The CZ.NIC Association is Ready for Potential Attacks

2013-03-07 11:10

Prague, 7 March 2013 – The CZ.NIC Association, maintainer of the national domain .CZ, realises that it may be among the targets of the next waves of attacks that have been launched against Czech companies since the beginning of this week (the media, banks, etc.). Thanks to the robustness of the entire system the CZ.NIC Association is using, it is unlikely that its operation could be interrupted in the event of an attack. It would take a very strong and sophisticated strike to cause such an interruption. The CZ.NIC security team has also prepared an effective tool that can help network and server administrators in testing the resilience of their infrastructure.

“The first component in our structure is the registration system, which is only used by domain registrars. It is deployed at two completely separate sites, with all network connections implemented as two independent routes. Both sites also have their own independent connections to two nodes of the NIX.CZ peering centre and to abroad, using both IPv4 and IPv6 protocols,” said Ondřej Filip, Executive Director of the CZ.NIC Association. “The second part of the system is the DNS servers themselves, which are used to propagate information on domain names. Continuous operation of DNS is provided by a system of secondary name servers. In addition to two sites in the Czech Republic, these servers are also located in the US, Chile, Japan, Austria, Germany, Sweden and the UK.”

CZ.NIC also emphasises the platform diversity of its solutions. The servers are based on different hardware solutions, run different operating systems and in the case of secondary name servers, also different implementations of the DNS server. Network infrastructures in each site are also based on devices from different manufacturers. Another factor increasing the robustness of the DNS system architecture is the Anycast technology used by our servers. One of the features of the Anycast system which is useful during attacks (among other cases) is effective load balancing between servers and individual sites.

“Because we are aware of the importance of this system, there is one more backup location besides the two publicly known sites hosting redundant servers in the Czech Republic. In the case of a successful attack, this site can be used to quickly redeploy the registrar interface and keep the system running,” Ondřej Filip added.

The CZ.NIC Association security team developed a tool which can generate traffic of the same type and intensity that was experienced in the real attacks. This tool is installed on a very high-performance server farm which can produce a data stream of the required strength. We are currently using this solution to test our own infrastructure, but will also be offering it to interested external parties.