An AMS-IX Story
Erik Bais
Owner of A2B Internet
First, many thanks for giving me the opportunity. Let's get to the essence of The Naughty Port: it is all about predicting from which networks a possible DDoS attack comes and then routing that bad or naughty traffic to a separate small port. We predict this by looking at how many incorrectly configured servers are present in a certain network. The more incorrectly configured servers there are, the higher the chance that they will be misused during a DDoS attack.
Let me try to give a little bit of background about DDoS amplification attacks, because this is essential to our Naughty Port approach to mitigating DDoS attacks.
Simplified, a DDoS attack is amplified through various techniques that turn a small attack into a much larger one. You can compare a DDoS attack with a flash mob at a retail store. Typically, a store is designed for a certain number of regular people (let's say 200 customers). If someone organises a flash crowd of 5000 people at that store, the entrance and the store itself get overcrowded, and the legitimate customers can't even get into the store or purchase anything, because the store is not designed for that kind of traffic.
If you look at network traffic behaviour, which is what we have done with our Naughty Port Project, you can scout where the flash mob could come from and even predict where it originates: let's say a specific neighbourhood or part of a city. By redirecting those flash mobs from certain bad or 'naughty' neighbourhoods into a strict access path, you can neutralise their intent and keep the regular customers happy.
And that is what we are also doing with our project. I would also like to point out that naughty doesn't necessarily mean bad: they might be unaware that they are even participating in a DDoS until someone tells them.
The solution is to inform ISPs that they have a problem in their network and that the ISP community expects them to inform their customers, and to shut down or patch those vulnerable servers/devices. It is not only vulnerable servers or PCs: incorrectly configured IP cameras or DSL routers can also be used as reflective DDoS devices.
By creating a rating system per network (AS number) we can show peers how they are scoring, and if they have a high rating (higher meaning more naughty), they should do their homework. Closing the vulnerable devices stops them being abused by an attacker and thereby reduces the potential impact of a DDoS attack. If you take away the infected devices, you take away the ammunition of the DDoS cannon.
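To make the rating idea concrete, here is an added example (not code from AMS-IX or A2B Internet) that rates each AS by the number of open reflector devices observed per announced /24 and lists the ASes over a threshold. The scan observations, announced sizes, ASNs, addresses and the per-/24 metric are all constructed assumptions; the actual Naughty Port scoring is not described on this page.

```python
from collections import defaultdict

# Constructed sample: hosts that replied to an amplification probe, keyed by the
# AS that originates their prefix. Documentation ASNs and TEST-NET addresses only.
OBSERVATIONS = [
    ("AS64500", "198.51.100.10", "dns"),
    ("AS64500", "198.51.100.11", "dns"),
    ("AS64500", "198.51.100.12", "ntp"),
    ("AS64500", "198.51.100.13", "ssdp"),
    ("AS64501", "203.0.113.5", "dns"),
    ("AS64501", "203.0.113.6", "ntp"),
    ("AS64502", "192.0.2.20", "dns"),
    ("AS64502", "192.0.2.20", "ntp"),   # same device, two open services
    ("AS64502", "192.0.2.21", "ssdp"),
]

# Announced IPv4 space per AS in /24 equivalents (constructed values).
ANNOUNCED_SLASH24 = {"AS64500": 4, "AS64501": 400, "AS64502": 16}


def naughty_rating(observations, announced):
    """Rate each AS by open reflector devices per announced /24 (assumed metric).

    A device exposing several open services counts once: the rating is about
    misconfigured devices, not services, and is normalised by network size so a
    large ISP with a handful of reflectors does not outrank a small hosting AS
    where every other server is misconfigured.
    """
    devices = defaultdict(set)
    for asn, ip, _service in observations:
        devices[asn].add(ip)
    return {asn: len(devices[asn]) / size for asn, size in announced.items()}


def naughty_port_candidates(ratings, threshold):
    """ASes above the threshold, worst first: the peers whose traffic would be
    steered to the separate small port under the approach described above."""
    over = [(asn, r) for asn, r in ratings.items() if r > threshold]
    return sorted(over, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    ratings = naughty_rating(OBSERVATIONS, ANNOUNCED_SLASH24)
    for asn, rating in naughty_port_candidates(ratings, threshold=0.1):
        print(f"{asn}: {rating:.3f} open reflectors per /24")
```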
The goal is to make sure networks become aware of their part in this ecosystem; if they automate their abuse handling towards their customers, this can be solved. In the meantime, we need to make better decisions about whom we peer with on an Internet Exchange, to provide a safe and secure environment for all our customers.
In the end the internet will be a better place, and it will also reduce the amount of capacity ISPs need to purchase to carry this unwanted DDoS traffic across their backbones.
DDoS attacks by themselves are nothing new under the sun, but with the current kind of attacks we need to approach this differently than we did in the past. The solution is not adding thicker pipes, more capacity or more boxes. Some ISPs have already reported DDoS attacks of 1+ Tbps. Most ISPs cannot grasp the idea of that kind of capacity.