“Nothing like this is being done anywhere else.”

Joint attack response drills by Dutch Anti-DDoS Coalition

DDoS attacks are getting bigger and more complex. So much so that reactive, independent responses often prove inadequate. We’ve therefore linked up with a group of partner organisations to form the Dutch National Anti-DDoS Coalition. Coalition members share DDoS attack characteristics and related intelligence via a DDoS clearing house. Practice drills are also held to enable members to test their attack-readiness. The drill organisers are Karl Lovink, Technical Lead at the Dutch tax authority’s Security Operations Centre, and Marc Groeneweg, Infrastructure and Security Architect at SIDN. “We can press the ‘red button’ at any moment.”

Why is a joint response to DDoS attacks so important?

Lovink: “DDoS attacks affect everyone. It’s never just one target that suffers. If, for example, an attack takes out DigiD, people can’t log in on the tax authority’s website. Or, if Ziggo goes down, their customers can’t register domain names. A collective problem demands a collective response. And, between us, we have a huge amount of expertise. By sharing our knowledge and coordinating our activities, we can improve our resilience and the whole country benefits.”

Karl Lovink, Technical Lead at the Dutch tax authority’s Security Operations Centre

Are joint drills organised in other countries as well?

Lovink: “As far as I know, nothing like this is being done anywhere else. One particularly unusual feature of our coalition is the involvement of both public and private organisations. I think maybe it’s a cultural thing: in the Netherlands, we’re used to working together in our common interest.”

What’s the purpose of doing DDoS drills?

Groeneweg: “We really learn a lot from each other. In both technical and organisational terms. How is one organisation able to successfully mitigate an attack, while another one struggles? What’s the best way to set up a response team? What disciplines should be represented? What’s the most efficient way to organise the work?”

Lovink: “It’s also very important to build up a network. We make a point of organising fringe activities linked to the drills, so that everyone can get to know each other. That makes for better communication and coordination in the event of an attack. In an emergency, there’s no time for introductions. Eight large organisations are now taking part in the drills. And, judging by the level of interest, I think the number’s going to go on rising. That means we need to carefully evaluate each drill to make sure we’re ready for the next one.”

What roles do you play in the drills?

Lovink: “A number of roles are defined for each drill. A number of people drawn from across the various member organisations are assigned to Team Red. Team Red carries out the attack. Defence is down to Team Blue. Their job is mitigating the attack. Then we have an Observers’ Team, which goes around and evaluates what’s happening. Marc and I both act as coordinators. Each participating organisation appoints a coordinator.”

Groeneweg: “We coordinate the drill, check how the teams are working together and make sure that all the necessary preparations are made. We can also press the ‘red button’ at any moment to end the drill if one of the participants is experiencing difficulties.”

Marc Groeneweg, Infrastructure and Security Architect at SIDN

How much pressure do the drills place on the organisations involved?

Lovink: “You could compare it to a normal maintenance window, when the tax authority’s services are temporarily unavailable. Quite far-reaching impact, in other words. While it’s in progress, customs officers can’t clear containers, businesses can’t submit tax returns, and so on. We try to minimise the inconvenience by doing the drills in the middle of the night, during a predefined window. The timing’s announced a year in advance. It has to be that way to get everyone onside.”

Groeneweg: “The effect on SIDN isn’t so severe. Our services are reduced a little, but the Domain Name System certainly isn’t affected, and the consequences for our Domain Registration System are modest. People using .nl domain names won’t notice anything, and neither will registrars.”

If the drills have so much impact, don’t you have problems in terms of getting support?

Groeneweg: “For SIDN, drills like this are integral to our primary processes, which are vital to the whole country. So support isn’t an issue.”

Lovink: “It’s a similar story at the tax authority. The IT staff are really keen on the drills; we never have a shortage of volunteers. Also, none of our drills have overrun the change window, and that makes it easier to win support. Joint activities of this kind also drive exciting new partnerships, like our collaboration with SIDN Labs. People enjoy that side of things.”

How do you prepare for a drill?

Groeneweg: “As soon as one drill is over, we start preparing for the next. What can we do to improve collaboration? Are any new forms of attack on the rise, which we ought to simulate? Have we implemented all the lessons learnt from the last drill? The coordinators meet every two weeks. And all the other consortium members are in regular contact — to talk about new developments, for example.”

What kind of attack infrastructure is needed to run a drill?

Groeneweg: “We do the drills in a controlled environment. We built a completely new infrastructure to make that possible.”

Lovink: “We aim to simulate reality as accurately as possible. However, we only use our own systems, whereas real attackers use botnets. In that respect, the drills aren’t like real attacks. A botnet would be harder to control. On top of which, using a botnet would be computer intrusion. To compensate, Team Blue isn’t allowed to mitigate by blocking specific IP addresses. Otherwise, the drill would be over in no time. There wouldn’t be much point in doing that in a real attack anyway, because attack addresses are often spoofed.”

What do you get out of running a drill?

Groeneweg: “After each drill, all the participating organisations hold an evaluation session. We consider what we’ve learnt and how we can improve our networks. The biggest thing is that each organisation really gets to know its own network. What’s normal behaviour and what’s abnormal? What should we be looking out for? That kind of insight is incredibly valuable.”

Lovink: “In the future, we’d like to convert the lessons learnt from these drills into response recommendations. We’re also planning to share the recommendations with a wider audience through www.nomoreddos.org. Because it’s only by working together that we can make the internet more secure.”
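Two points from the interview lend themselves to a small worked illustration: the drill rule that Team Blue may not mitigate by blocking individual IP addresses (because real attack sources are often spoofed), and the evaluation lesson that each organisation needs to know what “normal” looks like on its own network. The script below is an added example, not tooling from the coalition or either organisation; it builds constructed flow records (a hypothetical target address, 20 legitimate repeat clients, then three seconds of simulated flood from unique spoofed sources), learns a bytes-per-second baseline from the quiet period, flags the seconds that deviate from it, and scores what blocking the ten busiest source IPs would actually have achieved.

```python
from collections import Counter
from itertools import count
from statistics import mean, pstdev

TARGET = "203.0.113.10"  # hypothetical defended address (documentation range)

def build_sample():
    # Constructed records: (second, src_ip, dst_ip, bytes, kind). 'kind' is ground
    # truth used only to score the outcome; the detection functions never read it.
    flows = []
    for t in range(8):  # 20 legitimate repeat clients with slightly varying load
        for i in range(40 + t % 3):
            flows.append((t, f"198.51.100.{(t * 7 + i) % 20 + 1}", TARGET, 1200, "normal"))
    spoofed = count(1)
    for t in range(5, 8):  # seconds 5..7: simulated flood, every source address unique
        for _ in range(250 * (t - 4)):
            n = next(spoofed)
            flows.append((t, f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}", TARGET, 1500, "spoofed"))
    return flows

def bytes_per_second(flows, dst=TARGET):
    per_sec = Counter()
    for t, _, d, nbytes, _ in flows:
        if d == dst:
            per_sec[t] += nbytes
    return dict(per_sec)

def baseline(flows, until):
    """Mean and population std-dev of bytes/second toward the target before `until`."""
    series = [b for t, b in bytes_per_second(flows).items() if t < until]
    return mean(series), pstdev(series)

def anomalous_seconds(flows, mu, sigma, k=3.0):
    """Seconds whose volume exceeds the learnt baseline by more than k std-devs."""
    return sorted(t for t, b in bytes_per_second(flows).items() if b > mu + k * sigma)

def top_talker_block(flows, window, n=10):
    """Score what blocking the n busiest source IPs during `window` would achieve."""
    per_src = Counter()
    for t, src, _, nbytes, _ in flows:
        if t in window:
            per_src[src] += nbytes
    blocked = {src for src, _ in per_src.most_common(n)}
    score = {"legit_blocked": 0, "attack_blocked": 0, "attack_total": 0}
    for t, src, _, nbytes, kind in flows:
        if t in window and kind == "spoofed":
            score["attack_total"] += nbytes
        if t in window and src in blocked:
            score["legit_blocked" if kind == "normal" else "attack_blocked"] += nbytes
    return score
```

With this sample, the baseline check flags seconds 5 to 7, while the top-ten IP block removes none of the flood bytes and only punishes the legitimate repeat clients, which is exactly why the drill forbids that shortcut.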