Our 2020 research contributions to a more trusted and resilient internet infrastructure
Looking back on the year that Covid redefined the relevance of the internet
Authors: SIDN Labs team 2020 is a year that we won’t forget soon. Covid-19 affected millions of people’s lives around the globe and resulted in the Netherlands ending up in a lockdown twice. Fortunately, the internet enabled many of us to continue a significant part of our day-to-day life online, which further demonstrated the huge importance of the internet as a foundational infrastructure of our digital society. So, while we look back on 2020 as a year of hardship for many, we’re also proud that we have been able to contribute to a trustworthy and resilient internet infrastructure for the Netherlands, Europe and the world through our research at SIDN Labs, and we will devote all our energy to doing the same next year.
Our eight key achievements in 2020
In this blog, we’ll give you a rundown of our eight key achievements in 2020 and discuss our plans for 2021. Feel free to click through to them using these links:
Expanded the set of measurement-based tools for DNS operators
Gained new insights into the centralisation of the internet infrastructure
Developed algorithms and visualisations to fight malicious .nl sites
Developed prototypes for SCION-based future internet infrastructures
We provide links to our papers, software, testbeds and data if you’re interested in more details. Of course, you can also contact us for questions and feedback.
Expanded the set of measurement-based tools for DNS operators
We worked with SIDN’s DNS operations team to develop Anycast2020, a worldwide testbed of twenty virtualised anycasted name servers that we can flexibly switch on and off to handle dynamically changing traffic loads. The nodes run in the cloud, hosted by operators such as Packet and Vultr that let us announce our own IP address space via BGP. We made TimeNL available through Anycast2020 and as a result the testbed has been serving around 35,000 NTP clients per second worldwide as of December (NTP server here). We developed a new method and tool ('Anteater') that measures the round-trip latencies of DNS queries, which are typically very hard for a DNS operator to determine because most clients send their DNS queries over UDP. The tool relies on passive TCP data and it enabled us to spot that Google, one of our largest clients, experienced high latencies (around 90 msec round-trip) to reach the .nl authoritative servers. We worked with our colleagues at SIDN operations and operators at Google to reduce it to around 25 msec by manipulating BGP routes. Other operators can implement our tool as well using ENTRADA, our open-source platform for storing and analysing large amounts of DNS traffic. In the BGP space, we developed the BGP Tuner tool, which allows operations teams to manage their anycasted DNS infrastructures based on catchment measurements. The tool also allows operations teams to manage their name servers more easily as a single unit, for instance, because it enables them to easily roll out path prepend policies across anycast sites to dynamically balance DNS traffic loads. We evaluated BGP Tuner together with the University of Twente, NLnet Labs and the Federal University of Rio Grande do Sul (Brazil) and published a peer-reviewed paper about the work. In 2021, we’ll be using these tools to further improve the DNS anycast service for .nl. For example, we’ll be working with our operations colleagues to build a layer of virtual name servers that we can dynamically grow and shrink in addition to our more static 'bare metal' name server infrastructure. In combination with our tools, this will bring us another step closer to realising our vision of the registry of the future.
Gained new insights into the centralisation of the internet infrastructure
We carried out several focused measurement studies to empirically investigate how the internet infrastructure is evolving. For example, we investigated to what extent it is centralising by analysing a total of 55.7 billion DNS queries from .nl, .nz and B-Root, covering snapshots from 2018 through 2020. We found that around 30% of DNS traffic on .nl (and .nz) is from hypergiants such as Google and Facebook, which we believe constitutes a significant level of concentration (interactive graph here). We published a peer-reviewed research paper on this work together with InternetNZ, USC/ISI and the University of Twente. We also looked at centralisation from other angles. For example, we measured the concentration of router vendors at IXPs and certificate authorities used in .nl (interactive graph here) and found indications that concentration is taking place in these parts of the internet as well. Similarly, we measured the adoption of DNS-over-HTTPS (DoH), a security protocol for the DNS but also one of the potential drivers for DNS centralisation. We set up an experimental DoH service to better understand the technology, and to provide users with access to a shared DoH server operated in the Netherlands. At the level of internet routing, we discovered that 40% of all .nl domain names are protected by RPKI (interactive graphs here and here), which leaves room for improvement, for us at SIDN as well. RPKI is important because it helps to prevent IP address space hijacks, which can lead to network outages, for instance in the DNS. At the start of the Covid pandemic, we measured its effects on .nl and wrote a paper with Delft University of Technology on assessing the efficiency of voluntary blacklists in fighting Corona-related malicious sites (under review). Next year, we will pay particular attention to making more of the results of our measurement studies available on stats.sidnlabs.nl through interactive and attractive visualisations (experimental example here).
