netsec-sig - Re: [Security-WG] fast track for DDoS recommendations to Internet2, and a bit more...
Subject: Internet2 Network Security SIG
- From: Nick Buraglio
- To: "Dale W. Carder"
- Cc: "Schopis, Paul", "Taylor, Scott J.", "Spurling, Shannon", "D'Angelo, Cas (Samuel)", Steven Wallace, Rob Vietzke, George Loftus, John Moore, Caroline Weilhamer
- Subject: Re: [Security-WG] fast track for DDoS recommendations to Internet2, and a bit more...
- Date: Thu, 22 Oct 2015 14:09:59 -0500
This code works well; the install is a little less documented than it should be, but we have docs that will soon be published that make it a lot more straightforward and user-friendly. A bit of history: Justin's stuff is a fork/rewrite of an older, less feature-rich project that I helped write. The exaBGP pieces are available here: https://github.com/JustinAzoff/bhr-client-exabgp

With that in mind, there is also a project that GEANT has been working on for quite some time; the details are worth reading and are available in this paper: https://www.terena.org/activities/tf-csirt/meeting44/Firewall%20on%20Demand_Las_Palmas.pdf

In addition to the GEANT project, the last time I talked to them, Cloudflare has been using some custom Flowspec BGP to protect their resources from the massive DDoS activity they see as well.

I suspect that there will be work done at some point, as another fork of the bhr-* project, that will expand it into a more SP-focused toolkit and potentially add in some OpenFlow 1.3 support. As of now its purpose is mostly focused on protecting a site or campus. If anyone is interested in talking more about it, just let me know and I can do my best to answer questions.
nb
---
Nick Buraglio
ESnet Network Engineering Group (AS293)
Lawrence Berkeley National Laboratory
+1 (510) 995-6068
On Thu, Oct 22, 2015 at 12:48 PM, Dale W. Carder <> wrote:
Thus spake Schopis, Paul () on Thu, Oct 22, 2015 at 04:08:47PM +0000:
> Dale,
> That is impressive. I'd go so far as to say that, in the street vernacular, it "kicks ass".
What's also cool is the work Justin Azoff @ NCSA has done on
integration w/ Bro. https://github.com/JustinAzoff/bhr-bro
So, it's a similar idea: detect, then inject flowspec upstream.
Many sites already running Bro could potentially add this on with
minimal extra work.
There is also a web frontend thingy that we have tried as well,
for if you do not run Bro or just want a more integrated interface
than just exabgp: https://github.com/JustinAzoff/bhr-site
It is pretty easy to set up and has support for a whitelist. If
you delegate the interface you can at least choose in advance how
much of your foot you allow to be blown off by others.
In summary, there are lot of puzzle pieces here and various amounts
of mitigation can be distributed.
Dale
> ________________________________________
> From: Dale W. Carder
> Sent: Thursday, October 22, 2015 11:24 AM
> To: Taylor, Scott J.
> Cc: Spurling, Shannon; D'Angelo, Cas (Samuel); Steven Wallace; Rob Vietzke; George Loftus; John Moore; Caroline Weilhamer
> Subject: Re: [Security-WG] fast track for DDoS recommendations to Internet2, and a bit more...
>
> Thus spake Taylor, Scott J. () on Wed, Oct 21, 2015 at 02:36:46AM +0000:
> >
> > I’m starting to believe that the IU guys who are doing SCI-Flow (?) have the right model for DDoS mitigation as well as for expressing elephant flows. Why can’t we, when we detect these attacks, program a controller to drop? I’m also very curious to spend some more time with vendors on the BGP Flowspec capabilities and maybe use something like that to drop traffic at our edge. Based on what we’ve seen in CT, I have to believe we could easily knock out the less sophisticated attacks.
>
> One of our campuses is using fastnetmon monitoring a UDP-only feed
> from a mirror port on our router. With detection in a few seconds,
> it then uses exabgp to inject a flowspec rule into our network to
> block the traffic across our AS. As far as free goes, this is pretty
> much just off the shelf.
>
> Dale
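The pattern the thread describes (detect, then inject a Flowspec rule upstream via exabgp, with a whitelist so a delegated interface cannot blackhole your own infrastructure) is small enough to show end to end. The following is an added example written for this page; it is not code from bhr-*, fastnetmon or exabgp. It assumes exabgp's text API syntax for flow routes (`announce flow route { match { ... } then { ... } }`, `withdraw` for removal, `rate-limit` in bytes per second), a constructed whitelist, and constructed detector events whose field names (`ip`, `action`, `protocol`, `source_port`, ...) are assumptions rather than any real detector's schema.

```python
"""Detect-then-inject glue for BGP Flowspec via exabgp, with a whitelist guard.

Added example for this thread; it is not code from bhr-*, fastnetmon or exabgp.
The command strings follow exabgp's text API for flow routes; the event
dicts and the whitelist are constructed for the example.
"""
import ipaddress
import sys
from typing import List, Optional, Sequence, Tuple

# Constructed whitelist: address space that a delegated operator (or a false
# positive from the detector) must never be able to discard.
WHITELIST = [ipaddress.ip_network(p) for p in (
    "192.0.2.0/29",        # anycast resolvers
    "198.51.100.0/24",     # management / OOB network
    "2001:db8:ffff::/48",  # router loopbacks
)]

# Refuse matches wider than this; a /16 discard rule is a self-inflicted outage.
MIN_PREFIX_LEN = {4: 24, 6: 64}


class RefusedRule(ValueError):
    """A requested mitigation would hit protected space or is too broad."""


def vet_target(destination: str, whitelist=WHITELIST):
    """Return the victim prefix as a network object, or raise RefusedRule."""
    net = ipaddress.ip_network(destination, strict=False)
    if net.prefixlen < MIN_PREFIX_LEN[net.version]:
        raise RefusedRule(f"{net} is wider than /{MIN_PREFIX_LEN[net.version]}")
    for protected in whitelist:
        if protected.version == net.version and net.overlaps(protected):
            raise RefusedRule(f"{net} overlaps whitelisted {protected}")
    return net


def flowspec_rule(destination: str, protocol: Optional[str] = None,
                  destination_port: Optional[int] = None,
                  source_port: Optional[int] = None,
                  rate_limit_bps: Optional[int] = None,
                  withdraw: bool = False) -> str:
    """Build one exabgp API line: announce (or withdraw) a Flowspec route.

    The match is as narrow as the detection allows (victim /32, protocol,
    ports); the action is discard, or rate-limit in bytes/s if given.
    """
    net = vet_target(destination)
    match = [f"destination {net}"]
    if protocol:
        match.append(f"protocol {protocol}")
    if destination_port is not None:
        match.append(f"destination-port ={destination_port}")
    if source_port is not None:
        match.append(f"source-port ={source_port}")
    then = "discard" if rate_limit_bps is None else f"rate-limit {rate_limit_bps}"
    verb = "withdraw" if withdraw else "announce"
    return (verb + " flow route { match { " + "; ".join(match)
            + "; } then { " + then + "; } }")


# Constructed detector output, loosely modeled on a ban/unban notification:
# which host is under attack and what the flood looks like.  Field names
# are assumptions for this example, not a real detector's schema.
SAMPLE_EVENTS = [
    {"ip": "203.0.113.77", "action": "ban", "protocol": "udp", "source_port": 123},   # NTP reflection
    {"ip": "203.0.113.78", "action": "ban", "protocol": "udp", "source_port": 53,
     "rate_limit_bps": 1000000},                                                      # DNS reflection, police instead of drop
    {"ip": "192.0.2.3", "action": "ban", "protocol": "udp"},                          # our resolver: must be refused
    {"ip": "203.0.0.0/16", "action": "ban"},                                          # far too wide: must be refused
    {"ip": "203.0.113.77", "action": "unban", "protocol": "udp", "source_port": 123}, # attack over: withdraw
]


def commands_for(events: Sequence[dict]) -> Tuple[List[str], List[str]]:
    """Translate events into exabgp commands; collect refusals separately."""
    commands, refused = [], []
    for ev in events:
        try:
            commands.append(flowspec_rule(
                ev["ip"],
                protocol=ev.get("protocol"),
                destination_port=ev.get("destination_port"),
                source_port=ev.get("source_port"),
                rate_limit_bps=ev.get("rate_limit_bps"),
                withdraw=(ev["action"] == "unban"),
            ))
        except RefusedRule as exc:
            refused.append(str(exc))
    return commands, refused


if __name__ == "__main__":
    # exabgp runs an API process and reads commands from its stdout, so the
    # accepted rules go to stdout and refusals to stderr.
    cmds, refused = commands_for(SAMPLE_EVENTS)
    for line in cmds:
        print(line, flush=True)
    for reason in refused:
        print("refused: " + reason, file=sys.stderr)
```

Two points worth noting. First, the whitelist check runs on every rule, including withdraws, so a delegated user cannot use the same path to remove protection either; a prefix-length floor does the same job for the "someone typed /0" case. Second, `rate-limit` carries the Flowspec traffic-rate extended community, which is expressed in bytes per second, not bits, so police values need converting before they are handed to exabgp. Wiring this to exabgp itself is a matter of declaring the script as an API process in exabgp's configuration (a `process` block with `run` and `encoder text`, referenced from the neighbour's `api { processes [...] }` block, with the `ipv4 flow` family negotiated); that configuration is my reading of exabgp 4 and is not shown here.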