Home / Blogs

Maintaining Security and Stability in the Internet Ecosystem

Ram Mohan

DDoS attacks, phishing scams and malware. We battle these dark forces every day — and every day they get more sophisticated. But what worries me isn't just keeping up with them, it is keeping up with the sheer volume of devices and data that these forces can enlist in an attack. That's why we as an industry need to come together and share best practices — at the ICANN community, at the IETF and elsewhere — so collectively we are ready for the future.

The challenge before us is growing every day. The Internet ecosystem is comprised of roughly 3.5 billion global Internet users, millions of businesses, civil society organizations and governments operating over 900 million websites using 334 million domains. With this growth, we are seeing major shifts in the how the Internet is used: It isn't just computers and smart phones anymore. Maintaining the security and stability of the internet means protecting more "things" — from smart watches to smart TVs to smart refrigerators — from more bots, scrapers, and spammers.

The domain industry must place a greater focus on creating trust through security and stability. At Afilias, I focus the company to not only manage and develop our systems to scale and meet technical demands and ensure 100% availability and uptime, but also to focus efforts on maintaining interoperability and to develop open standards for the industry.

How do we do this? Trustworthiness. In computing terms that means being able to rely on systems to be available and secure. While it sounds simple, it requires a combination of security, privacy and reliability to exist in all interactions with the registry system and DNS networks. It requires usage and storage practices to be well documented and audited to ensure that the organization does what it says. Trustworthiness is, in turn, dependent on several core principles:

  • Global reach: The ability of any system to be able to reach any other system supported, wherever the sender and the receiver are on the Internet. To ensure this, we make sure to run a global addressing and naming service infrastructure.
  • Interoperability: The primary factor in ensuring interoperability is an ironclad commitment to open standards. Afilias is a signatory to OpenStand, the modern paradigm for standards, shaped by adherence to five fundamental principles: due process, broad consensus, transparency, balance, and openness.
  • Accessibility: Providing access to Internet resources, regardless of device or software. Afilias best embodies this by allowing networks on IPv4 and IPv6 to equally access its systems without bottlenecks. Other examples abound.

These principles are essential to the security and stability of the ecosystem to meet the challenges of today, scale and grow in the future, and work harder to increase access for the billions of people yet to be connected. We believe — using the multi-stakeholder approach to Internet governance with broad participation from technical, business and civil society leaders — we can collaboratively develop a new model for the industry as a whole.

We will continue to do our part to harness secure, reliable, scalable and globally available technology and to encourage others to do the same. Our belief and vision is that sharing such best practices can help the global Internet community will share a strong and vibrant Internet. The DDoS attacks, phishing scams and malware are not going to stop but we will do our part to help and lead our community to be better prepared for the battle.

By Ram Mohan, Executive Vice President & CTO, Afilias. Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry.

Related topics: Cyberattack, Cybercrime, Cybersecurity, DDoS, Malware

 
   

Don't miss a thing – get the Weekly Wrap delivered to your inbox.

Comments

It'd also help if there was pressure Todd Knarr  –  Oct 01, 2016 7:48 PM PDT

It'd also help if there was pressure on network operators, particularly edge-network operators like consumer ISPs, to implement ingress filtering on the downstream side (so customers can't send packets into the ISP's network with source addresses not within the customer's expected netblocks) and egress filtering on the upstream side (so packets can't exit their network unless their source address is in a netblock the ISP owns or that belongs to an ISP's customer). It's not a complete solution, but it'd cut down on a lot of the avenues for running DDoS attacks. One of the best defenses is to keep your opponent from launching an attack in the first place.

Sounds Logical Christopher Parente  –  Oct 05, 2016 6:31 AM PDT

Todd — that seems to make a lot of sense. Would this be a challenge for ISPs to deploy? Or is there no business case for ISPs to do this, so they don't.

For networks that carry mostly transit traffic Todd Knarr  –  Oct 05, 2016 6:49 AM PDT

For networks that carry mostly transit traffic it's hard to deploy, and the closer to the backbone you get the harder it is. But for edge networks like consumer ISPs who don't carry a lot of transit traffic from netblocks they don't directly own it's fairly straightforward. Back when I had little experience with iptables it only took me an hour or two to write a complete set of rules for it for my network (router handling 2 /24 netblocks). RFC 3704 covers the subject.

Primarily I think it doesn't happen because there's no business case. The originating ISPs aren't the entities being damaged by the DDoS attacks, and disconnecting or suspending customers who're originating DDoS traffic might cost them those customers since those customers are unlikely to believe their systems have been infected. For them any effort expended is a dead loss. The damaged entities at present have no recourse against the originating networks, so there's no natural way of imposing any costs on the originating networks. What it'd take is standard language in interconnect contracts requiring downstream ISPs to implement RFC 3704 on their networks or face disconnection if they were caught originating part of a DDoS attack, with a possible exception for pure-transit networks who took appropriate measures to enforce 3704 compliance on their own internal networks and all downstream customers.

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

IP Addressing

Sponsored by Avenue4 LLC

DNS Security

Sponsored by Afilias

Mobile Internet

Sponsored by Afilias Mobile & Web Services

Cybersecurity

Sponsored by Verisign

Promoted Posts

Buying or Selling IPv4 Addresses?

ACCELR/8 is a transformative IPv4 market solution developed by industry veterans Marc Lindsey and Janine Goodman that enables organizations buying or selling blocks as small as /20s to keep pace with the evolving demands of the market by applying processes that have delivered value for many of the largest market participants. more»

Industry Updates – Sponsored Posts

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?

i2Coalition to Host First Ever Smarter Internet Forum