Contributed to making DNSSEC quantum-safe
DNSSEC is a key security protocol for a trusted and resilient internet, both for traditional applications like e-mail and web browsing, and for (future safety-critical) Internet of Things applications. As for looking to the future, we evaluated DNSSEC signing algorithms that will remain secure in the age of quantum computers. These computers are much more powerful than today’s and could break all cryptographic algorithms currently used in DNSSEC. We found that RainbowIa and RedGeMSS128 are likely the most suitable 'quantum safe' algorithms for DNSSEC. It’s important to plan the transition to quantum-safe algorithms already, because it can take years to deploy a newly standardised algorithm. For example, we found that it took around five years for the ECDSAP256 algorithm to go from RFC to 100K domain names being signed with ECDSAP256 in the wild. Planning ahead is also important because quantum-safe algorithms will likely require changes to the DNSSEC protocol, for instance to handle the larger public keys used by the new algorithms. We published our work in the form of two peer-reviewed papers at top-tier venues (ACM Internet Measurement Conference and ACM SIGCOMM Computer Communication Review). In 2021, we’ll be experimenting with quantum-safe DNSSEC algorithms on a realistic testbed in our lab and studying their impact on the DNSSEC protocol in more detail.
Matured the DDoS Clearing House
DDoS attacks continue to plague the internet. For instance, in September, we saw attacks on several Dutch ISPs. Interestingly, this time the attacks led to parliamentary questions, which shows an increased societal awareness and underscores the relevance of the problem. In 2020, we matured the prototype of the DDoS Clearing House, a shared system that enables organisations to collaboratively fight DDoS attacks by sharing measurements of DDoS attacks in real time (e.g. protocol types, packet sizes and source IP addresses). Our implementation is based on the concept of a DDoS Clearing House-in-a-box, which allows organisations to easily deploy the system in their networks as a single virtual machine. We worked with our colleagues in the Dutch Anti-DDoS Coalition to improve the generation of so-called 'DDoS fingerprints', in particular with NBIP and SURF. We also worked with our European partners in CONCORDIA to visualise fingerprints, enrich them and make them available for a future European cross-sector threat intelligence platform. Next year, we will be carrying out a pilot with the Clearing House to actually share fingerprints and will further mature the prototype, for instance to create fingerprints for additional types of DDoS attack.
Developed algorithms and visualisations to fight malicious .nl sites
At the content level, we further improved our fake web shop detector FaDe by adding monitoring tools that help assess whether our detection models are still accurate. FaDe helped us take down around 4,500 fake shops in 2019 and SIDN’s support team therefore added it to the set of tools they use on a daily basis. Based on that experience, we developed a new user interface that makes it easier for SIDN’s support team to process notifications at scale. We published our work in a peer-reviewed paper to enable the research community to benefit from our experiences as well. We also carried out a pilot with Currence, in which we extended FaDe to detect the usage of iDEAL logos on suspicious e-commerce websites. That allows us to disrupt scammers through their 'sales' channel (i.e. the domain name) as well as through Currence’s payment platform. Our results show that the algorithm we developed for that purpose correctly detects the logo 88% of the time. During the pilot, we shared suspicious domains with an iDEAL logo with Currence for further analysis, which led to several sites being closed down. We also provided input for articles on fake web shops in the mainstream media, such as the Financieel Dagblad. The other tool we developed this year is DEX (Domain name Ecosystem eXplorer), which provides intuitive visualisations of domain name attributes for our anti-abuse experts based on multiple datasets, such as DNS query data and web crawling data. DEX enables our colleagues to interactively explore domain names related to a known malicious site, such as sites that have the same TLS certificate as the malicious site. As a result, anti-abuse experts are better equipped for their job and can ultimately better protect .nl users from such sites. In 2021, we’ll continue to improve our anti-abuse tools, such as our logo detector. We’ll investigate how we can make them useful for registrars and other users to deploy on their systems and we’ll expand stats.sidnlabs.nl with abuse-related data, such as the numbers of compromised sites we detected over time.
