DDoS attacks in a nutshell
A denial-of-service (DoS) attack is a malicious attempt to prevent legitimate users from accessing a service. In this context, the term 'service' covers things such as websites and the associated web servers. The strategy of most DoS attacks is to swamp a server's internet connection with network traffic, thus overloading it. Another common tactic is to use up a server's memory by bombarding it with requests for, say, a web page. The effect of a DoS attack can be increased by having multiple machines employ the same aggressive strategy. The attack is then said to be 'distributed', hence the term 'distributed denial-of-service' (DDoS) attack.
There are two general categories of DoS attack: volumetric attacks and semantic attacks. A volumetric attack relies on the sheer volume of the network traffic involved. By contrast, a semantic attack seeks to disrupt a service by exploiting a particular vulnerability in a server. A semantic attack doesn't necessarily involve a large volume of network traffic.
What are anti-DDoS services?
Anti-DDoS services are services that protect against DDoS attacks. Website administrators and others can use such services – usually for a fee or subscription – to help defend themselves against (complex) attacks. The services may protect against volumetric attacks, semantic attacks, or both. Protection can take various forms. For example, special equipment may be installed on the subscriber's premises, e.g. between the web server and the internet. Alternatively, all network traffic may be routed via equipment running in a data centre operated by the anti-DDoS service provider. Only non-malicious traffic intended for the subscriber is then forwarded by the service provider. Major volumetric attacks can't usually be fought off using equipment set up on the subscriber's premises, because everything then still depends on the capacity of the internet connection. Effective protection against attacks of that kind requires the rerouting of network traffic via the anti-DDoS service. The service providers generally have very high-capacity connections that enable them to receive all the traffic and filter out the malicious component.
There are two ways of rerouting network traffic. First, you can make use of the Border Gateway Protocol (BGP). That's the protocol used for interconnecting various entities (e.g. service providers) on the internet. The BGP can be used to divert all the traffic for a whole network (the IP addresses of multiple machines) at one go. The second approach relies on the Domain Name System (DNS). That tends to be the preferred option for protecting services that users access by means of a domain name, e.g. websites. DNS resolution of, say, www.example.nl doesn't then yield the address of the web server, but the address of a 'reverse proxy' running in the anti-DDoS service provider's data centre. All would-be visitors to the site – both malicious and non-malicious – are first connected to the proxy. The malicious traffic is filtered out by the anti-DDoS service, while the non-malicious traffic is forwarded to the web server.
Figure 1 visualises the rerouting of network traffic using the DNS. The name server responsible for giving out the IP addresses for www.example.nl responds to queries by giving the address of the proxy, rather than that of the web server. All website requests then go to the anti-DDoS service, which forwards only non-malicious requests to the protected server.
Who can use anti-DDoS services?
In principle, anyone can use an anti-DDoS service to protect one or more machines. To use a DNS-based service, all you have to do is make a few administrative changes to the configuration of the relevant domain name. However, the DNS can be used to reroute only traffic based on a protocol that supports reverse proxy interoperability, e.g. the web protocols HTTP and HTTPS. There are also certain criteria for the effective configuration, which are usually well-documented by anti-DDoS services. It's also worth noting that some anti-DDoS services can be used without charge.
What's the picture in .nl?
In a study published last year, we looked at the rise of large commercial anti-DDoS services [1]. One of the study's focuses was how such services are used with .nl domain names. Data was gathered by scanning the DNS daily over an extended period. That involved requesting the publicly accessible DNS configurations – including IP addresses – of all .nl domains every day. Because IP addresses are linked to internet entities, we could see from the incoming data which domain names were protected by anti-DDoS services.
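As an added illustration, not part of the original article or of the OpenINTEL tooling, the following Python script shows the classification step behind the rerouting in Figure 1 and the measurement method described above: given the A/AAAA records a daily scan returns for a name, it decides whether the name resolves into an anti-DDoS provider's address space, i.e. whether visitors are sent to the provider's reverse proxy rather than to the web server itself. The provider names, prefixes and DNS records are all constructed sample values, not real provider ranges or measurement data.

```python
"""Classify names by whether their A/AAAA records point into anti-DDoS
provider address space.

All prefixes and DNS records below are constructed sample data, not real
provider ranges or real measurement output.
"""
import ipaddress
from collections import Counter

# Constructed sample: hypothetical provider -> announced prefixes.
PROVIDER_PREFIXES = {
    "ProviderA": ["198.51.100.0/24", "2001:db8:a::/48"],
    "ProviderB": ["203.0.113.0/25"],
}


def build_index(prefix_map):
    """Parse the prefixes once so lookups stay cheap over millions of records."""
    index = []
    for provider, prefixes in prefix_map.items():
        for prefix in prefixes:
            index.append((ipaddress.ip_network(prefix), provider))
    return index


def provider_for(addr, index):
    """Return the provider whose prefix contains addr, or None if no match."""
    ip = ipaddress.ip_address(addr)
    for net, provider in index:
        if ip.version == net.version and ip in net:
            return provider
    return None


def classify(addresses, index):
    """Classify one name from its record set.

    'protected'  : every address lies in provider space, so resolution
                   yields the proxy, as in Figure 1.
    'mixed'      : some addresses lie in provider space and some do not,
                   so part of the traffic bypasses the service; this is
                   the kind of configuration an operator should check.
    'unprotected': no address lies in provider space.
    'no-records' : the scan returned nothing for this name.
    """
    if not addresses:
        return ("no-records", set())
    hits = [provider_for(a, index) for a in addresses]
    providers = {p for p in hits if p}
    if all(hits):
        return ("protected", providers)
    if any(hits):
        return ("mixed", providers)
    return ("unprotected", set())


# Constructed sample records, as one day's scan of www.<domain> might yield.
SAMPLE_RECORDS = {
    "www.example.nl": ["198.51.100.10", "198.51.100.11"],
    "www.voorbeeld.nl": ["192.0.2.5"],
    "www.gemengd.nl": ["203.0.113.7", "192.0.2.9"],
    "www.leeg.nl": [],
}


def summarize(records, prefix_map=PROVIDER_PREFIXES):
    """Classify every name and count the outcomes."""
    index = build_index(prefix_map)
    results = {name: classify(addrs, index) for name, addrs in records.items()}
    counts = Counter(status for status, _ in results.values())
    return results, counts


def share_protected(counts):
    """Fraction of names with records that are fully behind a provider."""
    total = sum(v for k, v in counts.items() if k != "no-records")
    return counts["protected"] / total if total else 0.0


if __name__ == "__main__":
    results, counts = summarize(SAMPLE_RECORDS)
    for name, (status, providers) in results.items():
        print(f"{name}: {status} {sorted(providers)}")
    print(dict(counts))
    print(f"protected share: {share_protected(counts):.1%}")
```

Run daily over the full set of .nl names, the per-day protected share from `share_protected` is the quantity plotted as the green line in figure 2; the `mixed` outcome is a useful by-product for operators, because it shows names whose rerouting is only partial.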
Our study took in nine commercial anti-DDoS service providers: Akamai, CenturyLink, CloudFlare, DOSarrest, F5 Silverline, Incapsula, Level 3, Neustar and Verisign. For this article, we have analysed data from a longer reference period than that used for the earlier publication. The new analysis relates to a sixteen-month period from 1 March 2016 to 1 July 2017.
The growth in use is illustrated in figure 2. The green line represents the increase in use of the nine providers' services: more than 31 per cent over the sixteen months. The black line depicts growth in the total number of (active) .nl domain names: almost 3.5 per cent, from about 5.2 million to 5.7 million. Clearly, therefore, the use of anti-DDoS services has grown much more rapidly than the total number of domain names.
The DNS scanning system used for the study checked more than 55 billion data points over the reference period. All the data thus obtained was stored in a file system distributed across a cluster of several dozen powerful computers. Using such a storage strategy makes it possible to perform parallel big data analysis. The cluster we used is part of the OpenINTEL project, a joint initiative by the University of Twente, SIDN and SURFnet [2]. OpenINTEL is intended to support academic study of the DNS and therefore facilitates research into the security and stability of .nl.
Conclusions and future work
Because an increasing proportion of .nl domain names are protected by anti-DDoS services, we believe that the .nl domain is becoming more secure.
As mentioned above, the DNS configuration of a domain name needs to satisfy a number of criteria in order for an anti-DDoS service to be effective. Otherwise, sophisticated attackers may be able to circumvent the protection entirely. We therefore intend to study the errors that domain name DNS operators are liable to make in this context and how such errors could be flagged up (possibly automatically).
The study received financial support from the Netherlands Organisation for Scientific Research (NWO) as part of the D3 Project (628.001.018). The study was also made possible by OpenINTEL, a joint project by the University of Twente, SIDN and SURFnet [2].
[1] M. Jonker, A. Sperotto, R. van Rijswijk-Deij, R. Sadre, and A. Pras, "Measuring the Adoption of DDoS Protection Services," in Proceedings of the 2016 ACM Internet Measurement Conference (IMC'16), 2016, pp. 279–285.
[2] "OpenINTEL Active DNS Measurement Project," 2015, https://www.openintel.nl/.
About the author
Mattijs Jonker is a PhD student at the University of Twente. The focus of his research is DDoS attack mitigation. His main research interests include network security, internet measurements and big data analytics.