In response, we have conferred with those ICANN staff members who have the greatest expertise in the areas of the inquiries, in order to give thorough and accurate responses. Those responses have now been posted and can be found at http://beijing46.icann.org/meetings/beijing2013/presentation-public-forum-responses-11apr13-en.pdf [PDF, 101 KB].

As always, we welcome your questions and comments during Public Forum sessions. Internally, we on the Board are wrestling with a dilemma – Should we do what we have been doing, specifically, take your questions in the Public Forum then respond later (as we did this time) OR should we answer your questions immediately, if possible, at the Public Forum?

We evolved to the current system simply in an effort to afford more people, both those in the room and remote participants, the opportunity to ask more questions. However, some have argued that they would rather hear fewer questions and get immediate responses from the Board.

We would be interested in what you think, please send your comments to public_forum@icann.org.

I’m looking forward to hearing more of your questions and comments during the next Public Forum at our Durban meeting.

The proposed agreement is the result of several months of negotiations, formal community feedback, and meetings with various stakeholders and communities. Based on the community feedback during the ICANN 46 meeting in Beijing, ICANN and the Registry Agreement Negotiating Team maintained a consistent and swift pace to finalize the negotiations and bring the proposed terms into a final draft form, ready for community review and comment.

We have come a long way since February 2013 when we posted a proposed Revised New gTLD Registry Agreement for public comment. A new and highly spirited sense of mutual trust has catapulted us into a fresh atmosphere of collaboration, which in turn has led to a consistently more productive environment. The spirit of teamwork, productive dialogue and partnership that has underpinned this negotiation process is tremendously heartwarming, as it has allowed us to bring to fruition a robust contractual framework for the New gTLD Program.

On behalf of ICANN, I would like to sincerely thank the registry community for acting in good faith and with tremendous goodwill, making this last key step possible.

This particular session also marked the posting of the Proposed Final 2013 Registrar Accreditation Agreement (RAA) for which ICANN is seeking public comment. Getting to this stage, after eighteen months of intense negotiations, is a tremendous collective accomplishment and I would like to convey my sincere appreciation to the Registrar Negotiating Team for their significant contributions and collaborative dialogue throughout the process.

As part of the summit agenda, participants briefed each other on efforts to raise the profile of the DNS sector, provided status reports on various DNS initiatives, and delved into mechanisms that can be utilized to further demonstrate the value of the Internet. For instance, discussions centered on topics such as info graphics for depicting the domain name value chain; philanthropic vehicles to support DNS entrepreneurship in the developing world; industry conferences and consumer awareness forums; and proposals to codify ethical standards for DNS businesses. What I found to be particularly beneficial during our interactive brainstorming sessions were the perspectives and experiences of the ccTLD operators.

We emerged with a timeline for completing our work to be showcased to the broader community at ICANN 47 in Durban in July. I want to emphasize this work was conducted entirely by the CEOs, with ICANN serving as facilitator, and it was truly exciting to see this diverse group of leaders in action.

In addition, a sub-group of participants presented their plans to form a Domain Name Industry Association, entirely independent of ICANN, designed to further the interests of a range of organizations within the ever-evolving DNS sector.

During the latter part of our meeting, we focused on ICANN’s future through an interactive session, one of many conversations to take place in the coming months. As I explained in Beijing, we will begin a process in June toward creating a new vision and a five-year strategic plan for ICANN, and all stakeholders are invited to participate. More information: Video and Strategy Conversation.

I am extremely grateful to everyone who could be there, including ICANN Board Members Cherine Chalaby and Bruce Tonkin, and for their deep insights on how ICANN can continue to achieve its goal of becoming a mature, inclusive and efficient organization. ICANN’s Engagement Team is already at work organizing comparable events and is planning a CEO Roundtable for leaders from academia, civil society and nonprofits in the near future.

Our work, however, is only just beginning as we look ahead to the bright horizon. The New gTLD Program Timeline [PDF, 488 KB] is reflective of these important endeavors, and I remain invigorated by the forward steps that we are all achieving together.

