIS PARTICULAR KIND OF ATTACK. ONE IS THAT THERE ARE LOTS OF NETWORKS THAT ALLOW SPOOFED PACKETS TO LEAVE THEM. THAT'S NOT A DNS ISSUE. THAT'S NOT AN ISSUE OF A PARTICULAR PIECE OF SOFTWARE, BUT IT'S THE SAME KIND OF WIDESPREAD PROBLEM THAT WILL CAUSE ACTION BY A LOT OF PEOPLE TO FIX.
THERE ARE LOTS OF OPEN RECURSIVE NAME SERVERS. THERE ARE LOTS OF PEOPLE WHO HAVE CHOSEN THAT CONFIGURATION. THERE ARE LOTS OF PEOPLE WHO HAVE LEFT THAT CONFIGURATION BECAUSE IT'S EASY. AND IT'S GOING TO TAKE SIGNIFICANT EFFORT TO GET TO ALL OF THEM. AND IN THE MEANTIME, CHANGING THESE PARTICULAR BEHAVIORS, CHANGING THESE PARTICULAR CHARACTERISTICS OF THE INTERNET WON'T STOP DISTRIBUTED DENIAL OF SERVICE ATTACKS.
THERE ARE OTHER WAYS TO CAUSE TROUBLE. THERE ARE OTHER WAYS TO CREATE DDOS. THERE ARE OTHER FORMS OF LEVERAGE. THERE ARE ALWAYS GOING TO BE A LOT OF CLIENTS OUT THERE, THERE IS ALWAYS GOING TO BE DISTRIBUTED INFRASTRUCTURE. THERE ARE ALWAYS GOING TO BE WAYS TO INADVERTENTLY SUBVERT THE RESOURCES WE ALL DEPEND ON.
HOWEVER, CLOSING THESE HOLES, FIXING THESE SPECIFIC ISSUES WILL STOP A WHOLE CLASS OF ATTACKS.
SO WE HAVE TO DO THOSE THINGS AND SUPPORT CHANGING AND IMPROVING THE INFRASTRUCTURE SO WE CAN GO AHEAD AND TACKLE THE NEXT SET OF PROBLEMS.

>>STEVE CROCKER: LET ME EMPHASIZE THE POINT THAT SUZANNE IS MAKING. THIS CURRENT SET OF ATTACKS WHICH IS FOCUSED ON A SPECIFIC TOP-LEVEL DOMAIN NAME SERVERS AND WHICH USES A LARGE NUMBER OF OPEN RECURSIVE NAME SERVERS HAS THE CHARACTER OF BEING INTIMATELY RELATED TO DNS. BUT AS SUZANNE HAS SAID, THIS IS ACTUALLY JUST A SMALL PORTION OF THE MORE GENERAL PROBLEM OF DISTRIBUTED DENIAL OF SERVICE ATTACKS.
FROM A BROAD PERSPECTIVE OF SECURITY AND STABILITY ISSUES ON THE INTERNET, WITHIN THE ICANN AREA OF CONCERN AND CHARTER, ICANN IS FOCUSED ON THE DOMAIN NAME SYSTEM AND ON ADDRESSES.
DENIAL OF SERVICE ATTACKS ACTUALLY DO NOT HAVE A NATURAL SINGLE HOME OR VENUE FOR BEING ADDRESSED. AND THAT, I THINK, IS ONE OF THE THINGS THAT IS GOING TO MAKE THIS A PARTICULARLY DIFFICULT CLASS OF SECURITY ISSUES TO DEAL WITH OVER A PERIOD OF TIME.
SO ONE OF THE -- SO I THINK THERE IS A DOUBLE CHALLENGE. ONE IS THE TECHNICAL CHALLENGE OF WHAT KINDS OF RESPONSES, WHAT KINDS OF CHANGES IN ARCHITECTURE, WHAT KINDS OF CHANGES IN OPERATION AND SO FORTH MAKE SENSE, AND THE OTHER IS AN ORGANIZATIONAL CHALLENGE OF WHAT ORGANIZATIONS SHOULD BE INVOLVED AND IN WHICH WAYS.
AND I THINK THAT ICANN IS A PARTICIPANT, POTENTIAL PARTICIPANT, IN THOSE EFFORTS, BUT IT'S CERTAINLY NOT THE OWNER AND CERTAINLY DOES NOT HAVE THE POWER OR THE CHARTER TO DO ANYTHING ABOUT IT BY ITSELF.
AND AS I SAY, THE BAD NEWS IS, AND THERE ISN'T ANY OTHER PARTICULAR ORGANIZATION THAT IS IN CHARGE OF FIXING THESE THINGS. IT'S PARTLY AN INDUSTRY MATTER, IT'S PARTLY A TECHNICAL CHALLENGE, PARTLY AN OPERATIONAL CHALLENGE. AND WILL ALSO INVOLVE VARIOUS ORGANIZATIONAL EFFORTS.
I THINK THIS IS A TOPIC THAT IS GOING TO BECOME MORE IMPORTANT OVER TIME, NOT LESS. AND FROM OUR PERSPECTIVE ON THE SECURITY AND STABILITY ADVISORY COMMITTEE, I THINK WE WILL BE SPENDING SOME OF OUR TIME ON THE SUBJECT AS THINGS MOVE FORWARD.
SO WITH THAT, LET ME NOW OPEN THE FLOOR FOR QUESTIONS FOR THE NEXT FEW MINUTES, AND THEN WE WILL CLEAR OUT IN TIME FOR THE NEXT SESSION.

