Slashdot Mirror

← Back to Stories (view on slashdot.org)

ICANN Warns of 'Ongoing and Significant' Attacks Against Internet's DNS Infrastructure (techcrunch.com)

Posted by msmash on from the closer-look dept.

The internet's address book keeper has warned of an "ongoing and significant risk" to key parts of the domain name system infrastructure, following months of increased attacks. From a report: The Internet Corporation for Assigned Names and Numbers, or ICANN, issued the notice late Friday, saying DNS, which converts numerical internet addresses to domain names, has been the victim of "multifaceted attacks utilizing different methodologies." It follows similar warnings from security companies and the federal government in the wake of attacks believe to be orchestrated by nation state hackers.

[...] ICANN's chief technology officer David Conrad told the AFP news agency that the hackers are "going after the Internet infrastructure itself." The internet organization's solution is calling on domain owners to deploy DNSSEC, a more secure version of DNS that's more difficult to manipulate. DNSSEC cryptographically signs data to make it more difficult -- though not impossible -- to spoof.

11 of 94 comments (clear)

  1. Convert which way? by shabble · · Score: 5, Insightful

    DNS, which converts numerical internet addresses to domain names

    I thought it was more conventionally used the other way...

    --
    http://harridanic.com
    1. Re:Convert which way? by Anonymous Coward · · Score: 1

      Right. Converting an IP address to a domain name is typically considered "Reverse" DNS.

    2. Re:Convert which way? by DigiShaman · · Score: 1

      Well technically a, PTR (reverse DNS) does exist.

      --
      Life is not for the lazy.
  2. Pah! by devlp0 · · Score: 3, Funny

    You should see my hosts file!

    --
    >/dev/null 2>&1
  3. Bet half the attacks are coming from Djibouti. by brucekeller · · Score: 2

    That place is always up to shenanigans.

  4. DNSSEC = vector for epic DDOS amplification by WaffleMonster · · Score: 5, Interesting

    This advice is ridiculous, dangerous and irresponsible. DRC should know better.

    Global deployment of DNSSEC without first addressing underlying transport issues (DNS over UDP without DNS cookies (RFC7873)) is guaranteed to have disastrous impacts on the availability of DNS itself and the Internet generally.

    1. Re: DNSSEC = vector for epic DDOS amplification by nullchar · · Score: 1

      The primary article on Techcrunch said

      DNSSEC adoption is currently at about 20 percent.

      Except that is totally wrong:
      Only 4% of domains are signed across all TLDs: http://rick.eng.br/dnssecstat/
      And for .com, it's less than 1%

      1M signed (https://scoreboard.verisignlabs.com/) 140M .com (http://research.domaintools.com/statistics/tld-counts/) = 0.7%

  5. insecure base by bigtreeman · · Score: 1

    For years I've been saying the base hardware and protocols of the internet are insecure and no amount of security piled on top will save it.
    Rebuild the internet (Internet II) from the hardware up, this time do it right, don't just patch it.

    --
    Go well
    1. Re:insecure base by Obfuscant · · Score: 1

      Rebuild the internet (Internet II) from the hardware up, this time do it right, don't just patch it.

      Internet 2 already exists.

      The most likely result of a rebuilt Internet III with full security is that you won't be able to use it because your access will lessen security. It will be the lesser-used cousin to Internet I, just as Usenet II is the lesser-used cousin of Usenet.

  6. I'll take "Reasons This Won't Work" for 500 please by Narcocide · · Score: 1

    Yawn. You lost me at blockchain. That's not gonna secure shit, but it will waste enough spare computing resources to cure cancer twice.

  7. Re:Internet ... 3.0? by Narcocide · · Score: 1

    Yea, too bad ipv6 is so insecure that you could march a singing army through it unnoticed.