Created an initial version of our open IoT data platform
In 2020, we refocused our work on IoT security. Our new objective is to develop an open IoT data platform that the research community can sustainably use for research on IoT security and that uses SPIN-enabled routers, IoT honeypots and other IoT traffic measurements as inputs. We validated our new approach through a workshop with researchers from the University of Twente and Delft University of Technology. To develop the platform, we enabled (SPIN) users to easily upload anonymised traffic traces and visually analyse them. In addition, we changed the role of SPIN to that of an IoT network sensor (although it can still act as an intelligent IoT firewall). Specifically, we extended SPIN so that users can manually upload PCAP recordings of their network traffic into the platform and we made it easier to deploy SPIN by adding the PCAP Reader, a component that can capture PCAP files on different types of device (e.g. servers). We set up and experimented with two IoT honeypots, for instance to analyse Mirai traffic and tunnelling attacks. We also ran initial experiments with machine learning algorithms that use the IoT platform to classify IoT device types based on their network traffic. We wrote a tech report (draft here) with experts at RIPE to help ISPs select technologies they can use on home routers to protect IoT devices. We contributed to SSAC’s vision on the interplay of the DNS and the IoT and taught the MSc course Security Services for the IoT at the University of Twente.
Next year, we will evaluate the platform with the research community and experiment with new device classification algorithms and more advanced visualisations. We will also start new work, for instance on validating the trustworthiness of future IoT deployments (devices, connections, services) in INTERSCT.
Developed prototypes for SCION-based future internet infrastructures
We developed a demonstrator that shows how people would work from home using SCION, one of the future internet infrastructures we are experimenting with as part of the 2STiC programme. The demo shows how SCION data paths change when a network failure occurs, and how clients can pick the path that their data should follow through the networks. It uses a video conferencing session as an example application and builds on SCIONLab, a global test network based on the SCION internet architecture that we have connected to through a 'BGP-free' link since April. We’ll be making a video of our demo with more details available early next year. In the field of programmable networks, we further advanced our P4 implementation of the SCION data plane protocol and expect to move it from the P4 simulator to the actual hardware switches in the 2STiC testbed early next year (we’ll blog about it). We also wrote a technical introduction to SCION and are running a joint project with ETH Zürich on bridging the gap between the current internet and SCION using authorisations in the RPKI. We used our experience on future trusted internet infrastructures to teach the MSc course Advanced Networking at the University of Twente. In 2021, we plan to carry out a pilot to better understand how SCION works in an operational setting. Also, we’ll be investigating other types of network architecture to enable 2STiC to grow into a centre of expertise on trusted and resilient internet infrastructures for strategic autonomy.
Coined the concept of a responsible internet
Finally, we coined and fleshed out of the concept of a responsible internet together with several universities and research labs. A responsible internet helps to increase the digital sovereignty of societies at the level of interconnected networks, which is a topic that hasn’t been explored before. We detailed our thinking in a paper and submitted a proposal in response to the NWA Cybersecurity Call to request funding to further investigate the concept. The work will complement work in UPIN, which was awarded funding by the Dutch Research Council (NWO) this year. Next year, we will organise a special issue of the Journal of Network and Systems Management on the responsible internet as well as a broader workshop at the Lorentz Center on future internet infrastructures.
Team
João Ceron joined the SIDN Labs team from the University of Twente and two MSc students successfully completed their research projects at SIDN Labs this year: Joost Prins and Robin de Heer.