>>THOMAS NARTEN: OKAY, THOMAS NARTEN HERE. I HAVE A COUPLE OF QUESTIONS. LET ME START BY OBSERVING THAT AS YOU HAVE SAID, THERE'S A BIG PROBLEM WITH DISTRIBUTED DENIAL OF SERVICE IN GENERAL. AND THIS ONE HERE IS INTERESTING BECAUSE IT REALLY TARGETS THE DNS AND EXPLOITS THE DNS.
AND THE QUESTION I ACTUALLY HAVE IS, COMPARED TO OTHER KNOWN AND EXPLOITED DDOS ATTACKS SO FAR, IS THIS ONE REALLY WORSE THAN WHAT WE HAVE SEEN, OR DOES THIS HAPPEN TO BE ATTRACTING A LOT OF ATTENTION BECAUSE OF THE FACT IT EXPLOITS THE DNS AND TARGETS THE DNS?

>>STEVE CROCKER: THE THING THAT MAKES THIS INTERESTING IN ADDITION TO THE FACT THAT IT EXPLOITS AND USES -- AND TARGETS DNS IS THE AMPLIFICATION FACTOR, WHICH I HAVE BEEN NOW READING A SERIES OF DIFFERENT MEASUREMENTS, AND THEY ARE ALL AROUND 70 TO ONE, GIVE OR TAKE.
SO THAT MEANS THAT YOU CAN EITHER HAVE A MUCH LARGER ATTACK WITH THE SAME SOURCES USED IN THE PAST OR YOU CAN ACCOMPLISH A SIGNIFICANTLY LARGE ATTACK WITH VERY FEW RESOURCES.
IT ALSO MAKES IT A BIT HARDER TO TRACE, BUT THEY WERE ALWAYS SORT OF HARD TO TRACE. SO THAT'S THE NEW WRINKLE, IF YOU WILL.

>>THOMAS NARTEN: AND I GUESS THE OTHER OBSERVATION RELATED TO THAT IS THIS DOESN'T NECESSARILY, IN TERMS OF THE TARGET, YOU CAN TARGET ANYONE. IT DOESN'T NECESSARILY HAVE TO BE A DNS.

>>STEVE CROCKER: ABSOLUTELY CORRECT.

>>THOMAS NARTEN: THAT'S THE TARGET FROM THE WAY IT'S STRUCTURED BUT YOU CAN TARGET ANY MACHINE THAT DOESN'T EVEN HAVE TO DO WITH THE DNS EVEN.

