Keep ‘m rolling
On 11 October we used the Root Canary tool to monitor the DNS root key rollover. The internet-wide event went almost flawlessly and we published the tool's output in real time on our Twitter account so that everyone could follow its progress. We presented our results at OARC29 as well. The gathering was coincidentally held in Amsterdam the day after the rollover, so that the presentation was also not far off being in real time!
The root key rollover was important, both for technical reasons (the older a key is, the greater the risk of it being cracked), and for maintaining the internet community's confidence in the DNS and its multistakeholder management model. In October 2017, ICANN postponed the key rollover because it appeared that many resolvers hadn't installed the new Key Signing Key (KSK). ICANN therefore feared that people relying on the resolvers in question wouldn't be able to reach DNSSEC-enabled domains, meaning that the associated websites, mail servers and other services wouldn't work.
We also used the Root Canary tool to monitor the algorithm rollovers performed by our colleagues at .se (Sweden) and .br (Brazil).
Resilience of the DNS against DDoS attacks
In November, we presented our article “When the Dike Breaks: Dissecting DNS Defenses During DDoS” at the ACM Internet Measurement Conference (IMC 2018). The article described a series of experiments we conducted to study the behaviour of DNS resolvers when authoritative servers are hit by DDoS attacks.
Our research quantified the extent to which DNS query caching by DNS resolvers increased the resilience of the DNS and showed, for example, that end users are often unaffected by DDoS attacks, even when 90 per cent of legitimate DNS queries don't reach the authoritative servers. We also demonstrated that the time to live (TTL) selected for resolver caches plays a critical role. Long TTLs (e.g. one to six days for root records) result in resolvers caching DNS queries for long periods, increasing their ability to ride out DDoS attacks on the authoritative servers. By contrast, short TTLs (e.g. one minute) can aggravate DDoS attacks. When a TTL expires, a resolver will send additional messages in an effort to reach an authoritative that isn't responding, even though the reason for the lack of response may be that the server is under attack. The authoritatives in question therefore have to cope with additional legitimate DNS traffic, as well as DDoS traffic. The volume of such 'friendly fire' can be up to eight times as great as the normal DNS traffic that the resolver receives from clients. Our experiments indicate that the optimum resolver TTL for CDNs is 30 minutes, for example. However, further research is needed before we can make a firm recommendation.
IMC is a prestigious international conference, and 2018 was the third year in a row that we secured an invitation to present our work there. The research was undertaken in collaboration with colleagues from the University of Twente, the University of Southern California/Information Sciences Institute, the University of Passo Fundo (Brazil) and NLnet Labs. Under the auspices of the IETF, we are currently summarising the research we have carried out in recent years in the form of an Informational Draft for authoritative DNS server operators.
Another highlight of 2018 was that, partly in response to our IMC2017 paper, our colleagues in SIDN's DNS operations team began converting .nl's DNS infrastructure to a fully anycast-based system and increased the number of anycast nodes.
In 2019, we'll be taking the first steps towards hopefully securing a second IMC hat-trick. :-)
Making the IoT more secure: greater flexibility and better anomaly detection
In the first quarter of the year, we redesigned SPIN, our open-source platform for protecting the internet and end users against insecure IoT devices in the home and other small networks. With its new design, SPIN is suitable for use in various ways (e.g. centrally on a home router or distributed around various measuring points in a network). We see the increased flexibility making SPIN more attractive for use as a basic network hardware component (e.g. on the Turris router).
During 2018, we also took our first steps in the field of the automated detection of insecure IoT devices. For example, we developed a library for processing MUD profiles, which describe the network behaviour of smart devices (e.g. the cloud services that a device connects to and the ports it uses to do so). We also developed a tool that automatically generates a MUD profile from a device's normal network traffic and then blocks any abnormal traffic. In addition, a network measurement centre was built for SPIN. The centre maintains a dynamic model of communication on the network and makes information available to anomaly detection modules. In 2019, we'll be working with Delft University of Technology to develop and evaluate several such modules.
We presented SPIN at various congresses, including the CENTR R&D workshop, the RIOT congress, ICT.Open and the Innovation Congress organised by the Dutch Ministry of Justice and Security. Following on from SPIN, we developed a course entitled Security Services for the IoT (SSI), which we provided at the University of Twente. SSI was taken by students working towards a Cyber Security master's. Asked to rate the course at the end, the students gave it eight out of ten.
We additionally linked up with Delft University of Technology to run the MINIONS project, whose aims include quantifying the concentrations of insecure IoT devices on the internet, mapping IoT botnets and cleaning up infected devices.
