We work with highly regarded partners.

We typically work in collaboration with universities and other research labs, but sometimes we also run projects on our own. This page provides an overview of the projects we’re currently involved in. Our past projects are here.


Name Mitigating IOT-Based DDoS Attacks via DNS

The goal of the MINIONS-NL project is threefold: first, it is to provide empirical insight into the landscape of insecure IoT devices and the causal drivers behind concentrations of compromised devices; second, it is to design DNS-based techniques to detect compromised IoT devices; and third, to prevent the growing misuse of IoT botnets by identifying compromised devices and their command and control infrastructures, and engaging in real-world IoT device clean-up efforts.

MINIONS-NL makes use of an IoT honeypot infrastructure operated by TU Delft and YNU in Japan. It has been more or less operational for around two years and data collection is ongoing. The honeypot data can also be used by SIDN for other purposes, such as passive and DNS measurements. We expect that the honeypot will remain operational beyond the project period. Within that set-up, data will be collected and shared on an ongoing basis.

MINIONS-NL is closely associated with the DAGOBERT project at the Open University, which focuses on botnet detection in DNS traffic (the second goal of MINIONS-NL).

Duration June 2018 till May 2020
Partners Delft University of Technology
Funded by SIDN
Lead researcher Dr Arman Noroozian (Delft University of Technology)
SIDN Labs contact Elmer Lastdrager



Name Design, application and governance of a botnet detection and profiling system
Abstract The DAGOBERT project aims to improve internet security. It addresses the fight against botnets, which are networks of computers infected with malicious software that subsequently can be controlled remotely by cybercriminals to perform malicious activities. Cybercrime due to botnets constitutes a major threat with serious economic and societal impact. We intend to derive profiles of both known and unknown botnets and subsequently apply the profiles in a botnet detection system. We are researching, developing and evaluating automated systems for real-time, large-scale, accurate botnet profiling and detection, as well as the governance of system deployment by intranet structure providers.
Duration October 2017 till October 2019
Partners Open University, Quarantainenet
Funded by Open University, SIDN
Lead researcher Dr. Harald Vranken (Open University)
SIDN Labs contact Elmer Lastdrager
Website -


The Root Canary Project

Name The Root Canary Project

The “Root Canary” is a system for monitoring and measuring an entire root key rollover event from the perspective of validating DNS resolvers. The Root Canary project has three goals. First, to provide an internet-wide perspective on the impact of the root KSK rollover. Second, to generate timely warnings when observed DNS resolvers experience problems. Finally, to collect high-quality longitudinal measurements, with a view to analysing the impact of the root KSK rollover over the entire duration of the process.

The system currently combines three active measurement platforms to achieve the broadest possible coverage of validating resolvers. Results of the root key rollover of October 2018 were presented in near real-time, to allow the global DNS community to act if problems arose. We are currently using the recorded datasets for an in-depth analysis, from which the internet community can draw lessons for future key rollovers, either at the root or at lower layers in the DNS hierarchy.

Duration May 2017 till present (ongoing)
Partners SURFnet, NLnet Labs, University of Twente, Northeastern University, RIPE NCC, ICANN
Funded by Project partners
Lead researcher Dr Roland van Rijswijk-Deij (University of Twente)
SIDN Labs contact Moritz Müller
Website https://rootcanary.org/ 



Name Project Public-private Actions Against Botnets: Establishing the Legal Boundaries
Acronym BotLeg

Combatting botnets, which facilitate many forms of cyber-attack, is a key challenge in cybersecurity. The classic crime-fighting approach of prosecuting perpetrators and confiscating crime tools fails here: botnets cannot be simply 'confiscated', and law-enforcement's reactive focus on prosecuting offenders is ill-suited to dealing effectively with botnet threats. A wider set of anti-botnet strategies, including pro-active strategies and public-private cooperation, is needed to detect and dismantle botnets. Public-private anti-botnet operations, however, raise significant legal questions: can data about (possibly) infected computers be shared among private parties and public authorities? How far can private and public actors go in anti-botnet activities? And how legitimate are public-private partnerships in which private actors partly take up the intrinsically public task of crime-fighting?

