SSAC Advisory on DDoS Attacks Leveraging DNS Infrastructure (R-1)

Date Issued | Document | Reference ID | Current Phase

SSAC Advisory on DDoS Attacks Leveraging DNS Infrastructure (R-1) | SAC065 | CLOSED


Description:

ICANN should help facilitate an Internet-wide community effort to reduce the number of open resolvers and networks that allow network spoofing.


STATUS UPDATES

Date | Phase | Type | Status Updates

 

Closed | Phase Change | This Advice Item is now Closed

 

Phase 5 | Board Update | Resolved (2021.05.12.09), the Board finds that ICANN org acted upon SAC065's Recommendation 1. The Board considers SAC065 to be completed. See full resolution at https://www.icann.org/resources/board-material/resolutions-2021-05-12-en#1.f

 

Phase 5 | Phase Update | Matt Larson sent a letter to Rod Rasmussen advising that SAC065 is complete (https://www.icann.org/en/system/files/correspondence/larson-to-rasmussen-13jan21-en.pdf). SAC065 Recommendation 1 Notes: SAC065's Recommendation 1 called for ICANN to "help facilitate an Internet-wide community effort to reduce the number of open resolvers and networks that allow network spoofing." ICANN org has long been supportive of community efforts underway to raise visibility of open resolvers, such as those efforts by the Shadowserver Foundation and the Open Resolver Project. Regarding explicit efforts to reduce the number of open resolvers, the org has investigated the viability of such a project and determined it would need considerable resource requirements and even then the results would be unlikely to make a material difference. In preparation for the root KSK roll in 2018, ICANN org attempted to reach operators of recursive resolvers believed to be unready for the KSK roll. Determining a resolver's operator and then contacting them proved to be extremely difficult and often unsuccessful. We believe it would be similarly difficult to identify and contact operators of open resolvers. With respect to facilitating an Internet-wide community effort to reduce the number of networks that allow network spoofing, this activity may be viewed as outside of ICANN's limited technical remit. The org notes that the Internet Society continues to make great strides with their Mutually Agreed Norms for Routing Security (MANRS) in encouraging network operators to reduce the impact of network spoofing.

 

Phase 5 | Phase Change | Now in Phase 5: Close

 

Phase 4 | AP Feedback | The SSAC agrees SAC065 Recommendation 1 is ready to move to Phase 5 | Close Request.

 

Phase 4 | Phase Update | OCTO believes this item can be closed. There are already significant community efforts underway to raise visibility of open resolvers, such as https://dnsscan.shadowserver.org and http://openresolverproject.org. Regarding explicit efforts to reduce their number, the org has investigated the viability of such a project. We looked at the size of various publicly-maintained lists of open resolvers and their properties to help determine how to reach operators of those resolvers. During 2018, ICANN made a significant effort to reach out to operators of resolvers that were thought to be using only KSK2010 in order to prepare for the key rollover, but discovered that contacting individual resolver operators to alert them of possible problems was extremely difficult and largely unsuccessful. Given the large number of open resolvers and the effort it would take to get even a few of them to use access control, the org believes further efforts in this area would be extremely resource intensive and unlikely to make a material difference. With respect to facilitating an Internet-wide community effort to reduce the number of networks that allow network spoofing, we note that the Internet Society continues to make great strides with their Mutually Agreed Norms for Routing Security (MANRS) initiative.

 

Phase 4 | Phase Change | Now in Phase 4: Implement

 

Phase 3 | Phase Update | The ICANN organization understands that SAC065 R-1 means that ICANN should help to facilitate an Internet-wide community effort to reduce the number of open resolvers and networks that allow network spoofing. This initiative, which should involve measurement efforts and outreach, should be supported by ICANN with appropriate staffing and funding to promote the recommendations made in SAC065 Recommendations 2-5. On 24 June 2017, the ICANN Board accepted this advice and directed the ICANN organization to implement per the ICANN organization's recommendation (https://www.icann.org/resources/board-material/resolutions-2017-06-24-en#2.b).

 

Phase 3 | Board Update | Resolved (2017.06.24.19), the Board adopts the SSAC recommendations outlined in the document titled "Implementation Recommendations for SSAC Advice Documents SAC062, SAC063, SAC064, SAC065, SAC070, and SAC073 (08 June 2017) [PDF, 433 KB]", and directs the CEO to implement the advice as described in the document. SAC065 Recommendation 1 proposed solution: Upon the creation of an Internet-wide community effort, ICANN anticipates providing measurement and outreach support and allocating appropriate staffing and funding. See full resolution at https://www.icann.org/resources/board-material/resolutions-2017-06-24-en#2.b

 

Phase 3 | Phase Update | ICANN received SSAC's approval of understanding and is in the process of evaluating the advice. Our understanding of SAC065 R-1 is that ICANN should help to facilitate an Internet-wide community effort to reduce the number of open resolvers and networks that allow network spoofing. This initiative, which should involve measurement efforts and outreach, should be supported by ICANN with appropriate staffing and funding to promote the recommendations made in SAC065 Recommendations 2-5.

 

Phase 3 | Phase Change | Now in Phase 3: Evaluate & Consider

Phase 2 | Board Update | Board consideration of the advice is still required. Status provided in 19 October 2016 letter from ICANN Board Chair to SSAC Chair (https://www.icann.org/en/system/files/correspondence/crocker-to-faltstrom-19oct16-en.pdf). There is outstanding work on this advice item, and it will be addressed through the BAR pilot process.

 

Phase 2 | AP Feedback | SSAC confirmed the understanding

 

Phase 2 | Board Understanding | Our understanding of SAC065 R-1 is that ICANN should help to facilitate an Internet-wide community effort to reduce the number of open resolvers and networks that allow network spoofing. This initiative, which should involve measurement efforts and outreach, should be supported by ICANN with appropriate staffing and funding to promote the recommendations made in SAC065 Recommendations 2-5.

 

Phase 1 | Phase Update | SSAC published SAC065: SSAC Advisory on DDoS Attacks Leveraging DNS Infrastructure: https://www.icann.org/en/system/files/files/sac-065-en.pdf.