Internet Corporation for Assigned Names and Numbers

During the Public Forum session at the recent ICANN meeting in Beijing, community members asked the Board quite a few important questions and made some interesting comments.

In response, we have conferred with those ICANN staff members who have the greatest expertise in the areas of the inquiries, in order to give thorough and accurate responses. Those responses have now been posted and can be found at http://beijing46.icann.org/meetings/beijing2013/presentation-public-forum-responses-11apr13-en.pdf [PDF, 101 KB].

As always, we welcome your questions and comments during Public Forum sessions. Internally, we on the Board are wrestling with a dilemma – Should we do what we have been doing, specifically, take your questions in the Public Forum then respond later (as we did this time) OR should we answer your questions immediately, if possible, at the Public Forum?

We evolved to the current system simply in an effort to afford more people, both those in the room and remote participants, the opportunity to ask more questions. However, some have argued that they would rather hear fewer questions and get immediate responses from the Board.

We would be interested in what you think, please send your comments to public_forum@icann.org.

I’m looking forward to hearing more of your questions and comments during the next Public Forum at our Durban meeting.

{ 0 comments }

I am delighted to report that we have now posted a proposed final draft of the New gTLD Registry Agreement. Similar to the proposed 2013 Registrar Accreditation Agreement (RAA) that was posted for public comment on 22 April 2013, the ICANN community is now able to review and comment on this final draft before it is approved and adopted.

The proposed agreement is the result of several months of negotiations, formal community feedback, and meetings with various stakeholders and communities. Based on the community feedback during the ICANN 46 meeting in Beijing, ICANN and the Registry Agreement Negotiating Team maintained a consistent and swift pace to finalize the negotiations and bring the proposed terms into a final draft form, ready for community review and comment.

We have come a long way since February 2013 when we posted a proposed Revised New gTLD Registry Agreement for public comment. A new and highly spirited sense of mutual trust has catapulted us into a fresh atmosphere of collaboration, which in turn has led to a consistently more productive environment. The spirit of teamwork, productive dialogue and partnership that has underpinned this negotiation process is tremendously heartwarming, as it has allowed us to bring to fruition a robust contractual framework for the New gTLD Program.

On behalf of ICANN, I would like to sincerely thank the registry community for acting in good faith and with tremendous goodwill, making this last key step possible.

{ 0 comments }

On April 23, I met with leaders of ccTLDs, Registries, and Registrars in New York City for a milestone event that converged our work initiated during each of the CEO Roundtables hosted since the beginning of this year. Throughout the roundtable series, I have learned a great deal and have been profoundly impressed by the participants’ dedication to enhancing, strengthening and advancing the Domain Name System (DNS) sector.

This particular session also marked the posting of the Proposed Final 2013 Registrar Accreditation Agreement (RAA) for which ICANN is seeking public comment. Getting to this stage, after eighteen months of intense negotiations, is a tremendous collective accomplishment and I would like to convey my sincere appreciation to the Registrar Negotiating Team for their significant contributions and collaborative dialogue throughout the process.

As part of the summit agenda, participants briefed each other on efforts to raise the profile of the DNS sector, provided status reports on various DNS initiatives, and delved into mechanisms that can be utilized to further demonstrate the value of the Internet. For instance, discussions centered on topics such as info graphics for depicting the domain name value chain; philanthropic vehicles to support DNS entrepreneurship in the developing world; industry conferences and consumer awareness forums; and proposals to codify ethical standards for DNS businesses. What I found to be particularly beneficial during our interactive brainstorming sessions were the perspectives and experiences of the ccTLD operators.

We emerged with a timeline for completing our work to be showcased to the broader community at ICANN 47 in Durban in July. I want to emphasize this work was conducted entirely by the CEOs, with ICANN serving as facilitator, and it was truly exciting to see this diverse group of leaders in action.

In addition, a sub-group of participants presented their plans to form a Domain Name Industry Association, entirely independent of ICANN, designed to further the interests of a range of organizations within the ever-evolving DNS sector.

During the latter part of our meeting, we focused on ICANN’s future through an interactive session, one of many conversations to take place in the coming months. As I explained in Beijing, we will begin a process in June toward creating a new vision and a five-year strategic plan for ICANN, and all stakeholders are invited to participate. More information: Video and Strategy Conversation.

I am extremely grateful to everyone who could be there, including ICANN Board Members Cherine Chalaby and Bruce Tonkin, and for their deep insights on how ICANN can continue to achieve its goal of becoming a mature, inclusive and efficient organization. ICANN’s Engagement Team is already at work organizing comparable events and is planning a CEO Roundtable for leaders from academia, civil society and nonprofits in the near future.

