Moving DNSSEC Forward: Help for Registries, Registrars, ISPs/Hosting, Enterprises, and Name Owners
DNSSEC adoption has been slow, but is now picking up speed, thanks to organizations leading the way.
In October, 2009 the .TM registry signed with DNSSEC. In June, 2010 .ORG and .EURid both announced the signing of their registries with DNSSEC. Before .TM, other registries had also signed with DNSSEC, those being .SE, .BR, .BG, .CZ and .PR. Last week there were several press announcements of the Root zone itself now being signed. While some registries have already signed, some have announced plans to sign and others are still trying to figure out their plan.
Either way, DNSSEC is here. How can we make DNSSEC adoption quicker and easier not only for the registry but for individual name owners? How can an organization get their zone signed? How can a simple domain owner get their domain name signed? How can registrars and ISPs help their customers adopt DNSSEC?
Security-DNS.net is a “DNSSEC Made Simple” tool designed to answer all of those questions. With this tool, provided by CommunityDNS, registries, organizations and individual domain name owners can submit their domain name or zone(s) and have a signed zone or name returned, complete with their key and the respective DS record, which may be handed to their registry. Registrars and ISPs may also use this tool to provide support for their customers, all free of charge. AND, they do not need to be a customer of CommunityDNS to benefit from this tool.
DNSSEC has understandably raised many questions about how implementation may impact not only methods of operation but also capacity. The signing process, however, is very simple and available to anyone wishing to sign with DNSSEC.
So, moving DNSSEC forward has been made much easier with Security-DNS.net (www.security-dns.net).
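A name owner who receives a key and DS record from any signing service can confirm that the two match before handing the DS record to the registry. The check below is an added example, not code from Security-DNS.net or CommunityDNS; it follows the DS digest and key tag definitions in RFC 4034, and the owner name and key bytes are constructed sample values.

```python
import base64
import hashlib
import struct

# DS digest type numbers mapped to hashlib names (1 = SHA-1, 2 = SHA-256, 4 = SHA-384).
DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) DNS wire format of an owner name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for the obsolete algorithm 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """DS fields for a DNSKEY: digest = hash(owner wire name | DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = hashlib.new(DIGESTS[digest_type], wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest.upper())


def check_ds(owner: str, dnskey_text: str, ds_text: str) -> list:
    """Compare presentation-format DNSKEY and DS RDATA; return a list of problems."""
    flags, proto, alg, *key = dnskey_text.split()
    tag, ds_alg, dtype, *digest = ds_text.split()
    flags, proto, alg = int(flags), int(proto), int(alg)
    tag, ds_alg, dtype = int(tag), int(ds_alg), int(dtype)
    problems = []
    if not flags & 0x0100:
        problems.append("DNSKEY is not a zone key (flags bit 7 unset)")
    if proto != 3:
        problems.append("DNSKEY protocol field is not 3")
    if dtype not in DIGESTS:
        return problems + ["unsupported DS digest type %d" % dtype]
    want = make_ds(owner, flags, proto, alg, "".join(key), dtype)
    if tag != want[0]:
        problems.append("key tag %d != computed %d" % (tag, want[0]))
    if ds_alg != alg:
        problems.append("DS algorithm %d != DNSKEY algorithm %d" % (ds_alg, alg))
    if "".join(digest).upper() != want[3]:
        problems.append("digest mismatch")
    return problems


if __name__ == "__main__":
    # Constructed sample: a 4-byte stand-in "key", not a real public key.
    dnskey = "257 3 8 AQIDBA=="
    ds = "%d %d %d %s" % make_ds("example.org.", 257, 3, 8, "AQIDBA==")
    print(ds, check_ds("example.org.", dnskey, ds) or "OK")
```

An empty list from `check_ds` means the DS record refers to exactly that DNSKEY at that owner name; any entry in the list is a reason not to submit the record to the registry yet.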
Capacity and scalability are necessary in managing DNSSEC and D/DoS. Capacity, necessary for maintaining operations during D/DoS attacks, is also necessary for the increased traffic due to DNSSEC deployment. Scalability is highly important: as DNSSEC is deployed, not only will greater traffic levels be encountered, but greater demand will also be placed on the DNS platform.
In the interest of understanding both capacity and scalability, CommunityDNS conducted tests to assess the readiness of the two main DNS server platforms, BIND and NSD, to see how they would handle the added workload imposed on standard server hardware and to expose any limitations. To be fair, the same tests were conducted on CommunityDNS’ platform. Details of the study may be found here [PDF].
Tests applied to the BIND, NSD and CommunityDNS platforms consisted of high volumes of queries being applied to the three different DNS platforms, using four zone sizes in both unsigned and signed environments. The zone sizes represented were:
It should be noted that neither BIND nor NSD could handle the zone file of 57,873,014 names. It should also be noted that as testing began CommunityDNS’ platform had excess capacity whilst peaking at queries per second. The testing infrastructure was changed, moving to a complete GB platform in switches and routers and moved to CAT-6 cabling. Tests were rerun using the new network infrastructure, achieving greater results.
Capacity Processing: Results of the testing revealed:
Scalability: Examining scalability revealed that, for zone file sizes from 7,691 to 19,405,229, unsigned zones showed a 2.4% degradation for CommunityDNS, a -7.2% degradation for BIND and a 12.1% degradation for NSD. For the same zone sizes in a signed environment there was a 3.6% degradation for CommunityDNS, a 34.6% degradation for BIND and a 30.9% degradation for NSD.
So when looking at operational stability of DNS platforms during D/DoS attacks or with the migration to signed zones, both capacity and scalability are important to ensure operational resilience. Further details of the study may be found by clicking here.
Important due to increased traffic from DNSSEC implementation
During our work with the DNS Infrastructure Resilience Task Force, research found that 770 different DDoS attacks occurred around the globe on 6 June, 2009. On average, research revealed the probability of 1,300 DDoS attacks happening every day, equaling roughly 3% of the Internet’s daily traffic. During the period of 7 December, 2009 to 4 January, 2010, out of 76,158,230,373 EU-based queries analyzed, 3,384,914,589, or 4.4%, were believed to have been questionable. While it was believed that only 1.6% of query packets through a Vienna-based node were questionable, a node in Brussels showed a 14.3% rate of queries related to potential DDoS-based queries.
While humans are aware of and operate within the three dimensions identified through scientific discovery we often do not think about the fourth, or subsequent dimensions we don’t see. When it comes to DNS resilience we think of hardware, bandwidth and peering. What appears absent in the typical discussion is capacity afforded by individual DNS platform providers. Is “DNS platform capacity” the fourth dimension of DNS?
High-end server hardware, bandwidth and peering only go so far in ensuring resilience. Platform capacity provides the extra dimension necessary to ensure legitimate queries are always answered.
Signing the First Root – “L”
Last September a study was conducted regarding the signing of the L-Root. The study, “Root Zone Augmentation and Impact Analysis” examined the impact the signing of the root would have on BIND and NSD platforms.
NSD 3.2.1 at 5,000 queries per second in a signed zone of 1 million names dropped 22% of UDP traffic.
Similarly, at 5,000 queries per second in a signed zone of 1 million names, BIND 9.6.0 P1 will fail to answer 81% of the inbound DNS queries. It should be reported that BIND version 10 should address some of the speed inefficiencies identified through this study.
Outside of the specific study regarding the impact of signing the L-Root, the other authoritative high performance name server platform is from CommunityDNS. Similar testing found that CommunityDNS’ platform, at 50,000 queries per second on a zone size of 1 million DNSSEC signed names, will fail to answer 4.5% of inbound queries, with much of the loss attributed to normal UDP congestion.
On the 27th of January the L-Root was signed. According to the “DURZ Data Analysis” report the following traffic behavior was noticed after the signing of the L-Root.
With all of the root servers now signed, operational questions remain, such as:
- How will site owners manage their keys?
- How will registrars manage their keys?
- Will domain name owners be able to transfer their keys directly to the registry?
- Is there a rollback plan?
- Have operators provisioned for the additional bandwidth requirements associated with DNSSEC?
2009 was both a busy and a good year for CommunityDNS. The following provides a good look at CommunityDNS’s achievements in 2009 and at what we look forward to in 2010.
While 2009 was definitely a good year for CommunityDNS, 2010 is shaping up to be even stronger!
2010 promises to be a dynamic year for our community; the community who strives to provide a resilient Internet for all of those who rely on a stable and functioning ‘Net. Not only do we see DNSSEC playing a more visible role in 2010 we also see a whole new dynamic being introduced to the ‘Net through the introduction of IDNs. Yes, this will be a big year for us all. It is up to all of us to do what we can to be responsible in delivering an Internet that people, organisations, countries and economies have come to rely on.
Provided by CommunityDNS, the information in this post consists of news items in the security-based Internet community.
Eight charged in $9.5m payment processor hack
Charged with stealing more than $9 million in 12 hours by hacking into RBS WorldPay, the Atlanta-based bank card processor, 8 men could face over 50 years in prison. In addition to the 50 years in federal prison, the four leaders face two additional years and a fine of up to $3.5 million for aggravated identity theft.
The men were from Russia, Moldova and Estonia.
Of the eight, four were leaders of the gang, while the other four charged with the crime were cashiers.
Click here for more information.
Malware cleans out jailbroken iPhones
Last weekend some iPhones were hacked, their wallpaper replaced with the image of ‘80s pop star Rick Astley. The worm used to create this hack, the “ikee” worm, is now being used for more malicious activities.
The ikee worm only signals its presence by modifying a device’s wallpaper. Without changing the wallpaper, the worm can continue going about its work unnoticed. The worm can copy a user’s e-mail, contacts, SMSs, photos, calendars, videos, music files and any data collected by iPhone apps.
Click here for more information.
Conficker Computer Virus Going Strong
The Conficker virus continues going strong, with the worm continuing its spread across PCs. As noted by one security provider, the worm could be eradicated if everyone used best security practices.
Click here for more information.
iPhone worms, other smartphone malware in researchers’ sights
In the effort to fit an operating system that can handle multiple features into a very small device, malware prevention software tends to be overlooked. As smartphones grow in popularity, worms are already being devised for smartphones and iPhones.
Through a grant, researchers will analyze how malware detection and eradication can be handled within cell network providers.
Click here for more information.
The blog will return the week of the 20th. During the blog’s absence CommunityDNS will be attending the Internet Governance Conference in Egypt.
Provided by CommunityDNS, the information in this post consists of news items in the security-based Internet community.
Security firm chokes sprawling spam botnet
The efforts of a research firm took down a botnet responsible for 33% of the world’s spam.
The attack was multipronged. First, the security firm reported abuses to ISPs regarding certain IP addresses. Second, the firm worked with registrars to deactivate registered names. Third, the firm registered backup domains that were not yet in use. Fourth, because the botnet was able to generate random domains based on a specific algorithm, the firm, which understood the algorithm, registered names possibly generated by it.
The effect was a botnet that had nowhere to turn. Now the individual bots have been orphaned and the security firm is working with the ISPs to notify the computer owners whose computers were once members of the botnet.
Click here for more information.
MassMutual Warns of Data Breach
Employee and customer data for MassMutual could have been compromised. Data handled by a third party provider was breached.
Click here for more information.
Majority of Web Apps Have Severe Vulnerabilities
A recent report indicates that close to 9 out of 10 web applications could lead to information exposure due to flaws as 87% of the Web applications analyzed had serious vulnerabilities.
60% of Internet-based attacks targeted Web applications. 90% of web vulnerabilities rested with commercial Web applications while 8% rested with browser-run applications.
25% of the attacks were SQL Injection-based, with 17% of the attacks being attributed to Cross Site Scripting.
Click here for more information.
No Rush to Adopt Domain Names Written in Chinese in China
While ICANN has opened the gates for IDNs to begin in certain countries, China being one of them, it appears there is no great rush to acquire the Chinese equivalent of the currently used Latin character set.
In many cases Chinese organizations have reduced the number of characters to make it easier for Chinese users to type in the URL. For example, “Tencent” is known as “qq.com” to its users. Another company has used “163.com” as the URL for its brand name, as companies often associate numbers with their brands.
In one case where someone has already grabbed the Chinese equivalent to one company’s name, the head of the company would like to purchase the name, but feels having it owned by another party would not create any harm to their existing brand.
While the Chinese character sets will aid Internet usage for the older population, the majority of China’s Internet population is already used to the current method of using the Internet.
Click here for more information.
Provided by CommunityDNS, the information in this post consists of news items in the security-based Internet community.
Bot herders hide master control channel in Google cloud
Google’s “AppEngine” application was used by cybercriminals to act as the master control channel, feeding commands to large networks of infected computers.
Also, it was found that the Koobface botnet was using Google Reader to spam malicious links to social networking sites, one of which is Facebook.
Click here for more information.
Gumblar Botnet Resurges
Known as one of the largest botnets that grew dramatically this year, Gumblar has reappeared.
Gumblar works in two ways. The first is to load malware onto sites. When users visit the sites malware is downloaded onto their computers. The second way Gumblar works is to populate websites with I-frames pointing to websites containing the malware.
Click here for more information.
New Spamming Botnet On The Rise
Currently sending 2.5 billion spam messages globally, a new botnet known as “Festi” has quickly jumped to the rank of 5% to 6% of all spam generated. The jump means more bots (or compromised computers) were added into its botnet, with 60% located in Asia, 18% in Europe and 9% in North America.
Click here for more information.
Practical Analysis: The Fastest-Growing Security Threat
Having grown from a few thousand a day a year ago to more than 500,000 a day, SQL Injection is the fastest-growing security threat. Through the use of automated tools, cybercriminals are searching for sites that are vulnerable to SQL injection. Such attacks allow hackers to break into networks, which can lead to the breach of sensitive data.
Click here for more information.
UK to push for law to retain all communications data
Saying that the EU Data Retention Directive does not go far enough, and citing the need to prevent serious crime and terrorism, the British government is pushing for its ISPs to capture and hold data regarding instant messages, e-mail and other electronic communications. The data retained would also include data from third-party services. The data is to be retained by the respective ISPs and not in a centralized database.
Click here for more information.