Selected Publications

For a list of all my publications, click here, or visit my Google Scholar profile.

Snowshoe spam is a notoriously hard to detect form of spam e-mail. Senders of this type of spam spread the load of sending mail over tens or hundreds of hosts, in order to remain below the detection radar of classic spam blacklists. In this paper, we show how we can leverage active DNS measurements combined with machine learning to detect domains crafted for snowshoe spam. Our results show that we can detect snowshoe spam domains up to 180 days earlier than they appear on existing blacklists.
In Proceedings of IEEE/IFIP Network Operations and Management Symposium (NOMS 2018), Taipei, Taiwan, 23-27 April 2018., 2018.

In this paper we study the role of domain name registrars in deployment of the Domain Name System Security Extensions (DNSSEC). We find a number of significant hurdles to deployment of DNSSEC as a consequence of a general lack of implementation at large registrars or poor implementation choices at those registrars that do support DNSSEC.
In ACM Internet Measurement Conference 2017 (IMC 2017), London, United Kingdom, 1-3 November 2017., 2017.

This paper provides an end-to-end view of the state of the DNSSEC ecosystem. It covers both DNSSEC-signed domains and a survey of DNSSEC validation by DNS resolvers. The paper paints a bleak picture of the state of DNSSEC deployment, with just over 1% of domains in .com, .net and .org signed and just over 12% of the observed DNS resolvers correctly validating DNSSEC signatures.
In Proceedings of the 26th USENIX Security Symposium (USENIX Security ‘17), Vancouver, BC, Canada, 16-18 August 2017., 2017.

In this work, we study the impact of a switch to elliptic curve cryptography on the performance of DNSSEC-validating DNS resolvers.
In IEEE/ACM Transactions on Networking, Volume 25, Issue 2, April 2017., 2017.

In this paper we present OpenINTEL: a large-scale high-performance active measurement infrastructure for the DNS.
In IEEE Journal on Selected Areas in Communications (JSAC), Volume 34, Issue 7, May 2016., 2016.

This paper establishes ground truth for the amplification attack potential in 70% of all DNSSEC-signed domains. The paper demonstrates that DNSSEC-signed domains have an average amplification factor that is 6 to 12 times higher than that of unsigned domains.
In Proceedings of the ACM Internet Measurement Conference 2014 (IMC 2014), Vancouver, BC, Canada, 5-7 November 2014., 2014.


Ph.D. Candidates

I am daily supervisor of the following Ph.D. candidates in our group:

All Ph.D. candidates I supervise are advised by prof. dr. ir. Aiko Pras

Master Students


  • Caspar Schutijser (planned August 2018)
    External project at SIDN Labs on IoT Security.
  • Gijs Rijnders (planned August 2018)
    From Eindhoven University of Technology, working on DNS IoC detection using privacy-enhancing technologies.


  • Olivier van der Toorn (2017, co-supervisor)
  • Tho Le (2017)thesis
  • Romanos Dodopoulos (2015)thesis
  • Kaspar Hageman (2015)thesis
  • Sean Rijs (2014)report
  • Gijs van den Broek (2012)paper
  • Niels Monen (2011)report
  • Boudewijn Ector (2009)thesis (in Dutch)

Bachelor Students


I am currently not supervising any bachelor students. If you are a bachelor students enrolled in the CS, EE or BIT curriculum at the University of Twente and looking for a bachelor assignment, feel free to contact me.


  • J.J. Yu (2017)
  • Breus Blaauwendraad (2017)thesis (best paper in track)
  • Eva van den Eijnden (2017)thesis
  • Jeroen Vollenbrock (2016)thesis (best paper in track)
  • Remy Bien (2014)


  • Zilverling room 5098, University of Twente, Enschede, NL
  • Thursday 9:00h-16:00h (email for appointment)