About three years ago, Lennart Haagsma had the idea that underpins the DDoS Alerting Service. "I kept seeing reports about DDoS attacks, and I thought it would be interesting to understand more about them. So I set up a server to act as a honeypot, a sort of trap. The idea was that DDoS attackers would try to use the server for their attacks."
Connecting people and organisations in a secure digital world: that is SIDN's mission. We pursue it with the help of SIDN Fund – a foundation set up on our initiative in 2014. SIDN Fund is committed to helping build a strong internet for everyone by sponsoring projects that add to the internet's resilience, empower users or promote innovative use. Through SIDN Fund, we contribute to the prosperity and welfare of the community.
Last autumn, Lennart started to detect a lot of attacks. And other people soon became very interested in the data he was gathering. One of them was Rogier Spoor, Chair of HoneyNED, a Dutch community of honeypot users. Together, Lennart and Rogier came up with the idea of making the detection system's output available as a service.
Good data presentation
"A honeypot isn't very difficult to create. Making the data from it accessible and presenting it in a way that means something to the user was a much bigger challenge for me. I'd never done anything like that before." Overcoming that challenge quickly became expensive and time-consuming. That was when Rogier suggested approaching SIDN Fund. A grant from SIDN Fund enabled Lennart to cover the cost of the hosting and time input. "The money means that I can make the system output more user-friendly."
At the moment, only a handful of users receive data from the DDoS Alerting Service. The information helps them decide whether an incident is an attack or simply a fault. "The system has great potential for small players who can't afford commercial detection software." The aim is therefore to grow the user community as quickly as possible. Lennart realises that that won't be easy. "I'm currently looking at ways of providing automated access. But it's important to proceed carefully and get it right – I don't want to become an information source for attackers!"
The DDoS Alerting Service also provides insight into developing trends. What kinds of target are the attackers focusing on? And where? "One of the infographics available from the service is a map of the world with DDoS attack targets plotted in real time. It's proving very useful for a lot of people. In the future, I want to do more of that kind of information-sharing. However, this is another area where I need to guard against providing criminals with information that helps them avoid detection. I also want to make sure that other people can't make money by repackaging the information that I provide free of charge."
Honeypots are quite widely used in IT security, usually for catching hackers. The idea is simple enough: you deliberately set up something with weak security and then you keep a close eye on it to see whether anyone tries to exploit the vulnerability. "It's like building a house with a door that doesn't lead anywhere, and leaving the door unlocked. If someone tries to get in through the door, you know that they're up to no good."
Although he used feedback from the system in his work – Lennart is a Security Analyst at Fox-IT – the Alerting Service started out as a hobby project. He might work on it for a few hours one week, then hardly at all the next week. "Technically speaking, the system wasn't all that hard to develop. It just meant having a certain amount of cross-disciplinary know-how. It depended on knowing a bit about servers, and being able to do some programming, build a website and so on."
Focus on the internet
Lennart's DDoS Alerting Service uses honeypots in a slightly different way. "I focus on what are known as 'reflective amplification DDoS attacks'. The attacks make use of 'middle men': a lot of internet servers are sent a short query that requires a long answer. The trick is to get the answers sent to your target – the victim of the attack. The victim is swamped with answers from the servers and the data overload creates functionality issues. My honeypots are set up to look like badly configured internet servers, in the hope that attackers will find them and try to use them for their attacks."
Working with the Fund
Lennart is very positive about working with SIDN Fund. "We got along well from the start. After winning the grant, I took part in a workshop with other people who've been sponsored by the Fund. It was a fascinating experience. The great thing was that all the projects represented were really worthwhile initiatives – schemes for making the internet better and more secure. That kind of thing really appeals to me."