
netsec-sig - Re: [Security-WG] seeking input for providing DDoS vendors background for the webinars

Subject: Internet2 Network Security SIG

  • From: David Farmer <>
  • To: Frank Seesink <>
  • Cc: David Farmer <>, Steven Wallace <>, "" <>
  • Subject: Re: [Security-WG] seeking input for providing DDoS vendors background for the webinars
  • Date: Tue, 08 Sep 2015 14:26:56 -0500
  • Organization: University of Minnesota

My issue wasn't really about the size of the network you or I have, but the size of threat(s) we all face.

An attack in the 3G or less scale is available on demand for less than $50, and many of these attacks are occurring at any moment.

Attacks in the 3-30G scale are fairly common (or "normal"), they are seen on the Internet on a daily or weekly basis, but for an attacker with modest motivation and resources, attacks on this scale are not hard to achieve. The 10G Steve quoted is in the middle of this range.

Attacks in the 30-300G scale are clearly severe, while probably not seen on a daily basis, they are seen regularly, at least on the lower half of this scale. They do require a highly motivated attacker and significant resources, but these are clearly credible threats for most of our institutions. And attacks of this scale are being seen against our community.

Attacks at 300G+ are maximal credible threats, rare and given the resources necessary are probably not realistic to be seen or defended against by our community. However, it is probably only a matter of time for this scale of attack to be an issue.

On 9/8/15 10:53 , Frank Seesink wrote:
While I understand Dave’s view, our reality is a bit different.  Truth is what constitutes a “trivial” vs. “normal” (odd word choice) vs. “severe” vs. “extreme” attack level is relative.  One size does not fit all.  Maybe in Minnesota 3-30G is “normal”, but here in WV DDoS attacks >10G can start impacting services.  I would call that anything BUT “normal”.  But our regional network doesn’t have the capacity some of our compatriots have.  I envy our neighbors with their 100G+ backbones, but I have to be the voice for those of us coming from smaller institutions/networks.

Maybe a wording to reflect that variability would be in order.  I understand a 10G mitigation service might not be of interest to the larger schools/networks, but we also don’t want to make it such that we only have vendors who bring higher cost/large scale solutions.


On Sep 8, 2015, at 11:37 AM, David Farmer <> wrote:

While technically accurate, saying greater than 10G doesn't sufficiently describe what we need.

I think greater than 100G might be better if you want to keep it simple. Otherwise, I'm thinking about quantifying attack levels as follows: 3G or less is trivial, 3-30G is normal, 30-300G severe, 300G+ extreme (world class).

Recent attacks on our community were estimated in the 90G range; this is the planning minimum I'm thinking about. I'm not expecting to handle that without impact, but I'm expecting to be able to deal with it.

Hope that helps.

-- 
===============================================
David Farmer                          Email:
Office of Information Technology
University of Minnesota    
2218 University Ave SE         Phone: +1-612-626-0815
Minneapolis, MN 55414-3029   Cell: +1-612-812-9952
===============================================


On Sep 1, 2015, at 10:34, Steven Wallace <> wrote:

Paul suggested that the vendor presentations would be more focused if we shared our requirements. Below is what I think is generally representative of our interests/requirements. IU is currently in discussions with Incapsulate, so it should be easy for me to reach out to them for the first webinar. These will be recorded, so less critical for everyone to attend; however, if there are specific areas of interest, or questions, let me know so that can be addressed.

Please provide any input for the following, as it will convey to the vendor the topics we wish them to address.

thanks,

steven


Describe how your service addresses the following attacks against a university or regional network (will offer pointers to descriptions of each):

  • DDoS attacks that result in a high volume of inbound traffic (greater than 10Gb/s) and disrupt both the targeted services as well as the operation of the network itself.
  • persistent DDoS attacks against key services or infrastructure (DNS, key web server, VPN, etc.)

Solutions we’re interested in, but will welcome a more expansive response:

  • capability to host services remotely always and/or during an attack
  • capability to detect and alert of an attack
  • capability to scrub traffic
  • capability to work with major ISPs to coordinate mitigation 
  • DNS services
  • layer 7-aware firewall/scrubbing 

Please include details such as:

  • mechanisms supported for announcing prefixes for a scrubbing service (e.g., BGP signaling)
  • attack/service dashboard
  • on-boarding process
  • capacity
  • how are SSL sessions proxied (who supplies keys, etc.)






Frank Seesink

Telecommunications Network Specialist III
West Virginia Network (WVNET)
304.293.5192 x241




-- 
================================================
David Farmer               Email: 
Office of Information Technology
University of Minnesota   
2218 University Ave SE     Phone: 1-612-626-0815
Minneapolis, MN 55414-3029  Cell: 1-612-812-9952
================================================ 


