Internet2 Network Security SIG

["Schopis, Paul" <>]

You're raising a very important point. I think we are a little too focused on 
the volumetric aspects of this. Indeed, the more successful attacks we saw 
last spring were successful not because of the size but because the attacker 
correctly ascertained the type of firewall being used and was able to 
undermine its generic configuration. We saw this pattern repeated at public 
non-HE entities, i.e. state/k-12. In most cases it only took 2-3 Gbps to 
crash the underpowered firewall and take the targeted DC off-line. 



-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Mike Scarpellino [RCI]
Sent: Tuesday, September 08, 2015 3:37 PM
To: 

Subject: Re: [Security-WG] seeking input for providing DDoS vendors 
background for the webinars

Depending on the nature of the attack, even 1Gbps is enough to saturate a 
single server.  10G sounds anemic to me.  I am also led to understand that 
the "mega" attack threshold is on the order of 100+ Gbps, and that those are 
still pretty rare, in terms of frequency-- maybe only one or two per year 
against some LARGE targets.

One of our industry partners quoted stats from their internal studies saying 
that the average attack size in 2014 was around 30Gbps, and shows about a 10% 
growth year over year.  I would suggest 30Gbps to 50Gbps as a good starting 
point, allowing room for growth.

On 09/08/2015 02:35 PM, David Farmer wrote:
> And , I'll was was trying to say is I'm not sure 10G is "big" enough.
>
> On 9/8/15 12:08 , Steven Wallace wrote:
>> Great than 10G is means “big”, and it is intended to set the lower bound.
>>
>> ssw
>>
>>> On Sep 8, 2015, at 12:47 PM, Schopis, Paul 
>>> <
>>>  
>>> <mailto:>>
>>>  wrote:
>>>
>>> I think the 10+ is adequate for the now but will grow quickly. As a 
>>> practical matter I am not aware of any service that offers 100G 
>>> capacity currently, but that is quick changing environment. The 
>>> threat vector would intuitively, at least, be restricted to capacity 
>>> (i.e. if I have 20G from vendor X it would not be more than that) 
>>> but I suppose in widely distributed attacks we wouldn’t really know 
>>> how much is falling on the floor before we see it.
>>> *From:*
>>> <mailto:>
>>> [mailto:]*On
>>>  Behalf Of*Frank 
>>> Seesink *Sent:*Tuesday, September 08, 2015 11:53 AM *To:*David 
>>> Farmer *Cc:*Steven Wallace; 
>>> 
>>>  
>>> <mailto:>
>>> *Subject:*Re: [Security-WG] seeking input for providing DDoS vendors 
>>> background for the webinars While I understand Dave’s view, our 
>>> reality is a bit different.  Truth is what constitutes a “trivial” 
>>> vs. “normal” (odd word choice) vs. “severe”
>>> vs. “extreme” attack level is relative.  One size does not fit all.  
>>> Maybe in Minnesota 3-30G is “normal”, but here in WV DDoS attacks 
>>> >10G can start impacting services.  I would call that anything BUT 
>>> “normal”.  But our regional network doesn’t have the capacity some of our 
>>> compatriots have.
>>>  I envy our neighbors with their 100G+ backbones, but I have to be 
>>> the voice for those of us coming from smaller institutions/networks.
>>> Maybe a wording to reflect that variability would be in order.  I 
>>> understand a 10G mitigation service might not be of interest to the 
>>> larger schools/networks, but we also don’t want to make it such that 
>>> we only have vendors who bring higher cost/large scale solutions.
>>>
>>>     On Sep 8, 2015, at 11:37 AM, David Farmer 
>>> <
>>>     
>>> <mailto:>>
>>>  wrote:
>>>     While technically accurate, saying grater that 10G doesn't
>>>     sufficiently describe what we need.
>>>     I think grater than 100G might be better if you want to keep it
>>>     simple.  Otherwise, I'm thinking a out quantify attack levels as
>>>     follows; 3G or less is trivial, 3-30G is a normal, 30-300G severe,
>>>     300G+ extreme (world class).
>>>     Recent attacks on our community were estimated in the 90G range this
>>>     is the planing minimum I'm thinking about.  I'm not expecting to
>>>     handle that without impact but I'm expecting to be able to deal with 
>>> it.
>>>     Hope that helps.
>>>
>>>     -- 
>>>     ===============================================
>>>     David Farmer                        
>>> Email:
>>>     
>>> <mailto:>
>>>     Office of Information Technology
>>>     University of Minnesota
>>>     2218 University Ave SE         Phone: +1-612-626-0815
>>>     Minneapolis, MN 55414-3029   Cell: +1-612-812-9952
>>>     ===============================================
>>>
>>>
>>>     On Sep 1, 2015, at 10:34, Steven Wallace 
>>> <
>>>     
>>> <mailto:>>
>>>  wrote:
>>>
>>>         Paul suggested that the vendor presentations would be more focused
>>>         if we shared our requirements. Below is what I think is generally
>>>         representative of our interests/requirements. IU is currently in
>>>         discussions with Incapsulate, so it should be easy for me to reach
>>>         out to them for the first webinar. These will be recorded, so less
>>>         critical for everyone to attend, however if there are specific
>>>         areas of interested, or questions, let me know so that can be
>>>         addressed.
>>>         Please provide any input for the following, as it will convey to
>>>         the vendor the topics we wish them to address.
>>>         thanks,
>>>         steven
>>>         Describe how your service addresses the following attacks against
>>>         a university or regional network (will offer pointers to
>>>         descriptions of each):
>>>
>>>           * DDoS attacks that result in a high volume of inbound traffic
>>>             (greater than 10Gb/s) and disrupt both the targeted services
>>>             as well as the operation of the network itself.
>>>           * persistent DDoS attacks against key services or infrastructure
>>>             (DNS, key web server, VPN, etc.)
>>>
>>>         Solutions we’re interested in, but will welcome a more expansive
>>>         response:
>>>
>>>           * capability to host a services remotely always and/or during an
>>>             attack
>>>           * capability to detect and alert of an attack
>>>           * capability to scrub traffic
>>>           * capability to work with major ISPs to coordinate mitigation
>>>           * DNS services
>>>           * layer 7-aware firewall/scrubbing
>>>
>>>         Please include details such as:
>>>
>>>           * mechanisms supported for announcing prefixes for a scrubbing
>>>             service (e.g., BGP signaling)
>>>           * attack/service dashboard
>>>           * on-boarding process
>>>           * capacity
>>>           * how are SSL sessions proxied (who supplies keys, etc.)
>>>
>>>
>>> Frank Seesink
>>> Telecommunications Network Specialist III West Virginia Network 
>>> (WVNET)
>>> 304.293.5192 x241
>>> 
>>>  
>>> <mailto:>
>>
>
>
> --
> ================================================
> David Farmer               
> Email:
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE     Phone: 1-612-626-0815
> Minneapolis, MN 55414-3029  Cell: 1-612-812-9952 
> ================================================


-- 
Michael Scarpellino           | OIT Telecommunications Division
Consulting Telecom Analyst    | 110 Frelinghuysen Rd, Piscataway, NJ 08855
Manager, Network Architecture | Phone:  848/445-7513 fax:732/445-2968