netsec-sig - [Security-WG] possible Arbor DDoS topology thru I2

Subject: Internet2 Network Security SIG

  • From: "Magorian, Daniel F."
  • Subject: [Security-WG] possible Arbor DDoS topology thru I2
  • Date: Thu, 29 Oct 2015 19:17:45 +0000
  • Accept-language: en-US

I2 contracts with Arbor for a large number of cloud scrubbing mitigations, so
service customers don't have to worry about the 3-day/mitigation limit or using
up their quota.

I2 connects to Arbor at E/W Equinixes, then return traffic can use I2
directly and avoids having to use GRE tunnels thru commodity ISPs. This
assumes I2 pipes to service customers are large enough to handle the extra scrubbed
traffic, probably generally true.

Use 3rd-party DDoS detection software (Is this the same as Geant uses, written by
Greek guys?) run on-campus, connected to campus edge routers, which
automatically BGP signal to ArborCloud, who then starts announcing the more
specific /24. Assuming campus announcements are shorter, e.g. /16s-/22s, that
avoids having to announce the same prefix(es) prepended from campus.

In other words, there are 2 ways to divert: balanced advertisements, campus
prepended, scrubber not; and unbalanced advertisements, campus unchanged,
scrubber longer. The latter obviously doesn't work if most of the whole
shorter prefix is under some kind of rotating attack, but for the usual case
it is easier.

Then as we heard, turning scrubbing off for particular prefixes is manual.

Thoughts?

Dan
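The two diversion styles Dan describes, worked through as an added example (not part of the original post) with a simplified BGP best-path model: longest prefix match first, then shortest AS path. ASNs, the campus aggregate and host addresses are constructed documentation values, not real I2, Arbor or campus numbers.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values (RFC 5398 documentation ASNs, RFC 1918 space); assumptions, not from the post.
AS_CAMPUS, AS_SCRUBBER, AS_I2 = 64496, 64497, 64498
CAMPUS_AGG = "10.10.0.0/16"   # the shorter prefix the campus normally announces

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin: str      # "campus" or "scrubber": who actually receives the traffic
    as_path: tuple   # AS path as seen by a remote peer (leftmost = nearest)

def route(prefix, origin, *path):
    return Route(ipaddress.ip_network(prefix), origin, tuple(path))

def best_route(routes, dst):
    """Simplified BGP selection: longest prefix match, then shortest AS path."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r.prefix]
    if not hits:
        return None
    longest = max(r.prefix.prefixlen for r in hits)
    return min((r for r in hits if r.prefix.prefixlen == longest),
               key=lambda r: len(r.as_path))

def unbalanced(attacked_24):
    """Campus keeps its aggregate unchanged; scrubber adds a more-specific /24."""
    return [route(CAMPUS_AGG, "campus", AS_I2, AS_CAMPUS),
            route(attacked_24, "scrubber", AS_SCRUBBER, AS_CAMPUS)]

def balanced(prepend=3):
    """Both announce the same aggregate; campus prepends so the scrubber's path wins."""
    return [route(CAMPUS_AGG, "campus", AS_I2, *([AS_CAMPUS] * (prepend + 1))),
            route(CAMPUS_AGG, "scrubber", AS_SCRUBBER, AS_CAMPUS)]

def where_does_traffic_go(routes, hosts):
    """Map each host to the origin that receives its traffic under the given table."""
    return {h: best_route(routes, h).origin for h in hosts}

if __name__ == "__main__":
    hosts = ["10.10.5.7", "10.10.200.1"]   # attacked host, and one in an unattacked /24
    # Unbalanced: only the /24 is diverted; an attack that moves to 10.10.200.0/24 is not.
    print(where_does_traffic_go(unbalanced("10.10.5.0/24"), hosts))
    # Balanced: the whole /16 goes to the scrubber, covering a rotating attack.
    print(where_does_traffic_go(balanced(), hosts))
```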





