In October, 2009 the .TM registry signed with DNSSEC.   In June, 2010 both .ORG and .EURid both announced the signing of their registries with DNSSEC.  Before .TM other registries have also signed with DNSSEC, those being .SE, .BR, .BG, .CZ and .PR.  Last week there were several press announcements of the Root zone, itself now being signed.  While some registries have already signed, some have announced plans to sign and others are still trying to figure out their plan.

Either way, DNSSEC is here.  How can we make DNSSEC adoption quicker and easier not only for the registry but for individual name owners?   How can an organization get their zone signed?  How can a simple domain owner get their domain name signed?  How can registrars and ISPs help their customers adopt DNSSEC?

Security-DNS.net is a “DNSSEC Made Simple” tool designed to answer all of those questions.  Provided by CommunityDNS, registries, organizations, individual domain name owners can submit their domain name or zone(s) and have a signed zone or name returned complete with their key and the respective DS record which may be handed to their registry.  Registrars and ISPs may also use this tool to provide support for their customers, all free of charge.  AND, they do not need to be a customer of CommunityDNS to benefit from this tool.

DNSSEC has understandably raised many questions for many on how implementation may impact not only their methods of operation but capacity.   The signing process, however, is very simple and available to anyone wishing to sign with DNSSEC.

So, moving DNSSEC forward has been made much easier with Security-DNS.net (www.security-dns.net).

(click image to enlarge)

Capacity and scalability are necessary in managing DNSSEC and D/DoS. Capacity, necessary for maintaining operations during D/DoS attacks, is also necessary for increased traffic due to DNSSEC deployment. Scalability is highly important, as DNSSEC is deployed not only will greater traffic levels will be encountered, greater demand will be placed on the DNS platform.

In the interest of understanding both capacity and scalability CommunityDNS conducted tests to assess the readiness of the two main DNS server platforms, BIND and NSD and how they would handle the added workload imposed on standard server hardware as well as expose any limitations. To be fair the same tests were conducted on CommunityDNS’ platform.  Details of the study may be found here [PDF].

Tests applied to the BIND, NSD and CommunityDNS platforms consisted of high volumes of queries being applied to the three different DNS platforms, using four zone sizes in both unsigned and signed environments. The zone sizes represented were:

It should be noted that neither BIND nor NSD could handle the zone file of 57,873,014 names. It should also be noted that as testing began CommunityDNS’ platform had excess capacity whilst peaking at queries per second. The testing infrastructure was changed, moving to a complete GB platform in switches and routers and moved to CAT-6 cabling. Tests were rerun using the new network infrastructure, achieving greater results.

Capacity Processing: Results of the testing revealed:

(click image to enlarge)

Scalability: Examining scalability revealed that for zone file sizes from 7,691 to 19,405,229, scalability for unsigned zones were 2.4% degradation for CommunityDNS, -7.2% degradation for BIND and 12.1% degradation for NSD. When examining scalability for the same zone sizes in a signed environment there was a 3.6% degradation for CommunityDNS, 34.6% degradation for BIND and a 30.9% degradation for NSD.

(click image to enlarge)

(click image to enlarge)

So when looking at operational stability of DNS platforms during D/DoS attacks or with the migration to signed zones, both capacity and scalability are important to ensure operational resilience.  Further details of the study may be found by clicking here.

During our work with the DNS Infrastructure Resilience Task Force research yielded 770 different DDoS attacks occurred around the globe on 6 June, 2009.  On average research revealed the probability of 1,300 DDoS attacks happening every day, equaling roughly 3% of the Internet’s daily traffic.  During the period of 7 December, 2009 to 4 January, 2010, out of 76,158,230,373 EU-based queries analyzed 3,384,914,589, or 4.4%, were believed to have been questionable.  While it was believed only 1.6% of query packets through a Vienna-based node were questionable a node in Brussels showed a 14.3% rate of queries related to potential DDoS-based queries.

While humans are aware of and operate within the three dimensions identified through scientific discovery we often do not think about the fourth, or subsequent dimensions we don’t see.  When it comes to DNS resilience we think of hardware, bandwidth and peering.  What appears absent in the typical discussion is capacity afforded by individual DNS platform providers.  Is “DNS platform capacity” the fourth dimension of DNS?

High-end server hardware, bandwidth and peering only go so far in ensuring resilience.  Platform capacity provides the extra dimension necessary to ensure legitimate queries are always answered.

Statistics gathered from 7 December, 2009 to 4 January, 2010 (click image to enlarge image)

NSD 3.2.1 at 5,000 queries per second in a signed zone of 1 million names dropped 22% of UDP traffic.

Similarly, on a zone of 1 million names at 5,000 queries per second in a signed zone of 1 million names BIND 9.6.0 P1 will fail to answer 81% of the inbound DNS queries.  It should be reported that BIND, version 10 should address some of the speed inefficiencies as identified through this study.

