
netsec-sig - Re: [Security-WG] fast track for DDoS recommendations to Internet2, and a bit more...

Subject: Internet2 Network Security SIG


Re: [Security-WG] fast track for DDoS recommendations to Internet2, and a bit more...


  • From: "Dale W. Carder" <>
  • To: "Schopis, Paul" <>
  • Cc: "Taylor, Scott J." <>, "Spurling, Shannon" <>, "D'Angelo, Cas (Samuel)" <>, Steven Wallace <>, "" <>, Rob Vietzke <>, George Loftus <>, John Moore <>, Caroline Weilhamer <>
  • Subject: Re: [Security-WG] fast track for DDoS recommendations to Internet2, and a bit more...
  • Date: Thu, 22 Oct 2015 12:48:13 -0500


Thus spake Schopis, Paul
()
on Thu, Oct 22, 2015 at 04:08:47PM +0000:
> Dale,
> That is impressive. I'd go so far as to say in the street vernacular it
> "kicks ass".


What's also cool is the work Justin Azoff @ NCSA has done on
integration w/ Bro. https://github.com/JustinAzoff/bhr-bro
So, it's a similar idea: detect, then inject flowspec upstream.
Many sites already running Bro could potentially add this on with
minimal extra work.

There is also a web frontend thingy that we have tried as well,
for if you do not run Bro or just want a more integrated interface
than just exabgp: https://github.com/JustinAzoff/bhr-site
It is pretty easy to set up and has support for a whitelist. If
you delegate the interface you can at least choose in advance how
much of your foot you allow to be blown off by others.

In summary, there are a lot of puzzle pieces here and various amounts
of mitigation can be distributed.

Dale




> ________________________________________
> From:
>
>
> []
> on behalf of Dale W. Carder
> []
> Sent: Thursday, October 22, 2015 11:24 AM
> To: Taylor, Scott J.
> Cc: Spurling, Shannon; D'Angelo, Cas (Samuel); Steven Wallace;
> ;
> Rob Vietzke; George Loftus; John Moore; Caroline Weilhamer
> Subject: Re: [Security-WG] fast track for DDoS recommendations to
> Internet2, and a bit more...
>
> Thus spake Taylor, Scott J.
> ()
> on Wed, Oct 21, 2015 at 02:36:46AM +0000:
> >
> > I’m starting to believe that the IU guys that are doing SCI-Flow (?) have
> > the right model for DDoS mitigation as well as expressing elephant flows.
> > Why can’t we, when we detect these attacks, program a controller to drop?
> > I’m also very curious to spend some more time with vendors on the
> > BGP-Flowspec capabilities and maybe using something like that to drop
> > traffic at our edge. Based on what we’ve seen in CT I have to believe we
> > could easily knock out the less sophisticated attacks.
>
> One of our campuses is using fastnetmon monitoring a UDP-only feed
> from a mirror port on our router. With detection in a few seconds,
> it then uses exabgp to inject a flowspec rule into our network to
> block the traffic across our AS. As far as free goes, this is pretty
> much just off the shelf.
>
> Dale
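The detect-then-inject-flowspec pipeline Dale describes above (fastnetmon or bhr-bro detecting, exabgp injecting a flowspec rule, with a whitelist deciding in advance what may never be blocked), as an added example that is not part of the thread and is not code from fastnetmon, exabgp or the bhr projects. The exabgp command syntax and the whitelist prefixes are assumptions.

```python
"""Detect-then-inject pipeline from the thread, as an added example: turn a
detection event into an exabgp flowspec announcement, after checking a
whitelist of prefixes that must never be blocked. Not code from the thread,
fastnetmon, exabgp or the bhr projects; all sample data is constructed."""
import ipaddress
from typing import Iterable, Optional

# Constructed whitelist: prefixes that must never be blackholed, e.g. the
# campus resolvers, the NAT pool and the monitoring host itself.
WHITELIST = ["192.0.2.0/28", "198.51.100.53/32"]


def is_whitelisted(victim: str, whitelist: Iterable[str] = WHITELIST) -> bool:
    """True if the victim host falls inside any protected prefix."""
    addr = ipaddress.ip_address(victim)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in whitelist)


def _flow_route(verb: str, victim: str, protocol: str, dport: Optional[int],
                rate_limit_bps: Optional[int]) -> str:
    """One exabgp API line. The 'VERB flow route { match {...} then {...} }'
    syntax is assumed to match exabgp's text API; check it against your version."""
    host = ipaddress.ip_address(victim)
    match = [f"destination {host}/{host.max_prefixlen};", f"protocol {protocol};"]
    if dport is not None:
        match.append(f"destination-port ={dport};")
    # 'discard' drops everything matching; a rate-limit (bytes/second) is the
    # softer choice when the victim service must still receive some traffic.
    action = "discard;" if rate_limit_bps is None else f"rate-limit {rate_limit_bps};"
    return f"{verb} flow route {{ match {{ {' '.join(match)} }} then {{ {action} }} }}"


def build_flowspec_announce(victim: str, protocol: str = "udp",
                            dport: Optional[int] = None,
                            rate_limit_bps: Optional[int] = None,
                            whitelist: Iterable[str] = WHITELIST) -> Optional[str]:
    """Announcement for a detected attack on `victim`, or None when the
    whitelist forbids touching that host (the 'foot' guard from the thread)."""
    if is_whitelisted(victim, whitelist):
        return None
    return _flow_route("announce", victim, protocol, dport, rate_limit_bps)


def build_flowspec_withdraw(victim: str, protocol: str = "udp",
                            dport: Optional[int] = None,
                            rate_limit_bps: Optional[int] = None) -> str:
    """Matching withdraw to lift the rule once the attack subsides; match and
    action must be identical to the announcement that was sent."""
    return _flow_route("withdraw", victim, protocol, dport, rate_limit_bps)
```

The returned lines are meant to be written to stdout by a program that exabgp runs from a `process` block in its configuration, which is how exabgp reads API commands; log every announce and withdraw so the blocks your detector injected can be audited.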


