Of all the Internet's security concerns, one of the least troublesome may be the physical security of its root name servers, the top servers in the Internet's traffic-directing system. There are only 13 of them, a redundant system spread across scattered locations around the world, any one of which could probably be reconfigured in a pinch on a "beefy laptop."
"The physical security of the computers is your least worry," said Lars-Johan Liman today at the annual meeting of the Internet Corporation for Assigned Names and Numbers (ICANN). Liman operates one of those root servers in Stockholm, Sweden.
But there were plenty of other things for people at the ICANN meeting to worry about, including distributed denial-of-service (DDOS) attacks aimed at the root servers and yet-undiscovered bugs in the software that runs the domain name system (DNS).
ICANN has turned most of its four-day agenda over to security concerns. It was a move sparked by terrorism, but one that has also garnered criticism.
Kenji Kosaka, a top Japanese telecommunications official and a member of that nation's House of Representatives who is considered its leading IT policy expert, admonished ICANN for coming late to the security party.
"I was unpleasantly surprised to learn that ICANN decided to hold a meeting focused on security of the Internet only after the tragic events of Sept. 11," said Kosaka. "As an Internet user, I had assumed that this theme and related issues had been fully resolved ages ago."
Kosaka said that Japan has taken steps to improve security of the root name server located in its country, including more physical security and backups stored at different locations.
Despite his criticisms, Kosaka nonetheless praised ICANN as "a first step toward a democratic form of global governance" of the Internet.
In response, an ICANN official said security isn't a new concern, and has been continuously addressed by the three-year-old group. Stuart Lynn, ICANN's CEO, said the intent of this year's session was "to get a sense about the direction we should take."
"ICANN is only responsible for a small piece of the total Internet security problem, but it's an important piece," said Steven Bellovin, an AT&T Corp. fellow. "But even within its space, ICANN can't solve the problems by itself." That will take help from a variety of groups, from technical standards organizations to corporate end users, he said.
Some of the vulnerabilities potentially affecting the domain name system include its heavy reliance on Berkeley Internet Name Domain (BIND) software, which is freely distributed by the Internet Software Consortium, a nonprofit Redwood City, Calif.-based group that develops open-source products.
BIND runs many of the domain servers, including primary or zone servers that handle addresses for .com and other top-level domains, and local name servers, such as those that might be used by Fortune 1000 companies.
"Virtually all the name server software is derived from one code base, BIND," which has since been rewritten into two code bases, said Bellovin. "That's not a lot. If there is a fatal flaw in the two main implementations of BIND, we would lose all 13 name servers to just two bugs. That's not a comforting thought."
Another problem could be DDOS attacks, where thousands of computers are surreptitiously taken over and used to "flood" selected systems with what can be overwhelming amounts of data, effectively shutting them down. If someone were to launch a DDOS attack on the root name servers, "is there enough [redundancy], is there enough bandwidth" to secure these systems, asked Bellovin.
He went on to argue that "most security holes are due to buggy software. All the cryptography in the world is not going to change the buggy software problem."
Vendors at the conference offered their own security solutions. Register.com Inc. in New York, for example, has created its own proprietary DNS software. The company continues to deploy BIND as well as its own software because diversity improves security, said Jordyn Buchanan, who worked on the team that developed the system.