This project aims to enhance legal certainty for stakeholders and the legitimacy of public-private anti-botnet operations in two key sectors involved in botnet-fighting (telecommunications/internet and higher education), and thus to promote lawful and legitimate anti-botnet operations. The objectives are to investigate the legal limits of and opportunities for public-private anti-botnet operations, to raise awareness among stakeholders of the legal scope for anti-botnet operations, and to develop guidelines and sectoral codes of conduct that clarify and establish the boundaries of anti-botnet operations.

The overall research question is: under what conditions can efficacious public-private anti-botnet operations be lawfully and legitimately undertaken? The methodology combines legal analysis (Dutch and European law), comparative legal analysis (Germany, England) and social-scientific methods of stakeholder analysis. National and international collaboration is intended to foster wide dissemination of best practices in combating botnets.

Duration December 2014 till December 2018
Partners Tilburg University (TILT), SURFnet, Vereniging Abuse Information Exchange, SIDN, LeaseWeb, Politie Nederland (Team High Tech Crime)
Funded by SURFnet, Vereniging Abuse Information Exchange, SIDN, LeaseWeb, Politie Nederland (Team High Tech Crime)
Lead researcher Karine e Silva (TILT)
SIDN Labs contact Cristian Hesselman
Website https://research.tilburguniversity.edu/en/projects/public-private-actions-against-botnets-establishing-the-legal-bou 



Name Classification of COmpromised versus MAliciously Registered Domains
Acronym COMAR
Abstract The goal of COMAR is to develop a machine learning-based classifier that labels blacklisted domains as compromised or maliciously registered, then extensively evaluate its accuracy, and implement it in a production-level environment. We also plan to study the attackers’ profit-maximising behaviour and their business models. We shall apply our classifier to unlabelled domain names on URL blacklists, for example, to answer the following question: do attackers prefer to register malicious domains, compromise vulnerable websites, or misuse the domains of legitimate services such as cloud-based file-sharing services in their criminal activities?
Duration November 2018 till November 2022
Partners Grenoble Alps University, AFNIC Labs
Funded by SIDN, AFNIC
Lead researcher Dr Maciej Korczynski (Grenoble Alps University)
SIDN Labs contact Cristian Hesselman
Website www.comar-project.fr (available soon) www.comar-project.nl (available soon)


DDoS Clearing House for NL and Europe

Name DDoS Clearing House for NL and Europe
Acronym -

The goal of this project is to prototype and pilot a DDoS clearing house: a system that enables different (critical) infrastructure operators to automatically generate, share and use so-called “DDoS fingerprints” containing the unique characteristics of DDoS attacks. The clearing house provides an additional layer of security on top of traditional DDoS mitigation services such as scrubbing centres and allows infrastructure operators to collaboratively and proactively prepare for DDoS attacks that haven’t hit them yet but that might come their way. This is a departure from today’s DDoS mitigation strategies, which are reactive and uncoordinated.

The pilot roughly spans TRLs 5-7 and will evaluate the effectiveness of different mechanisms for:

  • Generating fingerprints, for instance using different types of network trace (packet-based, flow-based and log-based) captured at different sites (e.g. at DDoS targets or at IoT honeypots).
  • Sharing fingerprints, for instance across critical service providers, with the academic community (e.g. to develop new DDoS detection algorithms) or with CERTs/SCIRTs (e.g. to notify them of machines used in attacks). This includes sharing of derived information, such as fingerprint-based detection and mitigation rules.
  • Using fingerprints for mitigation, such as to generate rules for upstream traffic filtering, dynamically shifting DNS traffic across anycast sites during attacks and limiting outgoing traffic from compromised IoT devices in edge networks.
  • Using fingerprints for attribution: collecting fingerprints over time to assist in attributing attacks to specific actors for prosecution purposes.

