Home / Blogs

Maintaining Security and Stability in the Internet Ecosystem

DDoS attacks, phishing scams and malware. We battle these dark forces every day—and every day they get more sophisticated. But what worries me isn’t just keeping up with them, it is keeping up with the sheer volume of devices and data that these forces can enlist in an attack. That’s why we as an industry need to come together and share best practices—at the ICANN community, at the IETF and elsewhere—so collectively we are ready for the future.

The challenge before us is growing every day. The Internet ecosystem is comprised of roughly 3.5 billion global Internet users, millions of businesses, civil society organizations and governments operating over 900 million websites using 334 million domains. With this growth, we are seeing major shifts in the how the Internet is used: It isn’t just computers and smart phones anymore. Maintaining the security and stability of the internet means protecting more “things”—from smart watches to smart TVs to smart refrigerators—from more bots, scrapers, and spammers.

The domain industry must place a greater focus on creating trust through security and stability. At Afilias, I focus the company to not only manage and develop our systems to scale and meet technical demands and ensure 100% availability and uptime, but also to focus efforts on maintaining interoperability and to develop open standards for the industry.

How do we do this? Trustworthiness. In computing terms that means being able to rely on systems to be available and secure. While it sounds simple, it requires a combination of security, privacy and reliability to exist in all interactions with the registry system and DNS networks. It requires usage and storage practices to be well documented and audited to ensure that the organization does what it says. Trustworthiness is, in turn, dependent on several core principles:

  • Global reach: The ability of any system to be able to reach any other system supported, wherever the sender and the receiver are on the Internet. To ensure this, we make sure to run a global addressing and naming service infrastructure.
  • Interoperability: The primary factor in ensuring interoperability is an ironclad commitment to open standards. Afilias is a signatory to OpenStand, the modern paradigm for standards, shaped by adherence to five fundamental principles: due process, broad consensus, transparency, balance, and openness.
  • Accessibility: Providing access to Internet resources, regardless of device or software. Afilias best embodies this by allowing networks on IPv4 and IPv6 to equally access its systems without bottlenecks. Other examples abound.

These principles are essential to the security and stability of the ecosystem to meet the challenges of today, scale and grow in the future, and work harder to increase access for the billions of people yet to be connected. We believe—using the multi-stakeholder approach to Internet governance with broad participation from technical, business and civil society leaders—we can collaboratively develop a new model for the industry as a whole.

We will continue to do our part to harness secure, reliable, scalable and globally available technology and to encourage others to do the same. Our belief and vision is that sharing such best practices can help the global Internet community will share a strong and vibrant Internet. The DDoS attacks, phishing scams and malware are not going to stop but we will do our part to help and lead our community to be better prepared for the battle.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By Ram Mohan, Chief Operating Officer at Afilias

Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry.

Visit Page

Filed Under

Comments

It'd also help if there was pressure Todd Knarr  –  Oct 2, 2016 2:48 AM

It’d also help if there was pressure on network operators, particularly edge-network operators like consumer ISPs, to implement ingress filtering on the downstream side (so customers can’t send packets into the ISP’s network with source addresses not within the customer’s expected netblocks) and egress filtering on the upstream side (so packets can’t exit their network unless their source address is in a netblock the ISP owns or that belongs to an ISP’s customer). It’s not a complete solution, but it’d cut down on a lot of the avenues for running DDoS attacks. One of the best defenses is to keep your opponent from launching an attack in the first place.

Sounds Logical Christopher Parente  –  Oct 5, 2016 1:31 PM

Todd -- that seems to make a lot of sense. Would this be a challenge for ISPs to deploy? Or is there no business case for ISPs to do this, so they don't.

For networks that carry mostly transit traffic Todd Knarr  –  Oct 5, 2016 1:49 PM

For networks that carry mostly transit traffic it's hard to deploy, and the closer to the backbone you get the harder it is. But for edge networks like consumer ISPs who don't carry a lot of transit traffic from netblocks they don't directly own it's fairly straightforward. Back when I had little experience with iptables it only took me an hour or two to write a complete set of rules for it for my network (router handling 2 /24 netblocks). RFC 3704 covers the subject. Primarily I think it doesn't happen because there's no business case. The originating ISPs aren't the entities being damaged by the DDoS attacks, and disconnecting or suspending customers who're originating DDoS traffic might cost them those customers since those customers are unlikely to believe their systems have been infected. For them any effort expended is a dead loss. The damaged entities at present have no recourse against the originating networks, so there's no natural way of imposing any costs on the originating networks. What it'd take is standard language in interconnect contracts requiring downstream ISPs to implement RFC 3704 on their networks or face disconnection if they were caught originating part of a DDoS attack, with a possible exception for pure-transit networks who took appropriate measures to enforce 3704 compliance on their own internal networks and all downstream customers.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

DNS

Sponsored byDNIB.com

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Cybersecurity

Sponsored byVerisign

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC