Cyber attacks on the DNS: ICANN urges to deploy the DNSSEC protocol
In recent weeks, several authorities have reported an upsurge of coordinated malicious acts against the Internet Domain Name System (“DNS”) infrastructure, the backbone of the Internet. Ongoing attacks raise concerns about their persistence, magnitude, and the concomitant use of several methods.
On January 10, 2019, based on reports issued by companies specializing in cybersecurity, the National Cybersecurity and Communications Integration Center (NCCIC), which is a branch of the Cybersecurity and Infrastructure Security Agency (CISA), reported that attacks against the DNS were in progress. On Tuesday 22 January, CISA, established in 2015, issued its first emergency directive, Emergency Directive 19-01. To counter or mitigate the effects of malicious acts, this directive requires US federal agencies to adopt, without delay, a series of measures to respond to a worldwide campaign of diversion of the DNS: audit DNS records; change DNS account passwords; add multi-factor authentication to DNS accounts; monitor certificate transparency logs. CISA also requests all federal agencies to submit incident reports.
Originally, the DNS ignored insidious security issues that might arise. This results in vulnerabilities, intrinsic to the DNS, which favor attacks of different types. It is legitimate to fear, in particular, the following types of attacks:
- “Man in the Middle”;
- cache poisoning; or
- Distributed Denial of Service (DDoS).
As a result, domain name holders may experience traffic diversions, fraudulent domain name hijacking, or phishing. As for Internet users, they are also exposed to criminal interference because they run the risk of being redirected to fraudulent sites, often built to steal their data (passwords, e-mail addresses, bank identifiers, etc.). ), for example by distributing malware.
The current threat is such that, on February 15, 2019, the Internet Corporation for Assigned Names and Numbers (ICANN) urged all stakeholders (registries, registrars and others) to be extremely vigilant. ICANN is the sprawling international institution whose mission is to maintain the security, stability, and interoperability of the Internet. In other words, ICANN is the governing body of the DNS. At the top of the list of urgent security precautions, ICANN is urging registries and registrars to fully deploy the Domain Name System Security Extensions (DNSSEC) technology. As for the most concerned stakeholders, domain name owners, they are strongly advised to migrate to registrars of domain names that offer the DNSSEC protocol. For ICANN, these measures must be taken immediately.
The DNSSEC protocol, which has been standardized by the Internet Engineering Task Force (IETF), makes it possible to overcome, to a large extent but not 100%, the vulnerabilities of the DNS. The DNSSEC technology consists of a validation process (called “DNSSEC Signed”) at the root level (managed by ICANN), the top-level domain or TLD (managed by the registry) and the domain name (managed by the registrar). In the end, this process generates an authentication chain. The resulting chain of trust greatly improves data security and, correspondingly, significantly reduces the risk of malicious acts. A registry or registrar is said to be signed when it has been enhanced with the DNSSEC technology. Large-scale adoption of the DNSSEC protocol can significantly improve the robustness of the DNS.
However, the deployment of DNSSEC remains relatively low, despite the considerable and ongoing efforts of the ICANN Security and Stability Advisory Committee (SSAC), the Registry Internet Safety Group (RISG), the Computer Emergency Response Teams (CERTs) and the Internet Society Deploy360, as many bodies that promote it, including through awareness campaigns and training.
At the level of second level domains (SLD), everyone agrees that it is very difficult to obtain statistics that reliably establish the percentage of domain names signed with the DNSSEC protocol (see ISOC, State of DNSSEC Deployment 2016, Dec. 2016, p. 17). It must be remembered that not all registrars offer DNSSEC. To date, the SSAC recommends not to disclose the names of registrars that do not provide DNSSEC on a systematic basis. However, the SSAC does not exclude this possibility for the future:
“We do not, at this time, recommending registrars’ names be published or not” (ICANN, Advisory on the ICANN Security and Stability Advisory Committee, SAC074, Nov. 3, 2015, Recommendation 1, p. 4).
