Dutch Anti-DDoS Coalition: lessons learned and the way forward

Dutch Anti-DDoS Coalition: lessons learned and the way forward

Increasing the Netherlands’ DDoS resilience together, part III of III

In parts I and II of this blog series, we introduced the concept of the Dutch Anti-DDoS Coalition and described the status of one of its pillars, the DDoS clearing house. Today, we’ll discuss the lessons we’ve learned and how we see the way forward. This will be the last blog in the current series, but we expect to get back to you all soon with news on the DDoS clearing house pilot.

Did a lot, learned a lot (six lessons learned)

The DDoS clearing house is a key project for the Dutch Anti-DDoS Coalition. Although the system is not in operation yet, we’ve already learned a lot from our work. Those lessons are summarised below and we’ll flesh them out further as part of the DDoS clearing house “cookbook” that SIDN, SURF and the UT will be developing in the CONCORDIA project.

  • The need for a DDoS clearing house is widely recognised. We learned that from the feedback we received on our talks (e.g. at the One Conference and the CONCORDIA Open Door Event). That is also illustrated by the partners’ investments in the initiative. For example, all partners have assigned substantial personnel capacity (both technical and legal) and NCSC-NL, NBIP, SURF and the Dutch Payments Association have jointly funded a systems architect to further flesh out the overall architecture illustrated in Figure 3.

  • The value of the coalition goes beyond sharing DDoS fingerprints. For example, the members of the Dutch Anti-DDoS Coalition spotted the opportunity to collaboratively simulate network and application-level DDoS attacks and practise responding to them. Such activities fit naturally with the clearing house because of its cross-organisational nature and because it helps to increase the Netherlands’ DDoS resilience. The partners carried out a practice drill in October of 2019, which involved launching previously approved DDoS attacks on each other’s infrastructures to learn how their systems and teams would respond.

  • An anti-DDoS coalition is a crucial organisational vehicle for providing continuity. We identified this early on because we had to develop and maintain various work products such as a website, iterations of the clearing house’s data sharing agreement, procedures and waiver agreements for DDoS exercises, and the rules of engagement for coalition members (e.g. membership rules). That’s why we organised the coalition into several working groups, such as a technical working group to develop the clearing house software. A legal working group is particularly important for developing new versions of the data sharing agreement along with new versions of the pilot, which are crucial for speeding up the development and deployment of the clearing house.

  • Start with a small trusted group, then grow (trust scaling). We started the development of the clearing house with ten partners. Keeping the group small facilitated the development of mutual trust, for instance through frequent face-to-face meetings. As a result, the group was confident that it could reach consensus on the technical direction, and therefore opted for unanimous decision-making in our current “governance model” (formalised as part of the data sharing agreement). That had the advantage of enabling us to make decisions quickly in the early stages, although a model based on unanimous decision-making will not scale up to an organisation with tens of partners. Our future challenge is to scale up trust, which means we’ll need to transition from a model where the ten service providers trust each other on a person-to-person basis (personal trust) to a model with a larger group of organisations that trust the clearing house and its procedures and governance mechanisms (impersonal trust [Gommans15]). The UT, SURF and SIDN will investigate scaling trust to a European level in the CONCORDIA project, inspired by the Dutch Anti-DDoS Coalition.

  • Keep the initial data sharing agreement crisp, simple and scalable. The data sharing agreement needs to clearly articulate the purpose of the first iteration of the pilot, which is to assess the usefulness and effectiveness of the clearing house by experimenting with exchanging DDoS fingerprints across different organisations and sectors. It also needs to cover other legal aspects (e.g. liability, security, PII and governance), but only in outline. That is important in order to keep the data sharing agreement simple and scalable and allow for technical experimentation. A future challenge will be to evolve the data sharing agreement so that its simplicity and scalability continue to be appropriate for subsequent pilot iterations.

  • Multidisciplinary working in the early stages is even more important in a heterogenous cross-sector collaboration like the Dutch Anti-DDoS Coalition. For example, tech folk need to provide guidance to legal experts on the concept of a DDoS fingerprint and highlight the purpose and nature of the data exchange (collaboration and experimentation) because not all legal experts have the same level of technical expertise. That is important for minimising legal uncertainty, which helps the avoidance of conservative legal constructs (cf. [Silva19]). Similarly, early discussions with operational teams are important for understanding how they work. For example, we learned that the ops teams wanted to be able to create minimal fingerprints (e.g. just indicating suspected origin and protocol type) by hand through a UI or a command line tool, because even the DDoS dissector might fail under a severe DDoS attack.

What’s up for 2020?

Our goal for 2020 is to further flesh out the organisational structure of the coalition and to carry out further DDoS exercises with the consortium members. In addition, we will set up the second iteration of the pilot, in which the ten service providers automatically generate fingerprints, distribute them, and their ops teams use them to write filtering rules for their infrastructures.

Our short-term aims for the clearing house are to get the data sharing agreement signed (four partners have signed already) and incrementally improve the dissector, DDoS-DB and converter software based on the requirements we developed (e.g. to use the converter as a DDoS detector that automatically forwards the traffic to a scrubbing centre).

In addition, SURF, SIDN Labs and the UT will write a first version of the DDoS clearing house cookbook as part of the CONCORDIA project, using this blog as their starting point and incorporating our lessons learned in 2020. They will also set up a second clearing house instance (ddosdb.eu), specifically to carry out research in CONCORDIA, for instance on clustering fingerprints and further improving their accuracy, automatic generation of mitigation rules and sharing fingerprints with edge network security systems such as SPIN. They will use the data sharing agreement we developed to accommodate the work and make it available within CONCORDIA.

Conclusions so far

Our intermediate conclusion is that setting up a national anti-DDoS coalition has already demonstrated its added value, for example in terms of the community of organisations that emerged from it and the large-scale DDoS drills that we’re carrying out together.

At the same time, developing and setting up a national clearing house is a challenging and sometimes tough undertaking because of the complexity of the work, which is often the result of non-technical factors such as working in heterogeneous partnerships, managing expectation regarding the technological readiness level of the pilot and evolving the data sharing agreement with different iterations of the pilot. Nonetheless, the seventeen partners in the Dutch Anti-DDoS Coalition continue to firmly support the clearing house concept, as does the wider Dutch and European operator community.

Overall, we’re highly motivated and confident that we’ll attain our goals for 2020 and that we’ll also get the clearing house deployed, thus tangibly helping the Netherlands to handle DDoS attacks on a cooperative basis.

Acknowledgements

SIDN, SURF and the University of Twente were partly funded by the European Union’s Horizon 2020 Research and Innovation program under Grant Agreement No 830927. Project website: https://www.concordia-h2020.eu/

References

[Silva19] K. e Silva, “Mitigating botnets: Regulatory solutions for industry intervention in large-scale cybercrime”, Ph.D. thesis, Tilburg University, the Netherlands, Dec 2019

[Gommans15] L. Gommans, J. Vollbrecht, B. Gommans – de Bruijn, C. de Laat, “The Service Provider Group Framework; A framework for arranging trust and power to facilitate authorization of network services”, Future Generation Computer Systems, Vol. 45, pp 176-192, Mar 2015, http://www.delaat.net/pubs/2015-j-2.pdf

(By Cristian Hesselman (SIDN and University of Twente), Remco Poortinga-van Wijnen (SURF), Gerald Schaapman (NBIP) and Remco Ruiter (Dutch Payments Association))