A new year, a new research agenda

Five challenges, two research areas

We extended and reorganised SIDN Labs’ research agenda to make a broader contribution to the security and resilience of internet communications. We’re putting more effort into reducing the effects of large-scale security incidents and we’ve added emerging inter-domain networking systems as a new challenge. As usual, we’re interested in hearing your feedback.

So, who are you guys again and what do you do?

SIDN Labs is the research team of SIDN, the operator of the .nl country-code top-level domain (ccTLD). Our goal is to advance theoperational security and resilience of end-to-end internet communications through (1) empirical, measurement-based research and (2) prototyping and evaluating new internet systems and tools.

In our measurement studies we have for instance scrutinised the interactions between resolvers and authoritative servers in the Domain Name System (DNS), showing which criteria resolvers use to choose among multiple authoritative servers. That led SIDN’s operations team to phase out unicast from .nl’s authoritative servers, which currently run anycast services only. More recently, we showed how different parts of the DNS infrastructure contribute to resilience against DDoS attacks (using TTL values, caching and resolver retries, for example). In the past, we analysed the resilience of .nl from a routing perspective, the stability of the root server system and the levels of DNS abuse in gTLDs.

Examples of our prototype development activities include our open-source ENTRADA system for storing and easily analysing large amounts of authoritative DNS traffic, our DMAP crawler for longitudinally measuring the security-related characteristics of large numbers of domain names, the Root Canary toolset for monitoring DNSSEC root key rollovers, and our open-source SPIN platform for protecting the internet and users against insecure IoT devices.

Amongst the datasets that we use for our work are ENTRADA for .nl  (more than 1 trillion rows, updated every few minutes), DMAP for .nl (5.8 million data points, updated monthly), and OpenINTEL’s longitudinal data on the evolution of the DNS in .nl and other TLDs (3 trillion data points, updated daily). Our measurement studies are governed by a privacy framework, which we developed for ENTRADA but is now being used SIDN-wide.

Five challenges, two research areas

Our updated research agenda extends the scope of our work to five research challenges, which we have grouped into two areas: core internet systems and internet evolution. Later this year, we’ll add a third area: inter-domain trust infrastructures (e.g. using the DNS), which is related to the work of SIDN’s subsidiary Connectis. We’ll discuss it in more detail in a separate blog.

We identified the five challenges based on projects we carry out with our partners (e.g. peer research labs, universities and SIDN’s operational teams) and the communities we are involved in (e.g., IETF/IRTF, RIPE and ICANN). These interactions are an important part of our daily work and enable us to continually sharpen our focus and make sure we address relevant topics.

Our motivation for the new set of challenges is that we would like to make a broader contribution to the security and resilience of internet communications. We believe we’re in a position to actually make this happen because three new people recently joined the team (Caspar, Thymen and Joeri), because of our in-house technical expertise and our strong collaborations with both the operational and academic communities, and because of SIDN’s neutral position and ability to sustainably invest in research.

Core internet systems

The goal of our first research area is to empirically understand what factors drive the security and resilience of core internet systems such as the DNS and prototype novel technical mechanisms to improve it. The work is based on our vision of intelligent domain name registries and the concept of collaborative internet security. We are concentrating on three challenges:

Improving the operation of DNS infrastructures: how to enable DNS operators to better engineer their infrastructures, in particular to maximise security and resilience. This work involves, for instance, prototyping and evaluating novel measurement methodologies that help DNS operators understand the factors that influence the resilience of their (global) DNS infrastructures, such as Round-trip Times (RTTs) and anycast catchments. It’s also about providing DNS operators with intelligent measurement-based tools that allow them to operate their DNS infrastructures at the level of entire anycast deployments rather than at the level of individual machines. These tools should for instance enable them to easily assess the effect that moving an anycast node has on resilience and RTTs, and provide real-time recommendations on how to reconfigure a DNS anycast deployment during a DDoS attack. Such tools are important to enable operators to deal with new types of DDoS attack (e.g. multiple-Tbps attacks by large IoT botnets) and with the growing complexity and dynamics of their infrastructures (e.g. in terms of nodes and third-party operators).

Reducing domain name abuse: how to enable registries, registrars, hosting providers and other stakeholders to protect internet users against actors that use domain names for malicious purposes, such as for fake web shops, DDoS-for-hire sites and coordinated phishing attacks. This work involves, for instance, the dynamic modelling of large DNS zones (e.g. the 5.8 million domain names of the .nl zone), developing and evaluating algorithms that deduce the security properties of domain names and the services they link to (e.g. whether a site offers a DDoS-for-hire service) based on multiple heterogenous datasets (e.g. known malicious sites, DNS traffic statistics, user reports and screen shots), mapping coordinated abuse actions (e.g. phishing or fake web shop campaigns) and developing generic methods for sharing information on specific types of abuse within the DNS industry.

