02 March 2018

A simple and robust solution for protecting critical infrastructures against DDoS attacks


Blog by Henk Steenman, CTO AMS-IX

In a digitally connected country such as the Netherlands, Internet connectivity is essential to consumers as well as the business community. As Technical Director of the AMS-IX (Amsterdam Internet Exchange), I find it unacceptable that the recent DDoS attacks of late January / early February managed to disrupt a number of critical infrastructures in the Netherlands. In particular, the impact on society and the public discussion resulting from that relatively small-scale attack gave me cause to take action and propose that AMS-IX builds and maintains a robust, simple and cost-effective technical solution.

During the weekend of January 27 / 28 and the following days, services of a number of critical infrastructures (various banks and the tax authority in the Netherlands) were undermined by a DDoS attack. Generally speaking, combating DDoS attacks is a complex matter, but the impact on critical Dutch infrastructures, intended for use by Dutch end users, can be limited in a fairly easy way.

Before we dive into the details, I would like to point out that for some time there has been talk of implementing general measures to fight DDoS attacks, especially attacks on infrastructures critical to the Dutch economy. Although several initiatives have been launched in recent years (such as the Trusted Networks Initiative and its successor, the Dutch Continuity Board), for various reasons they have not been able to offer a broadly supported and, above all, effective solution – in other words: something that actually works.

Interconnection critical infrastructure and end-users

[Image 1: All clear]

The Internet exists thanks to interconnection: it is a network of interconnected networks. Normally, a critical infrastructure accesses the Internet through its Internet Service Provider (ISP).

[Image 2: DDoS attack]

In the event of a DDoS attack, most of the traffic comes from the ‘general’ Internet, even if the attack has been initiated by a user connected to a Dutch ISP. With this type of DDoS attack, the effects can mainly be seen on the internet-facing services of the critical infrastructure.

[Image 3: AMS-IX]

By separating the direct interconnection between Dutch providers of critical infrastructures and providers of Internet access to Dutch end-users from interconnection with the rest of the Internet, the impact of a DDoS attack from the Internet on critical infrastructures for Dutch users can be mitigated.

To additionally remove DDoS traffic originating from the networks of Dutch ISPs, DDoS mitigation systems such as the Nationale Wasstraat (NAWAS) can be used, as well as other solutions present on the same infrastructure.

This is a robust, simple and cost-effective technical solution. The only requirements are creating the physical connections and fine-tuning the protocols (BGP) that determine the routing between the participants and the rest of the Internet. However, for IT-driven organizations such as financial service providers that offer all their services online, this should be easy. For Dutch ISPs, it is simply business as usual.
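A small capacity model of the separation described above, added here as an illustration; it is not part of the original blog or of any AMS-IX tooling. The link capacities, traffic volumes, scrubbing ratio and the proportional-drop behaviour of a congested link are all assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    origin: str          # "nl_isp" (Dutch access provider) or "internet"
    legit_gbps: float    # genuine user traffic towards the service
    attack_gbps: float   # DDoS traffic towards the service


def delivered_fraction(flows, capacity_gbps, scrub_ratio=0.0):
    """Fraction of legitimate traffic that survives one shared link.

    Assumptions: a congested link drops packets in proportion to the
    offered load, and scrub_ratio is the share of attack traffic that a
    mitigation service removes before the link.
    """
    legit = sum(f.legit_gbps for f in flows)
    attack = sum(f.attack_gbps for f in flows) * (1.0 - scrub_ratio)
    offered = legit + attack
    if offered <= capacity_gbps:
        return 1.0
    return capacity_gbps / offered


def dutch_user_service(flows, transit_gbps, peering_gbps=None, scrub_ratio=0.0):
    """Share of Dutch users' legitimate traffic that reaches the service."""
    if peering_gbps is None:
        # Single path: Dutch users share the transit link with the
        # attack traffic arriving from the general Internet.
        return delivered_fraction(flows, transit_gbps)
    # Separated path: only traffic from Dutch ISPs uses the dedicated
    # interconnection, so Internet-sourced attack traffic cannot fill it.
    dutch = [f for f in flows if f.origin == "nl_isp"]
    return delivered_fraction(dutch, peering_gbps, scrub_ratio)


# Constructed scenario: most attack traffic comes from the general Internet,
# a smaller part from hosts inside Dutch ISP networks.
FLOWS = [
    Flow("nl_isp", legit_gbps=4.0, attack_gbps=2.0),
    Flow("internet", legit_gbps=1.0, attack_gbps=93.0),
]

if __name__ == "__main__":
    print("single path        :", dutch_user_service(FLOWS, 10))
    print("separated          :", dutch_user_service(FLOWS, 10, peering_gbps=5))
    print("separated + scrub  :", dutch_user_service(FLOWS, 10, 5, scrub_ratio=0.9))
```

In this constructed scenario the separated link alone still loses some Dutch user traffic to the attack share that originates inside Dutch ISP networks, which is the gap the scrubbing step closes.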

It is, of course, important to remember that in addition to setting up this reasonably simple technical solution, commercial relationships between different parties may need to be adapted or implemented. But that is entirely up to the parties themselves; AMS-IX has no influence on or involvement in this.

More than just DDoS mitigation

The proposed direct link between critical infrastructures and Dutch ISPs is not something that should only be used in case of a DDoS attack. As far as AMS-IX is concerned, this should be a permanent link, because it provides better and more stable connectivity between the various parties.

AMS-IX Plug-and-Play

AMS-IX offers the infrastructure required to carry out the defined concept. In fact, we already use the existing robust physical infrastructure. Providing interconnection between different parties is exactly what we have been doing for 20 years: it is our core business. AMS-IX is one of the world’s largest internet exchanges for good reasons and has recently been labeled ‘critical infrastructure’ by the Dutch Ministry of Economic Affairs & Climate and the Ministry of Justice and Security.

Four reasons why AMS-IX is the ideal party to set this up

1. AMS-IX is a ‘not-for-profit’ organization, set up to improve Internet interconnection in the Netherlands (*)
2. AMS-IX is neutral in the sense that we are not affiliated with any of our affiliated networks, with any of the data centers to which we provide our services, or with the government
3. AMS-IX has extensive experience with the operational management of one of the world’s largest interconnection nodes
4. Connecting to AMS-IX is very simple. We are present in 14 of the most prominent data centers in Amsterdam, and also in a large number of data centers in the Netherlands through our partners.

(*) ‘Not-for-profit’ but also ‘not-for-loss’. Generally speaking, AMS-IX is profitable and financially very healthy. After the required reservations and investments in the platform have been made to facilitate continuous growth and meet capacity demand, the remaining profit is always returned to customers in the form of price reductions.

18 April: editorial update by Henk:

After re-addressing the above matter, AMS-IX has received, seen and read many other proposals and initiatives from both non-commercial and commercial parties. AMS-IX is now in constructive conversations with all these parties. For now, it is premature to give you an update, but we will surely keep you informed.