We will set up and run the pilot first in the Netherlands and then in Italy. Part of the work involves developing a “cookbook” that enables groups of service providers to easily set up their own DDoS clearing houses and run them as self-supporting services, thus allowing the concept to scale up to a European level. The development of the cookbook will involve working with the critical infrastructure communities in the Netherlands and in Italy (e.g. through workshops) and investigating the viability of the DDoS clearing house from multiple perspectives, including financial, legal, governance and technical operations.

The work is part of an engineering-oriented project in the Netherlands (informally known as the “national anti-DDoS initiative”) as well as of a more research-oriented European project (H2020 CONCORDIA).

Duration January 2019 till January 2023
Partners SIDN, SURFnet, University of Twente Partners in the “national anti-DDoS initiative” (Netherlands) Partners in H2020 Concordia (Task 3.2)
Funded by Partners in the “national anti-DDoS initiative” (Netherlands)
Lead researcher TBD
SIDN Labs contact Cristian Hesselman
Website https://www.concordia-h2020.eu/ 



Name Security, stability, and transparency in inter-network communications
Acronym 2STiC

2STiC's goal is to develop and evaluate mechanisms for increasing the security, stability and transparency of internet communications, for instance by experimenting with and contributing to emerging internet architectures, such as SCION, RINA, and NDN, as well as the existing (IP-based) Internet. The 2STiC partners envisage that such new types of internet will complement and co-exist with the current Internet, serving specific types of application. Our long-term objective is to establish a centre of expertise in the field of trusted and resilient internets and help put the Dutch (and European) networking communities in a leading position in the field.

We have written a vision document describing the project in more detail, for instance in terms of goals, motivation, timeliness and research topics.

2STiC is a multi-year research programme following a hands-on approach with connections to existing testbeds (e.g., SCION’s or NDN’s), running code to evaluate new networking concepts and applications, experiments, and demos.

2STiC will actively seek collaborations with the operational and academic communities in the Netherlands and Europe.

Duration October 2018 till October 2020 (phase 1)
Partners AMS-IX, NLnet Labs, SIDN Labs, TU Delft, University of Amsterdam, University of Twente, SURFnet
Funded by Project partners
Lead researcher Victor Reijs (SIDN Labs)
SIDN Labs contact Victor Reijs
Website www.2stic.nl



Name Domain Name Ecosystem Mapper
Acronym DMAP

The project goal is to develop, prototype and evaluate DMAP, our crawler system that regularly measures the (security) characteristics of large sets of domain names (order of magnitude: millions) for purposes such as fake web shop detection and research.

DMAP uses the measurements obtained to dynamically model the ecosystem behind the domain names and creates, updates and deletes the underlying data structures. DMAP can be flexibly extended with classifiers (algorithms) that associate probabilistic attributes with a domain name. Examples include a classifier that calculates the probability that a domain name is being used for phishing, that it is a DDoS-for-hire site, that the site has been hacked, or that the domain name is being used as a DGA.

A classifier may derive an attribute from multiple heterogenous data sources, such as DNS traffic, abuse feeds, the RIPE address/AS database and RIPE ATLAS.

Duration July 2016 till present (ongoing)
Partners N/A
Funded by SIDN
Lead researcher Maarten Wullink (SIDN Labs)
SIDN Labs contact Maarten Wullink
Website https://dmap.sidnlabs.nl/ 



Name ENhanced Top-level domain Resilience through Advanced Data Analysis

The goal of ENTRADA is to increase the stability and security of the .nl internet zone and the global internet infrastructure by enabling new applications and automated services that scan our DNS traffic for anomalies and threats.

ENTRADA is an open-source platform designed to ingest and quickly analyse large amounts of DNS traffic, even on a small cluster of nodes. ENTRADA is able to deliver such performance because of two key features:

  • Employment of an optimised columnar file format (Apache Parquet, based on Google's Dremel)
  • Employment of a high-performance SQL query engine (Apache Impala)

Privacy is an important aspect when working with DNS data, which is why we developed a privacy framework that integrates legal, organisational and technical aspects of privacy management. The framework is incorporated by design into the ENTRADA platform.

The ENTRADA deployment at SIDN currently contains about four years of DNS traffic from our name servers, which equates to 1 trillion DNS queries and the responses to them. The ENTRADA applications that we are working on include algorithms for phishing detection and the identification of botnet traffic.