Our work, however, is only just beginning as we look ahead to the bright horizon. The New gTLD Program Timeline [PDF, 488 KB] is reflective of these important endeavors, and I remain invigorated by the forward steps that we are all achieving together.

{ 0 comments }

Dave Piscitello, on behalf of the ICANN Security Team

DDoS attacks are serious problems. While ICANN’s role in mitigating these threats is limited, the Security Team offers these insights to raise awareness on how to report DDoS attacks

Distributed Denial of Service attacks have increased in scale, intensity and frequency. The wide range of motives for these attacks – political (hacktivism), criminal (coercion), or social (malice) – makes every merchant or organization with an online presence a potential target. The shared nature of the Internet infrastructure – whether hosting, DNS, or bandwidth – puts many merchants or organizations at risk of becoming collateral damage, as well. If you find that your site or organization is under attack, it’s important that you report such attacks quickly to parties that are best positioned to help you mitigate, weather, and restore normal service.

I’m under attack. What should I do? Whom should I call?

Any Internet service – web, DNS, Internet voice, mail – can be the target of a DDoS attack. If your organization uses a hosting provider for a service that is attacked, first contact the hosting provider. If your organization hosts the network or Internet service that is under attack, first take measures to contain or dampen the attack. Next, call the service provider that provides Internet access for your network. Most hosting providers and ISPs post emergency contacts on their web sites and many include at least general contact numbers on bills. If you only have a general contact number, explain that you are under attack and ask the customer care agent to escalate (forward) your call to operations staff with the ability and authority to investigate.

Helping Hands

Traffic associated with a single DDoS attacks may originate from hundreds or thousands of attack sources (typically compromised PC or servers). In many cases, your hosting provider or your Internet access provider should act on your behalf (and in self-interest). They will contact “upstream” providers and the ISPs that route traffic from the DDoS attack sources to notify these operators of the nature and suspected origins of the attack. These operators will investigate and will typically revoke routes or take other measures to squelch or discard traffic close to the source.

If you cannot find contacts, or if the contacts you find are unresponsive, try contacting a Computer Incident, Emergency, or Security Incident Response Team (CERT/CIRT/CSIRT), or a Trusted Introducer (TI) team. CERT/CIRT organizations (find a national list here) or TI teams will investigate an attack, notify and share information with hosting providers or ISPs whose resources are being used to conduct the attack, and work with all affected parties to coordinate an effective mitigation.

Should I contact Law Enforcement?

Contact your national law enforcement agency if you believe that a crime is being committed; for example, you should contact law enforcement if your organization received a threat prior to the attack, or received a demand for money in return for not being attacked, or if you believe that critical infrastructure or delivery of a critical service (such as Emergency 911) is threatened.

Contact law enforcement to report a crime, not to mitigate an attack. DDoS attacks are criminal acts in many jurisdictions. By filing a report, you and other victims provide valuable information that may be relevant in any subsequent investigation or prosecution of the attackers.

Provide Good Intel

At an operational level, you, your hosting provider or ISP should gather as much information related to the attack as possible. The Operations Security Trust Forum recommends collecting the following kinds information:

1. Provide as much time information as possible: identify the start of attack, end of attack, whether the attacks are repeated, and whether there are observable patterns or cycles to the attacks.
2. Share any insights or suspicions you have regarding the nature of the attack. Does it appear to correlate with a geo-political event? Did you receive threatening correspondence prior to or during the attack and if so, what was the nature of the threat?
3. Provide detailed traffic information including: type of traffic (ICMP, DNS, TCP, UDP, application), source and targeted IP addresses and port numbers, packet rate, packet size, and bandwidth consumed by the attack traffic.
4. Describe any unique traffic or packet characteristics you observe. Is the attack targeting a particular virtual host or domain? What have you observed from application protocol headers? Have you observed any unusual patterns of flag settings in underlying protocols (TCP, UDP, ICMP, IP)?
5. Identify any changes you observe in the attack over time (i.e., to packet sizes, rates, unique IPs seen per epoch, protocols, etc.). These may be indications that the attacker is reacting to mitigation efforts you or others have implemented.
6. Provide your assessment of the impact; for example, explain whether you are managing the attack using mitigations and assistance, or that your services or performance is {moderately, severely} affected, or that your services have been disrupted entirely.

