Early identification of malicious new .nl domain names with RegCheck

RegCheck is a system that assigns risk scores to new domain name registrations, so that .nl domain names that appear to have been registered for malicious purposes such as phishing can be identified even earlierfaster. RegCheck also dovetails with the European NIS2 Directive, which will require registries to monitor domain name registrations more closely.

In 2023, we teamed up with DNS Belgium, which was working on a similar system for the .be domain. Together we continued the development of RegCheck, making it significantly more robust, as well as more generic and therefore more suitable for use by other registries. With several other European registries expressing an interest in RegCheck, we also made preparations were also made for widening the collaboration.

RegCheck is now in use both at SIDN and at DNS Belgium. SIDN's Support Team made frequent use of RegCheck this year to initiate investigations into registrants suspected of registering domain names with malicious intentions.

We presented RegCheck at the Day of the Domain Name, and presented the project together with DNS Belgium at ICANN78 and various CENTR meetings. We also collaborated on an article for AG Connect.

Experience internet routing with Packet Run

Our PathVis project in 2022 led to a joint initiative with SIDN Fund and Bureau Moeilijke Dingen. Together, we developed Packet Run (see Figure 1), an installation that lets people experience how the internet works. Packet Run uses a marble run to make things such as data packets and routing tangible. The Moeilijke Dingen design agency designed and built the installation, and it was first shown to visitors at the Dutch Design Week (DDW).

Packet Run uses marbles to show h how data packets travel across the internet from start point to endpoint. DDW visitors were invited to nominate enter a websites at the starting station, and theafter which the routes to the siteswas were then calculated by Packet Run and modelled on the marble run. Visitors could then use the marble run to follow the route to the end station, after which the website was displayed. We spent a few days at the DDW guiding visitors around the installation and sharing our vision of the future of the internet.

Figure 1: Packet Run at the Dutch Design Week. See also the YouTube video.

The DDoS Clearing House is an automated platform for essential and other critical service providers on the internet (e.g. banks, ISPs and government bodies) to continuously share information about DDoS attacks with each other in the form of 'DDoS fingerprints'. Recipients can then use the fingerprint data to inform their own defensive preparations. Our DDoS Clearing House research was carried out as part of the EU's CONCORDIA project, in conjunction with the intended users, the Dutch National Anti-DDoS Coalition (NL ADC).

With our CONCORDIA partners, we delivered the DDoS Clearing House and concluded the technical pilot. The European Commission reviewers rated the Clearing House one of the highlights of the CONCORDIA project. NBIP will host the DDoS Clearing House in production for the NL ADC in January 2024. As a spinoff, we also delivered the DDoS testbed, which enables NL ADC members to practise defending against DDoS attacks on a small scale and at their own convenience, to supplement the twice-yearly large-scale exercises that the NL ADC organises.

We summarised our work in a 'cookbook' and a paper that we submitted to the IEEE Communications Magazine. We presented our work at various events, including the CONCORDIA Cyber Security Summit in Stockholm.

Improving the security of the NTP Pool

In combination with the DNS and the routing system, time services such as our TimeNL service form the core of the internet. They're crucial for generating and validating digital certificates, for example, as well as in the context of SIDN's services, such as timestamping registrations, DNSSEC and the Yivi key server. The NTP Pool provides a time service by means of a pool of about 4,000 servers operated by volunteers all around the world. Other important time service providers include NIST and tech giants such as Apple.

We performed a measurement study, which showed that the NTP Pool is the most popular time service on the internet. We also identified various problems with the way that the NTP Pool assigns NTP servers to clients. One is that clients in 21 countries, including Bolivia, Tunisia and Namibia are always referred to just 2 NTP servers. We proposed techniques that the NTP Pool operators could use to improve referrals and thus increase fault resilience and reduce the probability of various types of attack.

We summarised our findings in a technical report and an academic article that was accepted for the ACM SIGMETRICS conference.