ENTRADA is an open-source project and a small community of ENTRADA users has developed. New applications based on ENTRADA can aid further enhancement of the stability and security of the internet as a whole.

Duration January 2014 till present (ongoing)
Partners N/A
Funded by SIDN
Lead researcher Maarten Wullink (SIDN Labs)
SIDN Labs contact Maarten Wullink
Website http://entrada.sidnlabs.nl/ 



Name Security & Privacy for In-home Networks
Acronym SPIN

The goal of the project Security & Privacy for In-home Networks (SPIN) is to research, prototype and evaluate methods and systems for protecting the internet and users against insecure IoT devices in small networks, such as home networks. We started the work in response to the 1.2 Tbps DDoS attack on DNS operator Dyn, which was powered by some 600,000 IoT bots and caused widespread outages of popular services such as Twitter and Spotify.

SPIN is our open-source platform for resource-constrained devices that analyses the traffic on a network and looks for anomalies that might signal that an IoT device has been compromised. An example is a Wi-Fi-enabled light bulb that for months has interacted with remote internet services only infrequently and at night, but suddenly starts sending and receiving large numbers of messages during the day. In such situations, SPIN automatically blocks traffic to and from that device to prevent it participating in a botnet (e.g. to launch DDoS attacks on a DNS operator like SIDN) or undermining the security, privacy or safety of end users. SPIN thus supports targeted device blocking, which is crucial for the IoT with even small networks potentially serving hundreds of (tiny) IoT devices that seamlessly interact with people’s physical environments. We designed SPIN to operate in a local network without having to share measurements with cloud services, which increases its privacy friendliness.

Duration January 2017 till present (ongoing)
Partners N/A
Funded by SIDN
Lead researcher Jelte Jansen (SIDN Labs)
SIDN Labs contact Jelte Jansen
Website https://spin.sidnlabs.nl 



Name Self-managing Anycast Networks for the DNS
Acronym SAND

The problem that SAND addresses is that DNS operators have very few intelligent real-time tools that enable them to monitor their anycast services, for instance during a DDoS attack. The goal of SAND is to develop, prototype and evaluate tools and recommendations for anycast system operators.

There is a high level of complexity in today's internet DNS infrastructure: authoritative servers are replicated using IP anycast, multiple NS records and load balancers. Resolvers, in turn, may also employ IP anycast and have different selection algorithms. Users’ experiences depend on the interrelationships amongst the various infrastructure components.

Operators, such as SIDN, strive to deliver low-latency DNS services. In recent years, research carried out at SAND has distinguished certain parts of the layers of complexity in the DNS infrastructure and evaluated them carefully, culminating in a series of recommendations for DNS operators on how to run their services.

The goal of SAND is to help DNS operators to make informed decisions concerning the operation of their networks, taking account of the various layers of complexity and the interactions between the various protocols underpinning the DNS. In addition, SAND is intended to assist operators by providing measurement and visualisation tools. 

Duration Phase 1: November 2014 till November 2016 Phase 2: April 2018 till April 2020
Partners University of Twente, NLnet Labs
Funded by SIDN, NLnet Labs
Lead researcher Dr João Ceron (University of Twente)
SIDN Labs contact Giovane Moura
Website http://www.sand-project.nl/ 



Name Plannning for Anycast as Anti-DDoS
Acronym PAADDoS

The PAADDoS project’s goal is to defend against large-scale Distributed Denial-of-Service (DDoS) attacks by making anycast-based capacity more effective than it is today. Anycast uses internet routing to associate users with the geographically close sites of replicated services. During a DDoS attack, anycast sites can provide capacity so that the attack can be absorbed, and they can be used to confine the attack to part of the network.

We will work toward our goal of improving anycast use during DDoS attacks by (1) developing tools to map anycast catchments and baseline loads, (2) developing methods for planning changes and predicting their effects on catchments, and (3) developing tools to estimate attack loads and assist anycast reconfiguration during an attack.