Protecting the internet against large-scale incidents: how to protect the DNS and the wider internet against large-scale (coordinated) incidents, such as the massive DDoS attacks generated by 600,000-node strong IoT botnets and routing hijacks. This includes, for instance, understanding such events using multi-site measurements, joint threat detection (e.g. through the automatic sharing of DDoS fingerprints) and joint mitigation (e.g. dynamically scaling up scrubbing capacity across providers using DOTS). It also involves prototyping and evaluating the required systems and tools, such as a DDoS clearing house that enables service providers to automatically and continually share characteristics of DDoS attacks, and our SPIN platform to proactively block IoT devices that might have been compromised by a botnet (e.g. Mirai or Hajime) so that they cannot act as sources in DDoS attacks. 

Internet evolution

Our second research area is the evolution of the internet, both in terms of how the internet evolves (deployment, protocols, architecture) and in terms of experimental non-IP inter-networking systems such as SCION, NDN and RINA. Our two challenges are:

Experiment with and advance emerging inter-networks: how to advance inter-domain networking systems to best serve society’s demands for increased networked service security, resilience and transparency. This includes, for instance, contributing to emerging inter-networks like SCION and NDN, research on mechanisms for deploying them in coexistence with the internet (e.g. using P4-programmable switches), and work items currently being investigated in the IRTF, such as path-aware networking and decentralised internet infrastructures. Another topic is security verification and transparency, which is about cryptographically verifying the authenticity of routers and service providers that a user’s data passes through in a scalable way and making the information available to users (in a machine-readable format). Our objective for this challenge is to keep the Dutch (and European) network communities ahead of the game by establishing a solid centre of expertise in this field. This for instance requires a deep understanding of inter-domain networking across various architectures, connections to existing testbeds (e.g. SCION’s or NDN’s) and running code to evaluate new networking concepts and applications. Collaboration with the operational and academic communities in the Netherlands and Europe will be crucial.

Understand the evolution of the internet: how to longitudinally measure, map and visualise various aspects of how the internet and its architecture evolves, for instance in terms of concentrations of power, the uptake of new protocols such as QUIC and DNS-over-HTTPS and best practices like BCP38, the adoption of Let’s Encrypt and the use of anti-DDoS services. This work requires advanced data analytics and measurement methodologies, for instance based on our own tools, OpenINTEL and community tools such as RIPE ATLAS

Way of working: as before

While we have updated our research agenda, our way of working remains unchanged. That is, we’ll continue to make our results available and useful for the wider internet community (e.g. DNS operators and universities) and apply them to the specific operational challenges facing SIDN. For example, we’ll continue to advance our SPIN open-source software and work with SIDN’s product development team to get SPIN deployed on modem/router equipment. We’ll be following the same approach for Connectis once we have our third research area in place.

In terms of technology development, we will continue to hover in the middle of the nine-point Technology Readiness Level (TRL) scale, which is roughly between levels 3 and 7. As before, we’ll collaborate intensively with the research community (e.g. University of Twente, NLnet Labs, SURFnet, University of Amsterdam, Delft University of Technology and the University of Southern California) on basic research (TRLs 1-3), and with operational teams at SIDN and elsewhere on projects requiring production-level expertise (TRLs 7-9).  

Goals for 2019

In 2019, our goals for the core internet systems area include advancing our Internet Draft for DNS operators, prototyping and evaluating new algorithms that use various datasets to detect malicious use of domain names (e.g. for fake web shops or DDoS-for-hire sites) as well as anomaly detection algorithms for IoT devices. In the field of internet evolution, we’ll concentrate on demonstrating and evaluating applications of emerging inter-domain networking systems and fleshing out our vision for this new area. Finally, we’ll be starting our work on inter-domain trust infrastructures, for instance by funding a researcher at a university. 

Let us know what you think!

We’re keen to get feedback on our new research agenda, so drop us an email if you have any suggestions. 


This blog is based on input and feedback from the whole SIDN Labs team. Thanks to Dr Roland van Rijswijk-Deij (University of Twente) for reviewing the draft version.


  • Wednesday 4 September 2019


    Knowing about online brand use is vital for large organisations


    Cybercrime corrosive for online brand reputation

    Read more
  • Friday 13 December 2019


    Warning: fake invoices from DNS Registraties NL


    Don't pay these invoices!

    Read more
  • Monday 23 July 2018


    Finding tomorrow's cyber-specialists


    Cyberwerkplaats uses innovative approach to bring talented youngsters and employers together

    Read more


Your browser is too old to optimally experience this website. Upgrade your browser to improve your experience.