Ten years of SIDN Labs

From weblog to internet security research centre

Author: Cristian Hesselman on behalf of the whole SIDN Labs team.

The original blog is in Dutch. This is the English translation.

As well as being .nl's thirty-fifth anniversary and SIDN's twenty-fifth, 2021 is the tenth anniversary of SIDN Labs, set up on 1 December 2011. In this blog we look back on an eventful decade that saw SIDN Labs transformed from a weblog into a centre for applied technical research in the field of internet security. Our key milestones and biggest achievements are highlighted, and we reflect on the approach that's got us where we are today. We end by looking ahead to the next ten years. :-)

How it all started: the SIDN Labs weblog

SIDN Labs started in early 2011 as a weblog (see Figure 1), with the aim of making SIDN's technical expertise more widely accessible on an informal, interactive basis. Topics addressed in the early days included DNSSEC validation, LDNS, NSEC3 and IETF meeting reports. The blogs were written by colleagues from various SIDN teams, including operations.

Screenshot of SIDN Labs website in 2011

Figure 1: SIDN Labs started as a weblog (September 2011).

SIDN Labs becomes a research programme

In December 2011 (hence the timing of this blog ;-)), we shifted the emphasis. SIDN Labs became a programme of collaborative and independent research projects. One of the first was the Privacy & Identity Lab operated with the Radboud University, Tilburg University and TNO, which we helped to kick-start by co-funding three PhD students. Our early independent research projects included '.nl zone profiling' (a pre-Snowden name that we wouldn't choose today), which can now be seen as a precursor to our subsequent data analysis activities. At the same time, we redefined SIDN Labs' purpose. As well as sharing knowledge, we wanted to develop SIDN as an independent authority on internet-related technical and social themes, undertake and participate in research relating to such themes, and contribute to the improvement of SIDN's services. In that period, three colleagues from various SIDN departments devoted some of their time to SIDN Labs projects. We also set up a computer network for experimenting with new technologies and systems. Configured to operate completely separately from SIDN's production systems, the 'lab network' still remains vital to our research. Our decision to draw on various teams for our research personnel was motivated by the desire to promote new knowledge transfer and consolidate project results. Figure 2 lists the research themes we had on our radar at the end of 2011. We continue to work on several of those themes today -- although we weren't able to start work on some until much later, e.g. when new colleagues joined the team, as with the DNS algorithms and visualisations theme that we started on in about 2016 and the future internet theme that we've been researching since late 2018. A few ideas, such as DNS lookalikes and the evolution of user interfaces, have also been discontinued.

SIDN Lab program themes in 2011

Figure 2: SIDN Lab programme themes, as of 1 December 2011.

SIDN Labs becomes a separate unit

A further step in SIDN Labs' evolution was taken at the start of 2013, when we became a distinct research team. 'Borrowing' people from other departments proved not to be ideal, because their primary roles inevitably took priority and they struggled to free up enough time for research and experimentation. The first big new topic tackled by the freshly assembled team was DNS big data: promoting the security and resilience of .nl and the internet by analysing large volumes of DNS queries and responses processed by the .nl name servers. That was quite a challenge, because even then the servers were handling about 15,000 queries a second. That's 39 billion queries (and responses) a month, or 60 gigabytes of data per name server, per day. Our solution was to develop an open-source data platform called ENTRADA, for which we simultaneously devised a Privacy Framework. ENTRADA was used to trace domain name abuse (e.g. phishing and botnets) in the .nl zone, and later to help prevent data breaches associated with cancelled domain names and to tackle stability risks in the DNS, for example. We've also used various other measurement tools, such as RIPE Atlas and Verfploeter, to identify issues with security and stability in the DNS, as during the DDoS attacks on the DNS root in 2015. Since ENTRADA's creation, the volume of data saved on the system has grown rapidly. The Hadoop cluster we built for ENTRADA now consists of fourteen nodes and records an average of two billion queries and responses a day. Figure 3 shows the 108TB expansion rolled out in December 2016.