We expect those innovations to improve service resilience in the face of DDoS attacks. Our tools will improve anycast agility during an attack, allowing capacity to be used effectively.
Duration 2019 till 2023 (expected)
Partners University of Twente/University of Southern California (ISI)
Funded by NWO (NL) and DHS (US)
Lead researcher Aiko Pras (University of Twente), John Heidemann (USC/ISI)
SIDN Labs contact Giovane Moura
Website https://ant.isi.edu/paaddos/ 



Name Open INTernet Evolution Library
Acronym OpenINTEL
Abstract The goal of the OpenINTEL project is to set up and manage the OpenINTEL platform, which will track the evolution of the internet by means of active and continuous DNS measurements. We opted for a DNS-based approach because tracking the evolution of the global internet at the IP level is virtually impossible due to the vast amounts of traffic and huge number of network nodes involved. Current approaches to DNS metrics rely largely on passive measurement. While that yields good results in certain spaces (e.g. security forensics), it does not paint a reliable picture of the DNS over time, because the data gathering methodology means that researchers have no control over the data collection frequency or the selection of domains for data collection. OpenINTEL is a scaled-up version of the dnsjedi platform designed and implemented by the University of Twente and SURFnet. The OpenINTEL platform will be a high-performance analysis infrastructure for the DNS, based on the Hadoop tool chain and will enable the efficient storage, analysis and sharing of measured data.
Duration 1 August 2015 to present (ongoing)
Partners University of Twente, SURFnet, NLnet Labs
Funded by University of Twente, SIDN, SURFnet 
Lead researcher Dr Roland van Rijswijk-Deij (University of Twente, NLnet Labs)
SIDN Labs contact Cristian Hesselman
Website http://www.openintel.nl/

Security Intelligence for Top-level Domain Operators

Name Security Intelligence for Top-level Domain Operators
Acronym SITO

Like the domains within any TLD, .nl domains can be abused for various types of attack: phishing, malware distribution, spam campaigns, fraudulent on-line shops, etc. Also, .nl domains may fall victim to distributed denial-of-service attacks (DDoS) and other such malicious activities. Moreover, domains can be hijacked, e.g. by stealing the registrant's credentials. The goal of SITO is to detect a large variety of attacks and abuses that might involve .nl domains. To do so, SITO builds on the ENTRADA project, employing a data-driven approach to the detection of abuses and various types of attack, including the use of domains for phishing or spam campaigns. Ultimately, the goal is to provide early warnings with a view to protecting users, registrars, registrants and hosting providers from domains that have been compromised or are involved in abuse. SITO is a large project which is divided into several modules, each of them addressing a specific type of attack. The first module is nDEWS (new Domain Early Warning System) and focuses on distinguishing 'normal' new domains from 'suspicious' ones by employing machine learning algorithms, using as input the DNS data that ENTRADA provides. Other modules will be developed in due course and information about them posted here.

Duration 1 January 2015 till present
Partners N/A
Funded by SIDN 
Lead researcher Giovane Moura (SIDN Labs)
SIDN Labs contact Giovane Moura (SIDN Labs)
Website -

Sponsored projects

Support for NLnet Labs

SIDN is supporting NLnet Labs for a period of five years, covering half of its turnover. We are providing this support because NLnet Labs' DNS software represents an important Dutch contribution to the security and stability of the internet infrastructure. The flagship products of NLnet Labs are the authoritative name server software NSD and the UNBOUND resolver. UNBOUND users include major Dutch internet service providers, such as XS4ALL and T-Mobile. Within the IETF, NLnet Labs has also contributed to numerous internet standards in fields such as DNSSEC, thus helping to guide the ongoing development of the internet. The work of NLnet Labs is therefore important for numerous internet infrastructure stakeholders, including our .nl registrars.


1 January 2012 to 1 January 2017 (phase 1) 1 January 2017 to 1 January 2022 (phase 2)

Funded by SIDN
SIDN Labs contact Cristian Hesselman (SIDN Labs)
Website http://www.nlnetlabs.nl/

Our partners


Your browser is too old to optimally experience this website. Upgrade your browser to improve your experience.