
netsec-sig - RE: [Security-WG] thinking about arbor cloud ...

Subject: Internet2 Network Security SIG

  • From: "Magorian, Daniel F." <>
  • To: "Schopis, Paul" <>, Steven Wallace <>, "" <>
  • Subject: RE: [Security-WG] thinking about arbor cloud ...
  • Date: Fri, 30 Oct 2015 15:21:40 +0000
  • Accept-language: en-US

Well, there's no question in my mind that the Arbor on-prems triggering the
cloud scrubbing would be more seamless single-vendor-wise than some
open-source software acting as trigger whose algorithms we might or might not
trust.

But OARnet can put out a PO and buy all 27 for themselves, whereas even if
the prices dropped to say $50k/prem box in some I2-coordinated group buy
Quilt-style, you aren't going to get 100% coverage of the say 50 subscribers
to an I2 DDoS service.

But that may not be needed, as long as I2 can get Arbor's
essentially-unlimited cloud scrubbing service at a great price shared by the
members, then maybe there could be 3 recommended detection/diversion
mechanisms low/medium/high cost, and if someone wanted to roll their own,
that would work too.

Dan

-----Original Message-----
From: Schopis, Paul
Sent: Friday, October 30, 2015 8:33 AM
To: Magorian, Daniel F.; Steven Wallace;

Subject: RE: [Security-WG] thinking about arbor cloud ...

Dan,
In Ohio where 27 K-12 ITC sites have deployed they got substantial discounts
on the appliance and service. I would think with greater numbers they would
be willing to go deeper.

________________________________________
From: on behalf of Magorian, Daniel F.
Sent: Thursday, October 29, 2015 3:35 PM
To: Steven Wallace;

Subject: RE: [Security-WG] thinking about arbor cloud ...

Yes, that's their Full Monty but the on-prem box is $100-150k if I remember,
and if we assume that such an I2 service has 50 customers, is that the best
expenditure of $7.5M?

If I2 can get Arbor's essentially-unlimited cloud scrubbing service at a
great price, shared by the members of an I2 DDoS service, and the open-source
detection software is good enough to trust with automatically signaling more
specific /24s to the cloud service with BGP communities, then the mitigation
part of what the on-prem box does might not be needed. But if you only get 3
or whatever, then you need the on-prems to not use those up for small attacks
that can be handled locally.

In this model, we wouldn't have to trust the detection software with
connections to the campus edge routers, which don't change their
advertisements during attacks, which would be needed to use BGP FlowSpec.
But this way, different campuses could use different mechanisms to detect &
divert, from the Full Monty to manual.

Let 1000 flowers bloom...

Dan

-----Original Message-----
From: On Behalf Of Steven Wallace
Sent: Thursday, October 29, 2015 3:10 PM
To:

Subject: [Security-WG] thinking about arbor cloud ...

I was impressed, and it sounds like a combination of their on-prem, their
cloud for larger DDoS, and Peakflow for signaling upstream providers would
be sweet, but costly for some.

We have I2 members that have automated DDoS detection and signaling to UTRS
and/or RTBH via BGP for upstream filtering. For those for whom an on-prem
device is not a good option, it might be useful to pursue engaging Arbor
Cloud much the same way as UTRS, although Dan's comment concerning detecting
the end of the attack would need to be solved.

ssw
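
The diversion model discussed in this thread (small attacks handled locally, larger ones diverted by announcing the more-specific /24 with a BGP community, a limited number of cloud mitigations, and a withdraw once the attack has ended) can be sketched as follows. This is an added example, not code from the thread or from any vendor; the community value, thresholds, slot count and the `Diverter` class are assumptions, and it assumes the detector still receives per-target attack-rate samples while traffic is diverted.

```python
import ipaddress
from dataclasses import dataclass, field

# All values below are assumptions for illustration, not from the thread.
DIVERT_COMMUNITY = "64496:911"   # placeholder community (documentation ASN)
LOCAL_LIMIT_BPS = 2_000_000_000  # attacks below this are handled locally
CLEAR_BPS = 200_000_000          # below this a sample counts as quiet
QUIET_SAMPLES = 3                # consecutive quiet samples before withdraw
CLOUD_SLOTS = 3                  # concurrent cloud mitigations available

@dataclass
class Diverter:
    # diverted /24 -> number of consecutive quiet samples seen so far
    active: dict = field(default_factory=dict)

    def observe(self, target_ip: str, bps: int) -> list:
        """Feed one attack-rate sample; return the actions to signal."""
        prefix = str(ipaddress.ip_network(f"{target_ip}/24", strict=False))
        if prefix in self.active:
            if bps < CLEAR_BPS:
                self.active[prefix] += 1
                if self.active[prefix] >= QUIET_SAMPLES:
                    del self.active[prefix]  # frees a cloud slot
                    return [("withdraw", prefix, DIVERT_COMMUNITY)]
            else:
                self.active[prefix] = 0  # attack resumed, restart quiet count
            return []
        if bps < CLEAR_BPS:
            return []  # nothing worth acting on
        if bps < LOCAL_LIMIT_BPS:
            return [("local", prefix, None)]  # do not spend a cloud slot
        if len(self.active) >= CLOUD_SLOTS:
            return [("no-slot", prefix, None)]  # needs an operator decision
        self.active[prefix] = 0
        return [("announce", prefix, DIVERT_COMMUNITY)]
```

Requiring several consecutive quiet samples before the withdraw keeps a pulsing attack from flapping the /24 announcement.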