>>STEVE CROCKER: THAT'S CORRECT. AND A POINT, I THINK, THAT'S PROBABLY NOT IN EVERYONE'S CONSCIOUSNESS IS WHY WOULD YOU BOTHER TO TARGET A NAME SERVER. AND THE ANSWER TURNS OUT TO BE PRETTY NASTY.
THERE ARE COMMERCIAL BUSINESSES THAT ARE TIME DEPENDENT, PARTICULARLY GAMBLING ENTERPRISES WHERE IF YOU CAN DISRUPT THEIR BUSINESS AT THE RIGHT TIME, YOU CAN HAVE A VERY SEVERE FINANCIAL IMPACT.
AND ONE OF THE WAYS TO DISRUPT THEIR OPERATION IS TO DISRUPT THE RESOLUTION OF QUERIES TO THEIR SERVERS.
AND BY ATTACKING THE NAME SERVERS THAT ARE SERVING THOSE ENTERPRISES, YOU MAY BE ABLE TO DO AS MUCH DAMAGE AS IF YOU ATTACKED THE ENTERPRISE DIRECTLY.
SO THAT'S -- THAT'S WHY SOME OF THESE ATTACKS ARE TAKING PLACE. THERE ARE OTHER REASONS, BUT THAT'S ONE OF THE ONES FOR WHICH IT'S MORE THAN JUST A JOYRIDE OR PRANK BY YOUNG HACKERS WHO SAY "ISN'T THIS COOL."
BILL.

>>BILL MANNING: BILL MANNING.
AN OBSERVATION OR TWO. PROBABLY YOU AREN'T AWARE OF THESE. THE DNS COMPONENT OF THIS ATTACK IS SYMPTOMATIC OF THE FUNDAMENTAL PROBLEM, WHICH IS IP ADDRESS SPOOFING, TO A LARGE DEGREE.
HAVING EXPERIENCED THIS ATTACK MYSELF, AND THEN DONE SOME LAB WORK ON IT, OPEN RECURSION IS NOT NECESSARY OR REQUIRED FOR THIS ATTACK TO WORK. THIS WILL WORK ON AUTHORITATIVE NAME SERVERS AS WELL.
AND SO SIMPLY -- AS YOU CREATE YOUR ADVISORY, NOTING THAT THIS IS A -- THAT THE ATTACK CAN BE USED WITH A RECURSIVE SERVER OR AN AUTHORITATIVE SERVER, IT DOESN'T MATTER. IT'S SYMPTOMATIC OF THE UNDERLYING PROBLEM OF SPOOFED IP PACKETS. I THINK THAT THAT WOULD BE A USEFUL SPIN TO PUT IN YOUR ADVISORY, IS THAT IT'S NOT A DNS-SPECIFIC ISSUE.

>>SUZANNE WOOLF: YEAH, IF I JUST COULD. SORT OF THE ANALOGY I SAW USED WAS THAT A LOT OF THE SPOOFED ATTACKS ARE A LOT LIKE HAVING SOMEBODY CALL THE NEIGHBORHOOD PIZZA PLACE AND HAVE 500 PIZZAS DELIVERED TO YOUR HOUSE. AND IF YOU SORT OF EXPAND THAT AND EXTRAPOLATE TO HAVING EVERY PIZZA PLACE IN TOWN SHOWING UP AT YOUR DOORSTEP, THE PROBLEM IS REALLY THAT SOMEBODY CAN CALL UP ON YOUR BEHALF AND IMPERSONATE YOU AND MAKE IT HAPPEN. NOT THAT IT'S PIZZA BEING DELIVERED. IT COULD BE BOXES OF PLASTIC PEANUTS AND IT WOULD BE NO BETTER. AND THERE ARE LOTS OF VARIANTS. AND THE KEY PROBLEM IS THAT THE SPOOFING IS POSSIBLE. THE ENERGY CAN BE REDIRECTED AGAINST THE TARGET OF CHOICE.

>>STEVE CROCKER: THERE'S SOME INTERESTING FOLLOW-UPS IN THERE BUT WE WANT TO TAKE A QUESTION HERE.

