November 2016 has been a great month for SIDN Labs. First, we presented our paper “Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event” at the renowned ACM Internet Measurements Conference (IMC2016), which took place in Santa Monica, California. IMC is the most reputable internet measurements conference, and brings industry and academia together with the focus on operations. We co-authored our paper with colleagues from the University of Southern California and the University of Twente.
As well as our presentation, the conference this time had a section devoted exclusively to DNS research – and two other papers in the same session were co-author by colleagues from TU Delft and the University of Twente, in projects co-sponsored by SIDN Labs. The first one, by Maciej Korczynski et al., analysed the case of zone poisoning on DNS authoritative servers. The second paper, by Mattijs Jonker et al., investigated the adoption of DDoS protection services by analysing DNS records in the context of the OpenIntel project. In addition, we presented our DNS big data platform – ENTRADA – at the work in progress session. Roland van Rijswijk-Deij presented our joint OpenIntel project in that same session.For us from SIDN Labs, it was a great conference – we reached an important milestone by presenting at the most important event that brings together both research and operational expertise, demonstrating the quality and relevance of our work. Our paper on Anycast vs DDoS is directly relevant to how we manage our anycast infrastructure, as are our colleagues’ papers. It is the first publicly available study that shows how a large anycast infrastructure behaves during a DDoS attack. Based on our observations, we present a series of strategies that can be used to help mitigate the DDoS attack, either by letting some anycast sites act as absorbers and isolating the traffic, or by manipulating BGP announcements so as to shift traffic to sites that can handle the attack. We have also shown evidence of collateral damage: some of our .nl anycast servers observed no incoming traffic during the Root DNS event, due to being located close to targeted root servers. In the face of rising DDoS attacks, engineers can use our study as an additional approach to filtering to mitigate attacks.Many other interesting papers were presented at the conference, and I recommend taking a look at the conference programme and the papers, which are all open access. Just to mention a few, a paper by Springhall et al presented the risk associated with TLS crytpo shortcuts, which can make many Alexa Top1M sites vulnerable, even if they use TLS. Onaolapo et al presented an ingenious measurement in which they leaked Gmail credentials and used them as honeypots. That enabled the researchers to observe the nature of the malicious uses, such as spamming, registration on websites, etc, and to develop preventive responses. And van der Sloot et al. presented a paper comparing the various efforts to obtain a complete view of the certificate ecosystem.Right after IMC, our co-author John Heidemann from the Information System Institute, University of Southern California, hosted the DNS and Internet Naming Research Directions 2016 (DINR) workshop. The goal of the workshop was to present ongoing DNS research and identify possible research directions. We presented two abstracts there: the first one, named “Blind Name and the DNS”, provided an overview of the current challenges in detecting domain-related abuse, and how the current literature suffers from incomplete datasets. TLD operators such as SIDN have a natural advantage, since they have a centralised view of their zones – including registration, queries, and records. The goal is to use these datasets better to improve the security of our .nl zone. The second abstract we presented was entitled “Optimizing Authoritative Severs Deployment on TLDs”, and focused on determining the optimal number of authoritative name servers for a TLD, taking into account performance (lower RTT), stability, cost and resilience. I suggest that you take a look at the programme and abstracts, which are openly available. As a side note, the DINR workshop was held in the very building and on the very floor where the DNS was created: they named an office named after Jon Postel, in memory of one of the fathers of the DNS, who was also IETF RFC editor from 1969 to 1988.Together, the two abstracts summarise some of the ideas we are currently working on. Both will help us to improve the security and stability of the .nl zone.Last but not least, the venue for IMC and DINR could not have been better: sunny Santa Monica, where the temperatures were up to 26 degrees. The next IMC will be held in London.
