Historical Resolution Tracking Feature » SSAC Advisory on DNS "Search List" Processing and DDos Attacks Leveraging DNS Infrastructure

Important note: The explanatory text provided through this database (including the summary, implementation actions, identification of related resolutions, and additional information) is an interpretation or an explanation that has no official authority and does not represent the purpose behind the Board actions, nor does any explanations or interpretations modify or override the Resolutions themselves. Resolutions can only be modified through further act of the ICANN Board.

SSAC Advisory on DNS "Search List" Processing and DDos Attacks Leveraging DNS Infrastructure


Resolution of the ICANN Board
Topic: 
Board acknowledgement of the receipt of SAC064: SSAC Advisory on Search List Processing, and SAC065: SSAC Advisory on DDoS Attacks Leveraging DNS Infrastructure.
Summary: 

SAC 064 - highlights some of the DNS "search list" processing behavior
SAC 065 - ICANN and operators of Internet infrastructure and manufacturers to take action to address the unresolved critical design and deployment issues that have enabled increasingly large and severe Distributed Denial of Service (DDoS) attacks using the DNS.

Category: 
ICANN Structures
Internet Protocols
Meeting Date: 
Mon, 17 Nov 2014
Resolution Number: 
2014.11.17.03 – 2014.11.17.05
Resolution Text: 

Whereas, in February 2014, the ICANN Security and Stability Advisory Committee (SSAC) published SAC064 [PDF, 931 KB]: SSAC Advisory on DNS "Search List" Processing and SAC065 [PDF, 423 KB]: SSAC Advisory on DDoS Attacks Leveraging DNS Infrastructure.

Whereas, in SAC 064, the advice highlights some of the DNS "search list" processing behavior presents security and privacy issues to end systems, lead to performance problems for the Internet, and might cause collision with names provisioned under the newly delegated top-level domains.

Whereas, in SAC 065, the advice recommends ICANN and operators of Internet infrastructure and manufacturers to take action to address the unresolved critical design and deployment issues that have enabled increasingly large and severe Distributed Denial of Service (DDoS) attacks using the DNS.

Whereas, while in some instances SAC 064 and SAC 065 call for actions not under ICANN's control and actors not necessarily within ICANN's usual community, they are meant to address the overall responsibilities of the multi-stakeholder community and encourage ICANN to take action where it is relevant to do so.

Whereas, ensuring the stable and secure operation of the Internet's system of unique identifiers is part of ICANN's mission; preserving and enhancing the operational stability, reliability, security, and global interoperability of the Internet part of ICANN's core value; and ensuring the introduction of new gTLDs in a secure and stable manner is a strategic priority for ICANN.

Resolved (2014.11.17.03), the Board acknowledges the receipt of SAC064: SSAC Advisory on Search List Processing, and SAC065: SSAC Advisory on DDoS Attacks Leveraging DNS Infrastructure.

Resolved (2014.11.17.04), the Board directs the President and CEO, or his designee(s), to evaluate the advice provided in SAC064 and SAC 065.

Resolved (2014.11.17.05), in the instances where it is recommended that the advice be accepted, the Board directs the President and CEO, or his designee(s), to evaluate the feasibility and cost of implementing the advice, and provide an implementation plan with timelines and high-level milestones for review by the Board, no later than 120 days from the adoption of this resolution.

Rationale for Resolution: 

On 13 February 2014, the SSAC published an advisory concerning the security and stability implications of DNS "search list" processing – SAC 064. The SSAC advice examines how current operating systems and applications process search lists. It outlines issues related to current search list behavior, and proposes both a strawman to improve search list processing in the long term and mitigation options for ICANN and the Internet community to consider in the short term. The purpose of these proposals is to help introduce new generic Top Level Domains (gTLDs) in a secure and stable manner with minimum disruptions to currently deployed systems.

On 24 February 2014, the SSAC published an advisory concerning large-scale abuse that leverages DNS infrastructure - SAC 065. The SSAC advice examines how current operating systems and applications process search lists. The advice explores several unresolved critical design and deployment issues that have enabled increasingly large and severe Distributed Denial of Service (DDoS) attacks using the DNS. While DDoS attacks can exploit multiple characteristics of network infrastructure and operations, the prevalence and criticality of the DNS means that securing it is both challenging and urgent. These unresolved DNS issues and related DDoS attacks pose a real and present danger to the security and stability of the Internet.

The Board's consideration of recommendations from Supporting Organizations and Advisory Committees in general, and for SAC064 and SAC 065 in specific, needs to be informed by an analysis of both the substance of the advice as well as the feasibility and cost of implementing such advice that is deemed acceptable.

There are no foreseen fiscal impacts associated with the adoption of this resolution, which is the first step in initiating the analysis of implementation of the SSAC advice. The fiscal impacts will be analyzed as a result of this Board action for future consideration. The adoption of this resolution is not an Organizational Administrative Action requiring public comment.