Into the DDoS maelstrom: using DNS data to triangulate attacks filtered by NBIP’s NaWas service
Understand the attack mechanisms, with a view to improving detection systems.
SIDN Labs has teamed up with NBIP, operator of the NaWas DDoS scrubbing service, to analyse metadata on filtered DDoS attacks and correlate it with DNS data, with the aim of shedding more light on how DDoS attacks are carried out in the wild. Along with this blog, we're releasing a technical report detailing the main findings of the research.
NBIP, the not-for-profit Internet Service Provider Management Association of the Netherlands, has been running a DDoS scrubber service (NaWas) for its members since 2014. The 151 current members are therefore able to request DDoS filtering services when under attack. The scrubber service uses DDoS filtering hardware to mitigate the attacks.
To understand how attackers operate, we teamed up with NBIP to analyse attacks filtered by their scrubber service. We analysed 22 months of DDoS metadata and correlated it with DNS information we have available at SIDN. The aim was to boost understanding of attack mechanisms, with a view to improving detection systems.
In the 22-month study period (July 2017-May 2019), NaWas filtered 1826 attacks. The attacks targeted only IPv4 addresses (576 unique addresses), within 65 Autonomous Systems. On average, attacks lasted roughly 1 hour and were not particularly big: the average attack was 3.9 Gbps, and the maximum observed was 79 Gbps. Figure 1 shows the attack timeseries (each cross represents the start of a single attack) and the attack peaks in Gbps.
Figure 1. Attacks and peaks.
NaWas filters attacks at the IP level, so each attack is recorded against an IP address rather than a domain name. To see which domain names sat behind the 576 attacked addresses, we looked up the domain names that resolved to each address on the attack date, grouped them by top-level domain, and counted the names within each TLD.
The table below shows the number of second-level domains hosted at the attacked IP addresses in each TLD on the attack dates. The data is derived from OpenINTEL, a research project we are involved in that crawls various DNS zones on a daily basis. From the OpenINTEL data we extracted every domain name that resolved to an attacked IP address on the day of the attack.
As can be seen, .nl hosts the largest number of domains at attacked IP addresses – which is only to be expected, given that most NaWas members are from the Netherlands.
DNS zone | Second-level domains | IPs |
---|---|---|
.nl | 242,355 | 226 |
.com | 72,180 | 178 |
.net | 5,220 | 100 |
.org | 5,314 | 94 |
Others | 6,541 | 98 |
Total | 331,610 | 576 |
Table 1. Collateral damage to second-level domains hosted at IPs under attack. ‘Others’ combines .at, .ca, .dk, .fi, .ru, .se and .us. The IPs column does not add up to 576 because an address hosting names in several TLDs is counted in each of those rows.
In total, some 330,000 domain names were indirectly affected by the DDoS attacks, insofar as the IP addresses they resolved to were targeted. The number of affected domain names is therefore far larger than the number of attacked IP addresses (576). The explanation for that disparity is shared hosting: many domains suffered simply because they shared parts of their infrastructure with the domains that were actually targeted.
So, 242,000 .nl domains were potentially under DDoS attack. Is it possible to distinguish the ones that were actually targeted from those that suffered collaterally?
With a view to answering that question, we looked at DNS queries arriving at the authoritative .nl servers. As the .nl operator, we run the authoritative servers that answer queries about .nl domain names. We collect the queries for research purposes on ENTRADA, our open-source DNS analysis platform.
The figure below shows all the .nl domains hosted at attacked IP addresses, i.e. the 242,355 names from the previous table. For each domain, the number of queries on the attack day is plotted on the Y axis and the average daily number of queries in the week before the attack on the X axis. The hypothesis is that some DDoS attacks are accompanied by a large increase in the number of DNS queries for the targeted domain. For instance, a major botnet attack on example.nl would involve numerous machines around the world looking up that name. Because resolvers cache answers, the authoritative .nl servers see only the cache misses, but with many bots behind many different resolvers that still produces a sharp rise in the number of incoming queries for example.nl.
Figure 2. Number of queries on the attack day (y axis) against the average daily number of queries in the week before the attack (x axis), for each .nl domain hosted at an attacked IP.
As the figure shows, only a few domains actually match our filtering criteria: at least 500 queries on the attack day, and at least a 5x increase in the number of queries on the attack day relative to the average of the preceding week. Out of the 220k domain names, 74 matched both criteria – which suggests that DNS data can be used to detect some DDoS attacks.
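To make the two steps above concrete, here is an added example (not SIDN Labs' or NBIP's code) that joins the three kinds of data the post describes: attacked IPs with their attack dates, daily domain-to-IP resolution snapshots of the kind OpenINTEL provides, and daily per-domain query counts at the authoritative servers. It lists the domains collaterally hosted on each attacked IP, counts them per TLD as in Table 1, and applies the post's two thresholds (at least 500 queries on the attack day and at least 5x the average of the preceding week) to flag the likely true target among the co-hosted names. All records below are constructed; day indexes stand in for dates, and the zero-baseline case (a domain with no queries in the prior week) is handled explicitly.

```python
"""Added example: collateral-domain mapping and the 500-query / 5x filter.
Not code from SIDN Labs or NBIP; all data is constructed for illustration."""
from collections import defaultdict
from statistics import mean

MIN_QUERIES = 500   # absolute floor on attack-day queries (from the post)
MIN_RATIO = 5.0     # attack-day count / prior-week daily average (from the post)


def domains_on_ip(a_records, ip, day):
    """Domains that resolved to `ip` on `day`, from a daily (domain, ip, day) snapshot."""
    return sorted(d for (d, rec_ip, rec_day) in a_records if rec_ip == ip and rec_day == day)


def tld(domain):
    return domain.rsplit(".", 1)[-1]


def collateral_by_tld(a_records, attacks):
    """Distinct second-level domains per TLD across all attacked (ip, day) pairs (cf. Table 1)."""
    seen = defaultdict(set)
    for ip, day in attacks:
        for d in domains_on_ip(a_records, ip, day):
            seen[tld(d)].add(d)
    return {t: len(ds) for t, ds in seen.items()}


def baseline(queries, domain, day):
    """Average daily query count over the 7 days before `day`; missing days count as 0."""
    return mean(queries.get((domain, day - k), 0) for k in range(1, 8))


def flag_targets(a_records, queries, attacks):
    """For each attack, return the co-hosted domains that meet both thresholds as
    (domain, attack_day_queries, ratio). Co-hosted domains that do not meet them
    are treated as collateral victims."""
    flagged = {}
    for ip, day in attacks:
        hits = []
        for d in domains_on_ip(a_records, ip, day):
            today = queries.get((d, day), 0)
            base = baseline(queries, d, day)
            # A domain with no prior queries but traffic today is an infinite increase.
            ratio = today / base if base > 0 else (float("inf") if today else 0.0)
            if today >= MIN_QUERIES and ratio >= MIN_RATIO:
                hits.append((d, today, round(ratio, 1)))
        flagged[(ip, day)] = hits
    return flagged


# ---- constructed sample data (fictional IPs, names and counts) ----
SAMPLE_ATTACKS = [("192.0.2.10", 100), ("192.0.2.20", 120)]  # (attacked IP, day index)
SAMPLE_A_RECORDS = [
    ("target.nl", "192.0.2.10", 100), ("shop.nl", "192.0.2.10", 100),
    ("blog.nl", "192.0.2.10", 100), ("site.com", "192.0.2.10", 100),
    ("solo.nl", "192.0.2.20", 120),   # dedicated hosting, single name on the IP
]
SAMPLE_QUERIES = {}
for _day in range(93, 100):  # the week before the first attack: steady traffic
    SAMPLE_QUERIES.update({("target.nl", _day): 150, ("shop.nl", _day): 300,
                           ("blog.nl", _day): 20, ("site.com", _day): 10})
SAMPLE_QUERIES.update({
    ("target.nl", 100): 1400,  # 9.3x and above the floor: flagged
    ("shop.nl", 100): 900,     # above the floor but only 3x: collateral
    ("blog.nl", 100): 400,     # 20x but below the 500 floor: collateral
    ("site.com", 100): 10,     # unchanged: collateral
    ("solo.nl", 120): 600,     # no prior-week traffic at all: infinite ratio
})

if __name__ == "__main__":
    print(collateral_by_tld(SAMPLE_A_RECORDS, SAMPLE_ATTACKS))
    for attack, hits in flag_targets(SAMPLE_A_RECORDS, SAMPLE_QUERIES, SAMPLE_ATTACKS).items():
        print(attack, "->", hits or "no domain met both thresholds")
```

The two thresholds are deliberately independent: the absolute floor keeps tiny domains (20 queries a day becoming 400) out of the result, and the ratio keeps busy domains that merely grew a little out of it, which is why shop.nl and blog.nl in the sample end up as collateral rather than targets.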
We begin by analysing an attack on an IP address that had only one .nl domain name linked to it on the attack day (dedicated hosting). We plot a timeseries of the number of queries per hour for that domain. Before the attack, the domain received fewer than 200 queries per hour; that figure grows to almost 1,400 per hour when the attack starts. The pink area shows when NaWas was deployed to filter the traffic, after which the attack ends.
Figure 3. Timeseries of incoming queries for a .nl domain with dedicated hosting. The pink area represents the period when the scrubbing service was active; the grey area represents the period when the attack was apparent on the DNS.
In some cases, DNS data also enables us to tell which of a group of domain names hosted at a single IP address was the actual target. The figure below shows 6 .nl domain names that were hosted at an attacked IP. Only the domain name on the far right shows a very large increase in the number of queries on the attack day (note the log scale on the axis). The other 5 domain names show no comparable increase, so we conclude that they suffered collateral damage: being hosted at the same IP address means sharing parts of their infrastructure with the true target, and therefore being hit by an attack on the shared elements.
Figure 4. Number of queries for 6 .nl domain names with shared hosting, revealing the true target of an attack.
Other attacks, however, seem to be more sophisticated. We observed attacks in which a series of domains at the same IP address were targeted from the same attacking IP addresses, which our data suggests was done to avoid detection. That is illustrated in the figure below, where each line shows the number of queries per domain name at a single attacked IP address. Note that the same resolvers send queries for each of the domains at around the same time, suggesting some sort of coordination.
Figure 5. Timeseries of queries to 8 targeted .nl domains hosted at one attacked IP.
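The coordination signal described above (the same resolvers asking for several co-hosted names within a short interval) is something a detection system can test for directly. The following added example, not SIDN Labs' code, groups authoritative query records into fixed time bins and, within each bin, counts resolvers that queried at least a minimum number of the domains hosted on one attacked IP; a bin with enough such resolvers is reported as coordinated. It also produces the per-domain, per-bin counts that a plot like Figure 5 is drawn from. The 5-minute bin size and the two thresholds are assumptions for the example, and the query records, resolver addresses and domain names are constructed.

```python
"""Added example: spotting resolvers that query several co-hosted domains in the
same time window. Not SIDN Labs' code; bin size, thresholds and data are assumed."""
from collections import defaultdict

BIN_SECONDS = 300    # assumption: 5-minute bins
MIN_DOMAINS = 3      # a resolver touching this many co-hosted names in one bin is suspicious
MIN_RESOLVERS = 5    # this many suspicious resolvers in one bin makes the bin "coordinated"


def _bin(ts):
    return ts - ts % BIN_SECONDS


def queries_per_bin(records, cohosted):
    """Per-domain query counts per bin, i.e. the lines of a Figure 5-style plot.
    records: iterable of (unix_ts, resolver_ip, qname); cohosted: names on the attacked IP."""
    counts = defaultdict(int)
    for ts, _resolver, qname in records:
        if qname in cohosted:
            counts[(_bin(ts), qname)] += 1
    return dict(counts)


def coordinated_bins(records, cohosted):
    """Return {bin_start: (suspicious_resolver_count, frozenset(domains they queried))}
    for every bin in which at least MIN_RESOLVERS resolvers each queried at least
    MIN_DOMAINS of the co-hosted names. Resolvers asking for a single name are ignored,
    which is what keeps ordinary traffic out of the result."""
    per_bin = defaultdict(lambda: defaultdict(set))   # bin -> resolver -> {qname}
    for ts, resolver, qname in records:
        if qname in cohosted:
            per_bin[_bin(ts)][resolver].add(qname)
    out = {}
    for b, by_resolver in sorted(per_bin.items()):
        suspicious = {r: qs for r, qs in by_resolver.items() if len(qs) >= MIN_DOMAINS}
        if len(suspicious) >= MIN_RESOLVERS:
            out[b] = (len(suspicious), frozenset().union(*suspicious.values()))
    return out


# ---- constructed sample data (fictional resolvers and names) ----
COHOSTED = {f"{c}.nl" for c in "abcdefgh"}            # 8 names on one attacked IP
_names = sorted(COHOSTED)
SAMPLE_RECORDS = []
for i in range(10):                                    # background: each resolver asks one name
    SAMPLE_RECORDS.append((i * 20, f"198.51.100.{i}", _names[i % len(_names)]))
for i in range(6):                                     # wave: 6 resolvers hit the same 4 names
    for name in ("a.nl", "b.nl", "c.nl", "d.nl"):      # within ~40 seconds of each other
        SAMPLE_RECORDS.append((3600 + i * 7, f"203.0.113.{i}", name))
SAMPLE_RECORDS.append((3650, "198.51.100.50", "h.nl"))  # a normal lookup during the wave

if __name__ == "__main__":
    for b, (n, names) in coordinated_bins(SAMPLE_RECORDS, COHOSTED).items():
        print(f"bin starting t={b}s: {n} resolvers each queried {len(names)} co-hosted names:",
              ", ".join(sorted(names)))
```

Only the bin that contains the wave is reported; the background bin has ten resolvers but none of them touches more than one name, and the single normal lookup during the wave is neither counted as suspicious nor added to the reported set of names.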
Cheap, easy, and relatively popular: that is how attackers view DDoSes. To fend off such attacks, an entire industry has emerged, and scrubbing services are among the most popular solutions. To shed light on the operations of scrubbers, we present the first longitudinal study of one non-commercial scrubbing service provider (NaWas) that has been operating for several years.
We show that most attacks do not last very long once scrubbing starts, probably because scrubbing makes an attack less effective and therefore frustrates the attacker's aims. The attacks we observe are not as big as the terabit attacks sometimes witnessed in the last few years. Nevertheless, even gigabit-scale DDoSes are likely to overwhelm web servers and disturb some inter-domain links.
We triangulate the DDoS attack metadata with two other datasets, OpenINTEL's daily DNS zone crawls and the authoritative .nl query data in ENTRADA, allowing us to estimate the collateral damage caused by the attacks. For the analysed datasets, we show that the number of collateral victim domains grows quadratically with the number of attacked IP addresses, indicating the scale of collateral damage such attacks cause.
The results of this research will help us to design early warning systems for the detection of DDoS attacks on the basis of DNS data.