Our top eight insights from 2021

Looking back at a year of research


By Cristian Hesselman on behalf of the whole SIDN Labs team

The original blog is in Dutch. This is the English translation.

For this final blog of the year, we'd like to present the Dutch internet community with a review of the research we did in 2021. This year's review takes the form of eight key insights we obtained, together with details of how we arrived at them. In other words: what do we know now that we didn't know in January?

The eight insights

Our top eight insights from 2021 are listed below, in no particular order. We would, of course, love you to read about them all, but you can also jump to selected topics using the links.

  1. Clear guidelines on DNS loops can help prevent DDoS attacks

  2. Time services also appear to be increasingly centralised

  3. It's possible to do academic research and have operational impact

  4. Realistic simulations are a valuable stepping stone to production deployment

  5. Logo scanning can be used for large-scale malicious website detection

  6. DNS data can help prevent data breaches in 6.2 million domain names

  7. There is increasing traction for research into the internet of the future

  8. Sometimes it's best to transfer a project to the community

You can also read about our plans for 2022.

Insight #1: clear guidelines on DNS loops can help prevent DDoS attacks

One important insight obtained in 2021 was that clear RFC guidelines on how DNS resolvers should deal with 'DNS loops' can help prevent security incidents. We reached that conclusion by investigating 'tsuNAME': a vulnerability in some DNS resolvers, where two or more NS records that refer to each other (a cyclic dependency between delegations) can be exploited to mount a DDoS attack. A vulnerable DNS resolver keeps sending queries about either of the looping domain names, for every query it receives from clients, stubs and forwarders, until the loop is detected. That results in a huge volume of traffic to the upstream authoritative servers for each incoming query. Malicious actors can easily exploit the vulnerability to mount DDoS attacks on DNS operators such as SIDN: they create two DNS records that point to each other, and then send a large number of queries to a vulnerable resolver.

We discovered tsuNAME in December 2020, when a large volume of traffic from Google Public DNS was received on the .nl name servers. The registry for New Zealand's .nz ccTLD observed a 50 per cent spike in DNS queries attributable to the issue, while another European ccTLD saw traffic rise tenfold. Our research revealed that, around the world, 3,600 resolvers (8.9 per cent of the 41,400 or so we observed) across 2,652 autonomous systems were vulnerable.

With a view to preventing tsuNAME from causing problems in the future, we wrote an Internet-Draft and submitted it to the IETF's DNS Operations Working Group (dnsop). In the draft, we propose that resolvers should detect the loop and answer subsequent queries about looping domain names from their caches, instead of forwarding them to authoritative servers. Our proposal is intended to supplement the guidance on DNS loops given in RFCs 1034, 1035 and 1536. For details, see our recent blog.

In order to warn the community about tsuNAME, we initiated a responsible disclosure process (figure 1).
It was the first time we had coordinated and implemented one of these processes, and we discovered that, while some people welcomed our information (e.g. TLD operators affected by tsuNAME), others accused us of scaremongering.


Figure 1: tsuNAME responsible disclosure timeline.

The main thing for us was that, by going through the responsible disclosure process, we helped providers such as Cisco and Google, as well as DNS resolver software vendors, to fix the problem. By doing so, we helped make the internet slightly safer. We were also pleased that our measurements and analyses added to the understanding of DNS loops and their potential impact, which had previously been lacking.
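The looping delegation and the two resolver behaviours described above, as an added example (it is neither SIDN Labs' code nor text from the Internet-Draft). The zone data is constructed: example.nl is delegated to a name server under example.org and example.org to a name server under example.nl, so neither address can be found without first resolving the other zone, while good.nl has in-bailiwick glue. cyclic_delegations() is the check a registry or hosting operator can run over its own delegation data to find such cycles before somebody else does; Resolver simulates a resolver with and without loop detection and counts the queries that reach the parent (TLD) servers. The depth limit of 50 is this example's stand-in for whatever eventually stops a vulnerable resolver.

```python
"""Cyclic NS delegations (the pattern behind tsuNAME) and two resolver behaviours.

Added example, not SIDN Labs code. The delegation data below is constructed:
example.nl is served by a host under example.org and vice versa.
"""
from collections import Counter

DELEGATIONS = {                        # zone -> NS host names (constructed)
    "example.nl.": ["ns1.example.org."],
    "example.org.": ["ns1.example.nl."],
    "good.nl.": ["ns1.good.nl."],
}
GLUE = {"ns1.good.nl.": "192.0.2.1"}   # in-bailiwick glue (TEST-NET-1 address)


def parent(zone):
    """'example.nl.' -> 'nl.'; 'nl.' -> '' (the root)."""
    return zone.split(".", 1)[1]


def zone_of(name, delegations=DELEGATIONS):
    """Closest enclosing delegated zone of name, or None."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in delegations:
            return candidate
    return None


def cyclic_delegations(delegations=DELEGATIONS, glue=GLUE):
    """Operator-side check: zones that depend, directly or transitively, on
    themselves for the address of one of their (glueless) name servers."""
    def depends_on(zone):
        return {zone_of(ns, delegations) for ns in delegations[zone]
                if ns not in glue and zone_of(ns, delegations)}
    on_cycle = set()
    for start in delegations:
        stack, seen = [start], set()
        while stack:
            for dep in depends_on(stack.pop()):
                if dep == start:
                    on_cycle.add(start)
                elif dep not in seen:
                    seen.add(dep)
                    stack.append(dep)
    return on_cycle


class Resolver:
    """Toy iterative resolver. detect_loops=False mimics the vulnerable
    behaviour: it chases the delegation until a hard depth limit and never
    caches the failure, so every client query costs dozens of upstream queries.
    detect_loops=True stops at the first revisited zone and negative-caches
    the outcome, so later client queries are answered locally."""

    def __init__(self, detect_loops, max_depth=50):
        self.detect_loops = detect_loops
        self.max_depth = max_depth
        self.cache = {}              # zone or host -> address, or None (negative)
        self.upstream = Counter()    # parent zone -> queries sent to its servers

    def address_of(self, host, chain):
        if host in GLUE:
            return GLUE[host]
        if host in self.cache:
            return self.cache[host]
        zone = zone_of(host)
        if zone is None:
            return None
        if self.detect_loops and zone in chain:
            self.cache[host] = None          # loop detected: remember, don't re-ask
            return None
        if len(chain) >= self.max_depth:     # the naive resolver's only brake
            return None
        self.upstream[parent(zone)] += 1     # the NS set for zone comes from its parent
        for ns in DELEGATIONS[zone]:
            addr = self.address_of(ns, chain + (zone,))
            if addr:
                self.cache[host] = addr
                return addr
        if self.detect_loops:
            self.cache[host] = None
        return None

    def lookup(self, qname):
        """Client query: address of a usable name server for qname, or None (SERVFAIL)."""
        zone = zone_of(qname)
        if zone is None:
            return None
        if zone in self.cache:
            return self.cache[zone]
        self.upstream[parent(zone)] += 1
        result = None
        for ns in DELEGATIONS[zone]:
            result = self.address_of(ns, (zone,))
            if result:
                break
        if result or self.detect_loops:
            self.cache[zone] = result
        return result


def upstream_load(detect_loops, qname, client_queries):
    """Total queries sent to authoritative servers for a number of client queries."""
    resolver = Resolver(detect_loops)
    for _ in range(client_queries):
        resolver.lookup(qname)
    return sum(resolver.upstream.values())


if __name__ == "__main__":
    print("zones on a delegation cycle:", sorted(cyclic_delegations()))
    for loops in (False, True):
        print(f"detect_loops={loops}: {upstream_load(loops, 'www.example.nl.', 100)} "
              "upstream queries for 100 client queries")
```

Running the block shows the asymmetry the text describes: the naive resolver sends 50 queries to the nl and org servers for every single client query (5,000 for 100 queries), because nothing about the failure is cached; the loop-aware resolver sends two queries for the first client query and none afterwards. That recurring cost per client query, multiplied by an attacker's query flood, is what the TLD operators saw.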

Insight #2: time services also appear to be increasingly centralised

In 2021, we started a measurement programme looking at the NTP Pool, a global infrastructure of more than four thousand time servers. We were interested because very little research had previously been conducted into how the NTP Pool works and how dependent we are on it. Yet accurate time is essential for generating and verifying digital certificates, for time-limited login tokens such as those used with OAuth, and for various other applications, including DNSSEC signature validation. What we discovered is that, for some countries, there appears to be a trend towards the centralisation of time services. For example, we found twenty-three countries whose NTP Pool servers all belong to Cloudflare. We had previously demonstrated similar centralisation in other parts of the internet infrastructure, e.g. the DNS, IXP services and certification services.

Reliance on a single time provider is also a potential single point of failure, although how serious that is depends on how the provider (e.g. Cloudflare) organises its service. For example, a provider might use a single anycast IP address for all its NTP servers, so that the NTP Pool's availability and precision monitor in the US only sees faults affecting the NTP servers 'nearby' it, not those affecting the servers that other regions are routed to. We too use anycast for our TimeNL service (any.time.nl), which we added to the NTP Pool in 2021 (figure 2). Served by any.time.nl's twenty-eight globally distributed virtual time servers, TimeNL has seen usage grow to 100,000 NTP queries a second, roughly 10 per cent of them from the Netherlands. That's more than the number of DNS queries that SIDN handles for .nl, which emphasises the importance of time services.


Figure 2: Three of the nine TimeNL NTP servers in the NTP Pool. Any.time.nl is an anycast server with twenty-eight nodes.

Insight #3: it's possible to do academic research and have operational impact

In September, Labs team member Moritz Müller obtained a doctorate cum laude from the University of Twente for his thesis 'Making DNSSEC Future Proof'. For the last four years, Moritz has been investigating what insights and tools DNS operators require to confidently roll over DNSSEC keys and algorithms. The ability to perform the rollovers is a key precondition for the future security of the DNS once quantum computers make their entrance and the whole DNS has to switch to quantum-safe algorithms. Moritz's work yielded the insight that academic research can go hand-in-hand with operational impact on the DNS. That was illustrated by the interest shown in Moritz's work by both the academic world and the operational community. He published five related papers at leading international conferences, while the operators of .br (Brazil), .se (Sweden) and .dk (Denmark) all rolled over their DNSSEC keys and algorithms using the measurement tools he developed. That unique combination of academic and practical influence was enabled by the roles that SIDN Labs and SIDN play in the global DNS community. Moritz's research was carried out in collaboration with other SIDN Labs team members and partners such as the University of Twente, NLnet Labs and Virginia Tech.

Insight #4: realistic simulations are a valuable stepping stone to production deployment

Our work on the DDoS Clearing House gave us the key insight that a realistic simulation (TRL 6) is a valuable stepping stone towards a pilot (TRL 7) or production service (TRL 8/9). We previously had no experience of such simulations, having traditionally gone straight from a prototype to a pilot (e.g. LEMMINGS) or a production service (e.g. DMAP).

The DDoS Clearing House is a system that enables DDoS attack victims to automatically share attack 'fingerprints' with other potential victims. So, for example, a targeted bank might share the fingerprint of an attack with ISPs and relevant government agencies. Fingerprint sharing enables organisations to understand the properties of an attack and adapt their networks accordingly before they get hit. We developed the Clearing House as part of the CONCORDIA project, together with researchers from SURF, the University of Twente, the University of Zurich, FORTH, Telecom Italia and Siemens. It will be tested by the Dutch National Anti-DDoS Coalition (NL-ADC), the clearing house's ultimate user.

We developed the simulation in order to thoroughly test the DDoS Clearing House in a realistic environment, without the need for participants to enter into data processing agreements (covering the IP addresses in fingerprints, which count as personal data) or to connect their production networks to the clearing house. Avoiding those spin-off requirements of testing was important, because experience has taught us that they can delay the development of the DDoS Clearing House by months. Although vital for a production version of the system (TRL 8/9), they represent an undesirable brake on development and evaluation.

For our simulation, we developed a testbed with components distributed around the internet and across the participating organisations (currently SIDN, SURF and FORTH). The set-up allowed each participant to send simulated DDoS traffic from the internet to itself. The traffic was then fingerprinted by the clearing house and the fingerprint shared with the other testbed participants. The test traffic was generated by five separate, globally distributed virtual machines (VMs) running in the cloud. The VMs' IP addresses don't count as personal data, because they don't belong to natural persons. We developed the testbed as part of the CONCORDIA project, in collaboration with colleagues at SURF (figure 3).
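As an added example of the fingerprinting and sharing described above (not the Clearing House's own fingerprint format or code, which this page does not detail): fingerprint() reduces a set of constructed flow records to the dominant attack vector, to_bpf() turns that vector into a capture or drop filter a recipient can apply, and for_sharing() replaces the individual source addresses with aggregated prefixes and a count. The field names, the 80 per cent dominance threshold and the sample traffic (an NTP reflection flood from four reflectors plus some legitimate traffic, all on RFC 5737 documentation addresses) are this example's own choices.

```python
"""Derive a DDoS fingerprint from flow records, turn it into a filter another
network can act on, and strip it down for sharing.

Added example, not the DDoS Clearing House's code; the flows are constructed.
"""
import ipaddress
from collections import Counter


def flow(src_ip, proto, src_port, dst_port, pkt_len, ttl, packets):
    """One flow record towards the victim 192.0.2.80 (constructed)."""
    return dict(src_ip=src_ip, dst_ip="192.0.2.80", proto=proto, src_port=src_port,
                dst_port=dst_port, pkt_len=pkt_len, ttl=ttl, packets=packets)


FLOWS = [
    # NTP reflection flood: fixed source port 123, random destination ports
    flow("198.51.100.10", "udp", 123, 40311, 468, 52, 40000),
    flow("198.51.100.11", "udp", 123, 51020, 468, 57, 40000),
    flow("198.51.100.12", "udp", 123, 33477, 468, 54, 40000),
    flow("198.51.100.13", "udp", 123, 60199, 468, 55, 40000),
    # legitimate traffic that must not end up in the fingerprint
    flow("203.0.113.5", "tcp", 51515, 443, 1200, 60, 300),
    flow("203.0.113.6", "tcp", 40000, 443, 80, 61, 300),
    flow("203.0.113.7", "udp", 53, 33000, 120, 58, 100),
]


def weighted(flows, key):
    """Distribution of a field, weighted by packet count."""
    counts = Counter()
    for f in flows:
        counts[f[key]] += f["packets"]
    return counts


def fingerprint(flows, min_share=0.8):
    """Summarise the dominant attack vector in a set of flows."""
    total = sum(f["packets"] for f in flows)
    proto = weighted(flows, "proto").most_common(1)[0][0]
    vector = [f for f in flows if f["proto"] == proto]
    fp = {"dst_ip": weighted(vector, "dst_ip").most_common(1)[0][0], "protocol": proto}
    # A port joins the fingerprint only when one value carries most of the
    # vector's packets: a reflection flood has a fixed source port but random
    # destination ports, so only src_port is recorded for the sample above.
    for key in ("src_port", "dst_port"):
        value, pkts = weighted(vector, key).most_common(1)[0]
        if pkts / sum(f["packets"] for f in vector) >= min_share:
            fp[key] = value
            vector = [f for f in vector if f[key] == value]
    fp["share_of_traffic"] = round(sum(f["packets"] for f in vector) / total, 3)
    fp["packet_len"] = weighted(vector, "pkt_len").most_common(1)[0][0]
    fp["ttl_range"] = [min(f["ttl"] for f in vector), max(f["ttl"] for f in vector)]
    fp["sources"] = sorted({f["src_ip"] for f in vector})   # the personal data
    return fp


def to_bpf(fp):
    """Capture/drop filter for the attack vector in tcpdump (BPF) syntax."""
    terms = [fp["protocol"], f"dst host {fp['dst_ip']}"]
    for key, word in (("src_port", "src port"), ("dst_port", "dst port")):
        if key in fp:
            terms.append(f"{word} {fp[key]}")
    return " and ".join(terms)


def for_sharing(fp, prefix_len=24):
    """Variant without individual source addresses: sources aggregated to
    prefixes plus a count, so the record stops naming single hosts."""
    shared = {k: v for k, v in fp.items() if k != "sources"}
    nets = {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            for ip in fp["sources"]}
    shared["source_prefixes"] = sorted(str(n) for n in nets)
    shared["source_count"] = len(fp["sources"])
    return shared


if __name__ == "__main__":
    fp = fingerprint(FLOWS)
    print(fp)
    print(to_bpf(fp))
    print(for_sharing(fp))
```

The list of source addresses is what makes a full fingerprint personal data in the sense discussed above. Aggregating to /24 prefixes reduces that concern for a testbed, but the prefixes are still derived from the original addresses, so whether the shared variant needs an agreement is a question for the legal team rather than for the code. Note also that a fingerprint built from reflected traffic names the reflectors, not the attacker.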


Figure 3: Thijs (SIDN Labs) and Remco (SURF) discussing the DDoS Clearing House testbed.

The testbed is also important in the context of preparations for a production version of the DDoS Clearing House. That goal came another step closer in 2021, when the NL-ADC members committed to annual financial backing for the project. The initiative also secured a 200k grant from the Digital Trust Center to cover further development of the clearing house, and the European Commission added the clearing house to its Innovation Radar.

Insight #5: logo scanning can be used for large-scale malicious website detection

In 2020, we started a project to investigate the scope for identifying malicious .nl websites (e.g. phishing sites and fake webshops) that abuse trusted logos to give visitors a false sense of security. The main insight we gained in 2021 was a clear picture of how to implement large-scale logo scanning. We developed a system called LogoMotive, which dynamically compiles a dataset of screen grabs of sites linked to all 6.2 million .nl domain names. LogoMotive then uses the popular YOLO (You Only Look Once) algorithm to identify logos within the screen grabs. LogoMotive also features a dashboard where anti-abuse analysts can process the system output. We evaluated our method by running two pilots, one in cooperation with the national government (figure 4) and one in cooperation with Thuiswinkel Waarborg. The pilots showed that logo abuse detection can make a practical contribution to the proactive identification of malpractice, and is a useful adjunct to existing systems, such as abuse feeds.


Figure 4: A phishing website with a government logo on its forged DigiD login page.

In the pilot run in partnership with the government, LogoMotive discovered a small number of phishing sites. Some featured a fake DigiD sign-on page, while others were made to look as if they belonged to particular government agencies. We also discovered several hundred government domain names whose existence officials didn't know about -- because, for example, they had been registered using incorrect registrant data. 'Forgotten' domain names represent a hazard, because no one at the government is checking that they are correctly configured to support (security) standards. Also, if they're left to expire, there is a risk of data breaches (see Insight #6). So far, the pilot with Thuiswinkel Waarborg has flagged up 151 cases of unauthorised Thuiswinkel logo use to elicit misplaced consumer trust in a website or possible fake webshop. Thuiswinkel Waarborg has approached all the site owners in question asking them to remove the logos. So the project is already making the .nl zone 'cleaner'. In 2022, we'll be integrating LogoMotive into SIDN BrandGuard and publishing a peer-reviewed paper about the pilots. We also intend to make the source code available to other TLD operators and researchers, so as to help them identify abusive domain names and continue refining the relevant technologies. In addition, we'll be getting to grips with our research agenda for machine learning, which we drew up in 2021 partly on the basis of LogoMotive.

Insight #6: DNS data can help prevent data breaches in 6.2 million domain names

Our sixth notable insight is that the DNS data processed by .nl's name servers can be useful for the prevention of data breaches. That's because breaches sometimes occur when a .nl domain name changes hands, leading to the new registrant getting mail that's intended for the old registrant. That has happened when domain names previously held by the police and a Youth Services Agency were allowed to expire, with the result that confidential information went to a subsequent registrant by mistake. By looking at the mail queries (MX queries) for lapsed domain names received by the .nl name servers, we are able to detect cases where the potential exists for data to fall into the wrong hands. In 2021, we therefore developed LEMMINGS, a prototype system that looks out for problematic situations by automatically analysing the two billion or so DNS queries we process and record in ENTRADA each day. Wherever it looks as if legitimate mail is still being sent to the old registrant, LEMMINGS contacts them to warn about the potential data security implications (see figure 5). In order to gauge LEMMINGS' value and operational impact, we organised two pilots in partnership with registrars: one with Argeweb, the other with OpenProvider. Across the two portfolios -- a combined total of 750,000 .nl domain names, or 12 per cent of the zone -- LEMMINGS detected 870 potentially problematic cases in four months. The detections didn't generate an upturn in enquiries to the support teams of the two registrars or SIDN. That's welcome news, especially for larger registrars, because support enquiries are a significant driver of workload and costs.
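The detection step described above, as an added example (constructed expiry list and query log in a simplified ENTRADA-like form; not the LEMMINGS code, whose thresholds and data format this page does not give): count the MX queries for each lapsed domain that arrive after its expiry, and raise a case only when they come from several distinct resolvers within a window. The domain names, resolver addresses (RFC 5737 ranges) and thresholds are this example's own.

```python
"""Flag lapsed .nl domains that still receive mail.

After a domain expires, MX queries for it that still reach the .nl name servers
mean someone is still trying to deliver mail to the old registrant: the
situation that turns into a data breach once somebody else registers the name.
Added example, not LEMMINGS; the expiry list and query log are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EXPIRED = {                          # domain -> moment the registration lapsed
    "oud-bureau.nl.": datetime(2021, 9, 1),
    "jeugdzorg-regio.nl.": datetime(2021, 9, 10),
    "hobbyclub.nl.": datetime(2021, 9, 5),
}

# Constructed query log: 'timestamp,qname,qtype,resolver address'.
QUERY_LOG = """\
2021-08-30T08:00:00Z,oud-bureau.nl.,MX,198.51.100.20
2021-09-02T09:15:00Z,oud-bureau.nl.,MX,198.51.100.20
2021-09-03T11:40:12Z,oud-bureau.nl.,MX,198.51.100.21
2021-09-05T07:02:33Z,oud-bureau.nl.,MX,203.0.113.44
2021-09-05T07:02:35Z,oud-bureau.nl.,A,203.0.113.44
2021-09-08T16:21:00Z,oud-bureau.nl.,MX,203.0.113.45
2021-09-11T00:00:05Z,jeugdzorg-regio.nl.,MX,203.0.113.9
2021-09-11T00:00:06Z,jeugdzorg-regio.nl.,MX,203.0.113.9
2021-09-12T00:00:05Z,jeugdzorg-regio.nl.,MX,203.0.113.9
2021-09-12T10:00:01Z,oud-bureau.nl.,MX,192.0.2.77
2021-09-13T00:00:05Z,jeugdzorg-regio.nl.,MX,203.0.113.9
2021-09-14T00:00:05Z,jeugdzorg-regio.nl.,MX,203.0.113.9
2021-09-14T10:02:11Z,oud-bureau.nl.,MX,198.51.100.20
2021-09-15T00:00:05Z,jeugdzorg-regio.nl.,MX,203.0.113.9
2021-09-06T12:00:00Z,hobbyclub.nl.,MX,198.51.100.30
2021-09-06T12:00:00Z,active.nl.,MX,198.51.100.30
2021-09-07T12:00:00Z,hobbyclub.nl.,MX,198.51.100.31
2021-09-20T13:30:00Z,oud-bureau.nl.,MX,203.0.113.44
"""


def parse_log(text):
    """Yield (timestamp, qname, qtype, resolver) per log line."""
    for line in text.splitlines():
        ts, qname, qtype, resolver = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), qname.lower(), qtype, resolver


def mail_still_arriving(log_text, expired, min_queries=5, min_resolvers=3,
                        window=timedelta(days=30)):
    """Domains with at least min_queries MX queries from at least min_resolvers
    distinct resolvers within `window` after expiry. The resolver threshold
    stops a single misconfigured sender or scanner from producing an alert
    (and a support call) on its own."""
    seen = defaultdict(lambda: {"queries": 0, "resolvers": set(), "last": None})
    for ts, qname, qtype, resolver in parse_log(log_text):
        if qtype != "MX" or qname not in expired:
            continue
        lapsed = expired[qname]
        if not lapsed <= ts <= lapsed + window:   # only traffic after expiry counts
            continue
        entry = seen[qname]
        entry["queries"] += 1
        entry["resolvers"].add(resolver)
        entry["last"] = max(entry["last"] or ts, ts)
    alerts = [
        {"domain": domain, "mx_queries": e["queries"],
         "distinct_resolvers": len(e["resolvers"]),
         "last_seen": e["last"].date().isoformat()}
        for domain, e in seen.items()
        if e["queries"] >= min_queries and len(e["resolvers"]) >= min_resolvers
    ]
    return sorted(alerts, key=lambda a: a["mx_queries"], reverse=True)


if __name__ == "__main__":
    for alert in mail_still_arriving(QUERY_LOG, EXPIRED):
        print(alert)
```

With the defaults only oud-bureau.nl is reported: seven MX queries from five resolvers after its expiry. jeugdzorg-regio.nl gets six queries but all from one resolver, which is more likely a single stuck mail queue than ongoing legitimate mail, and hobbyclub.nl is below the threshold. The thresholds are the knob that trades missed cases against the support load the text mentions; the output is the raw material for the warning mail to the old registrant.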

We wrote the LEMMINGS information page for the SIDN website and the warning mail templates in conjunction with SIDN's Communications, Legal and Support teams. We also submitted the draft wording to the new SIDN Panel to get feedback from registrants. In 2022, we plan to offer LEMMINGS to all .nl registrars, so that protection is available across the entire zone. We'll also investigate how LEMMINGS alerts could be used to help government-designated CERTs for sectors such as health care.

Insight #7: there is increasing traction for research into the internet of the future

In 2021, it became apparent that traction for research into the internet infrastructure of the future was mounting. That's good news for 2STiC, the research programme focusing on the security, stability and transparency of the internet that we set up in early 2019 in conjunction with three universities and five internet operators.

In April, for example, the NWO awarded a grant of 1.9 million euros for the CATRIN project. CATRIN is a Dutch initiative to start up the Responsible Internet, a security-by-design extension to the existing internet (or to future networks) that we conceived with our 2STiC partners in 2020. Its aim is to make the internet infrastructure more transparent and give users more control, with a view to helping to turn the tide of waning individual, organisational and social digital autonomy, which is an urgent social problem. The NWO grant means that, between them, the University of Twente, Eindhoven University of Technology, the University of Amsterdam and Delft University of Technology can assign seven PhD students to work on CATRIN. That will bring the total number of PhD students working in the Netherlands' future internet research community up to nine, with two already active in the UPIN project. The community also includes the students' supervisors and experts working for various players in the sector, such as the Waag Society, NLnet Labs, Leiden University, SIDN, KPN, TRIMM and SURF. The results of the CATRIN project will be publicly available.

Another indicator of the growing traction came when the Cyber Security Council referred to the Responsible Internet as an example of how the Netherlands should be working to increase the security of digital communication networks. The Responsible Internet concept was also included in the manifesto of future research topics for Dutch-based academics working in the field of computer systems and networks.
Finally, TNO, three mobile operators and three universities published a position paper entitled 'Future Network Services', which identified trusted, open, programmable networks as a breakthrough field, thus emphasising the relevance of 2STiC. Significant academic interest was generated as well. For example, we co-organised a workshop entitled TAURIN, at which twenty experts presented and discussed research in progress. We also published a peer-reviewed article at the CoNEXT conference, describing our P4 implementation of SCION. We regard SCION as one of the possible vehicles for realisation of the Responsible Internet, together with open programmable network equipment. In line with that vision, we developed a well-received interactive exercise for the University of Twente's Advanced Networking course. By completing the exercise, students are able to see for themselves how a SCION-based internet would increase user control over network paths.

Insight #8: sometimes it's best to transfer a project to the community

The final insight we'd like to share is that sometimes the best thing to do with a project is to hand it over to the internet community. We did that for the first time this year, when we passed the baton on SPIN, our open-source system for home networks and other edge networks. SPIN is designed to protect DNS operators and other service providers against DDoS attacks mounted using hacked devices (like the 2016 Mirai attack on DNS operator Dyn), and to give users more insight into the services their IoT devices are interacting with. We decided to hand the project over to the community after releasing SPIN 1.0 in October, so that next year we can focus more on the internet infrastructure of the future and on domain name security. It was a difficult decision, not least because we regard IoT transparency as a live issue. Nevertheless, as a relatively small team, we have to be selective. We'll continue supporting SPIN for use by students and in education, for example.

We added various new features in version 1.0, including 'bridge mode', in which SPIN runs on a bridge instead of a router, so that it can be deployed without reconfiguring existing equipment. We also improved the way SPIN visualises the internet services that an IoT device communicates with. Another initiative involved setting up a Mirai honeypot, shortly before the Log4j vulnerability (Log4Shell) made Mirai topical again.

Finally, we developed a prototype version of DNS Resolution Required, our idea for protecting IoT devices and other equipment more effectively against botnets and malware that circumvent DNS protection.
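The idea in miniature, as an added example that sketches the principle rather than reproducing the SPIN prototype (which this page does not describe): a home gateway only expects an outbound connection from a device if that device recently received the destination address in a DNS answer through the gateway's (filtering) resolver, so malware that connects to hard-coded addresses and never resolves anything stands out. The device names, addresses (RFC 5737 ranges), TTLs and the five-second grace period are this example's own.

```python
"""'DNS Resolution Required', sketched: correlate a gateway's DNS answers with
its connection tracker and flag destinations no DNS answer accounts for.

Added example, not SPIN's code; all records below are constructed.
"""
from datetime import datetime, timedelta

T0 = datetime(2021, 12, 1, 8, 0, 0)

# (time, device, qname, answered address, TTL in seconds) from resolver replies
DNS_ANSWERS = [
    (T0, "cam-01", "api.vendor.example.", "198.51.100.5", 300),
    (T0, "cam-01", "api.vendor.example.", "198.51.100.6", 300),
    (T0 + timedelta(seconds=1), "bulb-02", "time.example.", "203.0.113.10", 60),
]

# (time, device, destination address, destination port) from the connection tracker
CONNECTIONS = [
    (T0 + timedelta(seconds=2), "cam-01", "198.51.100.5", 443),    # resolved just before
    (T0 + timedelta(seconds=3), "cam-01", "192.0.2.99", 23),       # never resolved: hard-coded
    (T0 + timedelta(seconds=20), "bulb-02", "203.0.113.10", 123),  # resolved, within TTL
    (T0 + timedelta(minutes=3), "bulb-02", "203.0.113.10", 123),   # same address, TTL expired
]


def unresolved_connections(answers, connections, grace=timedelta(seconds=5)):
    """Connections not preceded by a DNS answer to the same device for the same
    address whose TTL (plus a small grace period) was still running."""
    flagged = []
    for ts, device, addr, port in connections:
        covered = any(
            a_device == device and a_addr == addr
            and a_ts <= ts <= a_ts + timedelta(seconds=ttl) + grace
            for a_ts, a_device, _qname, a_addr, ttl in answers
        )
        if not covered:
            flagged.append((device, addr, port))
    return flagged


if __name__ == "__main__":
    for device, addr, port in unresolved_connections(DNS_ANSWERS, CONNECTIONS):
        print(f"{device}: connection to {addr}:{port} without a matching DNS answer")
```

The telnet connection from cam-01 to an address it never resolved is the case the idea is aimed at. The last bulb-02 connection shows the awkward edge: the device reuses an address whose TTL has long expired, which is common for embedded devices that cache answers for as long as they like. Whether to block, re-resolve on the device's behalf, or merely log such connections is a policy decision the enforcement point has to make explicitly.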

Our plans for 2022

In 2022, we intend to continue doing what we're good at: contributing still more to internet security by performing internet measurements and developing generic measurement methods and systems, applied for specific uses, such as operational tasks within SIDN. Our focus will remain the security of the internet's core systems. Compared with 2021, we also plan to do more work on the internet infrastructure of the future, and on domain name security. Collaboration with SIDN Fund will be built up as well -- for example by bringing together people interested in a particular theme, such as measuring the Dutch internet's cybersecurity preparedness. Finally, we'll be setting up a consultation group made up of experts from the worlds of academia and industry to give us additional feedback on our work. Specific results we aim to deliver in 2022 include:

  • Measurements to shed further light on the security and evolution of the internet, e.g. in terms of centralisation, vulnerabilities and the impact of DNS-over-QUIC on .nl

  • A DDoS Clearing House pilot with the National Anti-DDoS Coalition; a 'cookbook' for other coalitions; transition to production at NBIP

  • An abuse detection pilot with other DNS operators, involving the use of federated learning to develop a joint ML model for phishing site detection

  • Integration of LogoMotive into SIDN BrandGuard, giving internet users better protection against malicious sites and enabling BrandGuard users to protect their brands more effectively

  • An attractive demonstrator of a more transparent network infrastructure (routers and paths), e.g. with a view to generating interest from prospective pilot partners

  • An international workshop on a responsible internet infrastructure, e.g. at the Lorentz Centre, Dagstuhl or TAURIN2022

Acknowledgements

Development of the DDoS Clearing House was funded partly through the European Union's Horizon 2020 research and innovation programme, under grant agreement 830927. Project website: https://www.concordia-h2020.eu/. UPIN and CATRIN were funded partly by the Dutch Research Council (NWO).