SAC065: SSAC Advisory on DDoS Attacks Leveraging DNS Infrastructure

1. Why is the Board addressing the issue?

On 18 February 2014, ICANN received SAC065: Security and Stability Advisory Committee (SSAC) Advisory on DDoS Attacks Leveraging DNS Infrastructure.

On 24 June 2017, the Board adopted the advice in SAC065 and directed the CEO to implement the advice as described in the document:

"SAC065 is an advisory on DDoS attacks leveraging DNS infrastructure and Recommendation 1 indicates that ICANN should help facilitate an Internet-wide community effort to reduce the number of open resolvers and networks that allow network spoofing. Upon the creation of such a community effort, ICANN should provide measurement and outreach support with appropriate allocation of staff and funding."

This Board Paper demonstrates ICANN org's completion of work on SAC065's recommendations. As a result, the Board is now directing that the remaining items related to SAC065 being tracked in the ICANN org Action Request Registry may be closed, at the recommendation of the Board Technical Committee (BTC).

2. What is the proposal being considered?

The Board is considering a recommendation from the BTC that the ICANN Board direct that the remaining items related to SAC065 being tracked in the ICANN org Action Request Registry may be closed.

3. Which stakeholders or others were consulted?

The SSAC agreed that ICANN org has fulfilled its role in implementing the Recommendations of this Advisory.

4. What concerns or issues were raised by the community?

None.

5. What significant materials did the Board review?

In determining that the remaining items related to SAC065 being tracked in the ICANN org Action Request Registry may be closed, the Board considered the recommendation of the BTC and the rationale from ICANN org demonstrating that work on these remaining items is now complete.

BACKGROUND

Only Recommendation 1 advised actions for ICANN org, while Recommendations 2 through 6 were addressed to other parties in the community (network operators, DNS operators, and manufacturers and/or configurators of customer premise networking equipment):

Recommendation 1: ICANN should help facilitate an Internet-wide community effort to reduce the number of open resolvers and networks that allow network spoofing. This effort should involve measurement efforts and outreach and cooperation in relevant technical fora involving network operators worldwide, but will not have an operational component. ICANN should support this effort with adequate staffing and funding.

The Recommendation outlined data that ICANN org should collect in order to create reports for all kinds of network server operators and manufacturers to whom Recommendations 2 thru 6 were addressed.

b. Coordinate with the Internet community to popularize and support recommendations 2-5. This coordination should include exploration of whether operational requirements regarding open resolvers and the prevention of network spoofing can be incorporated into regulatory compliance frameworks and certification regimes.

Since then, ICANN org has been supportive of community efforts underway to raise visibility of open resolvers, such as https://dnsscan.shadowserver.org and http://openresolverproject.org. In particular, ICANN org has funded the Shadowserver Foundation.

Regarding explicit efforts to reduce the number of open resolvers, ICANN org has investigated the viability of such a project. The effort is daunting, if not impossible, given the large number of open resolvers (tens of millions) and the difficulty in determining and then reaching operators. As an example of this difficulty, in 2018 the Office of the Chief Technical Officer (OCTO) made a significant effort to reach out to operators of resolvers that were thought to be using only KSK-2010 in order to prepare for the key rollover. ICANN org discovered that contacting individual resolver operators to alert them of possible problems was extremely difficult and largely unsuccessful. Given the large number of open resolvers (tens of millions) and the anticipated effort it would take to get even a significant fraction of operators of those resolvers to enable appropriate resolution service access controls, ICANN org believes further efforts in this area would be extremely resource intensive and unlikely to make a material difference.

With respect to facilitating an Internet-wide community effort to reduce the number of networks that allow network spoofing, this activity may be viewed as outside of ICANN's limited technical remit. ICANN org notes that the Internet Society continues to make great strides with their Mutually Agreed Norms for Routing Security (MANRS) in encouraging network operators to reduce the impact of network spoofing.

Based on the work discussed above, on 12 February 2020, SSAC agreed that actions related to SAC065 Recommendation 1 should be considered complete.

6. Are there positive or negative community impacts?

This Board resolution confirms that the Advisory's recommendations were completed by ICANN org and does not assess the impacts of the implementation of the recommendations.

7. Are there fiscal impacts or ramifications on ICANN (strategic plan, operating plan, budget); the community; and/or the public?

No fiscal impacts or ramifications on ICANN, the community, or the public are expected as a result of closing these remaining SAC062 items.

8. Are there any security, stability or resiliency issues relating to the DNS?

No security, stability, or resiliency issues relating to the DNS are expected as a result of closing these remaining SAC065 items.

9. Is this decision in the public interest and within ICANN's mission?

Yes. Confirming the completion of the implementation of an Advisory provides an accountability mechanism for ICANN's work, which is in the public interest and within ICANN's mission.

10. Is this either a defined policy process within ICANN's Supporting Organizations or ICANN's Organizational Administrative Function decision requiring public comment or not requiring public comment?

This action does not require public comment.