TNI aims to provide an emergency facility in case a large-scale DDoS attack hits the vital infrastructure in the Netherlands. The idea behind the initiative is that a victim wards off the attack by temporarily disconnecting from the global internet and delivering its services only to customers of ‘trusted networks’.
Marc Gauw Michiel Leenaars
NLnet ?
• NLnet used to be an Internet Service Provider (’80s and ’90s), sold in 1996
• Since 1996 an ‘ANBI foundation’; mission ‘to stimulate electronic information-exchange’
• In the last few years we have had a special focus on cybersecurity projects, examples:
o Trusted Networks Initiative (AntiDDoS)
o Holland Strikes Back (cybersecurity congress)
o Radically Open Security (cybersecurity start-up)
o Various projects with the NCSC (tools and scripts)
o Many donations, mostly contributing to ‘safe’ open source development.
o Many loans, e.g. to De Nationale Wasstraat (AntiDDoS)
o Partner in setting up ‘Internet.nl’ (safe internet education)
o Support of the Open Invention Network (open source patent defense, https://nlnet.nl/help/ )
o Participant in Digitale Infrastructuur Nederland (‘DINL’)
4. The problem:
DDoS attacks could become too big or too long-lasting to mitigate with current solutions
A last-resort solution:
Temporarily disconnect your website from the ‘untrusted part of the Internet’ and remain accessible from the ‘trusted part’
11. During emergency:
Temporarily raise the bridge to ‘global’
[Diagram: critical.com, with a website visitor on the ‘Trusted Internet’ and a website visitor on the ‘Global Internet’]
12. What is a Trusted Network ?
A website and/or network that commits:
1) to take technical measures to prevent DDoS attacks, like antispoofing/BCP38
2) to secure organisational measures to quickly act in case of attacks from its own network
3) to follow the applicable law and cooperate with justice.
If you commit:
16. Technical Requirements
Required:
• your own AS,
• your own IP (/24 IPv4),
• your own BGP4-router
• enough routing knowledge
[Diagram: critical.com, connected to Trusted Routing (website visitor via ‘trusted’) and to the Global Internet Feed(s) (website visitor via ‘global’)]
19. In case of emergency
In case of an attack:
- announce attacked IP-address to Trusted Networks only
- and blackhole the attacked IP-address on global internet feed(s)
- or disconnect attacked block from global internet feed(s)
[Diagram: critical.com, connected to Trusted Routing (website visitor via ‘trusted’) and to the Global Internet Feed(s) (website visitor via ‘global’)]
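The two emergency options on this slide, modelled as an added example that is not part of the original slides: it builds the per-session announcements and checks by longest-prefix match who can still reach which address. The session names, the documentation prefix 203.0.113.0/24 and the use of the RFC 7999 BLACKHOLE community as the blackholing signal are assumptions.

```python
import ipaddress

BLACKHOLE = "65535:666"  # RFC 7999 BLACKHOLE community; upstream support is assumed

def emergency_plan(sessions, own_block, attacked_ip, global_action="blackhole"):
    """Per-session announcements while under attack.

    sessions: {name: "trusted" | "global"} (hypothetical session labels).
    Returns {name: [(prefix, communities), ...]}.
    """
    block = ipaddress.ip_network(own_block)
    victim = ipaddress.ip_network(attacked_ip)  # a bare address parses as a host route
    if not victim.subnet_of(block):
        raise ValueError(f"{attacked_ip} is not inside {own_block}")
    if global_action not in ("blackhole", "disconnect"):
        raise ValueError("global_action must be 'blackhole' or 'disconnect'")
    plan = {}
    for name, kind in sessions.items():
        if kind == "trusted":
            plan[name] = [(block, ())]  # trusted networks keep a normal route
        elif global_action == "blackhole":
            # block stays announced; only the attacked host route is tagged for dropping
            plan[name] = [(block, ()), (victim, (BLACKHOLE,))]
        else:
            plan[name] = []  # whole block withdrawn from the global feed
    return plan

def outcome(plan, session, dst_ip):
    """Longest-prefix match over what one session was told."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [(p, c) for p, c in plan[session] if dst in p]
    if not matches:
        return "no-route"
    _, communities = max(matches, key=lambda m: m[0].prefixlen)
    return "dropped" if BLACKHOLE in communities else "delivered"

# Constructed sample: made-up session names, documentation address space.
SESSIONS = {"trusted-routing-vlan": "trusted", "transit-a": "global"}

if __name__ == "__main__":
    for action in ("blackhole", "disconnect"):
        plan = emergency_plan(SESSIONS, "203.0.113.0/24", "203.0.113.10", action)
        for sess in SESSIONS:
            for ip in ("203.0.113.10", "203.0.113.20"):
                print(action, sess, ip, outcome(plan, sess, ip))
```

The output shows the trade-off between the two options: blackholing keeps the rest of the block reachable from the global side, while disconnecting removes the whole block there.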
20. Trusted Routing: Connection details
[Diagram labels: critical.com; Router of Trusted Network; Patch-cable; IX Port + VLANs; Internet Exchange; Trusted Routing VLAN 112; Trusted-Routing-Routeserver; Routes to other Trusted Networks; Additional VLAN(s) & Routing; Routes to other Networks; Various routings; to ‘global’; Global Internet]