Verisign OpenHybrid™ for Corero and Amazon Web Services Now Available
Verisign outlined its vision for a revolutionary new approach to Distributed Denial of Service (DDoS) protection by announcing the availability of the Verisign OpenHybrid™ architecture, which helps organizations protect their critical assets and applications across distributed environments from DDoS attacks, using a single solution. By integrating intelligence from a customer’s existing security defenses, Verisign OpenHybrid™ provides timely detection and restoration of services in the event of an attack, while providing increased visibility of DDoS threats across multiple environments such as private datacenters and public clouds.
In an earlier blog post on the topic, I noted the increasing scale and complexity of DDoS attacks, and the strong need for organizations to enable awareness and mitigation of attacks across on-premises devices as well as public and private cloud environments, using standards-based open protocols.
Today we are pleased to announce two important updates in our path toward enabling open DDoS protection: the availability of Verisign OpenHybrid™ for Corero SmartWall TDS and Verisign OpenHybrid™ for customers hosted in the Amazon Web Services Elastic Compute Cloud.
Registration Operations is More Than Just Registering Domain Names
Perceptions can be difficult to change. People see the world through the lens of their own experiences and desires, and new ideas can be difficult to assimilate. Such is the case with the registration ecosystem. Today’s operational models exist because of decisions made over time, but the assumptions that were used to support those decisions can (and should) be continuously challenged to ensure that they are addressing today’s realities. Are we ready to challenge assumptions? Can the operators of registration services do things differently?
Verisign Celebrates #30YearsofCOM
This year marks 30 years since the first .com domain name – Symbolics.com – was registered, and the internet and world as we knew it changed forever. Verisign, the authoritative registry operator of .com, is celebrating its 30th anniversary and the remarkable impact .com has had on the economy and culture.
In the last 30 years, the internet has evolved from an unknown phenomenon used primarily by academics and researchers to a global communication, commerce and information sharing channel that few could imagine life without; in fact, nearly three billion people around the world are online today, and more than $300 billion in U.S. e-commerce sales and over $1.3 trillion in global e-commerce sales rely on the internet.
Internet Grows to 288 Million Domain Names in the Fourth Quarter of 2014
Today, we released the latest issue of the Domain Name Industry Brief, which showed that the Internet grew by four million domain names in the fourth quarter of 2014. The total number of domain names across all top-level domains (TLDs) is now 288 million. This is a 1.3 percent increase over the third quarter of 2014. [1]
.com and .net Breakdown
New .com and .net registrations totaled 8.2 million, bringing the combined number of .com and .net domain names in the domain name base to 130.6 million by the end of the fourth quarter of 2014.
gTLD Breakdown
At the end of the fourth quarter of 2014, 478 new gTLDs had been delegated into the root, 65 of them during the fourth quarter of 2014. [2]
The chart below captures the initial 60-day registration volume rank for those new gTLDs reaching 60 days of General Availability (GA) during the quarter. In the fourth quarter of 2014, 78 new gTLDs reached 60 days of GA and of those, the 10 largest new gTLDs, as measured by zone size at the end of the quarter, were: [3]
ccTLD Breakdown
Country-code top-level domains (ccTLDs) reached 134.0 million domain names. The top 10 ccTLD registries by domain name base were:
DNS Query Load
Verisign’s average daily Domain Name System (DNS) query load during the fourth quarter of 2014 was 110 billion across all TLDs operated by Verisign, with a peak of 146 billion. Year over year, the daily average increased 33.5 percent and the peak increased 47.1 percent.
For more domain stats from the fourth quarter of 2014, check out the infographic below and the latest issue of the Domain Name Industry Brief.
[1] The gTLD and ccTLD data cited in this report are estimates as of the time this report was developed, and are subject to change as more complete data is received. Totals include ccTLD Internationalized Domain Names.
[2] The total number of gTLDs and their registrations is published through the Centralized Zone Data Service: https://czds.icann.org/en
[3] The new gTLDs that reached 60 days of General Availability during the fourth quarter were determined using: ntld stats
Top 10 Trending Keywords in .COM & .NET Registrations in February
This Sunday, March 15, marks the 30th anniversary of the first .com domain name registration, Symbolics.com. Today, there are more than 116 million .com domain names registered globally, and more being registered every day. Below is a list of the top 10 trending keywords registered in .com and .net during the month of February 2015. Any surprises?
“What’s in a Name?” Using DANE for Authentication of Internet Services
Do we already have strong security protections for our Internet services? For many years now, we have had numerous cryptographically enhanced protocols. Standards and suites like S/MIME, Transport Layer Security (TLS), IP Security (IPsec), OpenPGP, and many others have been mature for years, have offered us a range of protections and have been implemented by a wealth of code. Indeed, based on these protections, we already count on having “secure” eCommerce transactions, secure point-to-point phone calls that our neighbors can’t listen in on, secure Virtual Private Networks (VPNs) that let us remotely connect to our internal enterprise networks, etc. However, our Internet security protocols have all excluded a very important step from their security analyses: none of them describes a crucial step called secure key learning. That is, before we can encrypt data or verify signatures, how does someone bootstrap and learn which cryptographic keys are needed? In the absence of a way to do this, we have traditionally prefaced the security protections of these protocols with techniques like Out of Band (OOB) key learning (learning keys in an unspecified way) or Trust on First Use (TOFU) key learning (just accepting whatever keys are found first), and each protocol must do this separately (and potentially in its own, different, way). This is because the protocols we rely on for protection have never formally specified a standardized way to securely bootstrap their keys.
Minimum Disclosure: What Information Does a Name Server Need to Do Its Job?
Two principles in computer security that help bound the impact of a security compromise are the principle of least privilege and the principle of minimum disclosure or need-to-know.
As described by Jerome Saltzer in a July 1974 Communications of the ACM article, Protection and the Control of Information Sharing in Multics, the principle of least privilege states, “Every program and every privileged user should operate using the least amount of privilege necessary to complete the job.”
Need-to-know is the counterpart for sharing information: a system component should be given just enough information to perform its role, and no more. The US Department of Health and Human Services adopts this principle in the HIPAA privacy policy, for example, which states: “protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.”
There may be tradeoffs, of course, between minimizing the amount of privilege or information given to a component in a system and other objectives such as performance or simplicity. For instance, a component may be able to do its job more efficiently if given more than the minimum amount. And it may be easier just to share more than is needed than to extract only the minimum required. The minimum amount of privilege may also be hard to determine exactly, and it might change over time as the system evolves or if it is used in new ways.
Least privilege is well established in DNS through the delegation from one name server to another of just the authority it needs to handle requests within a specific subdomain. The principle of minimum disclosure has come to the forefront recently in the form of a technique called qname-minimization, which aims to improve privacy in the Domain Name System (DNS).
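To make the minimum-disclosure point concrete, here is an added illustration (not Verisign's code, and not from the original post) of what each name server learns when a resolver walks the delegation chain with and without qname minimization, the technique later standardized in RFC 7816. The delegation tree, the server names and the query names are all constructed sample data; real resolvers also send these minimized queries with the NS type and fall back on unexpected responses, which the toy model leaves out.

```python
"""Toy model of DNS resolution with and without qname minimization.

Constructed sample delegation tree (zone apex -> the server that serves it).
Nothing here touches the network; it only records which name each server
would see.  Server names are placeholders, not real hosts.
"""

DELEGATIONS = {
    ".": "root-server",
    "com.": "com-tld-server",
    "example.com.": "example-auth-server",
}


def labels(name):
    """'www.example.com.' -> ['www', 'example', 'com']; '.' -> []."""
    return [l for l in name.rstrip(".").split(".") if l]


def referral(zone, sent):
    """What the server for `zone` does with the name `sent`: return the child
    zone it delegates to, or None when it is itself authoritative for `sent`."""
    n = len(labels(zone))
    s = labels(sent)
    if len(s) <= n:
        return None
    child = ".".join(s[-(n + 1):]) + "."
    return child if child in DELEGATIONS else None


def resolve(qname, minimise=True):
    """Walk the delegation chain from the root and return the list of
    (server, name_sent) pairs, i.e. exactly what each server learned."""
    qname = qname.lower().rstrip(".") + "."
    full = labels(qname)
    zone, depth, trace = ".", 0, []
    while True:
        server = DELEGATIONS[zone]
        if minimise:
            depth = min(depth + 1, len(full))        # reveal one more label only
            sent = ".".join(full[-depth:]) + "." if depth else "."
        else:
            sent = qname                              # traditional: reveal all
        trace.append((server, sent))
        child = referral(zone, sent)
        if child is not None:                         # follow the delegation
            zone, depth = child, len(labels(child))
        elif not minimise or sent == qname:           # answered in full
            return trace
        # otherwise (minimised, no delegation below `sent`): stay on the same
        # server and add the next label on the next round


def exposure(qname, minimise=True):
    """Map each server to the list of names it saw while resolving qname."""
    seen = {}
    for server, sent in resolve(qname, minimise):
        seen.setdefault(server, []).append(sent)
    return seen


if __name__ == "__main__":
    for mode in (False, True):
        print("qname minimisation:", "on" if mode else "off")
        for server, sent in resolve("a.b.www.example.com.", minimise=mode):
            print(f"  {server:22} saw {sent}")
```

With minimization off, the root and .com servers both see the full name `a.b.www.example.com.`; with it on, the root sees only `com.`, the .com server only `example.com.`, and just the server that is authoritative for `example.com.` sees the remaining labels (one more per round, because nothing below `www` is delegated). That is the need-to-know principle applied to the query path: each server gets only the labels it needs to route or answer.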
Can’t Decide Which .Com Domain Name to Register? Our Internet Official Contest Judges Are Here to Help!
As you may have seen, the #InternetOfficial contest celebrating #30YearsofCOM, is well underway. Choosing a domain name is an important step when building your business or startup, so we’ve enlisted the help of our #InternetOfficial industry experts— domain investor and blogger Michael Berkens, SMB authority Anita Campbell and naming expert Steve Manning— to offer business branding and domain naming tips.
Verisign Q4 2014 DDoS Trends: Public Sector Experiences Largest Increase in DDoS Attacks
Verisign just released our Q4 2014 DDoS Trends Report, which provides a unique view into online distributed denial of service (DDoS) attack trends from mitigations on behalf of, and in cooperation with, customers of Verisign DDoS Protection Services, and from the security research of iDefense Security Intelligence Services. Many notable observations were made, including a rise in the average size of DDoS attacks against our customers. The most common attack vector continued to be User Datagram Protocol (UDP) amplification attacks leveraging Network Time Protocol (NTP), while Simple Service Discovery Protocol (SSDP) also continued to be exploited. Verisign also mitigated more attacks in December than in any other month of 2014.
The most notable observation, however, is that public-sector customers experienced the largest increase in attacks, constituting 15 percent of total mitigations in Q4. Verisign believes the steep increase in the number of DDoS attacks levied at the public sector may be attributed to attackers’ increased use of DDoS attacks as tactics for politically motivated activism, or hacktivism, against various international governing organizations, as well as in reaction to various well-publicized events throughout the quarter, including protests in Hong Kong and Ferguson, Missouri. As outlined in iDefense’s 2015 Cyber Threats and Trends blog post, the convergence of online and physical protest movements contributed to the increased use of DDoS as a tactic against organizations, including the public sector, throughout 2014.
Help Ensure the Availability and Security of Your Enterprise DNS with Verisign Recursive DNS
At Verisign, we’ve made the Domain Name System (DNS) our business for more than 17 years. We support the availability of critical Internet infrastructure like .com and .net top-level domains (TLDs) and the A and J Internet Root Servers, and we provide critical Managed DNS services that ensure the availability of externally facing websites to customers around the world.
As we continue to expand our role in Internet security, we are excited to announce the next step in protecting the stability of enterprise DNS ecosystems: Verisign Recursive DNS. This new cloud-based recursive DNS service leverages Verisign’s global, securely managed DNS infrastructure to offer the performance, reliability and security that enterprises demand when securing their internal networks and ensuring that communications safely and securely reach their intended destinations.