ENTRADA expansion with 108TB of storage
Figure 3: ENTRADA expansion with 108TB of storage space, December 2016.

Long-haul projects

At the start of 2017 and the end of 2018, we expanded our activities with two long-haul projects: SPIN and 2STiC.

SPIN

SPIN is an open-source system for internet edge networks (e.g. home networks), which we developed to increase the security and transparency of the Internet of Things (IoT). The trigger for setting up the project was the major outage that hit DNS operator Dyn in October 2016. Dyn's problems were caused by DDoS attacks mounted using hundreds of thousands of IoT devices infected by the Mirai botnet. SPIN was conceived as a way of preventing such attacks at source by blocking devices that exhibit abnormal network behaviour. SPIN also boosts IoT transparency by enabling users to see what servers their IoT devices communicate with, often invisibly. See the system architecture illustration in Figure 4.

Jelte Jansen presents SPIN during 'Holland Strikes Back' conference in October 2017
Figure 4: SPIN presentation at the Holland Strikes Back conference, October 2017.

In 2019, router manufacturer Embedd integrated SPIN into its software, and we published a production-grade version for OpenWRT for use by other router manufacturers. We ourselves took SPIN forward as a measurement tool, e.g. for educational use.

2STiC

At the end of 2018, we teamed up with three universities and four internet operators to start the 2STiC research programme. Our goal was a joint research centre dedicated to the development of new technologies that enhance the reliability of the internet infrastructure. We were motivated by the belief that it is strategically important for the Netherlands and Europe to have expertise in the field, in order to protect the digital autonomy of individuals, organisations and society as a whole. Digital autonomy matters, because the internet is likely to become more and more important to society, for instance by enabling essential services such as smart energy networks, intelligent transport systems, 5G networks and remote-controlled barrages and flood defences. The relevance of the initiative was emphasised by TNO's position paper on Future Network Services, published last month. Using a hands-on approach involving testbeds and experimentation, 2STiC is exploring both internet extensions and clean-slate architectures, such as SCION. Within that model, open programmable networks serve as important enablers. Figure 5 shows the programmable switch in our lab, which is connected to the 2STiC P4 network.

Figure 5: The P4 programmable switch in our lab.

SIDN Labs today

We now have a highly-motivated team of twelve experts dedicated to a single goal: contributing to ongoing improvement of the reliability of the internet's infrastructure, for the benefit of the Netherlands, Europe and the wider world.

We pursue that goal by carrying out pioneering applied technical research in three fields:

  • Network security: large-scale internet measurements (e.g. using RIPE Atlas and ENTRADA) identify and resolve issues affecting the security and resilience of the internet's core systems (e.g. DNS and NTP).

  • Domain name and IoT security: developing and evaluating algorithms and tools for detecting and tackling cybercrime that involves the use of domain names and IoT devices, such as phishing, fake webshops, DDoS attacks and data breaches.

  • Secure future internet: developing and piloting mechanisms for a trustworthy future internet featuring greater digital autonomy for individuals, organisations and society as a whole.

Table 1 lists our main achievements in each field over the last few years. Much of the work in question has been showcased at influential international scientific conferences, such as the Internet Measurement Conference. A full list of publications is available on our website.

Theme: Network security. Key results:

  • DNSSEC roll-over monitor: tools used to monitor .br, .se and .dk during DNSSEC key and algorithm rollovers

  • DNS anycast engineering measurements: tools such as Anteater and Anycast2020 and their use by SIDN's operations team

  • Measurements exposing centralisation of the internet infrastructure, including the DNS, NTP, IXP vendors, CAs

  • Monitoring of security incidents, such as the DDoS attack on the DNS root in 2015 and the tsuNAME vulnerability

  • Time.nl, our NTP service for the internet community, and its use by SIDN and many others

Theme: Domain name and IoT security. Key results:

  • Algorithms for fighting cybercrime, used by SIDN, e.g. for reducing fake webshops, detecting potential data breaches and SIDN BrandGuard

