1. Conficker Update John Crain

2. What is Conficker? An Internet worm  Malicious code that is self-replicating and distributed over a network A blended threat  Uses various methods to spread the infection (network file shares, map drives removable media) A Dynamic Link Library  Conficker is not an executable but “additional code” that an executable already on a computer must load

3. What is the Conficker botnet? An army that can be directed at will by rendezvous points to support a wide range of malicious, criminal or terrorist activities for as long as the computer remains infected and as long as the bots can remotely communicate with the rendezvous point(s)

4. Infections? Source: http://www.confickerworkinggroup.org

5. CcTLDs used by conficker

6. Is conficker still active? Despite best efforts infected machines still number in the many millions!! Could DNS still be used as a rendevouz? Yes, however peer-to-peer and other mechanisms are being used for updates. Should we still block and “sinkhole” Yes, at a minimum the sink-holing gives those attempting to tackle conficker insight into the infection and helps with ongoing clean up.

7. Global DNS CERT Business case for collaboration in security

8. Background Growing risks to DNS security and resiliency  Emergence of Conficker.  Growing number of domain hijacking cases Community calls for systemic DNS security planning and response ICANN commitments under Affirmation of Commitments Initiatives called for in ICANN 2010-2013 Strategic Plan

9. Objectives of threats to DNS Politically-motivated disruption of DNS Desire for financial gain Demonstration of technical superiority Gratuitous defacement or damage Source: 2009 Information Technology Sector Baseline Risk Assessment, US Dept of Homeland Security

10. Potential impacts Long lasting damage to “Trust” in system Significant and lasting economic harm Is the Internet as we know it at Risk from malicious behavior?

11. Lessons learned Conficker (’08- )  DNS played a role in slowing Conficker  Complex interactions with DNS community  Resource-intensive response activity Conficker WG noted need for a dedicated incident response capability

12. Lessons learned Protocol vulnerability (’08)  Fast response, but  Predicated on ability to find “key people” A coordination center would have improved situational awareness Diagram of cache poisoning attack

13. Lessons learned Avalanche (’08- )  Targets financial sector  Exploits the limited resources of registrars  Trend continues upward Complex coordination requires dedicated team

14. http://www.icann.org/en/topics/ssr/d ns-cert-business-case-10feb10- en.pdf Maybe a DNS-CERT?

15. Mission of DNS CERT “Ensure DNS operators and supporting organizations have a security coordina- tion center with sufficient expertise and resources to enable timely and efficient response to threats to the security, stability and resiliency of the DNS”

16. Goals Validate need for standing collaborative response capability to address systemic threats/risks  Full-time/global; coordinate existing capabilities; serve all stakeholders especially less resourced operators Operational focus determined in engagement with stakeholders and leveraging existing efforts  Fostering situational awareness; incident response assistance/coordination;

17. Stakeholders by role

18. Participation and feedback DNS CERT must respond to constituency needs Participation by key constituents  Adds capability to CERT  Extends its geographic reach  Helps keep focus on constituency needs

19. Resource requirements $4M initial annual budget 12 technical staff (3 technical resources x 4 global regions) 3 overhead staff (covering legal, administration & finance) Operations support, travel and facilities

20. Open questions include: Where should it be housed? What is best model? How should it be funded? Etc. etc.

21. Way Forward This is a “proposal” we need feedback! Seek community feedback  Session scheduled for Nairobi meeting  Email yurie.ito@icann.org with comments