ICANN Warns of 'Ongoing and Significant' Attacks Against Internet's DNS Infrastructure (techcrunch.com)
The internet's address book keeper has warned of an "ongoing and significant risk" to key parts of the domain name system infrastructure, following months of increased attacks. From a report: The Internet Corporation for Assigned Names and Numbers, or ICANN, issued the notice late Friday, saying DNS, which converts numerical internet addresses to domain names, has been the victim of "multifaceted attacks utilizing different methodologies." It follows similar warnings from security companies and the federal government in the wake of attacks believed to be orchestrated by nation state hackers.
[...] ICANN's chief technology officer David Conrad told the AFP news agency that the hackers are "going after the Internet infrastructure itself." The internet organization's solution is calling on domain owners to deploy DNSSEC, a more secure version of DNS that's more difficult to manipulate. DNSSEC cryptographically signs data to make it more difficult -- though not impossible -- to spoof.
Convert which way? (Score:5, Insightful)
I thought it was more conventionally used the other way...
Re: (Score:1)
Right. Converting an IP address to a domain name is typically considered "Reverse" DNS.
Re: (Score:2)
Pah! (Score:3, Funny)
Bet half the attacks are coming from Djibouti. (Score:2)
DNSSEC = vector for epic DDOS amplification (Score:5, Interesting)
This advice is ridiculous, dangerous and irresponsible. DRC should know better.
Global deployment of DNSSEC without first addressing underlying transport issues (DNS over UDP without DNS cookies (RFC7873)) is guaranteed to have disastrous impacts on the availability of DNS itself and the Internet generally.
Re: (Score:1)
The primary article on Techcrunch said
DNSSEC adoption is currently at about 20 percent.
Except that is totally wrong:
Only 4% of domains are signed across all TLDs: http://rick.eng.br/dnssecstat/ [rick.eng.br]
And for .com, it's less than 1%:
1M signed (https://scoreboard.verisignlabs.com/) / 140M .com (http://research.domaintools.com/statistics/tld-counts/) = 0.7%
Re: (Score:1)
Yea, too bad ipv6 is so insecure that you could march a singing army through it unnoticed.
I'll take "Reasons This Won't Work" for 500 please (Score:1)
Yawn. You lost me at blockchain. That's not gonna secure shit, but it will waste enough spare computing resources to cure cancer twice.
insecure base (Score:2)
For years I've been saying the base hardware and protocols of the internet are insecure and no amount of security piled on top will save it.
Rebuild the internet (Internet II) from the hardware up, this time do it right, don't just patch it.
Re: (Score:2)
Rebuild the internet (Internet II) from the hardware up, this time do it right, don't just patch it.
Internet 2 [internet2.edu] already exists.
The most likely result of a rebuilt Internet III with full security is that you won't be able to use it because your access will lessen security. It will be the lesser-used cousin to Internet I, just as Usenet II is the lesser-used cousin of Usenet.