October 28, 2019
Written by Jair Santanna, first researcher to investigate DDoS attacks at the University of Twente, Assistant Professor, member of Cyber Security Next Generation, and creator of the technical solutions in the DDoS Clearing House, which is the main element of the Dutch Coalition Anti-DDoS Attacks.
Disclaimer. This is not a novel solution, it is straightforward to deploy, and it is extremely effective if the users of your online service or infrastructure can be centralised (e.g. online services meant for the citizens of a country).
The “hidden window isolation” analogy. Imagine you have a house with one big door, several guards and one hidden window. Consider that at a given moment, a huge crowd of people intentionally blocks your door. This act denies your friends the ability to enter your house. This is exactly what a Distributed Denial of Service (DDoS) attack is. In this analogy “the house” is your online service under attack, “the crowd” is the set of infected or misused machines controlled by a hacker, and “your friends” are the legitimate users who want to access your online service. In this situation, there is a very easy solution (instead of hiring extra guards): convince your friends to enter via the hidden window. This is a very simple solution, right? Well, it is only possible if you can (somehow) isolate the window so that only your friends can reach it. Technically speaking, it is possible, easy to deploy, and was done by Logius against DDoS attacks on 18 October 2019.
Logius. Logius is the provider of digital services to the Dutch Ministry of the Interior and Kingdom Relations. It is best known for its DigiD service, an identity management platform used by government agencies of the Netherlands to verify the identity of Dutch residents on the Internet. In 2018, Logius created a proof-of-concept to defend against DDoS attacks using that “hidden window isolation” idea. While the majority of DDoS attacks come from machines distributed all over the world, Logius noticed that the vast majority of users (>80%) accessing its services come from a few known Internet Service Providers (ISPs): KPN, Tele2+T-Mobile, and Vodafone+Ziggo+LibertyGlobal. Logius (with help from a handful of ISPs) then established what they called the Quality Peering Platform (KwaliteitsPeering Platform, KPP).
The Logius Quality Peering Platform (KPP). The main idea behind this solution is to isolate the access path for the majority of users of Logius services (Dutch residents), as in the “hidden window” analogy. In addition, Logius leaves the general “public entry” open to the rest of the world (in case someone abroad would like to access the service). Technically speaking, this was done with the well-known BGP community “no-export”: a route carrying it is not re-advertised by the receiving ISP to its own neighbours, so only users within the ISPs peering on the KPP can reach the isolated path towards the service (“the isolated hidden window”). Again, remember: DDoS attacks come from all over the world, so an attack will mainly hit “the door”, not “the window”. Evidence for this claim comes from our analysis of almost 900 DDoS attacks publicly available at ddosdb.org (the largest public database of DDoS attacks). In this analysis, attacks involving infected/misused devices within the Netherlands (207 attacks) account, in the worst-case scenario, for less than 1.2% of the attack power. In other words, in the worst-case scenario, 98.8% of the attack will hit “the door” and the remaining 1.2% will hit “the window”.
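As an added illustration (not Logius's configuration, and not code from the original post), here is a small Python model of how the no-export community confines the “window” route to the peering partners while the “door” route reaches everyone. The topology, AS names and the propagation rule are constructed simplifications (no valley-free policy or filters are modelled); the third case shows what happens if the isolated prefix is announced to the peers without the community.

```python
"""Model of how the well-known BGP NO_EXPORT community confines a route.

Added illustration, not Logius code. The topology, AS names and the
propagation rule are constructed placeholders: a route is re-advertised
to every neighbour unless it carries NO_EXPORT, in which case the
receiving AS keeps it to itself (RFC 1997 semantics, no confederations).
"""
from collections import deque

NO_EXPORT = "no-export"  # RFC 1997 well-known community 65535:65281

# Constructed topology: SERVICE peers directly with two domestic ISPs on
# the "quality peering" platform and buys transit from TRANSIT, which
# also serves the rest of the world (FOREIGN).
TOPOLOGY = {
    "SERVICE": ["ISP_A", "ISP_B", "TRANSIT"],
    "ISP_A":   ["SERVICE", "TRANSIT"],
    "ISP_B":   ["SERVICE", "TRANSIT"],
    "TRANSIT": ["SERVICE", "ISP_A", "ISP_B", "FOREIGN"],
    "FOREIGN": ["TRANSIT"],
}


def propagate(topology, origin, announce_to, communities=()):
    """Return the set of ASes that end up holding a route for the prefix.

    `origin` advertises to the neighbours in `announce_to`; each AS that
    learns the route passes it on to all of its neighbours unless the
    route carries NO_EXPORT.
    """
    learned = {origin}
    queue = deque(nb for nb in announce_to if nb in topology[origin])
    while queue:
        asn = queue.popleft()
        if asn in learned:
            continue
        learned.add(asn)
        if NO_EXPORT in communities:
            continue  # keep inside this AS; do not re-advertise
        queue.extend(nb for nb in topology[asn] if nb not in learned)
    return learned


def hidden_path_exposure(topology, untrusted=("FOREIGN",)):
    """For the "door", the "window" and a mis-announced window, list which
    untrusted ASes hold a route. A non-empty list for the window means the
    isolated path leaked beyond the peering partners."""
    door = propagate(topology, "SERVICE", ["ISP_A", "ISP_B", "TRANSIT"])
    window = propagate(topology, "SERVICE", ["ISP_A", "ISP_B"], (NO_EXPORT,))
    leaky = propagate(topology, "SERVICE", ["ISP_A", "ISP_B"])  # community forgotten
    cases = (("door", door), ("window", window), ("leaky_window", leaky))
    return {name: sorted(a for a in untrusted if a in routes) for name, routes in cases}
```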
Unbiased, public and successful test. Although the Logius KPP proof-of-concept was deployed and (to some extent) tested in 2018, only now, in 2019, has it been tested in public. In the early morning of 19 October 2019 there was a nationwide DDoS exercise involving several organisations, including Logius. Each of the organisations involved had the chance to test its capabilities against DDoS attacks (sometimes in collaboration with third-party DDoS protection companies). For Logius, this was the right opportunity to test the KPP, and I was subsequently invited to coordinate the assessment of the KPP. While the attack was strongly hitting “the door”, it did not affect “the friends” entering via “the window”. In technical terms, while Logius services were affected for the rest of the world, users within the ISPs that are part of the KPP did not notice any increase in latency. The measurements, taken with the RIPE Atlas platform (https://atlas.ripe.net/measurements), are publicly available. By mid-November, a report explaining all of the technical details will be made available. Are you interested?
Future directions and similar initiatives. As the tests were a great success, Logius intends to make the KPP a permanent solution. This means that, eventually, “the window” will remain “hidden and isolated” for “the friends” while “the door” will be left to “the rest of the Internet”. The main difference between the Logius KPP and other very similar solutions (e.g. the Trusted Networks Initiative and the Dutch Continuity Board) is that the KPP is meant as a permanent solution rather than a temporary last resort. Note that this is only possible given the type of users accessing Logius services (mainly Dutch residents). An important remark is that the KPP does not remove the need for additional protection (possibly from third-party organisations, for example the National DDoS Scrubbing Center, NaWas). Remember that in our analysis we observed at most 1.2% of a DDoS attack's power coming from the Netherlands. This means that a tailored attack coming 100% from infected machines within the ISPs that are part of the KPP (although unlikely) would still require additional protection (“an extra guard”).
Call to action. Finally, I would like to emphasise that DDoS attacks are one of the oldest cyber threats. They appeared almost immediately after the Internet was created and are still increasing in frequency and power. The damage to Dutch society is already in the range of millions of euros per year. Therefore, I would like to start a discussion around the following question: why do other national services (especially the critical ones) not consider permanently deploying a solution similar to the Logius Quality Peering Platform (KPP)? This simple and effective type of solution would make their services more resilient against DDoS attacks, and society as a whole would benefit from it. Do you agree with me?