First CONCORDIA Workshop on Collaborative DDoS Mitigation

        CONCORDIA logo         SIDN Labs logo         NoMoreDDoS logo


What? A workshop with the goal of bringing together DDoS research and operations, learn from each other, and discuss advancements in the field of collaborative DDoS mitigation
When? September 15th, 2022. With a drinks and networking event the afternoon / evening before (Sep 14)
Where? Villa Jongerius, Utrecht, The Netherlands

Thank you for joining us!

The First CONCORDIA Workshop on Collaborative DDoS Mitigation was a great success. We look back on an inspiring day with interesting tech talks from research and operations. In an upcoming blog, we will reflect on the workshop and summarise our findings and conclusions; it will be linked here when it is published.

Presentation slides can be found in the agenda. Scroll down for some photos taken during the workshop.

About the Collaborative DDoS Mitigation (CDM) workshop

During this workshop we will give an overview of the state of the art of collaborative DDoS mitigation. We also want to identify bottlenecks and further strengthen the community around this topic. This is important in order to proactively tackle DDoS attacks so that we can minimize disruption to the digital infrastructure of the Netherlands and Europe.

Learning from each other and networking

The workshop consists of presentations, interactive panel discussions and brainstorming sessions and brings together professionals from the DDoS research field and operations teams to learn from each other and network. The evening before the workshop we will organize a networking reception at the workshop venue.

Concluding a research project

The CONCORDIA Workshop on Collaborative DDoS Mitigation concludes our work on the DDoS Clearinghouse in CONCORDIA, a European research project that aims to strengthen Europe’s cyber security capabilities, for example in the areas of generic technologies, specific sectors and education.

The clearing house is currently in a pilot stage and will soon be used in production by the Dutch Anti-DDoS Coalition. For more information on the DDoS clearinghouse, please read one of our recent blogs.


September 14th, 2022

Time Topic/activity
16:00 Social drinks / networking at workshop venue
19:00 End of program at the venue, free to go for dinner in the city centre

September 15th, 2022

Time Topic/activity
09:00 Drop in, coffee
09:30 Opening: Introduction, objective, targeted result, agenda
Speaker: Cristian Hesselman (SIDN Labs)
09:40 CONCORDIA introduction
Speaker: Christos Papachristos (FORTH)
10:10 Collaborative DDoS mitigation and the DDoS Clearing house
Speaker: Thijs van den Hout
10:30 Coffee break
11:00 Tech talk I (operations + mitigation): DDoS mitigation at Cloudflare (tentative title).
Speaker: dr. Wouter de Vries (Cloudflare)
11:45 Tech talk II (measurements + mitigation): Anycast Agility: Network Playbooks to Fight DDoS.
Speaker: Leandro Bertholdo (University of Twente)
12:30 Lunch break
13:30 Tech talk III (measurements + detection): United We Stand: Collaborative Detection and Mitigation of Amplification DDoS Attacks at Scale.
Speaker: Daniel Wagner (DE-CIX)
14:15 Panel: Collaborative DDoS mitigation – where are we now and the way forward
Panelists: Jan-Paul Dekker (NL-IX), Karl Lovink (Belastingdienst), Wouter de Vries (Cloudflare), Lili Nemec Zlatolas (University of Maribor)
15:00 Coffee break
15:30 Discussion of main takeaways
16:00 Closing: Possibility to continue networking
Speaker: Cristian Hesselman (SIDN Labs)


The workshop will be held in Utrecht, The Netherlands. The venue is Villa Jongerius, which is within walking distance from the Utrecht central train station.

Presentation abstracts

DDoS mitigation at Cloudflare

A presentation on how DDoS mitigation is tackled at Cloudflare.

Anycast Agility: Network Playbooks to Fight DDoS

IP anycast is used for services such as DNS and Content Delivery Networks (CDN) to provide the capacity to handle Distributed Denial-of-Service (DDoS) attacks. During a DDoS attack service operators redistribute traffic between anycast sites to take advantage of sites with unused or greater capacity. Depending on site traffic and attack size, operators may instead concentrate attackers in a few sites to preserve operation in others. Operators use these actions during attacks, but how to do so has not been described systematically or publicly. This paper describes several methods to use BGP to shift traffic when under DDoS, and shows that a response playbook can provide a menu of responses that are options during an attack. To choose an appropriate response from this playbook, we also describe a new method to estimate true attack size, even though the operator’s view during the attack is incomplete. Finally, operator choices are constrained by distributed routing policies, and not all are helpful. We explore how specific anycast deployment can constrain options in this playbook, and are the first to measure how generally applicable they are across multiple anycast networks.

United We Stand: Collaborative Detection and Mitigation of Amplification DDoS Attacks at Scale

Amplification Distributed Denial of Service (DDoS) attacks’ traffic and harm are at an all-time high. To defend against such attacks, distributed attack mitigation platforms, such as traffic scrubbing centers that operate in peering locations, e.g., Internet Exchange Points (IXP), have been deployed in the Internet. In this talk, we ask the question: “Is it possible to mitigate more amplification attacks and drop more attack traffic when distributed attack mitigation platforms collaborate?” To answer this question, we collaborate with eleven IXPs that operate in three different regions. We collect network data over six months and analyze more than 120k amplification DDoS attacks. To our surprise, more than 80% of the amplification DDoS are not detected locally, although the majority of the attacks are visible by at least three IXPs. To overcome local detection limitations, we design and evaluate a collaborative architecture that allows participant mitigation platforms to exchange information about ongoing amplification attacks. Our evaluation shows that it is possible to collaboratively detect and mitigate the majority of attacks with limited exchange of information and drop as much as 90% more attack traffic locally.


If you have any questions about the workshop, don’t hesitate to contact us at


Photos taken by Mattijs Jonker

The First CONCORDIA Workshop on Collaborative DDoS Mitigation was co-funded by the European Union’s Horizon 2020 Research and Innovation programme under Grant Agreement No 830927. Project website