Renaming the DNS root: RSSAC028 study

In partnership with NLnet Labs, we investigated the impact of renaming the DNS root servers for ICANN. The current naming format is [a-m].root-servers.net, but that has certain drawbacks. For example, it creates a dependency on the .net top-level domain, and doesn't allow for DNSSEC protection. In publication RSSAC028, the Root Server System Advisory Committee (RSSAC) therefore proposed 5 alternative naming schemes, such as securing the existing root-servers.net zone with DNSSEC or creating a separate top-level domain for each root server (e.g. [a-m]).

For the study we performed for ICANN, we developed a resolver testbed to simulate the root servers as realistically as possible, and to establish the extent to which resolvers would be able to successfully obtain information from the DNS with each of the proposed naming schemes in operation. Unfortunately, our experiments showed that adoption of any of the naming schemes would entail challenges due to the behaviour of some name servers and resolvers, and in some cases due to aspects of the naming schemes' design.

With the study, we and our colleagues at NLnet Labs made an important contribution to the debate about how we can further increase the security and stability of the DNS root, which are vital for top-level domains such as .nl.

Post-quantum cryptography in the DNS

PATAD (Post-quantum Algorithm Testing and Analysis for the DNS) is a project we're running to clarify the impact of post-quantum cryptography (PQC) on DNSSEC. Unlike current algorithms, including RSA, PQC algorithms such as SQIsign and Falcon will be hard for quantum computers to crack. Although quantum computers are unlikely to be available for 10 or 20 years yet, it's important to investigate their potential impact now, because it can take several years before a PQC algorithm is widely available on the internet.

We completed a first version of our PATAD testbed, which is based on a PowerDNS server and the Falcon PQC algorithm. The testbed will form the basis for the practical tests and measurements we plan to carry out in 2024 in collaboration with the University of Twente and Radboud University. We also worked on changes to liboqs, an open-source library for PQC algorithms. We extended our DNS4ALL resolver by adding X25519Kyber768, a quantum-secure hybrid algorithm.

We presented our plans for the PATAD testbed at the Post-Quantum Cryptography Conference in Amsterdam.

Test your cloud outage readiness with Cloudburst

Cloudburst is a tool that we developed this year to simulate (public) cloud outages. The tool's straightforward control interface (see Figure 2) enables users to block their cloud service connections (e.g. connections to Google or AWS), to realistically gauge how dependent they are on those services, and how they would cope with a cloud outage. Cloudburst is intended for general use and requires little technical know-how.

https://images.ctfassets.net/yj8364fopk6s/7jIYgxxp8SBibkdXLVl6dF/70c68674946b82b983209400be4743ed/Screenshot_cloudburst.png

Figure 2: Cloudburst user interface.

We demonstrated Cloudburst at the ICT.Open conference, where visitors were able to see how a cloud service outage rendered numerous websites unavailable. We also showed Cloudburst at SIDN Inspire and the PublicSpaces conference and received an enthusiastic response.

In mid-January, we plan to publish a blog about Cloudburst, and to make the source code open, so that you can try it out yourself.

DNS2Vec: more effective AI/ML based on representation learning

Representation learning has been the basis of numerous AI/ML successes over the last 10 years, but it's largely unknown in the DNS community. We therefore started the DNS2Vec project to assess the technology's potential added value for the DNS.

Applying Word2Vec technology to our DNS data in ENTRADA, we automatically generated a list of the representations of every DNS resolver that looks up a .nl domain name. The representations appear promising in relation to various AI/ML issues, such as resolver clustering. We'll publish a blog on the topic early in the new year. Representation learning is also one of our focuses for 2024 (see 'Outlook for 2024').

Comparing phishing in .nl, .be and .ie

Together with DNS Belgium (.be) and IE Domain Registry (.ie), we investigated phishing attacks in the .nl, .be and .ie domains. Our aim was to understand the role of several phishing attack variables, such as the type of organisation targeted and the restrictiveness/openness of the registration policy.

Our analysis revealed similar phishing attack patterns in the Netherlands and Belgium. Most targets are financial service providers, typically US or Dutch/Belgian companies. By contrast, Irish phishing attacks had a relatively wide spread of targets. We believe that that's because the registration of .ie domain names is restricted to Irish-based people and organisations, and because most Irish banks also use the .com TLD.

We've described the study in a paper that we'll be submitting to the prominent ACM Conference on Computer and Communications Security in January.