In a key study published in 2017, a group of researchers led by Taejoong Chung came to the conclusion that “DNSSEC support [is] quite low among the most popular registrars” (T. Chung et al., 2017. Understanding the Role of Registrars in DNSSEC Deployment. In Proceedings of IMC ’17, London, United Kingdom, November 1–3, 2017, 14 pages, see para. Summary 5.3).
At IP Twins, security is our main concern.
To date, the 2013 Registrar Accreditation Agreement (“2013 RAA”) does not require registrars to systematically offer the DNSSEC protocol. At the very least, Article 3.20 requires registrars to notify ICANN of any security incidents. However, according to the annex entitled “Additional Registrar Operation Specification”, a Registrar must authorize its customers to use DNSSEC upon request.
At the TLD level, since 2012, ICANN has required all gTLD registries to incorporate the DNSSEC protocol. This requirement does not apply to gTLDs created prior to 2012, but apart from .AERO, there is no gTLD that is not secured by DNSSEC. In fact, it is the ccTLDs that are causing concern. Indeed, there are many ccTLDs registries that have not yet adopted the DNSSEC protocol. There are two main reasons for this delay: the complexity of the technology and its cost. According to ICANN, 1398 of the 1532 extensions are signed, with the result that 134 are not (nearly 50% of ccTDs), including the following ones:
TLD Country or Territory
BA Bosnia and Herzegovina
BF Burkina Faso
CV Cape Verde
CF Central African Republic
CI Cote d'Ivoire
CD Democratic Republic of the Congo
DM Dominican Republic
SV El Salvador
GQ Equatorial Guinea
VA Holy See (vatican City State)
IR Iran, Islamic Republic of
ایران Iran, Islamic Republic of
IM Isle of Man
MH Marshall Islands
KP North Korea
PS Palestine, State of
فلسطين Palestine, State of
PG Papua New Guinea
MD Republic of Moldova
SM San Marino
السعودية Saudi Arabia
SY Syrian Arab Republic
سورية Syrian Arab Republic
AE United Arab Emirates
امارات United Arab Emirates
VE Venezuela, Bolivarian Republic Of
VI Virgin Islands
source: ICANN.ORG — http://stats.research.icann.org/dns/tld_report/
It is noted that unsigned extensions are, with the exception of a few, ccTLDs of states with limited resources. The lack of implementation of the DNSSEC technology would therefore mainly result from a lack of financial resources. Nevertheless, programs are in progress, as evidenced by the map of the Internet Society Deploy360 (which is updated periodically):
Source: ISOC Deploy360 — https://www.internetsociety.org/deploy360/dnssec/maps/
However, it should be added that many ISPs use Google’s Public DNS Service (PDNS). Since Google PDNS supports DNSSEC validation, users de facto have access to DNSSEC validation (see ISOC, State of DNSSEC Deployment 2016, Dec. 2016, p. 8). This is particularly the case in some African countries.
Finally, one would not be able to complete this series of statistics without referring to data from the Asia Pacific Network Information Center (APNIC) that takes into consideration “the relative number of Internet users in each country who have been observed performing DNSSEC validation when resolving domain names” (Geoff Huston, “Some Internet Measurements”, labs.apnic.net, 24 Jul. 2014). According to the results obtained by the APNIC, there are less than 20% DNSSEC validations.
Source: APNIC.NET — https://stats.labs.apnic.net/dnssec
There remains the question of incitement. On this point, a study has shown that financial mechanisms, accompanied by technical assistance, can encourage registrars to sign domain names (T. Chung et al., 2017. Understanding the Role of Registrars in DNSSEC Deployment. In Proceedings of IMC ’17, London, United Kingdom, November 1–3, 2017, 14 pages, see para. Summary 6.3). At the global level, financial incentive mechanisms should be implemented at all levels of Internet governance.
All of these questions will likely be addressed at the next ICANN64 public meeting in Kobe, Japan, March 9-14, 2019. IP Twins will be there!