  • Data storage and retrieval systems ENTRADA (passive DNS measurements) and DMAP (crawler) used by SIDN with privacy-by-design approach

  • Tools to help our support team tackle cybercrime, such as DEX and COMAR

  • Large-scale measurement study of cybercrime in gTLDs, as input for evaluation of ICANN's new gTLD programme

  • Tools for increasing the security and transparency of the IoT, such as SPIN and DRR

Theme: Secure future internet. Key results:

  • The Responsible Internet, a vision of the internet of the future, developed jointly with our research partners

  • Our P4 implementation of SCION, a potential architecture for realisation of the Responsible Internet

  • CATRIN, a research project jointly developed with universities and industrial partners, for which an NWO grant of 1.9 million euros was obtained to develop a prototype of the Responsible Internet

Table 1. Key results from recent years.

With the release of SPIN v1.0 in October 2021, we passed the IoT security baton to the internet community, so that we can focus more on domain name security and the secure future internet. We nevertheless continue to support SPIN, e.g. for educational purposes.

Visualisation of our research

Figure 6 visualises the topics we've blogged about since 2015. Each node represents one of the seven most prominent words in our blogs (as identified using TF-IDF). The size of a node reflects the number of blogs in which the corresponding word was prominent. The thickness of the lines connecting the nodes reflects the extent to which the relevant terms were used in conjunction. Popular topics have included DNS, DDoS, anycast, internet, IoT, domain and SCION. It seems we do indeed write a lot about internet infrastructure! :-)

Figure 6: Visualisation of our blogs since 2015 (click through, takes about ten seconds to load).

Our working methods

Our evolution from a weblog to an expertise centre was achieved on the basis of five working principles. We are pleased to share them so that other organisations can make use of them for developing their own research teams (preferably, of course, in line with our first principle ;-))

  1. Open, generic results: we make our results (e.g. software and papers) public and generally applicable, so that they can be used to improve internet security by others as well. For example, ENTRADA is used by the registries for .nz, .be and .ch, while .br, .se and .dk use our DNSSEC tools to monitor their key and algorithm rollovers. Our results are also used within SIDN, as with tools such as Anteater (used by our operations team) and DEX (used by our support team). We opted for an open and generic approach because it is consistent with SIDN's public role and the responsibility of a ccTLD operator to serve the community.

  2. Collaboration: we work closely with the academic world and the operational community so that expertise and resources can be combined to maximise impact. For example, the 2STiC programme brings together experts from the academic and operational worlds to undertake research on future internet infrastructures. The universities involved (University of Twente, University of Amsterdam and Delft University of Technology) focus mainly on developing new knowledge in their specialist fields (e.g. internet measurements and open programmable networks), while the operators (SURF, AMS-IX, NDIX, NLnet Labs and SIDN) provide testbeds, operational expertise and so on.

  3. Experimentation: we study internet security and stability by performing large-scale measurements and we experiment with new systems by developing prototypes (e.g. DRR), running focused pilots (e.g. for the detection of fake webshops) and operating testbeds (e.g. the DDoS Clearing House). A lab network that is completely isolated from SIDN's production systems plays a vital part in such work, enabling research and operations to each proceed at their own speed. We focus on the lower technology readiness levels (TRLs), between roughly TRL2 and TRL6, and we accept that projects may fail.

  4. Long-term projects: we're willing to do projects with long time horizons, e.g. because they require major infrastructural changes, as with SPIN for IoT devices and router modifications for the Responsible Internet and SCION. SIDN allocates financial resources to such projects because it believes that contributing to continuity in fields of strategic importance for the Netherlands and Europe, such as digital autonomy, is consistent with its public role. It is often harder for universities to do that, because they typically operate on the basis of a four-year funding cycle.