Don’t Wait Until You Are a Victim

If you have not already prepared a plan to respond to a DDoS attack, please consider doing so. The article Preparing for the (Inevitable) DDOS Attack offers a checklist of contacts, information, and mitigation strategies. Some helpful resources to better understand different kinds of DDoS Attacks, mitigation techniques and how your organization can help reduce the overall threat of these attacks are included below:

• SAC004, Securing The Edge
• SAC008, DNS Distributed Denial of Service (DDoS) Attacks [PDF, 963 KB]
• BCP 38, Network Ingress Filtering
• BCP 140, Preventing Use of Recursive Nameservers in Reflector Attacks
• Protecting the World from YOUR Network
• Mitigating DNS Denial of Service Attacks
• The Worrisome Threat of DNS DDoS Amplification Attacks
• Do More to Prevent DDoS Attacks
• Firewall Best Practices – Egress Traffic Filtering
• Distributed Denial of Service (Attacks/Tools)

{ 0 comments }

We are there. As a result of sincere and constructive negotiations that have gone on for nearly 18 months, a new 2013 Registrar Accreditation Agreement is in our hands. All remaining differences have been settled and ICANN and the members of the Registrar Negotiating Team have achieved an agreement on all issues.

As you know, on 7 March, we posted a draft of the 2013 RAA for public comment noting the outstanding differences remaining in the negotiations at that time. Differences that have since been reconciled through many additional hours of meeting and dialogue. ICANN and the Registrar Negotiating Team considered as part of the negotiations the public comments received and resolved all the remaining issues and differences. Now the ICANN community is able to review this final draft before it is approved and adopted. And so, we are posting the final draft of the 2013 RAA for public comment.

I must say that I am extremely delighted with the new spirit of partnership that has evolved between ICANN and the registrar community as a whole. On behalf of ICANN, I would like to express my sincere gratitude to the members of the Registrar Negotiating Team for their tireless efforts and spirited attitudes in getting us to the finish line. A few of them have offered their own reflections on the process and the Agreement.

Matt Serlin, Chair of the Registrar Stakeholder Group:

“On behalf of the entire Registrar Negotiating Team, I am pleased to see negotiations on the 2013 RAA have come to a conclusion after a long process in which both parties worked long and hard to resolve difficult issues. The outcome of these discussions is a new RAA which will be impactful for everyone involved in the DNS industry including every ICANN accredited registrar. We look forward to continuing to work with ICANN as we now move from the negotiations phase to implementing the numerous new requirements contained in the 2013 RAA.”

James Bladel, GoDaddy.com:

“The new 2013 RAA represents over a year’s work between registrars and ICANN Staff, and is an important milestone in the development of the DNS ecosystem. It raises the bar for service providers, provides new tools for law enforcement, and gives registrars long-term stability in their relationship with ICANN.”

Volker Greimann, Key-Systems Group:

“ICANN and the registrars negotiation teams have worked long and hard towards the completion of a 2013 RAA to address the difficult issues put before us. Despite complicated issues, sometimes moving goalposts and further complications were able to conclude the negotiations with a result that we hope will be a great step ahead for the community. I am especially pleased that the negotiated 2013 RAA recognizes the need for fair and balanced exemption process where applicable law prohibits the direct implementation of certain terms within new requirements, such as the data retention specification.”

Rob Hall, Momentous.com:

“It isn’t just the new RAA that is significant, it is the collaborative way it was created.  Those of us who participated saw the dawn of a new day at ICANN, one where getting things done for the community as a whole takes precedence over any single concern.”

{ 0 comments }

ICANN has a long tradition of working with the Internet community to support technical training, going back 10 years to the ICANN meeting in Carthage, Tunisia in October 2003. Over the years, these trainings have assisted with improving skills, creating awareness of DNS threats and mitigations, and enabled DNSSEC in a number of ccTLDs. Last month, ICANN, the Network Startup Resource Center (http://nsrc.org/) and ISOC Lebanon conducted DNSSEC training in Beirut, Lebanon. ICANN Security was also represented at the ION Singapore Conference in collaboration with the Internet Society’s Deploy 360 initiative (http://www.internetsociety.org/deploy360/).

In the Security team [https://www.icann.org/security], we see this technical engagement with the community as a key part of delivering on ICANN’s mission to facilitate the security, stability and resiliency of the Internet’s unique identifier systems through coordination and collaboration.

We do this with community partners across the globe, at the request of operators and universities in the Caribbean and the Middle East, in Africa, Asia-Pacific and South America. We have increasing interest among the law enforcement community for this training. The Security team recently conducted DNS training at Europol, at the International Criminal Law Network in the Netherlands, and with other agencies in the United Kingdom. We are exploring opportunities with the Commonwealth Cybercrime Initiative, and have upcoming DNSSEC training in Tunis, Tunisia next week.

