ICANN Blogs

Top Level Domain Incident Response Resource Now Available

28 September 2015
By Dave Piscitello

When Top Level Domain operations are attacked, ICANN's SSR department may be asked to assist with incident response, either directly or as a facilitator that can identify competent resources for incident response, recovery, or subsequent investigation.

A recent series of attacks against Top Level Domain operators in the Domain Name System underscores the contention, and the growing concern, that all critical infrastructures are vulnerable. One asset targeted in recent attacks is the authoritative name service of a Top Level Domain. Attackers who successfully compromise an authoritative name server are able to alter the DNS data on that server to conduct defacement or web impersonation attacks.

ICANN's SSR department, in cooperation with subject matter experts from Mark Monitor, Network Startup Resource Center (NSRC), and Farsight, Inc., has produced a "recovery checklist" to assist TLD operators who fall victim to an authoritative name server compromise. The checklist covers the immediate, interim, and long-term actions an operator should consider when it determines, or is notified, that its authoritative name service has been compromised.

Top Level Domain Incident Response: A "Recovery" Checklist [PDF, 148 KB] begins with investigation basics: we briefly explain how to implement an IR plan, how to report the incident, and how to preserve the (crime) scene. We then explain how to investigate the compromised system(s), how to restore authoritative name service, and how to recover or restore other services affected by the attack. Alongside these descriptions, we identify measures to mitigate vulnerabilities most effectively, measures to deal with malicious software or compromised configuration data that may have been used during the attack, and measures to make the authoritative name service as a whole more resilient or resistant to future attacks. Throughout the document we include references to resources that are more detailed or prescriptive.
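The altered-DNS-data scenario above, and the "investigate the compromised system" and "compromised configuration data" steps of the checklist, both rest on being able to tell what changed in a zone. The following is an added example, not code from the ICANN post or from the checklist it announces: it diffs a snapshot of an authoritative zone against a known-good baseline and reports RRsets that appeared, vanished, or now carry different data. The zone text, names and addresses are constructed for illustration.

```python
# Zone-drift check: compare an authoritative zone snapshot with a known-good
# baseline so altered DNS data stands out during triage. Added example, not
# from the ICANN post or its checklist; zone text and addresses are constructed.
from collections import defaultdict

def parse_zone(text):
    """Parse simplified zone lines 'owner ttl class type rdata...' into
    {(owner, type): set(rdata)}; ';' comments and blank lines are skipped."""
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records[(owner.lower(), rtype.upper())].add(" ".join(rdata))
    return records

def diff_zones(baseline, current):
    """Report RRsets that appeared, vanished or changed rdata. The SOA changes
    on every legitimate edit too, so reconcile that entry with the change log."""
    report = {"added": {}, "removed": {}, "changed": {}}
    for key in set(baseline) | set(current):
        old, new = baseline.get(key), current.get(key)
        if old is None:
            report["added"][key] = new
        elif new is None:
            report["removed"][key] = old
        elif old != new:
            report["changed"][key] = {"expected": old, "observed": new}
    return report

# Constructed snapshots (not real zone data): the current copy carries an
# unexpected extra delegation and a glue address that no longer matches.
BASELINE_ZONE = """
example.tld.     86400 IN SOA ns1.example.tld. hostmaster.example.tld. 2015092801 7200 3600 1209600 3600
example.tld.     86400 IN NS  ns1.example.tld.
example.tld.     86400 IN NS  ns2.example.tld.
ns1.example.tld. 86400 IN A   192.0.2.1
"""
CURRENT_ZONE = """
example.tld.     86400 IN SOA ns1.example.tld. hostmaster.example.tld. 2015092802 7200 3600 1209600 3600
example.tld.     86400 IN NS  ns1.example.tld.
example.tld.     86400 IN NS  ns2.example.tld.
example.tld.     86400 IN NS  ns3.unknown.example.  ; not in the baseline
ns1.example.tld. 86400 IN A   198.51.100.9           ; glue differs from baseline
"""

def run_check():
    """Diff the constructed snapshots; returns the report dict."""
    return diff_zones(parse_zone(BASELINE_ZONE), parse_zone(CURRENT_ZONE))
```

The same diff applied to a baseline captured before the incident and a snapshot taken from each authoritative server (and from the zone's distribution master) shows which servers were altered and which records need to be restored.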

We are cognizant that the attack landscape constantly evolves and that current, accepted, or recommended practices may change. We welcome your suggestions for improvements or updates.