DDoS attacks are serious problems. While ICANN’s role in mitigating these threats is limited, the Security Team offers these insights to raise awareness on how to report DDoS attacks

Distributed Denial of Service attacks have increased in scale, intensity and frequency. The wide range of motives for these attacks – political (hacktivism), criminal (coercion), or social (malice) – makes every merchant or organization with an online presence a potential target. The shared nature of the Internet infrastructure – whether hosting, DNS, or bandwidth – puts many merchants or organizations at risk of becoming collateral damage, as well. If you find that your site or organization is under attack, it’s important that you report such attacks quickly to parties that are best positioned to help you mitigate, weather, and restore normal service.

I’m under attack. What should I do? Whom should I call?

Any Internet service – web, DNS, Internet voice, mail – can be the target of a DDoS attack. If your organization uses a hosting provider for a service that is attacked, first contact the hosting provider. If your organization hosts the network or Internet service that is under attack, first take measures to contain or dampen the attack. Next, call the service provider that provides Internet access for your network. Most hosting providers and ISPs post emergency contacts on their web sites and many include at least general contact numbers on bills. If you only have a general contact number, explain that you are under attack and ask the customer care agent to escalate (forward) your call to operations staff with the ability and authority to investigate.

Helping Hands

Traffic associated with a single DDoS attacks may originate from hundreds or thousands of attack sources (typically compromised PC or servers). In many cases, your hosting provider or your Internet access provider should act on your behalf (and in self-interest). They will contact “upstream” providers and the ISPs that route traffic from the DDoS attack sources to notify these operators of the nature and suspected origins of the attack. These operators will investigate and will typically revoke routes or take other measures to squelch or discard traffic close to the source.

If you cannot find contacts, or if the contacts you find are unresponsive, try contacting a Computer Incident, Emergency, or Security Incident Response Team (CERT/CIRT/CSIRT), or a Trusted Introducer (TI) team. CERT/CIRT organizations (find a national list here) or TI teams will investigate an attack, notify and share information with hosting providers or ISPs whose resources are being used to conduct the attack, and work with all affected parties to coordinate an effective mitigation.

Should I contact Law Enforcement?

Contact your national law enforcement agency if you believe that a crime is being committed; for example, you should contact law enforcement if your organization received a threat prior to the attack, or received a demand for money in return for not being attacked, or if you believe that critical infrastructure or delivery of a critical service (such as Emergency 911) is threatened.

Contact law enforcement to report a crime, not to mitigate an attack. DDoS attacks are criminal acts in many jurisdictions. By filing a report, you and other victims provide valuable information that may be relevant in any subsequent investigation or prosecution of the attackers.

Provide Good Intel

At an operational level, you, your hosting provider or ISP should gather as much information related to the attack as possible. The Operations Security Trust Forum recommends collecting the following kinds information:

1. Provide as much time information as possible: identify the start of attack, end of attack, whether the attacks are repeated, and whether there are observable patterns or cycles to the attacks.
2. Share any insights or suspicions you have regarding the nature of the attack. Does it appear to correlate with a geo-political event? Did you receive threatening correspondence prior to or during the attack and if so, what was the nature of the threat?
3. Provide detailed traffic information including: type of traffic (ICMP, DNS, TCP, UDP, application), source and targeted IP addresses and port numbers, packet rate, packet size, and bandwidth consumed by the attack traffic.
4. Describe any unique traffic or packet characteristics you observe. Is the attack targeting a particular virtual host or domain? What have you observed from application protocol headers? Have you observed any unusual patterns of flag settings in underlying protocols (TCP, UDP, ICMP, IP)?
5. Identify any changes you observe in the attack over time (i.e., to packet sizes, rates, unique IPs seen per epoch, protocols, etc.). These may be indications that the attacker is reacting to mitigation efforts you or others have implemented.
6. Provide your assessment of the impact; for example, explain whether you are managing the attack using mitigations and assistance, or that your services or performance is {moderately, severely} affected, or that your services have been disrupted entirely.