Outside of the specific study regarding the impact on signing the L-Root, the other authoritative high performance name server platform is from CommunityDNS.  Similar testing found CommunityDNS’ platform at 50,000 queries per second on a zone size of 1million DNSSEC signed names will fail to answer 4.5% of inbound queries.  Much of the loss attributed to normal UDP congestion.

On the 27^th of January the L-Root was signed.  According to the “DURZ Data Analysis” report the following traffic behavior was noticed after the signing of the L-Root.

Increase in UDP packet size after signing the "L" Root.

An approximate 27 fold increase in TCP packets due to the signing of the "L" Root.

With all of the root servers now signed, operational questions remain, such as:

• How will site owners manage their keys?
• How will registrars manage their keys?
• Will domain name owners be able to transfer their keys directly to the registry?
• Is there a rollback plan?
• Have operators provisioned for the additional bandwidth requirements associated with DNSSEC?

Chosen by the DNS Infrastructure Resilience Task Force (DIR), CommunityDNS is pleased to finalize its part in the European Commission’s study regarding DNS resilience for the EU and its Member States.  Officially titled, “Initiative for the Development and Coordination of Technologies and Methodologies for Resilience of the DNS Infrastructure in and among European Union Member States” the study was commissionedand partially funded by the Prevention, Preparedness and Consequence Management of Terrorism and other Security Related Risks Programme; European Commission – Directorate-General Justice, Freedom and Security.

Along with a comprehensive examination as to the “why” and “how” DNS may be impacted the report also highlights the region’s online economy.  The report concludes with a comprehensive list of recommendations, such as incorporating platform diversity through proprietary and open source managed providers to ensure DNS resilience.

Included within the deliverable is a fully functional, highly-secure information-sharing platform geared to support secure information sharing regarding cyber incidents.  The audience for the information sharing platform are:

Organisations forming the EU’s Internet substructure

• ccTLDs and registries
• Registrars
• Hosting companies
• ISPs
• IXPs
• DNS service providers

Cyber crime-focused organizations

• CERTs
• The Cooperative Cyber Defense Centre of Excellence
• The European Electronic Crime Task Force
• Centre for Secure Information Technologies

Law enforcement (cyber crime-focused)

Key individuals representing organisations in the EU’s highly important ISAC, or infrastructure sectors.
The Information-Sharing platform serves as an information repository, an information aggregator, a DNS monitoring platform and a comprehensive alert system.  Cyber-security incidents are captured and recorded as they unfold, providing a platform whereby cyber disaster recovery plans may also be exercised.  “Trust”, “Security” and “Flexibility” form the Platform’s foundation as the Platform allows for the sharing of sensitive information based upon individual permission rights and classification levels.
Access to the report will be available once the EC has posted the link on their site. If you are an EU-based ccTLD you may contact CommunityDNS to receive your complimentary copy.

While 2009 was definitely a good year for CommunityDNS 2010 is shaping up to be even stronger!

2010 promises to be a dynamic year for our community; the community who strives to provide a resilient Internet for all of those who rely on a stable and functioning ‘Net.  Not only do we see DNSSEC playing a more visible role in 2010 we also see a whole new dynamic being introduced to the ‘Net through the introduction of IDNs.  Yes, this will be a big year for us all.  It is up to all of us to do what we can to be responsible in delivering an Internet that people, organisations, countries and economies have come to rely on.

Eight charged in $9.5m payment processor hack

Charged with stealing more than $9 million dollars in 12 hours by hacking into RBS WorldPay, the Atlanta-based bank card processor, 8 men could face over 50 years in prison. In addition to the 50 years in federal prison the four leaders face two additional years and a fine up to $3.5 million dollars for aggravated identity theaft.

The men were from Russia, Moldova and Estonia.

Of the eight four were leaders of the gang while the other four charged with the crime were cashiers.

Click here for more information.

Malware cleans out jailbroken iPhones

Last weekend some iPhones were hacked, their wallpaper replaced with the image of ‘80s pop star Rick Astley. The worm used to create this hack, the “ikee” worm is now being used for more malicious activities.

The ikee worm only signals its presence by modifying a device’s wallpaper. Without changing the wallpaper the worm can continue going about its work unnoticed. The worm can copy a users e-mail, contacts, SMSs, photos, calendars, videos, music files and any data collected by iPhone apps.

Click here for more information.

Confiker Computer Virus Going Strong

The Confiker virus continues going strong with the worm continuing its spread across PCs. As noted by one security provider the worm could be eradicated if everyone used best security practices.

Click here for more information.

iPhone worms other smartphone malware in researchers’ sights

Trying to fit an operating system that can handle multiple features in a very small device, malware prevention software tends to be overlooked. As smartphones grow in popularity worms are already being devised for the smartphones and iPhones.

Through a grant researchers will analyze how malware detection and eradication can be handled within cell network providers.

Click here for more information.

The blog will return the week of the 20th. During the blog’s absence CommunityDNS will be attending the Internet Governance Conference in Egypt.

