Internet2 Network Security SIG

["Magorian, Daniel F." <>]

Yes, that's their Full Monty but the on-prem box is $100-150k if I remember, 
and if we assume that such an I2 service has 50 customers, is that the best 
expenditure of $7.5M?  

If I2 can get Arbor's essentially-unlimited cloud scrubbing service at a 
great price, shared by the members of an I2 DDoS service, and the open-source 
detection software is good enough to trust with automatically signaling more 
specific /24s to the cloud service with bgp communities, then the mitigation 
part of what the on-prem box does might not be needed.  But if you only get 3 
or whatever, then you need the on-prems to not use those up for small attacks 
that can be handled locally.

In this model, we wouldn't have to trust the detection software with 
connections to the campus edge routers, which don't change their 
advertisements during attacks, which would be needed to use bgp flowspec.  
But this way, different campuses could use different mechanisms to detect & 
divert, from the Full Monty to manual.  

Let 1000 flowers bloom...

Dan

-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Steven Wallace
Sent: Thursday, October 29, 2015 3:10 PM
To: 

Subject: [Security-WG] thinking about arbor cloud ...

I was impressed, and it sounds like a combination of their on-prem, their 
cloud for larger DDoS, and peek flow for signaling upstream providers would 
be sweet, but costly for some.

We have I2 members that have automated DDoS detection and signaling to UTRS 
and/or RTBH via BPG for upstream filtering. For those of whom an on-prem 
device is not a good option, it might be useful to pursue engaging Arbor 
Cloud much the same way as UTRS, although Dan’s comment concerning detecting 
the end of the attack would need to be solved.

ssw