First CONCORDIA workshop on collaborative DDoS mitigation

First CONCORDIA workshop on collaborative DDoS mitigation

Tech talks, captivating discussions, and networking to advance the field

On September 15, 2022, we held the First CONCORDIA Workshop on Collaborative DDoS Mitigation. The goal of the workshop was to discuss advances and bottlenecks in collaborative DDoS mitigation, and to strengthen the community engaged with this topic. We welcomed 35 experts from industry, government, and academia, who explored the topic based on four talks and a plenary panel discussion. Key takeaways included the importance of sharing DDoS metadata at various levels in the network, and that a proactive approach to DDoS defence can take many forms. In this blog, we review those takeaways, take a closer look back at the workshop, and discuss the next steps.

Collaborative DDoS mitigation

We define collaborative DDoS mitigation as any activity that improves the collective DDoS resilience of a group of organisations and that comes on top of the existing DDoS mitigation strategies and facilities that individual organisations need to have in place, such as scrubbing services.

We distinguish three types of joint activity in collaborative DDoS mitigation: operational, organisational, and legal activities. Examples of operational activities include the sharing of DDoS metadata, knowledge, and tools, and practising with drills and cyber ranges. An example of an organisational activity is holding working group meetings; an example of a joint legal activity is the collaborative drafting of legal documents, such as waivers for DDoS drills.

Goal, audience, and agenda

We organised the workshop with the goal of discussing and advancing the topic of collaborative DDoS mitigation from the research and operations perspectives.

At the workshop, we welcomed 35 attendees from industry, government, and academia, including 10 researchers from six CONCORDIA partners and many members of the Dutch Anti-DDoS Coalition. They engaged in lively discussions based on the agenda that we had put together, which consisted of four technical presentations (three by outside speakers, one from CONCORDIA), a panel, and a CONCORDIA overview talk. The feedback we received was positive throughout.

The workshop took place in Utrecht, the Netherlands. It was organised by the CONCORDIA partners working on the DDoS Clearing House (see below), and was hosted and coordinated by SIDN Labs.

Building blocks for collaborative DDoS mitigation

We set up an agenda with four technical presentations to provide the audience with an overview of the three major building blocks for collaborative DDoS mitigation: DDoS handling strategies, DDoS measurements, and the sharing of DDoS metadata.

The first presentation was on the DDoS Clearing House, which we developed together with colleagues from SURF, Telecom Italia, University of Twente, FORTH, and the University of Zurich. The DDoS Clearing House is a platform that enables organisations to share information about the DDoS attacks they handle with each other. The talk covered DDoS measurements (through DDoS fingerprints) and the sharing of metadata (through the DDoS-DB), and introduced the concept of collaborative DDoS mitigation.

Next, Wouter de Vries, Systems Engineer at Cloudflare, covered Cloudflare’s DDoS mitigation strategy and provided insight into the current approach taken by a large-scale commercial DDoS mitigation operator.

Leandro Bertholdo, PhD candidate at the University of Twente, then presented his work titled “Anycast agility”, which introduced playbooks for deployment on anycast networks to lessen the impact of DDoS attacks. The talk covered both DDoS mitigation strategies utilising the playbooks, and DDoS measurements. In the final tech talk, Daniel Wagner, researcher at Germany’s largest commercial internet exchange DE-CIX, presented his recent paper “United We Stand”, which reveals that internet exchange points (IXPs) can detect many more DDoS attacks when they exchange information with each other than they can individually. His presentation covered DDoS measurements and the sharing of DDoS metadata.

Prior to the technical talks, Christos Papachristos from research institute FORTH introduced CONCORDIA, the Horizon 2020-funded project in which we developed the DDoS Clearing House.

Plenary panel discussion

We concluded the workshop with a panel discussion, featuring four panellists with backgrounds in DDoS operations (Wouter de Vries, Cloudflare), academia (Dr Lili Nemec Zlatolas, University of Maribor), internet infrastructure software development (Benno Overeinder, NLnet Labs), and government (Karl Lovink, SOC Lead at the Dutch Tax and Customs Administration). After the panel discussion, we discussed the final takeaways and conclusions in a plenary session. The key takeaways from the session are outlined below.

Takeaway 1: Exchange of DDoS metadata at multiple levels

The first key takeaway was that the sharing of metadata about DDoS attacks is possible between organisations that operate at different levels in the internet infrastructure. The advantage is that it broadens their view of the DDoS landscape: instead of viewing the landscape from their own, narrow perspective, they are able to view it from a multi-point perspective.

During the workshop, we found that the data sharing can take place not only between organisations (endpoints) through the DDoS Clearing House, but also between endpoints and upstream providers, such as ISPs and IXPs. For example, DE-CIX’s talk showed that their DDoS Exchange Point (DXP) enables IXPs to share DDoS metadata, which results in the detection of DDoS attacks that would otherwise be missed. Another way to share metadata would be between endpoints and network operators, using a protocol such as DOTS, which is being developed within the IETF.