>>JIM REID: THANKS. IT'S NOT A QUESTION, MORE OF A STATEMENT. JIM REID.
I THINK THE PROBLEM WE TALKED ABOUT HERE NEEDS TO BE DEALT WITH IN A NUMBER OF WAYS. SIMPLY SWITCHING OFF RECURSION OR DEALING WITH NAME SERVER CONFIGURATIONS IS NOT ENOUGH TO SOLVE THE PROBLEM IN MY OPINION.
I THINK WE HAVE TO LOOK AT OTHER ASPECTS OF THE SPOOFING ISSUES WITH SPECIFIC REGARD TO WHAT YOU DO WITH YOUR ROUTERS, ESPECIALLY WITH THE TRAFFIC YOU ACCEPT FROM THE OUTSIDE WORLD AND THE TRAFFIC YOU SEND TO THE OUTSIDE WORLD.
AND I THINK THAT'S AN AREA THAT NEEDS TO BE LOOKED AT.
SO IF YOU TAKE IT IN THE CONTEXT OF SOME OF THESE SPOOFING ATTACKS IS YOU SHOULD NOT BE ALLOWING RECURSIVE DNS QUERIES TO COME INTO YOUR NETWORK FROM OUTSIDE, THERE IS NO JUSTIFICATION FOR THAT WHATSOEVER SO YOU SHOULDN'T BE SERVICING THOSE PACKETS, THEY SHOULDN'T GET TO YOUR NAME SERVERS.
HOWEVER, A POINT I WANT TO AMPLIFY IS ONE YOU MADE EARLIER, STEVE. THAT IS THE FORUM FOR GETTING THIS INFORMATION OUT, BECAUSE IT SEEMS TO FALL BETWEEN A NUMBER OF DIFFERENT STOOLS. THERE'S A POTENTIAL ROLE FOR ICANN IN THIS, A ROLE FOR IETF IN THIS, AND PERHAPS OTHER OPERATOR FORUMS SUCH AS NANOG OR OTHER MEETINGS WHERE THINGS COULD BE DONE. BUT THE PROBLEM MORE THAN ANYTHING ELSE IS THIS NEEDS TO BE DOCUMENTED AND WRITTEN DOWN SOMEWHERE SO NETWORK ENGINEERS CAN BE SHOWN SOMETHING THAT SAYS THIS IS AN EXAMPLE OF INDUSTRY-BASED PRACTICE. THIS IS WHAT WE SHOULD DO, AND THEY CAN THEN TURN AROUND AND GIVE THAT TO THE MANAGEMENT AND SORT OUT THE PROBLEM.

>>STEVE CROCKER: VERY WELL SAID.

>>SUZANNE WOOLF: JIM, THE DNS OPERATIONS WORKING GROUP OF THE IETF AGREED LAST WEEK TO TAKE ON SUCH A BEST-PRACTICES DOCUMENT AS A WORK ITEM.

>>JIM REID: ONE POINT I WANTED TO MAKE QUICKLY IS I SEE A LOT OF PARALLELS IN THIS AND THE PROBLEMS WE HAD WITH SPAM AND OPEN MAIL RELAYS MANY, MANY YEARS AGO. AND PERHAPS WE NEED TO LOOK AT SOME OF THE TECHNIQUES THAT WERE APPLIED IN THAT PARTICULAR PROBLEM TO TRY TO SOLVE THE ISSUE BY SWITCHING OFF OPEN MAIL RELAYS. AND MAYBE WE CAN HAVE SOME KIND OF SIMILAR EFFORT FOR DNS, ALTHOUGH IT'S A MUCH HARDER PROBLEM TO SOLVE.

>>STEVE CROCKER: INTERESTING POINTS. THERE ARE SOME SIMILARITIES BUT ALSO I THINK SOME SHARP DIFFERENCES.
WE HAVE TIME MAYBE FOR ONE LAST QUESTION. OH, THERE IS A WHOLE QUEUE OF YOU THERE. I AM HAVING TROUBLE WITH THE LIGHTS, BUT I SEE SEVERAL PEOPLE.