Don’t Wait Until You Are a Victim

If you have not already prepared a plan to respond to a DDoS attack, please consider doing so. The article Preparing for the (Inevitable) DDOS Attack offers a checklist of contacts, information, and mitigation strategies. Some helpful resources to better understand different kinds of DDoS Attacks, mitigation techniques and how your organization can help reduce the overall threat of these attacks are included below:

• SAC004, Securing The Edge
• SAC008, DNS Distributed Denial of Service (DDoS) Attacks [PDF, 963 KB]
• BCP 38, Network Ingress Filtering
• BCP 140, Preventing Use of Recursive Nameservers in Reflector Attacks
• Protecting the World from YOUR Network
• Mitigating DNS Denial of Service Attacks
• The Worrisome Threat of DNS DDoS Amplification Attacks
• Do More to Prevent DDoS Attacks
• Firewall Best Practices – Egress Traffic Filtering
• Distributed Denial of Service (Attacks/Tools)

As you know, on 7 March, we posted a draft of the 2013 RAA for public comment noting the outstanding differences remaining in the negotiations at that time. Differences that have since been reconciled through many additional hours of meeting and dialogue. ICANN and the Registrar Negotiating Team considered as part of the negotiations the public comments received and resolved all the remaining issues and differences. Now the ICANN community is able to review this final draft before it is approved and adopted. And so, we are posting the final draft of the 2013 RAA for public comment.

I must say that I am extremely delighted with the new spirit of partnership that has evolved between ICANN and the registrar community as a whole. On behalf of ICANN, I would like to express my sincere gratitude to the members of the Registrar Negotiating Team for their tireless efforts and spirited attitudes in getting us to the finish line. A few of them have offered their own reflections on the process and the Agreement.

Matt Serlin, Chair of the Registrar Stakeholder Group:

“On behalf of the entire Registrar Negotiating Team, I am pleased to see negotiations on the 2013 RAA have come to a conclusion after a long process in which both parties worked long and hard to resolve difficult issues. The outcome of these discussions is a new RAA which will be impactful for everyone involved in the DNS industry including every ICANN accredited registrar. We look forward to continuing to work with ICANN as we now move from the negotiations phase to implementing the numerous new requirements contained in the 2013 RAA.”

James Bladel, GoDaddy.com:

“The new 2013 RAA represents over a year’s work between registrars and ICANN Staff, and is an important milestone in the development of the DNS ecosystem. It raises the bar for service providers, provides new tools for law enforcement, and gives registrars long-term stability in their relationship with ICANN.”

Volker Greimann, Key-Systems Group:

“ICANN and the registrars negotiation teams have worked long and hard towards the completion of a 2013 RAA to address the difficult issues put before us. Despite complicated issues, sometimes moving goalposts and further complications were able to conclude the negotiations with a result that we hope will be a great step ahead for the community. I am especially pleased that the negotiated 2013 RAA recognizes the need for fair and balanced exemption process where applicable law prohibits the direct implementation of certain terms within new requirements, such as the data retention specification.”

Rob Hall, Momentous.com:

“It isn’t just the new RAA that is significant, it is the collaborative way it was created.  Those of us who participated saw the dawn of a new day at ICANN, one where getting things done for the community as a whole takes precedence over any single concern.”

In the Security team [https://www.icann.org/security], we see this technical engagement with the community as a key part of delivering on ICANN’s mission to facilitate the security, stability and resiliency of the Internet’s unique identifier systems through coordination and collaboration.

We do this with community partners across the globe, at the request of operators and universities in the Caribbean and the Middle East, in Africa, Asia-Pacific and South America. We have increasing interest among the law enforcement community for this training. The Security team recently conducted DNS training at Europol, at the International Criminal Law Network in the Netherlands, and with other agencies in the United Kingdom. We are exploring opportunities with the Commonwealth Cybercrime Initiative, and have upcoming DNSSEC training in Tunis, Tunisia next week.

The community has an opportunity to tell us what you think of this training, and on ICANN’s security activities by commenting on the FY 14 Security, Stability and Resiliency Framework. The document has been translated into 7 languages, and is open for comment through 20 April 2013 (with a reply comment period to 20 May 2013, 23:59 UTC). Please take some time to read this document, and provide comments.

