Part 3 of 4 – Name Collision Mitigation Requires Qualitative Analysis

As discussed in the several studies on name collisions published to date, determining which queries are at risk, and thus how to mitigate the risk, requires qualitative analysis (New gTLD Security and Stability Considerations; New gTLD Security, Stability, Resiliency Update: Exploratory Consumer Impact Analysis; Name Collisions in the DNS). Blocking a second-level domain (SLD) simply on the basis that it was queried for in a past sample set runs a significant risk of false positives. SLDs that could have been delegated safely may be excluded on quantitative evidence alone, limiting the value of the new gTLD until the status of the SLD can be proven otherwise.

Similarly, not blocking an SLD on the basis that it was not queried for in a past sample set runs a comparable risk of false negatives.

A better way to deal with the risk is to treat not the symptoms but the underlying problem: that queries are being made by installed systems (or internal certificates are being employed by them) under the assumption that certain gTLDs won’t be delegated.


How Financial Institutions Can Up Their Game Against DDoS Attacks

With the ease of access to the internet and prevalence of social media today, unsuspecting computer users are making it easier than ever for malicious actors to target them with malcode. This trend has helped provide the perfect environment for Distributed Denial of Service (DDoS) attacks to grow in size, complexity and range of targets. Today’s attacks are not limited to web infrastructure; attackers are increasingly targeting the Domain Name System (DNS) infrastructure as well. This trend has been particularly noticeable in the financial industry, which has been hit hard over the last year.


Part 2 of 4 – DITL Data Isn’t Statistically Valid for This Purpose

For several years, DNS-OARC has been collecting DNS query data “from busy and interesting DNS name servers” as part of an annual “Day-in-the-Life” (DITL) effort (an effort originated by CAIDA in 2002) that I discussed in the first blog post in this series. DNS-OARC currently offers eight such data sets, covering the queries to many but not all of the 13 DNS root servers (and some non-root data) over a two-day period or longer each year from 2006 to present.  With tens of billions of queries, the data sets provide researchers with a broad base of information about how the world is interacting with the global DNS as seen from the perspective of root and other name server operators.

In order for second-level domain (SLD) blocking to mitigate the risk of name collisions for a given gTLD, it must be the case that the SLDs associated with at-risk queries occur with sufficient frequency and geographical distribution to be captured in the DITL data sets with high probability. Because it is a purely quantitative countermeasure, based only on the occurrence of a query, not the context around it, SLD blocking does not offer a model for distinguishing at-risk queries from queries that are not at risk.  Consequently, SLD blocking must make a stronger assumption to be effective:  that any queries involving a given SLD occur with sufficient frequency and geographical distribution to be captured with high probability.

Put another way, the DITL data set – limited in time to an annual two-day period and in space to the name servers that participate in the DITL study – offers only a sample of the queries from installed systems, not statistically significant evidence of their behavior and of which at-risk queries are actually occurring.


Verisign Delegates Four New gTLDs to the Root Zone

Guest post from Pat Kane, Senior Vice President, Naming and Directory Services

On Oct. 23, 2013, at approximately 11:00 a.m. EDT, Verisign received authorization instructions from the U.S. Department of Commerce National Telecommunications and Information Administration (NTIA) to delegate four new gTLDs into the root zone, which we are responsible for maintaining per the Cooperative Agreement between Verisign and NTIA. Verisign acted in accordance with our contractual obligation and delegated these TLDs into the root zone at 2:33 p.m. EDT the same day.


Verisign Launches Verisign DomainScope: Take the Guesswork Out of Finding the Right Domain Name

Today Verisign announced the launch of Verisign DomainScope, a new domain name discovery tool designed to enhance the search for unique, relevant domain name choices in the .com, .net, .tv and .cc top-level domains. Incorporating the same functionality found in our DomainFinder, DomainScore and DomainCountdown tools, DomainScope replaces these tools and allows users to focus their domain search and uncover new domain name registration opportunities in one place.*


Why Small Businesses Say Having a Website is Important

Today, people often turn to the internet first for information about businesses and products – whether they are shopping online, or simply looking for a business’ address or phone number – making an online presence one of the most important assets for any business; not just to share information, but to build credibility.

Consumers are looking to connect with companies more than ever, and establishing an online presence through a website, blog or social channels provides a great way to fulfill this desire. But there are still many small businesses lacking an online presence, effectively hanging a closed sign up for their potential customers.

To understand the benefits, barriers and preferences for creating an online presence, Verisign recently worked with Merrill Research to conduct a global survey of 1,050 small businesses with an online presence about their experiences and gained some interesting insights.


Tips to Protect E-Commerce Website Availability and Security During the Holidays

With the holiday shopping season quickly approaching, internet retailers are gearing up for an onslaught of web traffic – which is great, as long as they have the right measures in place to keep their customers safe and satisfied.

Even one hour of downtime due to a website outage or a malicious attack can have significant impact on a retailer’s reputation and revenue, especially during the holidays, a time which the National Retail Federation says can add up to 40 percent of an online retailer’s annual revenue. With some large e-commerce sites earning millions each day during the holiday season, even a few minutes of downtime can lead to financial losses in the tens of thousands of dollars, not to mention customer frustration.


Diversity, Openness and vBSDcon 2013

“There never were in the world two opinions alike, no more than two hairs or two grains; the most universal quality is diversity”

–Michel Eyquem, seigneur de Montaigne (1533–1592)

Diversity is a central design principle of the Domain Name System. With respect to the DNS root, it’s the reason that there are 13 separately managed root servers with 12 independent operators. It’s the reason Verisign operates the two root servers we’re responsible for – the A and J roots – as well as other name servers – at multiple locations around the world. It’s also the reason that within these locations operated by Verisign, multiple physical servers handle the incoming traffic. And it’s the reason that among these multiple servers, we use multiple hardware and software platforms, as well as multiple network providers.

In other words, diversity is one reason the DNS industry in general, and Verisign in particular, doesn’t do everything the same way and in the same place.