Also, the attendees felt that the sharing of DDoS metadata (e.g. through the DDoS Clearing House or the DXP) was most useful for stable and recurring attack signatures and DDoS attacks of a relatively long duration. The attendees agreed that shorter or more dynamic DDoS attacks are too unpredictable to make the sharing of DDoS characteristics useful at the time of mitigation.

Figure 2: A snapshot of the panel discussion

Takeaway 2: Operational measures are just as important as technology

In our work within CONCORDIA and the Dutch Anti-DDoS Coalition, we have often found that operational and organisational measures, such as clear role assignment during incidents, is just as important as, if not more important than, developing the required technology. The importance of such measures was considered during the plenary discussion at the workshop, from which it became apparent the other attendees took the same view as us.

A particularly interesting topic of discussion was the question of how DDoS mitigation could actually be made proactive, or whether it was in fact inherently reactive. One way to proactively tackle the problem of DDoS attacks that we identified is to address the problem at its source: by improving the security of protocols and encouraging their deployment. For example, we can advise network operators to apply the best practices described in BCP 38 and RFC 3704, which urge the implementation of ingress filtering to prohibit internal devices sending internet packets with spoofed IP addresses, which is one of the most prominent enablers of DDoS attacks on the internet[1].

Another proactive and collaborative mechanism we discussed was holding DDoS mitigation drills, as the Dutch Anti-DDoS Coalition does. The coalition has found that drills are very effective in improving an organisation’s readiness for DDoS attacks and do lead to improved mitigation during an actual attack. The drills are therefore a proactive, operational measure for improved DDoS mitigation.

Finally, education about malware, software updates, and DDoS in general was felt to be an important means of improving DDoS resilience and minimising attack opportunities. For example, cybersecurity programs at universities could cover those topics so that the next generation of engineers is appropriately trained.

Takeaway 3: On-premises, hybrid, or cloud-based mitigation?

During the panel discussion, we touched upon the topic of the centralisation of DDoS mitigation in big commercial cloud-based providers such as Cloudflare and Akamai. Some attendees observed that DDoS mitigation lends itself well to centralisation because such services require an infrastructure that can handle large volumes of traffic for typically relatively small amounts of time. That makes investment in DDoS mitigation capability unattractive to individual organisations, whereas outsourcing to cloud-hosted mitigation service providers is increasingly affordable.

Other attendees were more cautious about concluding that centralised DDoS mitigation was preferable and brought up various issues. One being vendor lock-in, which is the phenomenon of increasing dependency on a particular DDoS mitigation vendor, leading to the service user being unable to change vendors or stop using the vendor’s services. Some attendees pointed out that lock-in had more subtle effects as well. For example, it might be easy for a service user to change DDoS mitigation providers, but not to stop outsourcing DDoS mitigation altogether. In a way, cloud-based DDoS mitigation poses a greater risk of “service lock-in” than of vendor lock-in.

Another issue raised by the audience was the dependency on American DDoS mitigation vendors. For example, what would happen if, at some point in the future, data security, privacy, or other cornerstones of the GDPR were endangered by American legislation? Smaller, but similarly competent European scrubbing services such as NBIP’s NaWas could be a more desirable solution for some organisations. There was considerable consensus in the room that Europe would need similar services of its own, but set up in a ‘European way’, for instance by federating multiple DDoS mitigation providers.

What’s next?

The key takeaways, as described above, are a starting point for further improvements in the field of collaborative DDoS mitigation. The workshop highlighted a significant amount of research on the topic of (collaborative) DDoS detection and mitigation, which is rarely implemented in production. By gradually implementing promising research in practice, we can improve the DDoS resilience of the internet and lessen the impact of DDoS attacks on our digital society.

CONCORDIA will come to an end at the end of 2022, and we feel that the workshop was a great way to wrap up our contribution to the four-year project. Before the end of the year, we have a few more activities planned: a demo at the CONCORDIA Open Door event, writing a cookbook with all our lessons learnt over the years, and transferring the DDoS Clearing House to a production network operated by the Dutch Anti-DDoS Coalition.

Based on the discussion, the key takeaways, and the feedback we received, we are confident that the first workshop on collaborative DDoS mitigation was a great success. We look forward to inviting you to the second workshop on collaborative DDoS mitigation next year!

Check out the slides

To check back on the event, the agenda, and photos, visit our website.

Acknowledgements

We would very much like to thank everyone who attended the First CONCORDIA Workshop on Collaborative DDoS Mitigation, in particular our speakers and panellists: Wouter de Vries, Leandro Bertholdo, Daniel Wagner, Karl Lovink, Lili Nemec Zlatolas, and Benno Overeinder.

This work was partly funded by the European Union’s Horizon 2020 Research and Innovation Programme under Grant Agreement No 830927. Project website: https://www.concordia-h2020.eu/.

(By Thijs van den Hout (SIDN Labs), Cristian Hesselman (SIDN Labs, University of Twente))


[1] https://www.cloudflare.com/learning/ddos/glossary/ip-spoofing/