Finally, we joined forces with SIDN’s product development team to think of a product based on the SPIN software that could accelerate the rollout of SPIN. The idea is being pursued in partnership with EmbeDD, a Swiss supplier of open-source software for modems and routers.
Fewer fake webshops, more DMAP
We used our DMAP crawler tool to automatically scan the 5.8 million domains in the .nl zone for possible fake webshops. The findings were made available to SIDN's Registration and Service Desk, enabling them to work with .nl registrars on getting fake webshops taken down. The initiative led to more than 5,200 abusive sites being disabled between January and September 2018. We made presentations about our fake webshop prevention work at various conferences, including the ECP Annual Congress and the DHPA Tech Day. Our fake webshop detector was developed in the latter part of 2017 and systematically deployed in 2018.
We also extended DMAP itself, by increasing the number of security-related properties recorded about each domain name, for example. The additional information is used not only for fake webshop detection, but also for identifying security trends in the .nl zone (e.g. the use of DDoS services and certificates) and for testing domain names for IPv6 support in the context of the Registrar Scorecard scheme. A new firewall was installed on the SIDN Labs network, enabling us to further boost the efficiency of DMAP crawling.
In the fourth quarter, we started a project investigating the potential for new open inter-networks ('internets') such as NDN, SCION and RINA. The systems in question are experimental networks that, unlike the current internet, aren't based on the Internet Protocol (IP).
The aim is to ensure that the Netherlands and Europe are at the cutting edge of developments and ready for any new systems that emerge. We see that as important because emerging inter-networking technologies are likely to gain traction with the rise of programmable networks and growing demand for communication infrastructures that offer greater security, availability and transparency.
Our project focuses particularly on security and resilience aspects, because of their social significance and alignment with SIDN's interests. We will also be concentrating on initiatives with operational testbeds and active communities, and preferably links with the existing internet community (e.g. NDN, for which there is a working group at the IRTF). Our approach is hands-on with running code, prototypes and experiments, although the design will involve several years of work.
We began by connecting our lab network to the SCION testbed in mid-December. Three workshops were also organised to gather community feedback: at the OpenProvider partner event, the ECP Annual Congress and SIDN Connect.
Early in 2019, further details of the project will be published in a blog written in association with our research partners: University of Twente (DACS group), University of Amsterdam (SNE group), SURFnet and NLnet Labs.
Joint anti-DDoS initiatives
In April, together with the University of Twente and SURFnet, we co-authored an open letter proposing a proactive, collective anti-DDoS strategy for the Netherlands' vital infrastructure. Central to the proposal was a DDoS clearing house (referred to as 'DDoS radar') for the continuous automated exchange of 'DDoS fingerprints' (DDoS attack characteristics) amongst service providers. Intelligence on attacks would enable service providers to proactively adapt their infrastructures, e.g. by activating traffic filtering rules on routers. The DDoS clearing house would therefore act as an extra layer of security to complement existing anti-DDoS solutions such as the NaWas and commercial scrubbing centres.
Our proposal resulted in renewed exposure for the problem of DDoS attacks and their social impact. Against that background, a consortium of about twenty-five Dutch industrial concerns, government agencies and anti-DDoS partnerships subsequently launched a national initiative to realise the new anti-DDoS strategy and clearing house. Although much remains to be done, it appears that the days of individual organisations defending themselves on a reactive basis may be numbered.
We also introduced the DDoS clearing house concept to Concordia, a new European research project in the H2020 programme due to start in January. The idea is that the Concordia results will feed into the Dutch initiative, creating an interactive interface between the operational and research domains.
The DDoS clearing house is an example of collaborative internet security jointly developed by SIDN Labs and the University of Twente.
Greater insight into .nl and the internet
Our statistics site was given a new look and feel, and changes were made to the way data about .nl and the wider internet is presented on the site, with a view to making it more attractive and easier to understand. The new site is also geared up for the publication of additional research findings as they become available, such as our data on the uptake of DNS-based anti-DDoS services in the .nl zone.
Feedback and collaboration
At SIDN Labs, we are always looking for ways of improving our work, so we'd love to hear from you if you have a suggestion. And please feel free to get in touch if you can see a way of adding value to any of our research projects.
Best wishes for the New Year!
On behalf of everyone at SIDN Labs, I'd like to conclude by wishing you an enjoyable end to 2018 and a happy New Year!
The SIDN Labs team,
Maarten, Giovane, Elmer, Moritz, Marco, Jelte, Caspar, Thymen and Cristian