- Category: ICANN Structures
- Topic: SSAC Report on DDoS Attacks
- Board meeting date: 31 March 2006
- Resolution number: 06.15, 06.16, 06.17
- URL for Board minutes/resolution: http://www.icann.org/en/minutes/minutes-31mar06.htm
- Status: Completed
Summary
Board urges interested parties to consider broad adoption of BCP 38, RFC 2827 on Network Ingress Filtering, and SAC004 on Securing The Edge, in order to reduce threats posed by DNS DDoS attacks and similar DDoS attacks.
Text
Hagen Hultzsch introduced a resolution, seconded by Veni Markovski:
Whereas, on 30 March 2006, ICANN's Security and Stability Advisory Committee (SSAC) submitted a security advisory on DNS Distributed Denial of Service (DDoS) Attacks. The advisory was the subject of a valuable workshop presented by the SSAC at these meetings in Wellington.
Whereas, the SSAC Advisory describes recent incidents, identifies the impacts, and recommends countermeasures that TLD name server operators can implement for immediate and long-term relief from the harmful effects of these attacks.
Resolved (06.15), the ICANN Board hereby accepts the Report, and thanks SSAC Chair Steve Crocker, SSAC Fellow Dave Piscitello, the members of SSAC, and all other contributors for their efforts in the creation of the Advisory.
Resolved (06.16), the ICANN Board directs staff to forward the Report to Internet service providers and operators, to ICANN's advisory committees and supporting organizations, and to other interested parties for their consideration.
Resolved (06.17), the ICANN Board urges interested parties to consider a strategy to encourage the broad adoption of BCP 38, RFC 2827, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing and SSAC004, Securing The Edge to reduce or mitigate entirely not only the threats posed by DNS DDoS attacks, but other, similar DDoS attacks as well.
Following discussion, a vote was taken on the resolution, which the Board adopted by a 15-0 vote.
Implementation Actions
- Forward SSAC report to Internet service providers and operators, to ICANN's advisory committees and supporting organizations, and to other interested parties for their consideration.
- Responsible entity: ICANN Staff
- Due date: December 2006
- Completion date: December 2006
- Raise public's general awareness of DDoS and of the need to take measures to mitigate DDoS attacks.
- Responsible entity: ICANN policy department, SSAC Fellow
- Due date: December 2006
- Completion date: December 2006
Other Related Resolutions
- Other resolutions TBD.
Additional Information
- For SSAC DDoS Attacks on TLD and Root Name System Operators report, see: http://www.icann.org/en/committees/security/dns-ddos-advisory-31mar06.pdf.
- For BCP 38, RFC 2827 Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, see: http://www.ietf.org/rfc/rfc2827.txt.
- For SAC004, Securing The Edge, see: http://www.icann.org/en/committees/security/sac004.pdf.
- For more information on the SSAC, see: http:www.icann.org/en/committees/security/.
- Articles concerning DDoS attacks are available at: http://www.enisa.europa.eu/publications/eqr/issues/eqr-q2-2006-vol.-2-no.-2 and http://www.corecom.com/external/livesecurity/dnsamplification.htm.
- Article concerning the need to take measures such as egress filtering to mitigate DDoS attacks, available at: http://securityskeptic.typepad.com/the-security-skeptic/firewall-best-practices-egress-traffic-filtering.html.
- The resolution does not address funding for the items identified therein.
Explanatory text does not modify or override Resolutions. See Board Resolutions Page for more information.
