SSAC Advisory on DDoS Attacks Leveraging DNS Infrastructure (R-3)

| Date Issued | Document | Reference ID | Current Phase |
|---|---|---|---|
|  | SSAC Advisory on DDoS Attacks Leveraging DNS Infrastructure (R-3) | SAC065 | CLOSED |


Description:

Recursive DNS server operators should take immediate steps to secure open recursive DNS servers. This involves:

a. Identify unmanaged open recursive DNS servers operating in the network and take immediate steps to restrict access to these servers in order to prevent abuse.

b. Follow SAC008 Recommendation 3 to (1) disable open recursion on name servers from external sources and (2) only accept DNS queries from trusted sources to assist in reducing amplification vectors for DNS DDoS attacks.

c. DNS Application Service Providers should take all reasonable steps to prevent abusive use of their open resolvers so that they are not targets of abuse. This would include continuous monitoring for anomalous behavior, limiting or blocking known abuse queries (e.g., ripe.net ANY); tracking likely target victim IPs (attacks reported or addresses of heavily targeted servers) and restricting or disallowing responses to those IPs; and sharing information with similar operators to coordinate efforts to quell such attacks.
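The monitoring described in items b and c can be prototyped over resolver query logs. The following is an added example, not part of the SSAC advisory or any ICANN tooling; the log format, trusted network range, threshold and sample lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the networks this resolver is meant to serve (item b's "trusted sources").
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: ANY queries per log window above which a source is flagged.
ANY_THRESHOLD = 3
# Constructed, simplified log format: "<client-ip> <qname> <qtype>".
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample log; external addresses are from documentation ranges.
SAMPLE_LOG = """\
10.1.2.3 www.example.com A
198.51.100.7 ripe.net ANY
198.51.100.7 ripe.net ANY
198.51.100.7 ripe.net ANY
198.51.100.7 ripe.net ANY
203.0.113.9 example.org AAAA
10.9.9.9 ripe.net ANY
999.1.1.1 ripe.net ANY
not a valid line at all here
"""

def analyze(log_text):
    """Count queries from untrusted sources and flag likely reflection victims."""
    untrusted, any_hits, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        try:
            ip = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:
            ip = None
        if ip is None:
            skipped += 1          # malformed line or unparsable address
            continue
        if any(ip in net for net in TRUSTED_NETS):
            continue              # trusted client: recursion is expected
        untrusted[str(ip)] += 1   # would be refused once item b is applied
        if m.group(3).upper() == "ANY":
            any_hits[str(ip)] += 1
    # In a reflection attack the query source is spoofed to the victim's
    # address, so a heavy untrusted ANY "client" is a likely target.
    victims = sorted(ip for ip, n in any_hits.items() if n > ANY_THRESHOLD)
    return {"untrusted": dict(untrusted), "likely_victims": victims, "skipped": skipped}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Any entry under `untrusted` means the resolver is still answering sources outside its service networks; entries under `likely_victims` are candidates for the response restrictions item c describes.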


STATUS UPDATES

| Date | Phase | Type | Status Updates |
|---|---|---|---|
|  | Closed | Phase Change | This Advice Item is now Closed |
|  | Phase 5 | Phase Update | This item is directed towards DNS server operators, not ICANN. ICANN acknowledges this advice, but does not believe there is any action required of ICANN at this time (other than support of promotion of this effort described in SAC065 R-1). |
|  | Phase 5 | Phase Change | Now in Phase 5: Close |
|  | Phase 3 | Phase Change | Now in Phase 3: Evaluate & Consider |
|  | Phase 2 | Board Update | Status at beginning of ARR is Open - Prior to Board Consideration: Board consideration of the advice is still required. Status provided in 19 October 2016 letter from ICANN Board Chair to SSAC Chair (https://www.icann.org/en/system/files/correspondence/crocker-to-faltstrom-19oct16-en.pdf). There is outstanding work on this advice item, and it will be addressed through the BAR pilot process. |
|  | Phase 2 | Phase Update | Thank you for providing your feedback to ICANN staff's understanding of request of the advice received by the ICANN Board from the SSAC. We have updated the status of the advice Items based on the approved understanding statements. The attached document includes a list of advice items with these recent status updates, and below is a summary of the 12 items considered complete: SAC065: SSAC Advisory on DDoS Attacks Leveraging DNS Infrastructure – Recommendations 2, 3, 4, 5 and 6. |
|  | Phase 2 | AP Feedback | SSAC confirmed the understanding. |
|  | Phase 2 | Board Understanding | Our understanding of SAC065 R-3 is that it is directed towards DNS server operators, not ICANN. ICANN acknowledges this advice, but we do not believe that there is any action required of ICANN at this time (other than support of promotion of this effort described in SAC065 R-1). |
|  | Phase 1 | Phase Update | SSAC published SAC065: SSAC Advisory on DDoS Attacks Leveraging DNS Infrastructure: https://www.icann.org/en/system/files/files/sac-065-en.pdf. |