Sunday, 10 September 2017

NIS Directive and Internet companies in the UK…

This blog is about some upcoming legislation which could have a lot more impact than you might expect on smaller companies that provide internet-related services.

Summary

The Network and Information Systems Directive is an EU Directive which will be implemented into UK law next May. At this stage the UK implementing law is not drafted and we have a chance to influence how it is drafted by responding to a DCMS consultation. If you offer any sort of web hosting, or you are an ISP, even a small one, you may find yourself in scope, and so should look into this now. The penalties can be huge, much like GDPR penalties.

Key problems

Who should be in scope? On some aspects it is not entirely clear who should be in scope (who the directive is aiming at). We can guess at some big players like LINX, Google, and Nominet, but when it comes to DNS and cloud services, it is very unclear.
Defining the scope. This is very important, as defining the scope by describing the service and some measurable scale can be very hard. I would struggle to define a DNS provider to include all that they intend with no unintended consequences, even if I could understand the intended scope in the first place.

Both of these are areas where DCMS urgently need help so as to avoid some bad legislation — not only would it put an undue burden on smaller ISPs, it would actually be counterproductive and increase the risk.

What is the NIS directive?

If you have not heard of it before, the NIS directive is an attempt to increase the security and resiliency of network and information systems, primarily the Internet, to minimise disruption and downtime, and the ensuing impact on the economy. It builds on rules which are already in place covering electronic communications networks and services.

Essential Services

The main targets are those providing essential services. This covers Transport and Energy and so on but specifically covers internet-related services provided by IXPs, DNS providers, and TLD registries. Whilst IXPs covered are likely to be LINX and perhaps a few others, and TLD providers are likely to be Nominet, the “DNS providers” category is a concern, as I will explain later.

Digital Service Providers

The directive also covers Digital Service Providers, which covers all sorts of people like on-line marketplaces, cloud computing, and search engines. Unlike “essential services”, there is a threshold test for digital service providers: a provider which employs fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed €10 million is out of scope.

Do we really need legislation?

Sadly the time to tackle this has gone as this is an EU directive which the UK is bound to implement, though it will be reviewed from time to time. However, this is an important question as the UK has some discretion as to the way in which the directive is implemented, and it may be possible to limit the scope to the few larger providers that already have in place the measures that the directive requires. Considering if the legislation is actually needed could be a factor in this.

The reason I am unconvinced is that the industry, at all levels from low-level protocol design to network operations of companies like Google and eBay, already takes these issues seriously and is constantly working on improvements.

Just looking at DNS, it was designed to be robust in the first place, and improvements to resolvers (randomised ports) and changes like DNSSEC are tackling some of the ways the system can be “attacked”. Even at higher levels, things like HTTPS (secure web pages) are making DNS attacks less useful. You then have the reputation of these larger companies, and their experience - when was the last time you could not get to Google or Facebook which was their fault (i.e. not just a broadband outage)?

So if industry is constantly working on this, do we need legislation? Will legislation simply add additional burden? Can we limit that burden when putting this into UK law?

Search engines

They presumably mean Google and Bing, but how in scope do these companies become if they shut down EU offices? Maybe they should just list them as being in scope? However the definition actually talks of a service that searches all web sites, which no search engine does or ever could do, so Google could easily argue it is out of scope. I am not that fussed as we are not a search engine, phew, but it would help to get DCMS to understand and refine these definitions — and, to their credit, they really do appear to be willing to listen.

Cloud computing and on-line marketplaces

This gets more complex as it could cover simple web hosting. There are the turnover figures, but if a medium-sized company was to do some web hosting it could find itself in scope. At the very least the thresholds need to be tied to “relevant turnover”, and I think the definitions need to be pinned down somewhat. There is a danger we could be in scope one day, and many ISPs only slightly bigger than us are probably going to be in scope.

The scope of “cloud computing services” proposed to be in scope by DCMS seems to go way beyond what the UK is required to implement under the directive, and we are not sure why. The directive requires only providers of a “digital service that enables access to a scalable and elastic pool of shareable computing resources” to be in scope, but DCMS is seemingly proposing that anyone who provides online services to businesses must be in scope — email, IM, VoIP, web hosting, and so on. Since very few of these services are actually critical to the economy, their inclusion seems unnecessary.

DNS providers

This is a special can of worms, and hence the largest part of this blog post. The problem is that this comes under the onerous “essential services” category which includes some serious fines for non-compliance, and does not have the same turnover / employee threshold as the “digital services” obligations.

The actual EU directive talks of DNS being a “hierarchical system” that “refers queries”. To me that is authoritative DNS servers only. Remember that TLD operators are covered as well. The proposed UK legislation seems to cover caching and recursive resolvers too. That is where it becomes a problem.

