Internet2 Network Security SIG

["Magorian, Daniel F." <>]

I'll ask the GEANT guy if that's the same one they use.

Hmmm.  Sounds like we may need some kind of testbed/bakeoff as a group if 
we're going to trust FOSS DDOS detectors.  Eg fastnetmon's  just packet count 
to hosts as a trigger makes me nervous, the guy could be watching 3 HD TV 
streams and suddenly he's DDoS mitigated and the subnet sent for cloud 
scrubbing.  Arbor's obviously spent a lot of time working these things out, 
which is what they charge for.

Dan

-----Original Message-----
From: Dale W. Carder 
[mailto:]
 
Sent: Thursday, October 29, 2015 5:52 PM
To: Magorian, Daniel F.
Cc: 

Subject: Re: [Security-WG] possible Arbor DDoS topology thru I2

Thus spake Magorian, Daniel F. 
()
 on Thu, Oct 29, 2015 at 07:17:45PM +0000:
>  I2 contracts with Arbor for large number of cloud scrubbing mitgations, so 
> service customers don't have to worry about 3-day/mitigation limit or using 
> up their quota.
> 
> I2 connects to Arbor at E/W Equinixes, then return traffic can use I2 
> directly and avoids haing to use GRE tunnels thru commodity ISPs.  This 
> assumes I2 pipes to service customers large enough handle extra scrubbed 
> traffic, probably generally true.
> 
> Use 3rd -party DDoS detection software (Is this same as Geant uses 
> written by Greek guys?)

I think you are referring to FoD?   https://github.com/grnet/flowspy
It is a delegated web (both human and rest) interface for injecting bgp 
flowspec routes in via netconf.  We have a installation of it running in a 
test environment and it seems pretty cool.

For FOSS detection there are various options of which fastnetmon has been 
previously mentioned.

Dale