  5. Intersectoral expertise: while the skillsets of some of our team members have an academic bias, others lean towards the operational or engineering side, or are more intermediate. As a whole, the team therefore occupies a position -- and functions as a bridge -- between the academic and operational communities. Every team member has their own (international) network, and their finger on the pulse of topical social and technical issues in their field. Each of them works on two themes simultaneously, to provide diversity and promote the cross-fertilisation of ideas. We also have a flat organisational structure, with management only facilitating and providing high-level guidance. We encourage students to do their MSc theses with us to our mutual benefit.

On to 2031

While our tenth anniversary is a good moment to look back, it's also a good moment to look ahead. In the coming years, we plan to address topics that increase trust in the internet so that individual, commercial and institutional users can confidently increase their reliance on it, even for safety-critical applications such as intelligent transport systems. In that context, one of the challenges is to increase the internet's 'responsibility', a characteristic that is also relevant for other layers of our digital infrastructure, such as apps, operating systems and storage systems (see Figure 7). We are helping to make the internet more responsible through our work on internet infrastructure security (top two rows in Table 1) and our more recent work on the Responsible Internet, aimed at promoting infrastructural transparency and empowering users (bottom row in Table 1). By doing so, we hope to contribute to turning the tide of waning individual, organisational and social digital autonomy, which is an urgent social problem. Working in tandem with SIDN Fund, we also intend to address major internet-related problems at higher levels of the digital infrastructure, such as black box algorithms, diminishing data autonomy (as with data for user identification) and generic data exchanges (e.g. involving security data), disinformation and the consolidation of public values. SIDN Labs will concentrate mainly on the internet infrastructure, while SIDN Fund tackles end user issues.

Infographic showing the challenges for our digital infrastructure (vertical) and the different layers of our digital infrastructure (horizontal).

Figure 7: Challenges to the digital infrastructure (vertical) and the various layers of that infrastructure (horizontal). From: "Future Computer Systems and Networking Research in the Netherlands: A Manifesto", October 2021.

As indicated in Figure 7, one of the challenges ahead is ensuring that the internet remains manageable despite its increasing size and complexity. Systems that manage networks and services on a semi-automatic basis have great potential in that regard. For example, machine learning algorithms can help operations teams dynamically activate and deactivate virtualised name servers in line with DNS traffic volumes and anycast catchments (see also our vision of the registry of the future). We have already developed a testbed for such algorithms, and we plan to start experimenting next year. On the organisational front, we're planning to start working with an external consultation group to provide additional feedback on our research directions and methods. The idea is for the group to be made up of independent experts from academia and the internet industry.

Our team

Finally, the road from weblog to expertise centre could never have been traversed without a close team whose members pull together professionally and enjoy hanging out together, whether it's around the canteen football table or at the ice rink (Figure 8).

The SIDN Labs team on the ice, during a team outing
Figure 8: SIDN Labs on ice :-)

The achievements of the last decade also owe much to various former colleagues, MSc students and research partners. We would therefore like to thank the following for their contributions and collaboration:

  • Former colleagues João Ceron, Joeri de Ruiter, Victor Reijs, Ricardo de Oliveira Schmidt, Antoin Verschuren and Miek Gieben

  • MSc students Christian Scholten, Thijs van den Hout, Erwin Janssen, Robin de Heer, Joost Prins, Metin Açıkalın, Thijs Brands, Caspar Schutijser, Mick Cox, Sjors Haanen, Jan Harm Kuipers, Maarten Aertsen, Lars Bade, Xander Lammertink, Auke Zwaan and Moritz Müller

  • Our partners, including AFNIC, AMS-IX, Argeweb, CAIDA, ETH Zürich, Grenoble Alps University, ICANN, InternetNZ, NCSC, NBIP, NDIX, Dutch Payments Association, NLnet Labs, OpenProvider, the Dutch government, Radboud University, Realtime Register, SURF, Delft University of Technology, Thuiswinkel Waarborg, University of Twente, University of Amsterdam, University of California, University of San Diego, University of Southern California, University of Passo Fundo, University of Zurich.

On to 2031! :-)