Here is some testimony from Rick Lamb, one of our team members and a lead on DNSSEC adoption and engagement:

I consider myself fortunate to be able to participate in this space, following in the footsteps (and the beneficiary of the experience pool) of other seasoned ICANN trainers.

Although I have taught in the past, I had forgotten about the heady mixture of fear, happiness and exhilaration that comes from interacting with a classroom full of intelligent, interested students. After typically spending the better part of an intense week together, trusted relationships are forged, giving the students not just technical knowledge, but a sense of being part of the larger Internet community. These relationships clearly benefit everyone involved.

I know that these are familiar sensations for my seasoned colleagues, but I think that sometimes we should be reminded about the not-so-obvious value of training efforts and the importance of these personal interactions toward building and maintaining the international network of trust that keeps the international network we call the Internet running.

Dr. Richard Lamb
Sr. Program Manager, DNSSEC, ICANN

If you are interested in more information on these trainings, our partners at NSRC maintain excellent wiki pages providing past training agendas and materials. An example from the Lebanon training can be found at https://nsrc.org/workshops/2013/nsrc-isoclb-dnssec/.

Photo Credit – Phil Regnauld, NSRC

Photo Credit – Phil Regnauld, NSRC

Development of this strategy has been truly community-driven and bottom-up, just as the implementation will be in full partnership with the regional and International Internet community. Already, many organizations, like the Internet Society, Regional Internet Registries, ccTLD managers and others, are active in this area, and our efforts are complementary to theirs.

The public is invited to comment on the draft strategy until 19 April, and I encourage you to do so if you haven’t already. We plan on posting the final document in May, and look forward to working with the community on the implementation plan.

• Watch interview with Baher Esmat about the strategy development process
• Read the draft ICANN Engagement Strategy in the Middle East

• What do you think are the most important forces potentially affecting the Internet in the next 1-5 years that should be broadly taken into consideration when ICANN creates its new five-year strategy?
• What are the most important things to keep in mind when considering how the above forces connect with ICANN’s mission and core values (as detailed in our bylaws)?
• What key factors should we consider related to ICANN’s roles, responsibilities, operations, and structure?

Please share your answers to these, as well as other applicable thoughts or comments, you may have. Your input will be synthesized and carefully considered by ICANN’s CEO and Board, and will help provide a framework for ICANN strategic planning.

The strategic planning process will formally begin in June 2013, and will include a more focused public discussion (online and at the ICANN Durban meeting), a draft Strategic Plan posted for public comment, and Board consideration and action at the end of this year. The results will be a new Strategic Plan that will serve as the foundation for developing a new ICANN Operating Plan and Budget.

Thank you for helping to shape ICANN’s future.

I cannot stress enough what an important milestone this is for ICANN in the implementation of the New gTLD Program as these entities will help to guarantee that domain names within a new gTLD continue to resolve in the event of a failure by a new TLD operator.

While we do not anticipate that any of the new registries will fail in the future, we knew it was important to take steps to mitigate the risk of how a failure could impact the stability and security of the DNS.  We did this in two phases. First, we created a robust evaluation process to help ensure new registries are operationally, financially and technically sound. And second, ICANN has established the EBEROs to make sure that should anything happen, back-end registry operators stand ready to meet our obligation to provide continuity and maintain the stability of the DNS.

The three geographically diverse organizations – CNNIC, Neustar and Nominet – met stringent technical requirements and demonstrated years of experience in operating domain name services, registration data directory services and extensible provisioning protocol services. Our cross-functional evaluation team had a difficult job in selecting them, as 14 very capable companies from around the world responded to our Request for Information.

We are so pleased to have the participation of these three providers, whose geographic diversity is aligned with the diversity of the new gTLD applicants and future registries.

• Affirmation of Intent [PDF, 52 KB]
• Watch Beijing Signing Ceremony

Left to right:

Fadi Chehadé, President & CEO, ICANN
Karla Valente, gTLD Registry Programs Director
Lesley Cowley, Managing Director/Chief Executive, Nominet
Jeff Neuman, Vice President, Neustar, Inc.
Xiangyang Huang, Director of CNNIC