Community service

We're contributing to the security of the internet infrastructure, not only with our research, but also, for example, through our work with the Internet Engineering Task Force (IETF), our education activities, and our involvement with expert committees. Our community contributions in 2023 were:

• Expert committees: our team member Thijs was appointed to the Advisory Board of SIDN Fund, mainly in recognition of his technical expertise. Cristian joined the Cyber Security Council.

• IETF: we presented the draft of RESTful EPP, which is widely supported by CENTR members. The document is an update to our 2012 proposal. We also contributed to an Internet Draft on a research agenda for post-quantum DNSSEC.

• Embedded researchers: we seconded 4 of our team members, each for 1 day a week, to various universities for joint research and teaching: Delft University of Technology (Gio), University of Amsterdam (Ralph) and the University of Twente (Moritz en Cristian).

• Education: we coordinated and taught courses on Advanced Networking and Security Services for the IoT at the University of Twente. We also gave guest lecturers at Radboud Universiteit and Leiden University.

• MSc students: in 2023 a total of 6 MSc students did their theses under our supervision, 3 of them on the basis of internships at SIDN Labs. (If you're interested in doing something similar, contact Elmer or check https://www.sidnlabs.nl/afstuderen.)

• Workshops: we co-organised and moderated the Collaborative DDoS Mitigation Event on behalf of the Dutch National Anti-DDoS Coalition. We also organised a workshop entitled Operationalizing machine learning models for DNS security for the AI Student Association at Radboud University.

Outlook for 2024

Our plans for 2024 are outlined below in relation to our 3 research lines: domain name security, infrastructure security and emerging internet technologies. By way of example, 2 projects in each research line are briefly described.

Domain name security

RegCheck: 1 or 2 additional European registries will be joining our partnership with DNS Belgium. We'll run a pilot to investigate the possibility of sharing RegCheck findings with registrars, and of using registration-related information held by registrars as process input. Finally, we intend to assess RegCheck's potential for use within SIDN as a tool for automatically initiating registrant investigations for subsequent Support Team review and decision-making (e.g. on sanctions such as cancellation).

DNS2Vec: the preliminary results of our 2023 study indicate that the application of representation learning to DNS data could yield valuable results. Next year, we plan to take forward the definition of a number ofseveral use cases, such as the detection of disrupted rogue resolvers, and to investigate how we can use them in our research projects.

Infrastructure security

Autocast: autocast (automation of anycast) is an observability platform for SIDN's DNS operations team, which will provide them with action-orientedactionable observations, such as low-performance alerts and advice about scaling back or adding .nl anycast locations. As input, Autocast makes use of the DNS data that we gather using ENTRADA. In 2024, we'll extend our first prototype and make it more generic, so that it's suitable for other DNS operators and other protocols, such as NTP.

BGPsec testbed: we'll build a testbed for studying the operational performance of BGPsec: a security extension to BGP, the internet’s routing protocol. BGP is responsible for finding paths across the internet, e.g. for reaching DNS servers. Unfortunately, however, BGP is vulnerable to various forms of attack, involving such as the diversion of data to malicious sites, for example. BGPsec secures BGP information and can prevent many attacks, but has yet to catch on.

Emerging internet technologies

PATAD: we'll be pressing ahead with development of our PATAD testbed and performing various measurements to determine the impact of PQC algorithms on both SIDN and the DNS community. For example, we'll be looking at how quickly we can sign the .nl zone file with a PQC algorithm, and how much additional computing power will be required by resolvers. We'll also continue working with our partners on a research agenda for PQC and DNSSEC.

SCION-NL: we plan to connect the SCION-NL testbed to the larger (but nevertheless fairly small) SCION internet. We built SCION-NL in partnership with SURF and the University of Amsterdam in 2023 to enable experimentation with the SCION internet architecture. The testbed makes it easier for us to give interested researchers and organisations in the Netherlands access to SCION technology.

Season’s greetings!

We'd like to thank all our SIDN colleagues and our research partners in the Netherlands and beyond for working with us to achieve so much in 2023. We look forward to an equally successful – or even more successful – 2024! In the meantime, our very best wishes for the festive season.

The SIDN Labs team