FCC Recommends Code of Conduct for ISPs
In an earlier blog we mentioned the recommendations made by the CSRIC (Communications Security, Reliability and Interoperability Council), a Federal Advisory Committee for the Federal Communications Commission (FCC), to improve Internet safety. This is a set of industry-wide best practices for ISPs and other organizations that operate critical infrastructure. The voluntary best practices outlined in the recommendations are designed to address three main cyber-security issues facing commercial networks and the Internet:
• domain name fraud
• botnets
• IP route hijacking
Domain name fraud – CSRIC recommends that ISPs implement best practices to better secure the Domain Name System. In 2008 Dan Kaminsky documented an exploitation method by which traffic could be redirected to a false site. The lack of security for DNS has enabled spoofing, allowing Internet criminals to coax credit card numbers and personal data from users who do not realize they are on an illegitimate website. DNSSEC is a set of secure protocol extensions that prevent such fraudulent activity. This recommendation is a significant first step toward full DNSSEC implementation.
Botnets – To reduce the threat of botnets in residential networks, CSRIC recommends a voluntary Anti-Bot Code of Conduct for ISPs.
A botnet is a network of private computers that are, unbeknownst to the computers’ owners, infected with malicious software. Botnets enable criminals to steal personally identifiable information and launch distributed denial-of-service (DDoS) attacks against websites. As this article explains, botnets represent a serious problem for all Internet users, which is why the Communications Security, Reliability and Interoperability Council (CSRIC), an industry advisory group, is now asking U.S.-based Internet service providers (ISPs) to adopt a “code of conduct” for weeding out botnet infections.
According to Michael O’Reirdan, a CSRIC Working Group chairman, nothing will make botnets go away, but implementing even a small fraction of the code’s major principles will make it harder for attackers to operate. Adhering to the code of conduct involves educating consumers about the dangers of botnets, taking steps toward the detection and remediation of the infections, and collaborating with other ISPs that have also agreed to follow the recommendations to increase Internet safety.
IP route hijacking – Today there is no verification of authorized routes. CSRIC recommends an industry framework to prevent Internet route hijacking (the erroneous routing of Internet traffic through potentially untrustworthy networks). CSRIC recommends that ISPs work to implement new technologies and practices to better assure safe and authorized routes. This is necessary to protect Internet traffic from possibly being exposed to unwanted packet scanning or not reaching the intended destination.
The FCC is not mandating that ISPs adhere to the recommendation. Instead, the guidelines encourage providers to voluntarily participate, just as they have been doing for years to help filter out spam. According to the FCC report, several major ISPs including AT&T, CenturyLink, Comcast, Cox, Sprint, Time Warner Cable, T-Mobile, and Verizon have agreed to implement the code of conduct.
Secure64 has developed a white paper that covers the FCC recommendations and outlines how Secure64's high-performance DNS products can help deploy an Internet infrastructure that can be trusted and lead to greater Internet safety. Contact us to learn more.