The Netherlands' Trusted Networks Initiative is an alternative means to stop DDoS attacks

By Linda Musthaler | December 11, 2014

Posted in: ISP DDoS Protection

While visiting the Hague Security Delta in The Netherlands last week, I learned about an interesting initiative that's being tested to provide trusted computing among select organizations. Known as the Trusted Networks Initiative, it is being touted as an alternative "last resort" means to fend off DDoS attacks. The idea is to close off the untrusted part of the Internet, which would automatically cause any DDoS attack to fail. Of course, many other aspects of Internet traffic would fail as well. That's the downside, and why this approach is considered a last resort.

This concept is being tested in The Netherlands because it is the most wired country in Europe. For example, 11 of the 15 undersea cables that connect the Americas to Europe converge in The Netherlands. The Amsterdam-based Internet Exchange AMS-IX is Europe's largest exchange in terms of connected Autonomous System Numbers (ASNs). AMS-IX's Internet traffic has increased 13-fold in the past 8 years, with 30% growth over just the past year.

In addition, the NL-ix Internet Exchange is a shared and distributed Dutch infrastructure in 30+ datacenters where ISPs, carriers, telcos, content providers, media companies, VoIP operators and other large Internet players can set up peering connections and exchange mutual Internet traffic at almost no cost. These peering connections are vital in making the Trusted Networks Initiative work.

Parties that want to participate in the initiative must adhere to the Trusted Network Standard, which describes security measures to be taken by participants. In return for doing so, they can be awarded the Trusted Network certificate. Entities holding this certificate can use the Trusted Routing service of NL-ix.

The Trusted Routing service is only for registered Trusted Networks and can be used as a combination of NL-ix's Trusted Internet Exchange with its Premium Peering services to guarantee access to the majority of the large end user access networks.

When a DDoS attack occurs that cannot be mitigated in any other way, participants can individually choose to exchange traffic only on the Trusted IX, optionally in combination with dedicated Premium Peering VLANs. This ensures that the participants can maintain the critical connectivity between important applications and the local access networks during such attacks, independently of traffic with the untrusted part of the Internet.

This is a bottom-up solution that a company executes for itself. The company chooses if and when to block all communication from the general Internet and maintain connections only with its peers on the trusted network. By definition, this would block out any DDoS traffic that can reach the company only over the general Internet.

If this seems like an extreme case, consider that it is a good alternative for those times when a DDoS attack may grow so large or pervasive that it overwhelms other defenses a company has in place. At least it allows an entity to keep critical parts of its connections alive so that some semblance of business can be maintained during an attack.

For more information about this unique initiative, check out
