Skip to main content

Top Level Domain Incident Response Resource Now Available

When Top Level Domain operations are attacked, ICANN's SSR department may be asked to assist with incident response, either directly, or as a facilitator that can identify competent incident response, recovery, or subsequent investigations.  

A recent series of attacks against Top Level Domain operators of the Domain Name System underscores the contention and growing concern that all critical infrastructures are vulnerable. One of the targeted assets of recent attacks is the authoritative name service of a Top Level Domain. Attackers that can successfully compromise an authoritative name server are able to alter DNS data on those servers to conduct defacement or web impersonation attacks. 

ICANN's SSR department, in cooperation with subject matter experts from Mark Monitor, Network Startup Resource Center (NSRC), and Farsight, Inc., have produced a "recovery checklist" to assist TLD operators who may fall victim to authoritative name server compromise attacks. The checklist considers immediate, interim, and long-term actions that an operator should consider taking when it determines or is notified that its authoritative name service has been compromised.

Top Level Domain Incident Response: A "Recovery" Checklist [PDF, 148 KB] begins with investigations basics: we briefly explain how to implement an IR plan, to report the incident, and to preserve the (crime) scene. We explain how to investigate the compromised system(s), how to restore authoritative name service and how to recover or restore other services affected by the attack. As part of these descriptions, we identify measures to most effectively mitigate vulnerabilities, measures to mitigate malicious software or compromised configuration data that may have been used during the attack, and measures that to make the overall security of the authoritative name service more resilient or resistant to future attacks. We include references to resources that are more detailed or prescriptive throughout the document.

We are cognizant that the attack landscape constantly evolves and that current, accepted, or recommended practices may change. We welcome your suggestions for improvements or updates.


    Domain Name System
    Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as"""" is not an IDN."