The two sides of DNS…

Authoritative servers: The DNS database is distributed and hierarchical. It is a target for attack. If you can change the DNS entries, or make them appear to be changed, for, say, a bank, or one of those digital service providers, you can disrupt services and defraud people as well. So DNS is important.

One problem here is that DNS can be, and is, in the hands of the companies with these important domains. It is unlikely they would rely on their local ISP to manage the DNS. The TLD provider like Nominet would refer (delegate) to the company’s own authoritative DNS servers. So it could be that the DNS servers in question are not covered by the legislation anyway in the cases where attacks would cause the most damage.

Where it could come in is where there are ISPs providing authoritative DNS as a service to others. We do that as a small ISP. But our customers can, and probably should, be using secondary servers from other providers.

The threats here are mainly that DNS records are changed, and this could be by some social engineering (phoning claiming to be a customer, emailing, trojanning to get control page login details, etc), or technical (straight hacking). Obviously there is a risk of something simple like a power outage, but that should be covered by the fact DNS has redundant servers. There is also a risk of DoS attacks on such servers. The issue here really is that small ISPs like us, that could well be in scope here, are not going to be used by big players like a bank, or someone important. As such we are a lower risk target anyway, and less of a disruption when attacked. Even so, we offer our customers two factor authentication to minimise risk of unauthorised changes being made.

There is one other threat, one of incompetence, and I worry we could be failing such legislation if it applies to us. What happens is a customer will go to some web developer. The web developer will say that they will need the DNS name servers for the domain changed over to them. Many web developers work like that, and have no clue about other uses of DNS, even email! We try very hard to warn customers if they ask for DNS to be changed to new name servers, but even so, it is not uncommon to have the customer on the phone an hour later asking why email is not working any more.

At the end of the day, I am not sure which “larger players” in the authoritative DNS market (below the TLD such as Nominet) would sensibly be a target for this legislation. Are there “Authoritative DNS providers to the stars” out there, offering authoritative DNS to large companies? Who are they?

Caching and recursive resolvers: This is where it does get scary. As worded now by DCMS we come into scope as an essential service provider because of the caching recursive DNS resolvers we provide to customers. That is crazy! We are a small ISP, with under 10,000 customers. DCMS has proposed that only providers who get more than 60 million queries in 24 hours would be in scope but, having measured these, we exceed this threshold by a factor of two on our customer-facing resolvers right now. And it gets more complex.

Each of the customer routers typically has a DNS resolver or forwarder. Some of these are owned by us, and for many ISPs the customer router is owned, or maintained, by the ISP. If they come into scope (and I cannot see that they would not), then they will be getting an order of magnitude more queries. I think, in our case, most customer routers are not “ours”, thankfully, but even for those that are, I am unsure how we would know how many queries they get. Of course one customer deliberately hitting their own router on its 100Mb/s LAN as fast as they can with queries would put that one router in scope, even if the requirement is billions of queries in 24 hours. That would put that customer, or us (if it is “ours”), in scope suddenly.

There are other issues with DNS resolvers. The industry has tackled threats as they have come along, and one was that older/simpler resolvers were vulnerable to being flooded with incorrect answers and then made to look something up - not that hard to do with code embedded in a web page. So what happens if a specific make of customer router has such a vulnerability? That could cause widespread impact on services, spoofed DNS and fake web sites and fraud. Who is, or should be, responsible for that? The manufacturer? The reseller? The end users? The legislation seems to ignore this risk completely, but it is also easy to see it being impossible to police for “made in China” routers anyway, and you really cannot make code 100% bug free.

The other issue is that this could easily “put all eggs in one basket”. At present ISPs will operate a lot of customer-facing caching recursive DNS resolvers. Lots of redundancy. This makes attacks such as DoS harder. As a small ISP I doubt we can afford to find ourselves in the “essential services” scope, so what would we do? What would lots of small ISPs do? We would almost certainly (with suitable announcement) change DNS servers to use Google’s 8.8.8.8/8.8.4.4 service (and its IPv6). Alternatively we may subcontract to some commercial DNS provider. That could get us below any thresholds and out of the essential services scope.

The problem with this is that you end up with a few large DNS resolver companies instead of every ISP operating lots of separate caching resolvers, giving end users choice and redundancy (they can always switch to use 8.8.8.8 if they want or even run their own resolver). These few large providers, even though in scope of the regulation (if they are in the EU) will then be a juicy target for attack, either as DoS or DNS poisoning or simple bribery. They become the sole gatekeepers of the underlying hierarchical DNS system, undermining its integrity. This undermines the reliability of DNS and goes head to head with the technical community that DCMS should be embracing, and not fighting.

Of course, we have the issue of published resolvers that will be hard coded. We could port map these to an external DNS resolver. But then the port mapper boxes become as important as the DNS resolvers they replace - so do they become in scope as “DNS resolvers” themselves? What if part of CGNAT boxes? What if a feature of customer routers?