The community has an opportunity to tell us what you think of this training, and on ICANN’s security activities by commenting on the FY 14 Security, Stability and Resiliency Framework. The document has been translated into 7 languages, and is open for comment through 20 April 2013 (with a reply comment period to 20 May 2013, 23:59 UTC). Please take some time to read this document, and provide comments.

Here is some testimony from Rick Lamb, one of our team members and a lead on DNSSEC adoption and engagement:

I consider myself fortunate to be able to participate in this space, following in the footsteps (and the beneficiary of the experience pool) of other seasoned ICANN trainers.

Although I have taught in the past, I had forgotten about the heady mixture of fear, happiness and exhilaration that comes from interacting with a classroom full of intelligent, interested students. After typically spending the better part of an intense week together, trusted relationships are forged, giving the students not just technical knowledge, but a sense of being part of the larger Internet community. These relationships clearly benefit everyone involved.

I know that these are familiar sensations for my seasoned colleagues, but I think that sometimes we should be reminded about the not-so-obvious value of training efforts and the importance of these personal interactions toward building and maintaining the international network of trust that keeps the international network we call the Internet running.

Dr. Richard Lamb
Sr. Program Manager, DNSSEC, ICANN

If you are interested in more information on these trainings, our partners at NSRC maintain excellent wiki pages providing past training agendas and materials. An example from the Lebanon training can be found at https://nsrc.org/workshops/2013/nsrc-isoclb-dnssec/.

Photo Credit – Phil Regnauld, NSRC

Photo Credit – Phil Regnauld, NSRC

{ 0 comments }

Today, ICANN posted a single information source for the current gTLD WHOIS-related agreement provisions and policies to make them easier for the community to access. The suggestion for such a webpage came from the WHOIS Policy Review Team and was accepted by the Board for implementation on 8 November 2012. This single source documents the current gTLD WHOIS-related policies set out in the gTLD Registry and Registrar contracts and GNSO Consensus Policies and Procedures. It will be incorporated in an “information portal” that is under development to support easy access to existing WHOIS information. This compilation of Whois-related policies and agreement provisions will be revised in the future to reflect new agreements and policies as they are adopted.

{ 1 comment }

Even though we’re gathered this week in the Asia Pacific, we are continuing our work on the three-year Middle East engagement strategy over the past three months. On Monday, I had the honor of facilitating a working session with about 60 ICANN community members about the draft strategy document. The strategy identifies key goals for the Middle East in relation to DNS security and stability, domain name industry and the Internet Governance ecosystem.

Development of this strategy has been truly community-driven and bottom-up, just as the implementation will be in full partnership with the regional and International Internet community. Already, many organizations, like the Internet Society, Regional Internet Registries, ccTLD managers and others, are active in this area, and our efforts are complementary to theirs.

The public is invited to comment on the draft strategy until 19 April, and I encourage you to do so if you haven’t already. We plan on posting the final document in May, and look forward to working with the community on the implementation plan.

• Watch interview with Baher Esmat about the strategy development process
• Read the draft ICANN Engagement Strategy in the Middle East

{ 0 comments }

As Fadi Chehadé, ICANN’s President & CEO, announced this week, we have launched a public conversation about ICANN’s future. We are seeking ideas from the global community to help create a new, overarching vision and five-year strategy for ICANN. An animated video and slides have been posted in six UN languages to help seed an online discourse about the complex, changing environment ICANN operates within and the future challenges and opportunities we should take into account as we prepare for a new planning cycle.

• What do you think are the most important forces potentially affecting the Internet in the next 1-5 years that should be broadly taken into consideration when ICANN creates its new five-year strategy?
• What are the most important things to keep in mind when considering how the above forces connect with ICANN’s mission and core values (as detailed in our bylaws)?
• What key factors should we consider related to ICANN’s roles, responsibilities, operations, and structure?

Please share your answers to these, as well as other applicable thoughts or comments, you may have. Your input will be synthesized and carefully considered by ICANN’s CEO and Board, and will help provide a framework for ICANN strategic planning.

The strategic planning process will formally begin in June 2013, and will include a more focused public discussion (online and at the ICANN Durban meeting), a draft Strategic Plan posted for public comment, and Board consideration and action at the end of this year. The results will be a new Strategic Plan that will serve as the foundation for developing a new ICANN Operating Plan and Budget.

Thank you for helping to shape ICANN’s future.

{ 0 comments }