Security firm chokes sprawling spam botnet

The efforts of a research firm took down a botnet responsible for 33% of the world’s spam.

The attack was multipronged. First the security firm reported abuses to ISPs regarding certain IP addresses. Secondly, the firm worked with registrars to deactivate registered names. Third, the firm registered backup domains that were not used, and fourth, the botnet was able to generate random domains based on a specific algorithm. The firm understood the algorithm and registered names possibly generated by this algorithm.

The effect was a botnet that had no where to turn. Now the individual bots have been orphaned and the security firm is working with the ISPs to notify the computer owners whose computers were once members of the botnet.

Click here for more information.

MassMutual Warns of Data Breach

Employee and customer data for MassMutual could have been compromised. Data handled by a third party provider was breached.

Click here for more information.

Majority of Web Apps Have Severe Vulnerabilities

A recent report indicates that close to 9 out of 10 web applications could lead to information exposure due to flaws as 87% of the Web applications analyzed had serious vulnerabilities.

60% of Internet-based attacks targeted Web applications. 90% of web vulnerabilities rested with commercial Web applications while 8% rested with browser-run applications.

25% of the attacks were SQL Injection-based with 17% of the attacks being attributed to Cross Site Scripting

Click here for more information.

No Rush to Adopt Domain Names Written in Chinese in China

While ICANN has opened the gates for IDNs to begin in certain countries, China being one of them, it appears there is no great rush to acquire the Chinese equivalent of the currently used Latin character set.

In many cases Chinese organizations have reduced the number of characters to make it easier for Chinese to type in the URL. For example “Tenchnt” is known as “qq.com” for its users. Another company has used “163.com” as the URL for its brand name as companies often associate numbers with their brands.

In one case where someone has already grabbed the Chinese equivalent to one company’s name, the head of the company would like to purchase the name, but feels having it owned by another party would not create any harm to their existing brand.

While the Chinese character sets will aid Internet usage for the older population, the majority of China’s Internet population is already used to the current method of using the Internet.

Click here for more information.

Google’s “AppEngine” application was used by cybercriminals to act as the master control channel, feeding commands to large networks of infected computers.

Also, it was found that the Koobface botnet was using Google Reader to spam malicious links to social networking sites; one of which being Facebook.

Click here for more information.

Gumblar Botnet Resurges

Known as one of the largest botnets that grew dramatically this year, Gumblar has reappeared.

Gumblar works in two ways. The first is to load malware onto sites. When users visit the sites malware is downloaded onto their computers. The second way Gumblar works is to populate websites with I-frames pointing to websites containing the malware.

Click here for more information.

New Spamming Botnet On The Rise

Currently sending 2.5 billion spam messages globally a new Botnet, known as “Festi” has quickly jumped to the rank of 5% to 6% of all spam generated. The jump means more bots (or compromised computers) were added into its botnet with 60% located in Asia, 18% in Europe and 9% in North America.

Click here for more information.

Practical Analysis: The Fastest-Growing Security Threat

Having grown from a few thousand a day a year ago to more than 500,000 a day SQL Injection is the fastest-growing security threat. Through the use of automated tools cybercriminals are searching for which sites are vulnerable to SQL injection. Such attacks allow hackers to break into networks that can lead to the breach of sensitive data.

Click here for more information.

UK to push for law to retain all communications data

Citing the EU Data Retention Directive does not go far enough and to prevent serious crime and terrorism the British government is pushing for its ISPs to capture and hold data regarding instant messages, e-mail and other electronic communications. The data retained would also include data from third-party services. The data is to be retained by the respective ISPs and not in a centralized database.

Click here for more information.

Little-Known Hole Lets Attacker Hit Main Website Domain Vie Its Subdomains

Because of how browsers handle cookies hackers have the ability to attack a domain through a respective domain’s subdomain.

DNS maintains records on the main domain name. Organizations have control over this domain. However, a subdomain does not have authority to change to the top domain.

Click here for more information.

Broadband Goals Proposed in Minnesota

A Minnesotan task force looking to improve the state’s standing in broadband access from 24th to the top 5 has unveiled a plan that could be a model for a nationwide broadband plan.

The move from 24th to within the top 5 states could move the state to national and global leadership in economic growth and increased quality-of-life opportunities.

Studies illustrate that for every $1 spent towards broadband expansion yields at least $10 in economic growth.

Click here for more information.

Spain won’t disconnect illegal file sharers

Despite supporting the 3-Strikes laws of the UK and France, Spain chooses not to consider punitive measures for Internet users.

Click here for more information.

Mossad hacked Syrian laptop to steal nuke plant secrets

In a clear example of cyber intelligence espionage Israeli intelligence used cyber tactics of planting a Trojan onto a Syrian official’s laptop while the official stayed in a London hotel. Designed to bypass security defenses the Trojan obtained information, plans and pictures of a partially constructed nuclear facility.

Click here for more information.