
Many people are online all day long. Apart from local outages, there is almost always Internet. How special is that? And what would happen if web pages were no longer accessible? Researchers at the University of Twente are investigating the robustness of one of the cornerstones of the Internet: the so-called DNS network. Like a telephone book, this ensures that you always arrive at the correct domain when you look up an address, according to the university in a (Dutch) press release.

Scientists from the faculty of Electrical Engineering, Mathematics, and Computer Science (EEMCS) at the University of Twente are trying to find out, within the MADDVIPR project, which cyber attacks are successful and how companies can best repel them.

Every day the Internet is under attack. As you read this post, companies’ websites, servers and networks are being scanned for possible security breaches and attempts are being made to take them offline. One popular way to do that is a so-called DDoS attack (an abbreviation of distributed denial-of-service). This involves overloading a server with requests (for example, to load a page) from a large number of cooperating computers. Those requests aim to overload the server. If that happens, the server no longer has time to process requests from real visitors: the website or Internet service is then unreachable.

In 2021 and 2022, University of Twente researchers recorded an average of more than 250,000 such attacks per month. The real number of attacks is probably a lot higher because not everything is registered. These actions often target domains of companies and institutions and critical facilities such as hospitals. A small portion of them target the so-called DNS network, a fundamental part of the Internet. Think of it as the address book that sends your computer or phone to the right server. For example, if you want to go to utwente.nl, a DNS server directs your phone or computer to the server with the IP address 130.89.3.249, where the website is hosted.

Only one or two percent of the total number of DDoS attacks target the DNS network, but successful attacks have a larger impact because they can make many domains inaccessible at once. Within the Mapping DNS DDoS Vulnerabilities to Improve Protection and Prevention (MADDVIPR) project, researchers from the University of Twente are trying to find out how often these attacks occur, whether they are successful and whether companies are taking effective countermeasures. They are collaborating with the University of California, San Diego (UC San Diego) to do so.

Monitoring the Internet

In the project, the Dutch and American scientists combine two systems. First, the researchers in Enschede have what they say is the world’s largest measurement system for the DNS. Every day, it automatically retrieves the status of about two-thirds of the world’s domain names.

The scientists at UC San Diego have a large so-called network telescope: a network of computers connected to the Internet via “unused” IP addresses, totaling some 12 million. “All the traffic coming in there is by definition unwanted, because in fact you have nothing to do there,” says Roland van Rijswijk-Deij, adjunct professor of Measurement-based Internet Security at the University of Twente. “What we see on there are attacks and scans, computers trying to connect, listening or ‘poking’ to see if they can get through something. And because attackers often work with a false sender, some of the attack traffic also accidentally ends up in this network telescope. We monitor this ‘background noise’ as well.” The network telescope provides data on the attacks that are taking place, their intensity and which part of the DNS network is under attack. The researchers combine this data with the functioning of the DNS network.

In addition, the researchers themselves check whether domains are findable via DNS, and whether this takes longer than usual, for example. “If you combine the information about the current attacks with the performance of websites you get a picture of the effectiveness of the actions,” says Van Rijswijk-Deij.
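The correlation described above, sketched as an added illustration (this is not the researchers' code): attack windows of the kind a network telescope could infer are matched against active DNS measurements for the same name server, and performance during each attack is compared with the period just before it. All addresses, timestamps, thresholds and function names are constructed assumptions.

```python
from statistics import median

# Constructed sample data (not real measurements).
# Attack windows inferred from telescope traffic: (name server IP, start, end), epoch seconds.
ATTACKS = [("192.0.2.53", 1000, 1600), ("198.51.100.53", 3000, 3300)]

# Active DNS measurements: (name server IP, timestamp, response time in ms; None = timeout).
MEASUREMENTS = [
    ("192.0.2.53", 400, 21.0), ("192.0.2.53", 700, 19.0), ("192.0.2.53", 900, 20.0),
    ("192.0.2.53", 1100, 180.0), ("192.0.2.53", 1300, None), ("192.0.2.53", 1500, 220.0),
    ("198.51.100.53", 2500, 30.0), ("198.51.100.53", 2800, 32.0),
    ("198.51.100.53", 3100, 31.0), ("198.51.100.53", 3200, 29.0),
]

def attack_impact(attacks, measurements, baseline_window=900, slowdown_factor=3.0):
    """Compare DNS performance during each attack with the window just before it."""
    reports = []
    for ns, start, end in attacks:
        before = [r for n, t, r in measurements
                  if n == ns and start - baseline_window <= t < start]
        during = [r for n, t, r in measurements if n == ns and start <= t <= end]
        base_ok = [r for r in before if r is not None]
        during_ok = [r for r in during if r is not None]
        if not base_ok or not during:
            # Without a baseline or without probes during the attack, nothing can be concluded.
            reports.append({"ns": ns, "verdict": "insufficient data"})
            continue
        baseline = median(base_ok)
        fail_rate = (len(during) - len(during_ok)) / len(during)
        # If every probe timed out, treat the slowdown as unbounded.
        slowdown = median(during_ok) / baseline if during_ok else float("inf")
        degraded = fail_rate > 0 or slowdown >= slowdown_factor
        reports.append({"ns": ns, "baseline_ms": baseline,
                        "slowdown": round(slowdown, 2), "fail_rate": round(fail_rate, 2),
                        "verdict": "degraded" if degraded else "no visible impact"})
    return reports

if __name__ == "__main__":
    for report in attack_impact(ATTACKS, MEASUREMENTS):
        print(report)
```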

Making infrastructure robust

There are ways to repel attacks on the DNS network or limit their impact. One of the most efficient ways to do that is to disperse the servers on which the data resides, says Van Rijswijk-Deij. “You have to have a DNS server in every part of the Internet, as it were, like a copy of an old-fashioned phone book that is everywhere,” he says.

Another technical solution is to make the same IP address available in multiple places around the world through different servers. If one of the servers goes offline, a computer automatically searches for another server with the same address. This system is called Anycast and Google, for example, uses it. The company runs a DNS service that it says processed a trillion requests a day in 2018.

Vulnerable due to cost cutting

These types of measures have been around for a long time, but that doesn’t mean every hosting company is implementing them. “Researchers like us can make recommendations for security, but the fact is that margins are low in the hosting world. And these kinds of measures cost money,” says Van Rijswijk-Deij.

To save costs, hosting parties often knock on the door of large parties who take the work off their hands for a lower price. Economically that makes sense, but it can actually make the network more vulnerable. “Over the past decade we have seen a number of parties become dominant in all kinds of parts of the Internet,” says Van Rijswijk-Deij. “Think of Amazon, Google and Cloudflare for hosting domains, but also in the Netherlands there is one party – TransIP – that manages hundreds of thousands of domain names. If one of those parties has an issue then it immediately has major consequences.” To illustrate, he cites a DDoS attack on TransIP’s DNS servers in 2021, which took that company’s customers offline. For example, the website of the Senate was offline for a short time, as well as those of municipalities and hospitals.

From hobbyists to professional criminals

There are consequences of successful attacks, but who actually has a stake in them? Who carries out these actions? Van Rijswijk-Deij outlines a diverse palette of individuals and organizations, ranging from sometimes young “hobbyists in attic rooms” who barely realize that what they are doing could lead to a prison sentence, to “professional” hacker collectives. Behind these, in turn, there are criminal motives, such as extorting organizations for money. There are also political motives at play when hackers carry out targeted attacks on essential infrastructure at the behest of a hostile state, intended to cause disruptions in society. As an example, he cites the University Medical Center Groningen whose website was unavailable or barely available at the beginning of this year. Russian hackers were responsible for this.

Van Rijswijk-Deij thinks that many people underestimate the potential of this type of attack. “‘I can go without the Internet for a few hours,’ you might think. But an unreachable hospital can be life-threatening,” he says. “Besides, you can hardly imagine how deep the Internet is in our lives, it happens in so many ways.” Communicating with friends and family becomes difficult, as well as paying digitally, and there is no longer online news coverage. Van Rijswijk-Deij predicts crowds and chaos at airports (no more online check-in), supermarkets (no more online ordering) and on the road and railroads (no more up-to-date traffic information), for example.

Will we live to see the Internet break down en masse? Van Rijswijk-Deij says that so far the Internet seems quite robust. That was also a design criterion in the early days of the Internet in the late 1960s. Still, he does not rule out a major failure. And we should be more alert to that, he thinks: “Look at the legislation: the PTT used to be obliged to arrange special telephone lines for hospitals that were always available and the electricity that enters your house is officially ‘vital infrastructure’ that is not allowed to fail. That still doesn’t apply to the Internet, which is pretty crazy.”