Can this 'national DDoS radar' plan help fight off attacks on Dutch critical systems?

After a wave of denial-of-service attacks on banks, Netherlands security experts are proposing a new approach.
Written by David Meyer, Contributor

Video: Firm finds kill switch after massive memcached DDoS attacks

A team of cybersecurity researchers has come up with a proposal to help the Netherlands ward off the threat of distributed denial-of-service (DDoS) attacks.

Their concept is to create a "national DDoS radar system" that could, in extreme cases, see Dutch networks disconnected from the outside world.

The Netherlands was earlier this year hit by a wave of DDoS attacks that took out banks such as ABN Amro and ING Bank, along with the Dutch Taxation Authority. Although some initially pointed to the Russians as the culprits, police ended up arresting a local 18-year-old.

The attacks alarmed researchers working at or associated with the University of Twente.

"We were starting to worry about DDoS attacks and their scale, and then the attacks happened on the banks in the Netherlands," Jeroen van der Ham, a guest researcher at the university, told ZDNet.

"They had a very big effect and that worried us. We were so surprised as we've had these kinds of attacks before, and these attacks didn't seem that big in comparison, but they did have this big effect.

Related: How to build a successful career in cybersecurity (free PDF)

"So we thought, 'This can't go on like this. Something has to happen'."

Van der Ham noted that Dutch internet service providers (ISPs) and DDoS mitigation services had previously talked about whipping up a united front against such attacks, but "apparently it didn't have much effect".

The researchers' proposal, outlined in an open letter that was published on Thursday, calls for "a proactive and collaborative DDoS mitigation strategy for the country's critical infrastructure, which resolves around providers of critical services continually collecting information on potential and active DDoS sources and automatically sharing this information with other providers".

The "proactive" part is not happening now. When critical service providers get hit, they send the traffic they're receiving to a commercial service that filters out the bad from the good -- DDoS attacks work by flooding target systems -- and they often don't talk to other critical service providers about what's going on.

"Part of the solution should come from the ISPs and the DDoS mitigation services, but also the vital infrastructure in the Netherlands -- the banks, the [tax authority], the energy infrastructure companies," said van der Ham.

"They should be involved as they are mostly the targets. They can gather the information on the DDoS attack profiles and share that information, then the ISPs can do something with this."

The Dutch Payments Association, which includes the country's banks among its membership, certainly seems keen on the idea.

"The Dutch payments industry, including banks, has been working closely together for many years in several public-private partnerships to fight cybercrime. The call for nationwide cooperation to prevent and mitigate DDoS-attacks fits this strategy very well," a spokesperson told ZDNet via email.

One particularly eyebrow-raising part of the proposal reads: "The DDoS radar also helps reaching a collective decision on when to incrementally and temporarily disconnect Dutch networks from the global internet in case of extremely large DDoS attacks and subsequently enforce this decision in collaboration with the former Trusted Networks Initiative and the Dutch Continuity Board."

As van der Ham notes, this step would be a "very drastic measure [that] should only be taken in very extreme cases".

"What we see is that it could be that an attack on a vital service is so enormous that no DDoS mitigation service could actually stop it," he said.

"Then you have no other choice but to cut off that service from the rest of the internet and limit access to users from the Netherlands, otherwise everything stops working. At least it would still work nationally.

See also: Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness

Van der Ham argued that DDoS mitigation is best handled on a national level.

"But for proactive measures where you're scanning for DDoS sources and networks that allow spoofed traffic, you really need an international strategy to deal with these problems," he added, suggesting that international coordination is already brewing with the development of internet-of-things security certifications. The European Union's new NIST Directive may also help, he said.

The parties involved in the Dutch DDoS issue are already planning to meet for discussions in the next few months. "What we aim to do with this open letter is to try to set the ambition of that meeting a little higher than it would have been," van der Ham said.

He added that the researchers are also calling on the government to "promote this idea and make sure something actually happens".

The Dutch government's cybersecurity spokeswoman had not replied to a request for comment at the time of writing.

Previous and related coverage

DDoS mystery: Who's behind this massive wave of attacks targeting Dutch banks?

The attackers and their motives for concerted attacks on Netherlands finance institutions remain unknown.

Microsoft's Windows 10 breaches data protection law, say Dutch regulator

Because of Microsoft's approach users lack control of their data, says privacy watchdog.

Mass surveillance: New law must be put to public vote, say Dutch

Activists think next year's vote will convince politicians to make major changes to a new mass-surveillance law.

Dutch spies tipped off NSA that Russia was hacking the Democrats, new reports claim

Netherlands intelligence penetrated Russia's US election hackers and alerted US counterparts, sources say.

Rabobank, IBM aim to use cryptographic pseudonyms for GDPR

With IBM Research, Rabobank has come up with an interesting twist to GDPR compliance.

Editorial standards