The Dutch Anti-DDoS Coalition is a consortium of 20 Dutch organizations from different sectors (including ISPs, banks, government agencies, and law enforcement agencies) that jointly combat DDoS attacks. To this end, they exchange knowledge, participate jointly in (research) projects and, at least once a year, practice a simulated scenario in which live DDoS attacks are used under controlled conditions.
The knowledge and experience generated by the activities of the coalition are shared within the coalition and, where possible, also outside of it. The coalition does all this with the aim of minimizing the impact of DDoS attacks and working towards a society that is resilient to DDoS attacks.
Origins and Background
Although DDoS attacks have been around for at least 25 years, they have had a much greater impact in recent years. The increasing dependence of the economy and society on services offered or facilitated via the internet means that DDoS attacks have a greater potential for disruption and economic damage. In January 2018, this became clear through a series of major attacks that included banks and government institutions.
These attacks were the direct trigger for the creation of the anti-DDoS coalition. At the time, it was expected that DDoS attacks would become an increasing problem, partly due to the explosive growth of the Internet of Things, in which all kinds of (poorly secured) devices are connected to the internet. These devices can be misused in so-called botnets, where they have been taken over by malicious parties and used to carry out DDoS attacks.
In addition, DDoS has become part of hybrid warfare.
Unique collaboration as a cooperative coalition
As a result of these developments, good resilience against DDoS attacks is more important than ever. The anti-DDoS coalition is a voluntary consortium of 20 organizations from government, business and civil society that puts the concept of cooperative DDoS mitigation into practice.
This set-up is unique in the Netherlands and Europe. For most organizations that have to deal with DDoS attacks, the emphasis is on protecting their own infrastructure, not on the collective nature of the problem and therefore not on collective solutions. With its cooperative set-up, the anti-DDoS coalition is successfully putting a unique approach into practice.
The coalition uses several cooperative instruments:
- the mutual exchange of knowledge and experiences
- sharing measurements of the characteristics of DDoS attacks via a so-called ‘DDoS clearinghouse’
- jointly conducting DDoS exercises
- providing information about DDoS attacks to the general public
- advancing security standards that help protect against DDoS attacks
Members of the coalition have written a paper on the concept of a DDoS coalition. You can read more about that in this post: https://www.nomoreddos.org/verhogen-van-ddos-weerbaarheid-door-het-samenwerken-in-anti-ddos-coalities-adcs/
Participation in the coalition
The core of the coalition (see image below) consists of organizations that work together through operational activities. These participants measure and share characteristics of DDoS attacks and conduct large-scale DDoS exercises together. For participants in the second category, the value of participation lies mainly in the mutual exchange of knowledge about repelling DDoS attacks.
Any organisation that can contribute to the coalition in the form of knowledge sharing, participation in research and/or operational activities can become a member of the coalition. Existing members have a say in the admission of new members. Membership is subject to an annual fee. Please contact antiddoscoalitie@ecp.nl for more information about membership.
Promoters
The anti-DDoS coalition is a partnership consisting of the following parties:
AMS-IX, ABN AMRO, KPN, Police, SURF, Digital Trust Center, SIDN, National Cyber Security Centre, Land Registry, State Inspectorate Digital Infrastructure, SSC-ICT, University of Twente, NL-ix, Tax and Customs Administration, Logius, Dutch Banking Association, Stichting Digitale Infrastructuur Nederland, Nikhef, NBIP-NaWas (Nationale Wasstraat) and VNO-NCW.
Working groups
In order to work together on the various points of attention that the sharing of knowledge about DDoS requires, working groups have been set up within the coalition. Each working group deals with a specific theme related to DDoS attacks.
Specialists from various participating organisations participate in each working group. In this way, companies and organisations benefit from this bundling of knowledge in the field of DDoS control.
Working Group on Legal Affairs
This working group has a supporting role to the other working groups and deals with legal issues. Drafting legal documents and advising on possible legal risks are also part of the job description. The working group acts as a sparring partner for the members of the coalition. Sharing knowledge and exchanging information is of paramount importance to the Legal Affairs working group.
Working group Communication and Visibility
The aim of this working group is to share information from the working groups with the internet community through various channels, such as this website and those of the participating parties. It also stimulates communication within and between the other working groups, takes initiatives to improve visibility and communication around the topic of DDoS attacks, and organizes the yearly DDoS Mitigation event.
Clearing House Working Group
The Clearinghouse working group has set up a technical system that aims to measure specific technical characteristics of DDoS attacks by means of so-called ‘DDoS fingerprints’ and exchange this information between participants. The Clearinghouse focuses on further improving the DDoS information position of coalition members and does not handle DDoS traffic itself. It is therefore complementary to, not a substitute for, existing services and organisations involved in DDoS mitigation.
The Clearinghouse working group has a number of objectives, including setting up a working prototype of the DDoS Clearinghouse in the Netherlands based on software from the University of Twente (the ‘DDoS dissector’ and the ‘DDoS-DB’). The objectives also include designing the necessary technical infrastructure and contributing to the development of Clearinghouses in Europe through the EU project CONCORDIA.
Working group Practicing
The aim of the Practice working group is to practice with DDoS attacks and to enable the coalition members to learn from them. The exercises take place, among other things, in collaboration with the National Response Network (NRN), a partnership that aims to collectively respond better to incidents in the field of cybersecurity. In this context, the various participating parties will pool their resources.
Working group Intel & Attribution
The Intel and Attribution working group aims to tackle DDoS attacks at the source. The focus is on methods to gather, enrich and analyze information in order to:
- identify the source of an attack (attribution),
- gain access to information after attribution and use the obtained data for mitigation, and
- exchange threat intelligence information.
A number of sub-projects are currently being worked on. For example, work is being done on creating fingerprints via booters in collaboration with the DDoS Clearing House.
Would you like to know more about the coalition and its working groups?
Please contact us at antiddoscoalitie@ecp.nl. ECP facilitates the cooperation between the coalition parties in consultation with the various working group chairs.