Over forty researchers from the Netherlands and the United States met in Utrecht on Thursday 24 October to exchange knowledge and experiences in the field of research on the detection of and defense against Distributed Denial of Service (DDoS) attacks. ‘All the big names in the field of DDoS from the Netherlands and the US are here today,’ noted participant Jair Santanna, Assistant Professor at the University of Twente.
The Netherlands Organisation for Scientific Research (NWO), together with the Dutch National Cyber Security Centre and the US Department of Homeland Security, has been conducting a joint research program into cyber security since 2013. Within this program, a total of thirteen projects have been awarded in three rounds, in which American and Dutch researchers are jointly conducting research.
The meeting on 24 October focused on three of the projects that were granted in the 2018 round, which was dedicated to the subject of DDoS. In addition to the presentations about these joint projects, there were also eight presentations on DDoS studies conducted either in the Netherlands or in the United States.
PhD student Raffaele Sommese presented the MADDVIPR project, in which his host institution University of Twente cooperates with the American Center for Applied Internet Data Analysis. ‘The ultimate goal of this project is to pinpoint vulnerabilities that could be the target of DDoS attacks to administrators who manage Domain Name Systems, say the Internet’s phone directory.’ In his presentation, he addressed the problem of so-called orphan domain names: when you no longer pay for a certain internet domain, it should be removed from the DNS. But too often that does not happen, and then such a domain can easily be misused for malicious content. Project leader Anna Sperotto: ‘This joint project is in fact a formalisation of an existing long-term collaboration. We have a lot of knowledge and data about DNS systems, and our American colleagues know everything about DDoS attacks. So in this project, we complement each other seamlessly.’
Internet of Things
Carlos Hernandez Ganan from Delft University of Technology, together with his American project partner Damon McCoy from New York University, gave a presentation about their MINIONS project. This project is aimed at DDoS attacks that are conducted via poorly secured Internet of Things devices, such as surveillance cameras. The Dutch part of the research focuses on the automatic detection of infected devices and on effective strategies to encourage users to clean these infections from their devices. Meanwhile, the American researchers are focusing on the business models behind the attacks. Both researchers knew each other's work, but had never collaborated before. ‘As soon as we saw the call for this program, we contacted each other. Writing a proposal together was merely throwing a soft ball then.’ In the meantime, a lively exchange of students has arisen, and the research has already produced some good results in its first year.
The third NWO/NCSC/DHS project presented during the workshop was the PAADDoS project by Aiko Pras from the University of Twente and John Heidemann from the University of Southern California. Their research focuses on so-called anycast systems as a defence mechanism. In an anycast network, multiple servers at multiple locations represent the same IP address. If a certain IP address is targeted by a DDoS attack, in an anycast network only those servers that are closest to the attacker will be bothered by it, and the service will remain accessible because the traffic is being rerouted through other servers. ‘We use a tool called Verfploeter to map out how information is currently routed over the internet,’ Heidemann said. ‘Remarkably enough, traffic still very often travels through places where it has no business being. For example, it is quite a challenge to keep European internet traffic within Europe.’
When researching DDoS, having access to the right data and in the right quantities is a big challenge, says Jair Santanna. ‘There are a lot of people here today who have their hands on a lot of data. This type of meeting is particularly useful for learning from others, for teaching others what you are doing yourself, and for exploring how you could work together.’
This workshop was organised in close cooperation with NWO and the University of Twente and sponsored by SIDN.
Text: Sonja Knols, Ingenieuse
Photo: Sjoerd van der Hucht