>> I WANT TO MENTION THE PRINCIPLE OF MONO CULTURE AND IT SEEMS TO ME ONE OF THE THINGS THAT MAKES THESE ATTACKS SO HIGHLY LEVERAGED AND POSSIBLE IS PERHAPS NAME SERVERS ARE THE SAME, THE NAME SPACES ARE THE SAME, THE DNS SOFTWARE IS THE SAME. SO I'M WONDERING ON SEVERAL DIFFERENT DIMENSIONS IF THERE ISN'T A WAY TO AMELIORATE THESE ATTACKS BY HAVING SOMETHING OTHER THAN JUST BIND.
IT'S KIND OF A LONG QUESTION. LET ME FINISH UP QUICKLY.
THE FIRST ONE IS THE DIFFERENT THINGS BESIDES BIND. SECOND THING IS BACKUP SERVERS READY TO JUMP IN WHEN A SERVER IS DISABLED AT DIFFERENT POINTS IN THE ATTACK CHAIN.
AND THEN FINALLY, THIS IS A LITTLE CRAZY, IS THERE ANY WAY THAT HAVING ALTERNATE ROOTS ACTUALLY PROVIDES MORE ROBUSTNESS IN THE NETWORK BECAUSE THERE ARE DIFFERENT NAME SPACES AT WORK HERE THAT CAN BE USED?

>>STEVE CROCKER: LET ME TICK OFF QUICK RESPONSES TO EACH OF THOSE THINGS. THE NAME SERVERS ARE NOT MISBEHAVING IN AND OF THEMSELVES, SO IT'S NOT A QUESTION OF MONOCULTURE IN THE SENSE OF BEING PENETRATED. IF THERE IS A MONOCULTURE ISSUE, IT'S IN THE ZOMBIES THAT ARE BEING USED TO ATTACK, AND THAT COMES FROM ANOTHER PART OF THE WORLD, A LITTLE FARTHER NORTH.

>>DAVE PISCITELLO: (INAUDIBLE).

>>STEVE CROCKER: SO WE NOW HAVE ZOMBIES SHOWING UP ON LINUX BOXES. OH, JOY.
THE OTHER -- LET'S SEE. THE -- OH. ALTERNATE ROOTS THING. THERE IS ACTUALLY A TREMENDOUS AMOUNT OF ROBUSTNESS OF THE ROOTS OPERATORS, OF THE ROOT SERVERS, BECAUSE THERE ARE MORE THAN 100 COPIES OF THE ROOTS THROUGH ANYCAST AND IN FACT, SOME OF THE LARGE TOP-LEVEL DOMAINS ARE ALSO OPERATED THROUGH ANYCAST. SO I THINK IT'S NOT AN ALTERNATE ROOT APPROACH THAT GIVES YOU THE REPLICATION BUT, IN FACT, THE STANDARD GOOD PRACTICES BY THE VERY LARGE OPERATORS USING MULTIPLE COPIES OF THEIR SYSTEMS.
LET ME TRY -- I'M WATCHING THE TIME HERE. LET ME MOVE QUICKLY PAST.

>>MIKE O'CONNOR: I'M HOPING I'M THE LAST.
I WANTED TO END THIS ON A SOMEWHAT LIGHTER NOTE.
MY NAME IS MIKE O'CONNOR, AND I WANTED TO COMMEND THE PRESENTER FOR YOUR CARE IN DESCRIBING THE BAR.TLD DOMAIN.
I'M THE OWNER OF THE BAR.COM DOMAIN.
I'M ALSO FOO@BAR.COM.
I'VE CORRESPONDED WITH A NUMBER OF YOU OVER THE YEARS.
UNFORTUNATELY, I WAS OVERWHELMED BY SPAM IN 1995.
SO I JUST WANTED TO EXPRESS MY APPRECIATION FOR THE CARE WITH WHICH YOU PRESENTED THAT PART OF YOUR --

>>DAVE PISCITELLO: YOU'RE WELCOME.

>>STEVE CROCKER: OUR CONDOLENCES FOR FOO.BAR.
THANK YOU.
AS I SAY, WE'RE UP AGAINST A VERY SPECIFIC TIME LIMIT.
I SEE MY CLOCK HERE SAYS WE'VE RUN A MINUTE OVER ALREADY.
LET ME THANK YOU ALL.
FEEL FREE TO SEND QUESTIONS IN OR INTERACT WITH ANY OF US.
WE'LL HAVE THESE REPORTS ON THE NET WITHIN -- AS RAPIDLY AS WE CAN OVER THE NEXT FEW DAYS.
AND I'D LIKE TO TAKE THE VERY BRIEFEST BREAK, AND WE'LL SET UP FOR THE NEXT SESSION.
THANK YOU.
[ APPLAUSE ]

© Internet Corporation for Assigned Names and Numbers