Internet2 Network Security SIG

["Magorian, Daniel F." <>]

 I2 contracts with Arbor for large number of cloud scrubbing mitgations, so 
service customers don't have to worry about 3-day/mitigation limit or using 
up their quota.

I2 connects to Arbor at E/W Equinixes, then return traffic can use I2 
directly and avoids haing to use GRE tunnels thru commodity ISPs.  This 
assumes I2 pipes to service customers large enough handle extra scrubbed 
traffic, probably generally true.

Use 3rd -party DDoS detection software (Is this same as Geant uses written by 
Greek guys?)  run on-campus connected to campus edge routers, which 
automatically bgp signal to ArborCloud who then starts announcing that more 
specific /24.  Assuming campus announcements are shorter eg /16s- /22s, that 
avoids having to announce the same prefix(es) prepended from campus.  

In other words, there are 2 ways to divert:  balanced advertisements, campus 
prepended, scrubber not; and unbalanced advertisements, campus unchanged, 
scrubber longer.  The latter obviously doesn't work if most of the whole 
shorter prefix is under some kind of rotating attack, but for the usual case 
is easier.

Then as we heard, turning scrubbing off for particular prefixes is manual.

Thoughts?

Dan