[council] SAC065: SSAC Advisory on DDoS Attacks using the DNS
Hello All, Attached is an advisory from SSAC on DDoS attacks: Specifically, the SSAC strongly recommends that: 1. ICANN should help facilitate an Internet-wide community effort to reduce the number of open resolvers and networks that allow network spoofing. This effort should involve measurement efforts and outreach. 2. All network operators should take immediate steps to prevent network address spoofing. 3. Recursive DNS server operators should take immediate steps to secure open recursive DNS servers. 4. Authoritative DNS server operators should support efforts to investigate authoritative response rate limiting. 5. DNS server operators should put in place operational processes to ensure that their DNS software is regularly updated and communicate with their software vendors to keep abreast of the latest developments. 6. Manufacturers and/or configurators of customer premise networking equipment, including home networking equipment, should take immediate steps to secure these devices and ensure that they are field upgradable when new software is available to fix security vulnerabilities, and aggressively replace the installed base of non-upgradeable devices with upgradeable devices. Regards, Bruce Tonkin Attachment:
SAC065 Board Cover Letter 18 February 2014.doc Attachment:
SAC065 SSAC Advisory on DDoS Attacks Leveraging DNS Infrastructure 18 February 2014.pdf |