Personally I cannot see any logic in including caching and recursive resolvers in scope at all. Is there a threat? Maybe if they specifically called out Google’s public 8.8.8.8 service as in scope, perhaps that is all they intend?

Missing!

There also seem to be a few key services missing from the directive!

Data centres: Whilst technically a data centre is not different to someone else selling office space (they sell space, power, air-con and physical security basically), they are key to the operation of all of these digital services that are covered by the directive. Why are they not in scope?

Content Delivery Networks: These too are key to many services, and could have major impact if attacked, but again, it looks like they are not in scope.

Don’t just comment here!

Please, consider the directive and DCMS proposals and reply. We need people mitigating the impact, making sure it covers what needs to be covered, and making sure the definitions work.

The consultation document is here (https://www.gov.uk/government/consultations/consultation-on-the-security-of-network-and-information-systems-directive), and you have until 30th September to respond.

This is the A&A response, here.

(Thanks to Neil Brown for help with this blog post)

12 comments:

  1. "What happens is a customer will go to some web developer. The web developer will say that they will need the DNS name servers for the domain changed over to them. Many web developers work like that, and have no clue about other uses of DNS, even email!"

    Yep - deal with that request a few times a year. And the answer is an emphatic "NO". DNS stays right where it is and no access to it is provided to a web developer. If the web developer wants DNS changes then these will be agreed and planned in advance with a clear roll-back plan and carried out at specific agreed times, out of hours with the TTL prior set to 300 to enable fast roll-back. When I explain that lot the web developer normally looks at me blank and hasn't a clue what I've just said. This blank look alone verifies that my approach is the right one.

    Replies
    1. As a professional Web developer who accidentally ended up being very dev-ops-y, this makes me sad :( I don't see how web devs can do their jobs properly without understanding DNS and such. I can understand asking to have the nameservers moved for some clients (I've had numerous clients with domains hosted by certain companies who shall remain nameless but who claim that simple things like CNAME records are impossible somehow?!) but I'd always prefer to not take on that extra responsibility and just have the client's domain host add a few records!

      Regarding this post's question about big companies acting as nameservers for other big companies, one company comes to mind: CloudFlare. Unless you have a very expensive Enterprise account with them, you have to use their nameservers. There could be companies large enough to be covered by this stuff but not large enough to want or need CloudFlare's Enterprise services. Akamai and others might operate in a similar fashion; I've never used them to find out.

  2. I cannot tell you how many times we've had customers whose outsourced web developers want to transfer DNS name servers over to themselves or a third party, and don't ask for a zone dump and/or totally mess up the customer's MX record(s).

  3. Why are we still implementing EU directives post article 50? I mean, I don't like brexit, but this seems like the one advantage of it.

    Replies
    1. As I understand it, it is because we have not yet left the EU, and so are still bound by our treaty obligations, including implementing directives into national law.

    2. The reason we still implement EU directives and are likely to continue to is that we want tariff free access to the common market. In short this is because of the issue of "non-tariff trade barriers" in the shape of standards. The hardcore of the brexiteers ignore this in their arguments because it is the reason trade agreements take years to set up and because the end result is quite popular with the public (people like safe consumer goods).

      Essentially it is about ensuring you do not get to make cheaper goods than me because you treat your workers in a materially worse fashion or use materials I have banned on account of safety. Pretty much all of the EU directives are about this in one way or another which is why you have directives on carrot quality. It is also why the EU has so much difficulty coming to a free trade deal with the US, either the US has to up its standards or EU has to lower theirs.

  4. Seems very strange not to have some sort of escalator with the number of DNS queries, the number is only going upwards, so what might or might not be a large supplier now will doubtless change before the directive will be reviewed.

    Also seems sensible to sell off your DNS provision to
    1) Another company (A&A DNS Business LTD, A&A DNS South LTD, A&A DNS North LTD. Seems you can just have the same company number and some corporate schizophrenia to get away with that one...)
    2) Google

    Also makes implementing a caching resolver on the router and/or artificially inflating the TTL values an attractive option.

    Replies
    1. Sounds like a good idea from Steve Scott?

    2. Can some popular DNS caches, e.g. in routers, override silly low TTL values anyway? Much better performance then.

    3. Yes, we have found that when setting a TTL to 300 seconds (5 minutes) that various DNS servers ignore that and still operate on a TTL of an hour or more.

    4. Obviously overriding the TTL is not good from a technical point of view. It could, perhaps, be an unintended side effect of the legislation though if this significantly reduces the number of queries.

    5. On my own personal DNS server I override low TTL values. I used to find it horrible practice a decade ago, but now so many mainstream services abuse the system with silly low values like just 5 seconds of TTL. However, if I was running a DNS server for customers I wouldn't do that without an opt-in, so I can see the awkward position it puts you in.
