SIDN Labs annual review 2024: our top 10 results

New insights and technologies that make the internet more secure

The original blog post is in Dutch; this is the English translation.

Authors: the SIDN Labs team

At the end of each year, we produce a report on the main results achieved by SIDN Labs during the preceding 12 months, for the benefit of the users, registrants and registrars of .nl domain names, and for the wider internet community in the Netherlands. In this review of 2024, we distinguish between 2 types of research results. First, those that provide policymakers and others with new insights into the security of the internet. We've labelled those results with an 'I'. Second, results relating to the development of new technologies and the improvement of internet security, which are useful mainly to people such as DNS and network operators. Those results are labelled 'T'. Links to related blogs published during 2024 are provided for anyone who wants to read up on the technical details. The review ends with a brief summary of our plans for 2025. If you've got any feedback, we would (as always) love to hear from you.

Table 1. Our main results in 2024 (with links). Within each column, results are listed in roughly chronological order, with the earliest results first.

I1: Testing the availability of the DNS root servers

In partnership with NLnet Labs, we undertook a contract research project for the root server operators Verisign and ISC. The assignment was to independently verify measurements made by ICANN, apparently indicating that the root server system often failed to achieve the required level of availability.

Our measurements showed that the problems were to a large extent attributable to ICANN's measurement platform, or to the network path between that platform and the root servers. We also identified and fixed a bug in the measurement software, which made the root servers' response times appear poorer than they actually were. The root server operators were pleased with the project outcome.

This was our third study of the security and stability of the DNS root, and it emphasised that we are now regarded as experts in this field. Last year, ICANN commissioned us to investigate how re-naming the root servers was likely to affect name servers and resolvers.

I2: Improving the security of the internet's routing system

The BGP (Border Gateway Protocol) is used to route data from A to B across the 75,000-plus networks that together make up the internet. The security of the BGP is vital to the entire internet, including core systems such as the DNS. Unfortunately, however, the existing technologies used to increase BGP security don't resolve all the problems with the protocol. In 2024, we therefore added BGP security to our research portfolio.

We developed a research agenda for BGP security and built up our collaboration with the University of Twente in this field. For example, we teamed up with the university to demonstrate that the internet has a longstanding problem with 'serial hijackers': networks that persistently seek to divert traffic intended for other networks to themselves. We also showed that the networks on the paths between critical infrastructure operators in the Netherlands and Microsoft's popular mail service don't always use an important security technology called 'route origin validation'. Finally, we investigated which routing implementations support BGPsec, and how we could set up a local BGPsec testbed for experimental use. We'll be sharing our findings in a blog early in 2025.

I3: Can the Netherlands' digital infrastructure withstand a knock?

We investigated the resilience of the DNS infrastructures of 700 organisations and 6.2 million .nl domain names for the benefit of policymakers, CTOs and others. The project involved testing the relevant domains' public DNS servers to see whether 3 proven measures for boosting availability were in use. The measures we looked at were distribution of the DNS servers across multiple networks, use of multiple IP prefixes, and use of anycast.

Our results show that most organisations in the Netherlands are already using the measures, but that there's still room for improvement – in the hospital sector, for example. We've made our test software available as open-source code, so that other organisations can check their own DNS resilience. Our findings were also presented at the ECP Annual Festival.
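As an added illustration (this is not SIDN Labs' open-source test software), the Python below checks a domain's name server addresses against the 3 measures. The routing table, AS numbers and anycast prefix list are constructed sample data, and 'multiple networks' is assumed here to mean more than one origin AS.

```python
import ipaddress

# Constructed routing table (announced prefix -> origin AS). Documentation
# address ranges and private-use AS numbers, not real measurement data.
ROUTES = {
    "192.0.2.0/24": 64500,
    "192.0.2.128/25": 64503,   # more specific announcement inside the /24
    "198.51.100.0/24": 64500,
    "203.0.113.0/24": 64501,
    "2001:db8::/32": 64502,
}
# Constructed: prefixes assumed to be announced from several sites (anycast).
ANYCAST_PREFIXES = {"203.0.113.0/24"}


def lookup(ip, routes=ROUTES):
    """Longest-prefix match; returns (network, origin AS) or None if unrouted."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, asn)
    return best


def resilience(ns_addresses):
    """Report which of the 3 availability measures a name server set uses."""
    prefixes, asns, unrouted = set(), set(), []
    for ip in ns_addresses:
        hit = lookup(ip)
        if hit is None:
            unrouted.append(ip)      # no covering route: cannot be assessed
            continue
        prefixes.add(str(hit[0]))
        asns.add(hit[1])
    return {
        "multiple_networks": len(asns) > 1,
        "multiple_prefixes": len(prefixes) > 1,
        "anycast": bool(prefixes & ANYCAST_PREFIXES),
        "unrouted": unrouted,
    }


if __name__ == "__main__":
    print(resilience(["192.0.2.10", "198.51.100.10"]))
    print(resilience(["192.0.2.10", "203.0.113.53", "2001:db8::53"]))
```

A name server set with 2 prefixes from a single origin AS passes the prefix check but not the network check, which is the kind of partial resilience such a test is meant to surface.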

I4: Multi-year analysis of phishing in .nl, .be and .ie

In collaboration with the registries for Belgium's .be domain and Ireland's .ie domain and 4 universities (Twente, Delft, Leuven and Grenoble Alps), we published a peer-reviewed article reporting a joint study of the evolution of phishing attacks in .nl, .be and .ie. Carried out in the latter part of 2023, the supporting research involved the analysis of 28,754 phishing reports issued by the security service provider Netcraft in the period 2013 to 2023. We also compared the registration and mitigation policies for .nl, .be and .ie, as input for the possible acceleration of phishing mitigation for .nl.

We went on to present the study's results at several gatherings of the operator community (e.g. RIPE, DNS-OARC and CENTR meetings) and at ACM Computer and Communications Security – a renowned academic conference, for which our paper was accepted.

I5: The effectiveness of internet sanctions

We analysed DNS data to assess the effectiveness of EU sanctions against news outlets such as Russia Today. The work was undertaken in collaboration with teams from the University of Twente, the University of Illinois at Chicago, the Open Observatory of Network Interference and the University of Amsterdam.

Our findings were summarised in a peer-reviewed paper, which one of our partners presented at a conference called Free and Open Communications on the Internet. The study was a multidisciplinary effort, in which internet measurements were used in combination with expertise in fields such as European and media studies. It also illustrates how internet measurements can support policy evaluation, in this case the evaluation of EU policy.

T1: Experimenting with post-quantum cryptography for the DNS

We made an empirical evaluation of the impact of post-quantum cryptography (PQC) on the DNS using a testbed we developed called Post-quantum Algorithm Testing and Analysis for the DNS (PATAD). (In Dutch, the acronym is a light-hearted wink at a PQC algorithm known as MAYO.)

One of the important milestones we passed this year was making our testbed software available as open-source code, so that other DNS researchers and operators can experiment with the use of PQC algorithms in the DNS (to assess their performance, for example). The software includes extensions for the integration of 3 PQC algorithms (MAYO, Falcon and SQISign) within PowerDNS resolvers and authoritative DNS servers, for use in DNSSEC. It also supports the systematic and dynamic set-up of realistic DNS topologies, with features such as a root and top-level domains like .nl. Before releasing the software, we performed various experiments in our testbed, including a comparison of the signing of several zone files using 2 PQC algorithms (MAYO and Falcon) and 2 traditional algorithms (RSA and ECDSA). We'll be sharing more information about the project early in 2025.

T2: Smarter DNS management with Autocast

Autocast ('automation of anycast') is a dashboard concept for DNS operations teams such as SIDN's. It makes automated recommendations about interventions such as enabling or disabling anycast nodes or sites on the basis of much more detailed data than that used by traditional monitoring systems, including country, region and round-trip time. The input data used by Autocast is active and passive internet measurements from ENTRADA and Verfploeter.

We improved insight into the round-trip times of .nl queries using ENTRADA data, and we worked with SIDN's DNS team to perform active daily measurements from .nl's production name servers. The results shed additional light on .nl's status within the DNS, and provide extra data to guide the further optimisation of .nl's name server location.

Next year, we'll open-source the Autocast dashboards and the supporting data model as an ENTRADA extension. A blog about the project is planned for early 2025.

T3: RESTful Provisioning Protocol to the IETF for standardisation

The RESTful Provisioning Protocol (RPP) is a standard for a new domain name registration API, whose development we initiated. As well as being easier for registrars to use than the traditional EPP, RPP will help domain registries by increasing scalability and improving performance and security. Being stateless, RPP is also a better fit with modern software engineering technologies such as containerisation and Kubernetes. The project is a restart of a 2012 initiative. (That's not a typo!)

At IETF121 in Dublin, we hosted a successful 'Birds of a Feather' meeting with engineers interested in RPP, including people from fellow European registries. Sufficient consensus was found to start a new IETF working group, for which we're now devising a charter with the wider community. We'll be helping to draft the protocol in 2025.

T4: Upgrading RegCheck to speed up reaction to domain name abuse

Registration Checker (RegCheck) is a machine learning system that assigns risk scores to new domain name registrations, so that potentially malicious domain names (e.g. names intended for phishing sites) can be identified at the time of registration. The system's output is then used by SIDN's support team for more proactive investigation, such as registrant checks. RegCheck also dovetails with the NIS2 Directive, which will require registries to monitor domain name registrations more closely.

During the year, we switched to a new classification algorithm based on decision trees. We also made the dashboard more user-friendly and interfaced RegCheck with Dynamics, so that SIDN's support team can use RegCheck scores to initiate registrant checks more promptly. Finally, we modernised and automated the rollout and training of RegCheck using techniques such as containerisation, so that it's suitable for use on any modern computing platform.

T5: From the lab to production with the DDoS Clearing House

The DDoS Clearing House is a platform for essential and other service providers (e.g. banks, ISPs and government bodies) to continuously share information about DDoS attacks with each other in the form of 'DDoS fingerprints'. Recipients can then use the fingerprint data to inform their own defensive preparations.

In April, the Dutch National Anti-DDoS Coalition (NL ADC) adopted the DDoS Clearing House for production use at NBIP. Over the last few years, we've led the underlying research and the development of the Clearing House, working closely with SURF, the University of Twente and other partners. Our article about the DDoS Clearing House was accepted for the respected peer-reviewed technical journal IEEE Communications Magazine. A new NL ADC Intel and Attribution Working Group will use DDoS fingerprints for intelligence and attribution purposes.

Community contributions

As well as undertaking research, we contribute to the safety of the internet infrastructure by sharing our expertise through internet expert groups and university research teams, for example. Our team members' various contributions in 2024 are listed in Table 2.

Table 2. Community contributions made by SIDN Labs in 2024.

| Role | Team member | Research partner / organisation |
|---|---|---|
| Technical expert | Maarten and Marco | RPP Working Group, IETF |
| | Caspar, Elmer, Ralph | PQC in DNS, IETF |
| | Marco | Internet.nl |
| | Thijs | SIDN Fund |
| | Moritz | ICANN RSSAC caucus |
| | Cristian | Cyber Security Council (representing the scientific community) |
| Working Group Co-Chair | Moritz | DNS Working Group, RIPE |
| | Thymen | R&D Working Group, CENTR |
| Embedded researcher | Giovane | Delft University of Technology |
| | Moritz, Cristian | University of Twente |
| | Ralph | University of Amsterdam |
| Lecturer | Giovane | Delft University of Technology |
| | Cristian | University of Twente |
| PhD supervisor | Moritz and Cristian | University of Twente |
| M.Sc. supervisor | Moritz, Ralph, Caspar and Thymen | Radboud University (students: Damianos and Alessandra), University of Amsterdam (Lisa) and Universität Münster (Pascal), TU Delft (Nathan) |

Team development

Lisa Bruder joined our team in November. Having read Security and Network Engineering at the University of Amsterdam, Lisa did her thesis research under the supervision of Ralph and Moritz. We're very pleased to have her on the team.

Research plan for 2025

Our research plans for 2025 are outlined below in relation to our 3 research lines: domain name security, infrastructure security and emerging internet technologies. For 2025, we also have a new work field: research infrastructure operations, which will involve activities relating to the management and continuous improvement of our research network.

Infrastructure security

We plan to continue developing Autocast by adding an Observability Dashboard to an Anycast Control Centre for SIDN's DNS team and similar teams elsewhere, to facilitate tasks such as improving anycast platform catchments. In relation to BGP security, we'll be investigating how we can increase the resilience of the RPKI. To that end, we'll measure the connectivity of the publication points and evaluate best common practices, for example. In connection with NTP, we plan to study the (in)accuracy of existing internet time synchronisation, about which good information is currently lacking. Another focus will be the further specification and testing of RPP, with a view to addressing the problems associated with EPP's scalability.

Domain name security

In 2025, we plan to build on the success of RegCheck and our first foray into representation learning by using DNS query information to enhance RegCheck. We'll also investigate the scope for using information from our DMAP web crawler to speed up the identification of phishing sites and other malicious websites. A follow-up to our phishing study is in the pipeline too, this time taking in .eu and .br as well as .nl, .ie and .be. Finally, we intend to build up internal collaboration with the Business & Support Department by carrying out a joint study of domain name cancellations.

Emerging internet technologies

In partnership with SURF and the University of Twente, we'll carry out tests to identify any new but as yet unstandardised PQC algorithms that could be suitable for DNSSEC, with a view to feeding the findings back to NIST and the wider community. To support that work, our PATAD testbed will be extended. The results and the associated analysis are to be published in 1 or more peer-reviewed papers or tech reports.

Research infrastructure operations

We're planning to relocate our research infrastructure to the Nikhef research institute in Amsterdam. The move has various advantages, including an AS of our own, which we can use to independently install and experiment with BGPsec software. The DNS query data we use for our research will be stored at SURF, the operator of the Netherlands' research and educational network. We'll make the data accessible on our servers at Nikhef via a high-speed link with SURF.

Best wishes for 2025!

We'd like to thank all our SIDN colleagues and our research partners in the Netherlands and beyond for working with us to achieve so much in 2024, and we look forward to further fruitful collaboration in 2025.

The SIDN Labs team