Verisign: operating critical Internet infrastructure

31-03-2013

Scott Courtney

The Internet has come a long way, but as it has grown so have the threats to its security, as Scott Courtney explains.

It’s hard for many to believe that two decades ago, the Internet was mostly just used to connect technologists and researchers interested in information sharing. Fast forward to today, and the Internet has grown to more than 250 million domain names and almost 2.5 billion users worldwide who rely on it for many facets of their lives.

A 2011 report from McKinsey Global Institute, entitled Internet Matters: The net’s sweeping impact on growth, jobs and prosperity, found that the Internet has delivered substantial economic growth and created jobs on a large scale, while also facilitating the exchange of $8 trillion a year through e-commerce.

Industries such as manufacturing and retail have reinvented themselves thanks to the new models of automation and e-commerce. Yet, even though there is a very large dependence on the Internet, there is very little understanding of what it takes to operate its critical infrastructure.

Internet infrastructure demands have grown exponentially

In the early days of the Internet, the focus was more on creating scalable protocols than on running critical services. Over time, as more critical resources came to rely on the Internet, stakeholders from national and international organisations, governments, the private sector, and research, academic and technical communities came together to create shared policies and standards.

Their efforts helped to standardise a framework that made reliability and the ability to scale early drivers of the Internet’s growth. This started a cycle that is still seen today and is expected to continue as we discover the ever-increasing opportunities that the Internet has to offer.

At the basic operational level, the Internet is a globally distributed computer network composed of many other independent networks. It’s made up of network links between hardware like routers, smart devices and servers that perform computations and store information.

It also has a common set of protocols, or rules, that all machines connected to the Internet must follow for communication between devices to occur. The Transmission Control Protocol (TCP) and the Internet Protocol (IP) are the two main protocols that establish the rules for sending and receiving information over the Internet. Layered on top of these, as an application-level service carried over UDP or TCP (normally on port 53), is the Domain Name System (DNS).

The DNS is a hierarchical distributed naming system for any resource connected to the Internet.

Every Internet-connected device and destination is ultimately reachable through a public IP address, a 32-bit (IPv4) or 128-bit (IPv6) number that serves as its identifier on the network. IP addresses allow each of the billions of digital devices connected to the Internet to be addressed and distinguished from every other device. In the same sense that someone needs your mailing address to send you a letter, a remote computer needs your public IP address to communicate with your computer or device.

However, since IP addresses are difficult to remember, domain names were created to provide a more user-friendly way to navigate the Internet. A domain name maps to one or more IP addresses (and several names can share one address). The DNS, made up of a hierarchy of root, TLD and authoritative name servers, translates user-friendly domain names into numerical IP addresses.

Every domain name is served by a registry operator. A registry operator is the part of the DNS ecosystem that manages the database of domain names for a top-level domain (TLD), the characters to the right of the last dot, and generates the TLD's zone file. That zone file does not hold the final IP addresses of websites: for each registered domain it records a delegation (NS records, plus glue addresses for the name servers) that points at the name servers the domain's owner or hosting provider operates, and it is those authoritative servers that hold the address records.

For example, Verisign is the registry operator responsible for maintaining the databases of all .com, .net, .gov, .edu, .tv, .name, .jobs, and .cc domain names. When you make a request, or query, from your browser to go to a website such as VerisignInc.com, your device hands the name to a recursive resolver (typically run by your ISP or organisation). Unless it already has the answer cached, the resolver works down the hierarchy: a root server refers it to the .com name servers, the .com servers refer it to the name servers authoritative for VerisignInc.com, and only that authoritative server holds the information associated with the domain name.

The authoritative name server translates the domain into its corresponding IP address, in this case 69.58.188.38, and responds to the querying resolver, which passes the answer back so your browser can retrieve the Verisign website. This initial step, the DNS lookup, usually takes less than one-tenth of a second, and the .com referral in the middle of it is the part served by the domain name registry operator. Because resolvers cache answers, the bulk of lookups never reach the root or .com servers at all; the registry's servers are consulted when a cache entry is missing or has expired.
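The walk described above, root to .com to the domain's own name server, as an added example in Python (not Verisign code and not a real resolver). The three "servers" are in-memory zone snippets: all server names, the TEST-NET-1 addresses (192.0.2.0/24) and the zone contents are constructed; only the final answer, 69.58.188.38, is the address quoted in the article. The example also shows where a mistyped name is rejected: the .com server holds no delegation for it, so the lookup stops there with no answer.

```python
# Toy iterative resolver that walks root -> .com -> authoritative server, the
# path the VerisignInc.com lookup described above takes. Added example, not
# Verisign code. All server names, server addresses (TEST-NET-1, 192.0.2.0/24)
# and zone contents are constructed; only the final answer 69.58.188.38 is the
# address quoted in the article.

# Each server holds a dict: owner name -> list of (rrtype, rdata).
ROOT_ZONE = {
    "com.": [("NS", "a.gtld-servers.net.")],
    "a.gtld-servers.net.": [("A", "192.0.2.1")],        # glue for the .com server
}
COM_ZONE = {                                             # what the .com registry publishes:
    "verisigninc.com.": [("NS", "ns1.example.net.")],    # a delegation, not the address
    "ns1.example.net.": [("A", "192.0.2.53")],           # glue (constructed)
}
AUTH_ZONE = {                                            # the domain's own name server
    "verisigninc.com.": [("A", "69.58.188.38")],
}
SERVERS = {"192.0.2.10": ROOT_ZONE, "192.0.2.1": COM_ZONE, "192.0.2.53": AUTH_ZONE}
ROOT_HINT = "192.0.2.10"   # real resolvers load root server addresses from a hints file


def _fqdn(name):
    """Lower-case and dot-terminate a name (DNS names are case-insensitive)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def query(server_ip, qname, qtype):
    """Ask one server. Returns ("answer", [rdata...]) if it holds the record,
    ("referral", [(ns_name, ns_ip)...]) if it holds only a delegation for the
    name or one of its parents, or ("nxdomain", None) if it knows nothing."""
    zone = SERVERS[server_ip]
    qname = _fqdn(qname)
    answers = [rd for (t, rd) in zone.get(qname, []) if t == qtype]
    if answers:
        return ("answer", answers)
    labels = qname.split(".")                   # "a.b." -> ["a", "b", ""]
    for i in range(len(labels) - 1):            # longest match first: a.b., then b.
        candidate = ".".join(labels[i:])
        ns_names = [rd for (t, rd) in zone.get(candidate, []) if t == "NS"]
        if ns_names:
            glue = [(n, a) for n in ns_names for (t, a) in zone.get(n, []) if t == "A"]
            return ("referral", glue)
    return ("nxdomain", None)


def resolve(qname, qtype="A", max_hops=8):
    """Iterate from the root hint until an answer or NXDOMAIN.
    Returns (rdata_list_or_None, [server ips consulted, in order])."""
    server_ip, path = ROOT_HINT, []
    for _ in range(max_hops):
        path.append(server_ip)
        kind, data = query(server_ip, qname, qtype)
        if kind == "answer":
            return data, path
        if kind == "nxdomain" or not data:      # no glue to follow: give up
            return None, path
        server_ip = data[0][1]                  # real resolvers pick by latency and retry others
    raise RuntimeError("too many referrals; delegation loop?")


if __name__ == "__main__":
    addrs, path = resolve("VerisignInc.com")
    print(addrs, "via", " -> ".join(path))   # ['69.58.188.38'] via 192.0.2.10 -> 192.0.2.1 -> 192.0.2.53
    print(resolve("verisgninc.com"))         # (None, ['192.0.2.10', '192.0.2.1'])
```

Note what each hop contributes: the root and .com servers never return the address, only referrals, which is why the registry's zone consists of delegations and glue rather than website addresses.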

Requirements to operate a large TLD such as .com

As the registry operator for .com, Verisign has provided the essential underlying service layers that direct Internet users to where they want to go online. We have observed and responded to the explosive growth of the Internet, the majority of which has occurred within the domains we operate, by consistently over-delivering on the requirements of the day to support the uninterrupted operation of the Internet.

With a current average of 77 billion DNS lookups performed daily—and peaks far in excess of this—it is vital that Verisign’s Internet services be operational around the clock. To make this possible, we have designed a sophisticated service from the ground up to address multiple complex, high-volume, real-time demands. This includes diverse hardware, operating systems, middleware and custom applications, power provider and network provider diversity, and a number of other protections.

Massive scale helps ensure global performance and data integrity at all times. It supports real-time updates, as new domain names are added, across 75 authoritative name server sites around the world, and it underpins the operation of the A and J roots, two of the 13 root servers supporting DNS operations for all domains on the Internet.

This combination of a reliable, secure platform and significant capability provides a foundation for a wave of new applications and services that are poised for growth in the near future with advancements in cloud computing, Big Data and the ‘Internet of Things.’

Adoption of these new applications and services will once again raise the bar on the infrastructure needed to deliver available and secure services that earn the trust of Internet users. Two examples are the impending shift to Internet Protocol version 6 (IPv6), which greatly expands the Internet's address space, and mass adoption of DNS Security Extensions (DNSSEC), which adds a cryptographic chain of trust to DNS data, from the signed root down through each signed zone, so that forged or altered answers, the basis of cache-poisoning and man-in-the-middle attacks on DNS, can be detected by a validating resolver.

Staying ahead of Internet threats

Without a doubt, the cost of running critical Internet infrastructure at these performance levels is high, but let’s consider the cost of failure.

If Internet connectivity were significantly interrupted for an extended time period, or even just our infrastructure that enables the lookup of the more than 120 million .com and .net domain names in the world, a long list of things we’ve come to rely upon would likely fail, all with varying degrees of impact. Naturally, we would probably lose access to much of the news and information that guides our day-to-day lives. The communication channels to family, friends, and business associates would fail.

While important, these impacts are benign in comparison to others, such as loss of critical notification systems, or an interruption to the billions of dollars per day of economic activity that occurs on the Internet. Thankfully there are a number of redundancies built into Internet infrastructure that are designed to help prevent this from happening.

Verisign has pioneered solutions for addressing new generations of threats to the security and stability of critical Internet infrastructure. As the strength of the DNS has engendered public trust, and businesses, governments and individuals have moved critical operations and information online, this has also created a massive opportunity for cyber criminals to engage in competitive sabotage, extortion, theft, and general disruption of services.

Some of the most talked about and common methods of disruption seen today are distributed denial of service attacks (DDoS), advanced persistent threats (APTs) and exploitation of user errors through techniques such as typosquatting and phishing.

DDoS attacks have increased massively in size and in frequency in the past 12 months. While there are several different types of DDoS attack, in general the term describes what occurs when attackers use many hosts (such as compromised PCs or servers) to overwhelm a service's bandwidth or computing capacity, rendering a site unavailable. Beyond direct attacks on websites, we are seeing the authoritative DNS being targeted in DDoS attacks and have developed specialised defences in response.
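One of the simplest checks an authoritative DNS operator can run against a query log, as an added example in Python: a sliding-window count of queries per client, flagging any client that exceeds a threshold within the window. This is illustrative and is not Verisign's defence; the log lines are constructed (format `<ISO timestamp> <client ip> <qname> <qtype>`, addresses from the TEST-NET documentation ranges), as are the threshold and window size.

```python
from collections import defaultdict, deque
from datetime import datetime

# Sliding-window query-rate detector over an authoritative DNS query log.
# Added example of a per-client check an operator can run; not Verisign's
# defence. The log is constructed: one client sends 30 queries in 0.3 s
# (a flood), another sends 5 queries over 5 s (normal traffic).


def build_sample_log():
    """Constructed log lines: '<ISO timestamp> <client ip> <qname> <qtype>'."""
    flood = [f"2013-03-31T10:00:00.{i * 10:03d} 203.0.113.9 verisigninc.com. A"
             for i in range(30)]
    normal = [f"2013-03-31T10:00:0{i}.500 198.51.100.7 verisigninc.com. A"
              for i in range(5)]
    return sorted(flood + normal)        # fixed-width timestamps, so text order == time order


def detect_floods(lines, threshold=20, window_s=1.0):
    """Flag clients that exceed `threshold` queries within any `window_s`-second
    sliding window. Returns {client_ip: timestamp text of the first flagged query}."""
    recent = defaultdict(deque)          # client -> timestamps still inside the window
    flagged = {}
    for line in lines:
        ts_text, client, _qname, _qtype = line.split()
        ts = datetime.fromisoformat(ts_text).timestamp()
        window = recent[client]
        window.append(ts)
        while ts - window[0] > window_s:  # drop queries that have aged out of the window
            window.popleft()
        if len(window) > threshold and client not in flagged:
            flagged[client] = ts_text
    return flagged


if __name__ == "__main__":
    print(detect_floods(build_sample_log()))   # {'203.0.113.9': '2013-03-31T10:00:00.200'}
```

A caveat a practitioner would add: DNS floods usually arrive over UDP, whose source addresses can be spoofed, so a per-client count is one signal among several (anycast capacity, per-name and per-response-size limits, upstream filtering) rather than a complete defence, and a flagged address should be treated as a suspected source, not a proven one.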

APT refers to sustained cyber-espionage campaigns, typically attributed to nation states. This type of activity has increased in recent years as the Internet has put more critical information within reach. The primary goal of an APT is usually to gain and maintain access to target networks and to exfiltrate intellectual property, personally identifiable information, and financial and strategic information from governments, corporations and individuals. It takes spying to a whole new level.

Lastly, the trend of malicious actors registering typosquatting domains is also on the rise. Most of us have mistyped a domain name in our browsers, usually ending up at the wrong website or an error message. Unfortunately, there are several ways that malicious actors can take advantage of this common mistake: by replicating a legitimate website on a look-alike domain, they can lure unsuspecting visitors who think they are safely conducting business on the intended website into malware downloads or phishing.
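The mistakes typosquatters count on are mechanical, so the candidate domains can be enumerated. Below, as an added example in Python (not Verisign code or a Verisign service), is a generator for the common patterns, omitted, repeated and transposed characters and adjacent-key substitutions, followed by a check of which candidates already exist. The keyboard layout is an assumption (US QWERTY), and the "registered" set is constructed; a real brand-protection check would replace it with an availability query to the registry or WHOIS.

```python
# Typosquatting candidate generator plus a check of which look-alikes are
# taken. Added example, not Verisign code; the keyboard layout is an assumption
# (US QWERTY) and the registration data used in the demo is constructed.
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def adjacent_keys(ch):
    """Keys immediately left and right of `ch` on the same row (the 'fat finger' typo)."""
    for row in QWERTY_ROWS:
        i = row.find(ch)
        if i >= 0:
            return row[max(0, i - 1):i] + row[i + 1:i + 2]
    return ""


def typo_candidates(label):
    """Look-alike second-level labels for `label` (without the TLD):
    omission, repetition, adjacent-key substitution, transposition."""
    out = set()
    n = len(label)
    for i in range(n):
        out.add(label[:i] + label[i + 1:])                     # omission:      versign
        out.add(label[:i] + label[i] + label[i:])              # repetition:    verisignn
        for k in adjacent_keys(label[i]):
            out.add(label[:i] + k + label[i + 1:])             # substitution:  veriaign
    for i in range(n - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition: verisgin
    out.discard(label)
    return sorted(c for c in out if c)


def registered_lookalikes(label, tld, registered):
    """Candidates under `tld` that appear in `registered`. In a real check,
    `registered` is replaced by an availability lookup against the registry."""
    return sorted(c + "." + tld for c in typo_candidates(label)
                  if c + "." + tld in registered)


if __name__ == "__main__":
    demo_registered = {"versign.com", "verisgin.com", "example.com"}   # constructed
    print(len(typo_candidates("verisign")), "candidates")
    print(registered_lookalikes("verisign", "com", demo_registered))    # ['verisgin.com', 'versign.com']
```

The same generator serves the defender and the attacker; the difference is only who registers the output first, which is why brand owners typically register or monitor the highest-risk variants of their own names.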

Planning for the future

In 2013 and beyond, we expect to see an increase in all of the aforementioned threats, so Verisign is working to develop innovative services to help thwart these. Our DDoS Protection service, developed with expertise from protecting the infrastructure for .com and .net, is helping defend enterprises from attacks by blocking harmful traffic in the cloud before it reaches their network or application.

Our iDefense Security Intelligence Services are working to provide up-to-the-minute, actionable intelligence on how to prevent APTs. And we have implemented DNSSEC in the .com and .net zones to help assure users that the data they receive in response to an Internet request originated from the stated source and was not modified in transit by malicious actors. That assurance is only realised end to end when the domain's own zone is also signed, with its DS record published in .com or .net, and when the user's resolver validates the signatures; DNSSEC authenticates DNS data but does not encrypt it.
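The chain of trust mentioned above (and under DNSSEC in the earlier section) hangs on one link per zone: the parent publishes a DS record that is a hash of the child's key-signing DNSKEY, and a validating resolver checks that a DNSKEY it fetched from the child matches that DS before it trusts anything the child's keys sign. Below, as an added example in Python, is that link computed and checked from the record formats in RFC 4034: canonical owner-name encoding, the DNSKEY key tag and the DS digest. This is not Verisign code; the DNSKEY bytes are constructed (not a real key), and verifying the RRSIG over the child's DNSKEY set with the matched key, the step that follows in a real validator, is outside this block.

```python
import hashlib
import struct

# How the DNSSEC chain of trust links a parent zone to a child: the parent
# (here .com) publishes a DS record that hashes the child's key-signing DNSKEY,
# and a validator checks that link before trusting the child's keys.
# Added example, not Verisign code; the DNSKEY below is constructed (not a real
# key) and RRSIG verification with the matched key is out of scope here.


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lower-case
    labels, each prefixed by its length, terminated by a zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA); type 2 = SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, rdata, digest_type=2):
    """The DS record the parent publishes: (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def match_ds(owner, child_dnskeys, parent_ds):
    """Validator step: return the child DNSKEY RDATA that the parent's DS commits
    to, or None if none matches (tag, algorithm and digest must all agree)."""
    tag, alg, dtype, digest = parent_ds
    for rdata in child_dnskeys:
        if (rdata[3] == alg and key_tag(rdata) == tag
                and ds_digest(owner, rdata, dtype) == digest.upper()):
            return rdata
    return None


if __name__ == "__main__":
    # flags 257 = key-signing key, protocol 3, algorithm 8 = RSASHA256; key bytes constructed
    ksk = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
    ds = make_ds("verisigninc.com.", ksk)
    print("key tag", ds[0], "digest", ds[3])                          # key tag 2063
    tampered = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x05")
    print(match_ds("verisigninc.com.", [tampered, ksk], ds) is ksk)   # True
    print(match_ds("verisigninc.com.", [tampered], ds))               # None
```

Two details matter in practice: the key tag is only a 16-bit hint for selecting candidate keys, so the digest comparison is what actually binds parent to child, and the owner name is hashed in canonical (lower-case) form, so a DS computed for `VerisignInc.com.` matches the same key for `verisigninc.com.`.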

Our team of researchers is also constantly working to identify new and improved ways of safeguarding the Internet through, among other things, participating in the public stakeholder discourse on Internet governance and best practices, conducting primary research, and developing patented innovations spanning the technology landscape.

We have been instrumental in advancing DNS protocols for security and efficiency. For example, we have worked to advance the DNS-Based Authentication of Named Entities (DANE) protocol, which builds on the DNSSEC infrastructure to publish, in signed DNS records, the certificate or public key a service is expected to present (for TLS, the TLSA record type). The same approach can be used to distribute other cryptographic credentials, such as the keys needed to enable signed and encrypted email between Internet users.

The work of our teams underscores the point that to continue to enable secure and reliable connectivity, we need to look differently at DNS: not because the services we’ve been providing are any less important, but because the services our stakeholders and customers are likely to want in the future continue to evolve.

They need a back-end service to support infrastructure, but they also need more intelligence in the front end and the middle. They need simple answers to simple questions, but sometimes they also need different answers. And they need a place to look up more information than just the IP addresses of servers. In effect, they need a way to enable access to more things with confidence and reliability, any time, anywhere.

Our commitment is to ensuring that an infrastructure powered by Verisign is always operating at the highest level to enable the innovation required to address the needs of the future, while also addressing the needs of today.

This article was first published on 01 April 2013 in World IP Review

Trademarks and Brands Online