Important note: The explanatory text provided through this database (including the summary, implementation actions, identification of related resolutions, and additional information) is an interpretation or an explanation that has no official authority and does not represent the purpose behind the Board actions, nor do any explanations or interpretations modify or override the Resolutions themselves. Resolutions can only be modified through further act of the ICANN Board.
2006-03-31 - SSAC Report on DNS Distributed Denial of Service (DDoS) Attacks on TLD and Root Name System Operators
Board urges interested parties to consider broad adoption of BCP 38, RFC 2827 on Network Ingress Filtering, and SAC004 on Securing The Edge, in order to reduce threats posed by DNS DDoS attacks and similar DDoS attacks.
- Forward SSAC report to Internet service providers and operators, to ICANN's advisory committees and supporting organizations, and to other interested parties for their consideration.
  - Responsible entity: ICANN Staff
  - Due date: December 2006
  - Completion date: December 2006
- Raise public's general awareness of DDoS and of the need to take measures to mitigate DDoS attacks.
  - Responsible entity: ICANN policy department, SSAC Fellow
  - Due date: December 2006
  - Completion date: December 2006
Hagen Hultzsch introduced a resolution, seconded by Veni Markovski:
Whereas, on 30 March 2006, ICANN's Security and Stability Advisory Committee (SSAC) submitted a security advisory on DNS Distributed Denial of Service (DDoS) Attacks. The advisory was the subject of a valuable workshop presented by the SSAC at these meetings in Wellington.
Whereas, the SSAC Advisory describes recent incidents, identifies the impacts, and recommends countermeasures that TLD name server operators can implement for immediate and long-term relief from the harmful effects of these attacks.
Resolved (06.15), the ICANN Board hereby accepts the Report, and thanks SSAC Chair Steve Crocker, SSAC Fellow Dave Piscitello, the members of SSAC, and all other contributors for their efforts in the creation of the Advisory.
Resolved (06.16), the ICANN Board directs staff to forward the Report to Internet service providers and operators, to ICANN's advisory committees and supporting organizations, and to other interested parties for their consideration.
Resolved (06.17), the ICANN Board urges interested parties to consider a strategy to encourage the broad adoption of BCP 38, RFC 2827, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing and SSAC004, Securing The Edge to reduce or mitigate entirely not only the threats posed by DNS DDoS attacks, but other, similar DDoS attacks as well.
Following discussion, a vote was taken on the resolution, which the Board adopted by a 15-0 vote.
- For SSAC DDoS Attacks on TLD and Root Name System Operators report, see: http://www.icann.org/en/committees/security/dns-ddos-advisory-31mar06.pdf.
- For BCP 38, RFC 2827 Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, see: http://www.ietf.org/rfc/rfc2827.txt.
- For SAC004, Securing The Edge, see: http://www.icann.org/en/committees/security/sac004.pdf.
- For more information on the SSAC, see: http://www.icann.org/en/committees/security/.
- Articles concerning DDoS attacks are available at: http://www.enisa.europa.eu/publications/eqr/issues/eqr-q2-2006-vol.-2-no.-2 and http://www.corecom.com/external/livesecurity/dnsamplification.htm.
- Article concerning the need to take measures such as egress filtering to mitigate DDoS attacks, available at: http://securityskeptic.typepad.com/the-security-skeptic/firewall-best-practices-egress-traffic-filtering.html.
- The resolution does not address funding for the items identified therein.