2019 in the rearview mirror
SIDN Labs’ main accomplishments of the past year
With 2019 getting into our rearview mirror, we’re taking a quick look at SIDN Labs’ main accomplishments of the past year. Our overall highlights are that we further strengthened our contribution to the DNS measurements community, that our research helped further improve SIDN’s operational services, and that we successfully launched our new line of research on future internet infrastructures and open programmable networks.
Rolling forward on DNS measurement research
We conducted a longitudinal study on the DNSSEC root key rollover of October 11, 2018, together with our colleagues at the University of Twente, NLnet Labs, USC/Information Sciences Institute, Verisign, and Rochester Institute of Technology. We reported the results in our paper “Roll Roll Roll Your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover”, which was accepted for the prestigious ACM Internet Measurement Conference (IMC2019) and won the Distinguished Paper Award. We also carried out a measurement study on the use of DNS TTL values and provided several recommendations, which were taken up by our DNS operations team as well as by 3 other ccTLD registries (e.g., Uruguay). We documented this work along with previous work in a best practice document for authoritative DNS operators, which is currently under consideration in the IETF. We ran the study together with experts at USC/Information Sciences Institute and the University of Passo Fundo. We managed to get it published at IMC2019 as well, along with a third paper, which was on DNS resolver measurements. Other measurement work we carried out this year was on the uptake of QNAME minimization and the classification of resolvers that query the .nl name servers.
Getting into future internet infrastructures
One of our major chunks of work this year was getting up to speed with “future internet” technologies. For example, we implemented the data plane protocol of the SCION internet architecture in P4, a domain-specific language to program packet processors in open programmable hardware. Based on this work, we proposed new headers for the SCION protocols, which were accepted as a draft by the Network Security Group at ETH Zurich (maintainer of the SCION source code) and Anapaya (manufacturer of SCION routers). We connected our network to SCIONLab, an experimental internet based on the SCION architecture. We also hooked up our P4 switch to the Dutch national P4 network, with nodes at the University of Twente (UT), the University of Amsterdam (UvA), Delft University of Technology (TUD), and SURF, interconnected through SURF’s optical network. We’ll be using this national P4 network in the coming years to experiment with programmable networks, new types of internets, and their applications. The national P4 network is part of the 2STiC research program, which we launched this year together with the UT, UvA, TUD, SURF, NLnet Labs, and the Amsterdam Internet Exchange (AMS-IX). The goal of 2STiC is to experiment with new types of internet infrastructures (e.g., based on SCION or RINA) that provide better security, resilience, and transparency for critical applications such as energy grids, intelligent transport systems, and delivery drones. We published the joint vision of the 2STiC partners on this exciting new field of research and together presented a poster at IMC2019. We submitted a project proposal to the NCSRA-III cybersecurity research call together with UvA, UT, NLnet Labs, and SURF, which NWO accepted for funding. The goal of the project is to enable users to control and verify the route that their data takes through an internet using open programmable switches. It will extend the 2STiC community with 2 Ph.D. students for the coming 4 years.
Supporting SIDN’s abuse desk fighting fake webshops
We developed a new system called “FaDe” (Fake webshop Detector), which automatically detects fake webshops in the .nl zone by combining machine learning, crawls of the entire .nl zone, and the expertise of the folks running SIDN’s abuse desk. We evaluated FaDe from August through early November and it reported 1,210 suspicious-looking domain names in that period. Our colleagues at the abuse desk manually assessed that 958 of them were actual fake webshops, which is a 79% hit rate. Our abuse experts feed their findings back into FaDe, which means that we expect it to get better over time. FaDe is part of SIDN’s overall strategy to proactively fight domain name abuse in .nl and is a result of SIDN Labs’ machine learning strategy that we developed earlier this year. FaDe builds on our earlier work in the field of fake webshop detection.
Increasing anti-DDoS capabilities
We worked with our product development team to get SPIN deployed in people’s homes, thus better protecting Internet infrastructure operators like ourselves from IoT-powered DDoS attacks and helping users gain more insight into the remote services that their IoT devices silently interact with. To accomplish this, we increased the stability of the SPIN software and packaged it as a product to help router/modem manufacturers incorporate SPIN into their equipment more easily. While a few did (e.g., Turris, Embedd, and CIRA), we had limited impact at bigger manufacturers and therefore decided to temporarily pause the SPIN product development path. Based on our conversations with ISPs and equipment manufacturers, we did learn a lot, though. For example:
The lack of security of IoT devices is an important problem for many organizations operating in the edges of the Internet as well as for regulators, which underscores the relevance of edge security systems such as SPIN;
ISPs are struggling with their level of involvement in home networks, for instance because they expect expensive support calls when edge security systems temporarily block network access for IoT devices that behave suspiciously; and
Router manufacturers consider security a feature instead of a “hygiene factor”, which means that they will typically only take on the costs of developing and maintaining it if a sufficiently large share of their customers (e.g., ISPs) are willing to pay for this feature.
In terms of research, we got a paper on SPIN accepted at the NOMS2020 Experience Session and one of our team led the writing of SAC105, an SSAC report on the interaction between the DNS and the IoT. We also actively contributed to the further development of the Dutch National Clearing House, a collaborative system that enables service providers to automatically extract the characteristics of the DDoS attacks they handle and share these “DDoS fingerprints” with other providers so they are prepared in case the attack targets them. We led the development of a data sharing agreement and set up a prototype of the clearing house at SIDN Labs. We’re working on a European version as part of the CONCORDIA project.
Stimulated DNS analysis through ENTRADA 2.0
In the summer, we published version 2.0 of ENTRADA, our platform for analyzing large amounts of DNS traffic. The key new feature of ENTRADA 2.0 is that it supports serverless DNS analytics. This means organizations and researchers can easily deploy ENTRADA in the cloud, which makes it easier for them to start working with ENTRADA because they don’t need to set up a Hadoop cluster first. At SIDN Labs, we continue to run ENTRADA using our own hardware because we want to store the .nl DNS traffic in the Netherlands. In addition, our data set has grown to more than 85 TB over the past 5 years and we often run complex, computationally intensive queries, which makes a cloud deployment more expensive than running ENTRADA on our own hardware. Another feature that we added is support for measuring round-trip times (RTTs) between resolvers and authoritative DNS servers using the TCP protocol, specifically by calculating the latency between the TCP SYN-ACK packet that the server sends and the subsequent TCP ACK packet that the resolver returns. This is possible because around 5% of the DNS queries we handle on the .nl servers use TCP as their transport protocol instead of UDP. ENTRADA is an open source project and multiple TLD registries use and contribute to it, such as .at, .ch and .nz. Our colleagues at .nz specifically helped improve ENTRADA 2.0.
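The handshake-based RTT measurement described above, as an added sketch that is not ENTRADA's own code. The packet record layout, the `handshake_rtts` function, the server address and the sample capture are all constructed for illustration; the sketch also discards samples where the SYN-ACK was retransmitted, since the ACK can then no longer be matched to a single send time.

```python
from collections import namedtuple

# One record per TCP packet captured at the authoritative server (port 53).
# ts_us is the capture time in microseconds; flags is a frozenset of flag names.
Pkt = namedtuple("Pkt", "ts_us src sport dst dport flags seq ack")
SERVER = "192.0.2.53"  # assumed name server address (documentation range)

def handshake_rtts(packets, server=SERVER):
    """Map (resolver_ip, resolver_port) -> RTT in microseconds."""
    pending = {}  # flow -> [SYN-ACK time, ACK number that completes it, ambiguous]
    rtts = {}
    for p in sorted(packets, key=lambda p: p.ts_us):
        if p.src == server and p.flags == {"SYN", "ACK"}:
            flow = (p.dst, p.dport)
            if flow in pending:
                # Retransmitted SYN-ACK: the ACK cannot be tied to one copy,
                # so the sample is discarded (Karn's rule).
                pending[flow][2] = True
            else:
                pending[flow] = [p.ts_us, (p.seq + 1) % 2**32, False]
        elif p.dst == server and p.flags == {"ACK"}:
            flow = (p.src, p.sport)
            if flow not in pending or p.ack != pending[flow][1]:
                continue  # not the ACK that completes a tracked handshake
            sent_us, _, ambiguous = pending.pop(flow)
            if not ambiguous:
                rtts[flow] = p.ts_us - sent_us
    return rtts

def P(ts_us, src, sport, dst, dport, flags, seq, ack):
    return Pkt(ts_us, src, sport, dst, dport, frozenset(flags.split("+")), seq, ack)

# Constructed capture: four resolvers open TCP connections to the server.
SAMPLE = [
    P(0,       "198.51.100.7", 40001, SERVER, 53, "SYN", 1000, 0),
    P(100,     SERVER, 53, "198.51.100.7", 40001, "SYN+ACK", 5000, 1001),
    P(12300,   "198.51.100.7", 40001, SERVER, 53, "ACK", 1001, 5001),
    # SYN-ACK sent twice before the resolver answers: ambiguous, no sample
    P(1000000, SERVER, 53, "203.0.113.9", 51000, "SYN+ACK", 7000, 301),
    P(2000000, SERVER, 53, "203.0.113.9", 51000, "SYN+ACK", 7000, 301),
    P(2030000, "203.0.113.9", 51000, SERVER, 53, "ACK", 301, 7001),
    # sequence number wraps around 2**32
    P(3000000, SERVER, 53, "198.51.100.8", 40002, "SYN+ACK", 2**32 - 1, 901),
    P(3045000, "198.51.100.8", 40002, SERVER, 53, "ACK", 901, 0),
    # handshake never completed: no sample
    P(4000000, SERVER, 53, "203.0.113.10", 51001, "SYN+ACK", 9000, 11),
]
```

Calling `handshake_rtts(SAMPLE)` yields one RTT per cleanly completed handshake, measured entirely from the server's vantage point.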
Time made transparent: TimeNL
TimeNL is SIDN’s public service that enables Internet devices to get the current time in UTC at millisecond accuracy. We set it up because we discovered that existing public time services are often unclear about their service levels (e.g., in terms of accuracy and how well they are being maintained) and often only rely on GPS as their time source. TimeNL is unique, because it makes this information transparent at time.nl, for example in terms of the service level we provide and the three different time sources we use (GPS, Galileo, and DCF77). TimeNL runs on our own infrastructure and uses NTP (Network Time Protocol). We recently added NTS (Network Time Security), NTP’s security extension. Time services form a largely invisible part of the Internet infrastructure, but are indispensable for a wide range of applications, such as DNS caching, the validity period of DNSSEC signatures, and reliably timestamping domain registrations.
What’s up for 2020?
In 2020, we’ll continue to use our research results to help further strengthen SIDN’s services, for instance by improving the measurement and machine learning tools we developed for our abuse desk (e.g., improvements of FaDe) and for our DNS operations team (e.g., an intelligent tool for placing DNS anycast nodes based on the SAND project). We’ll put the aggregate outputs of these tools on stats.sidnlabs.nl, such as detected fake webshops over time and a real-time map of the RTT towards the .nl name servers using ENTRADA 2.0. We’ll publish our research results, for example in the form of papers. We’ll also contribute to ramping up the pilot with the Dutch national DDoS clearing house, specifically by experimenting with the generation, distribution, and use of DDoS fingerprints and by improving the clearing house’s software (also as part of CONCORDIA). As for SPIN, we’ll be setting up a platform for storing and analyzing IoT device measurements, for example using edge systems such as SPIN and server-side systems such as IoT honeypots. Our goal is to make the datasets available to the Dutch research community. We’ll also continue to casually look for ISPs and router manufacturers interested in using SPIN as a product. Our future internet work will focus on running a sector-specific application on top of 2STiC’s national P4 testbed that enables us to evaluate the added value of SCION and other novel network functions that open programmable routers enable. We’re looking forward to it!