OFCOM open forum

29 Nov 2019 12:00h - 13:00h

Event report

[Read more session reports and updates from the 14th Internet Governance Forum]

Mr Jorge Cancio (Swiss Federal Office of Communications [OFCOM]) explained that the session would concentrate on a specific issue, domain name system (DNS) abuse and misuse. An issue that has been discussed in Internet Corporation for Assigned Names and Numbers (ICANN) meetings continuously, particularly at its last meeting in Montréal.

The functioning of the Internet and the DNS are interdependent which requires the collaborative work of all the players in the system. If a malicious attacker can manipulate the ‘Internet phone book’, we end up experiencing different types of attacks. At ICANN, there are different discussions on this issue but even ICANN had an interesting statement recently in which they confirmed an increased number of attacks on the DNS.

What can we do to preserve the DNS as the core infrastructure, as part of the public core of the Internet?

Growing international consensus is rising. The DNS is both a distributed database of domain names and a protocol, and we are seeing attacks against both. Ms Cristine Hoepers (CERT.br/NIC.br) alerted that there are differences between an attack, abuse, and misuse. There are some attempts to map the problem, but are we doing enough? We must create a stronger ecosystem. This year, there were two very different attacks being called ‘DNS hijacking attacks’ which has been confusing even for technical experts. The first one, the DNS architecture hijacking campaign, is where the domain itself is hijacked, the domain remains registered, but no longer leads to the right server. The actors (mainly registries) need to be quick to bring the domain back to the original owner. The second type of attack involves a malicious DNS resolver and consumer router compromise. In this case, the user’s home router is compromised and the resolution path is hijacked. The actors involved in this type are the hosting provider where the malicious DNS resolver is hosted, and the Internet service provider (ISP) is the actor that needs to disinfect the home router. The registrars and registries cannot do anything about this type of attack, unlike in the first case.

Therefore, DNS abuse and misuse are more than domain takedowns and there are multiple ways to misuse the DNS. It is hard for the user to detect if the resolution path is being manipulated or the domain is malicious. Who can do what about DNS abuse and misuse? DNS operators; computer emergency response teams (CERTs), for analysis and co-ordination; hosting providers, for policy updates; ISPs, and everyone else needs to be vigilant since principles of cyber hygiene need to be applied.

Mr Michael Hausding (Switch.ch) said that Switzerland represents a special case because it has had a law on Internet domains for over ten years and Switch, as a registry is obligated to implement it. Hausding is happy that the registry is not responsible to fight DNS abuse, but to fight cybercrime. He differentiated DNS attacks as: website compromises; domain delegation hijacking; DNS hijacking; sub-domain hijacking; rogue DNS (DHCP) servers; and blackhat search engine optimisation (SEO).

The Switch CERT is particularly busy dealing with fake webshops. They cannot determine which shop is fake by themselves, therefore they work very closely with the police. Finally Hausding talked of how .ch is a clean domain since it applies the following principles: clear and enabling regulation that encourages and requires co-operation; separation of powers; close co-operation between registry CERTs, industry, and authorities; subject matter experts; and automatisation.

By Tereza Horejsova