Internet2 Network Security SIG

["Magorian, Daniel F." <>]

Well, there's no question in my mind that the Arbor on-prems triggering the 
cloud scrubbing would be more seamless single-vendor-wise than some 
open-source software acting as trigger whose algorithms we might or might not 
trust.  

But OARnet can put out a PO and buy all 27 for themselves, whereas even if 
the prices dropped to say $50k/prem box  in some I2-coordinated group buy 
Quilt-style, you aren't going to get 100% coverage of the say 50 subscribers 
to an I2 DDoS service. 

But that may not be needed, as long as I2 can get Arbor's 
essentially-unlimited cloud scrubbing service at a great price shared by the 
members, then maybe there could be 3 recommended detection/diversion 
mechanisms low/medium/high cost, and if someone wanted to roll their own, 
that would work too.

Dan

-----Original Message-----
From: Schopis, Paul 
[mailto:]
 
Sent: Friday, October 30, 2015 8:33 AM
To: Magorian, Daniel F.; Steven Wallace; 

Subject: RE: [Security-WG] thinking about arbor cloud ...

Dan,
In Ohio where 27 K-12 ITC sites have deployed they got substantial discounts 
on the appliance and service. I would think with greater numbers they would 
be willing to go deeper.  

________________________________________
From: 

 
[]
 on behalf of Magorian, Daniel F. 
[]
Sent: Thursday, October 29, 2015 3:35 PM
To: Steven Wallace; 

Subject: RE: [Security-WG] thinking about arbor cloud ...

Yes, that's their Full Monty but the on-prem box is $100-150k if I remember, 
and if we assume that such an I2 service has 50 customers, is that the best 
expenditure of $7.5M?

If I2 can get Arbor's essentially-unlimited cloud scrubbing service at a 
great price, shared by the members of an I2 DDoS service, and the open-source 
detection software is good enough to trust with automatically signaling more 
specific /24s to the cloud service with bgp communities, then the mitigation 
part of what the on-prem box does might not be needed.  But if you only get 3 
or whatever, then you need the on-prems to not use those up for small attacks 
that can be handled locally.

In this model, we wouldn't have to trust the detection software with 
connections to the campus edge routers, which don't change their 
advertisements during attacks, which would be needed to use bgp flowspec.  
But this way, different campuses could use different mechanisms to detect & 
divert, from the Full Monty to manual.

Let 1000 flowers bloom...

Dan

-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Steven Wallace
Sent: Thursday, October 29, 2015 3:10 PM
To: 

Subject: [Security-WG] thinking about arbor cloud ...

I was impressed, and it sounds like a combination of their on-prem, their 
cloud for larger DDoS, and peek flow for signaling upstream providers would 
be sweet, but costly for some.

We have I2 members that have automated DDoS detection and signaling to UTRS 
and/or RTBH via BPG for upstream filtering. For those of whom an on-prem 
device is not a good option, it might be useful to pursue engaging Arbor 
Cloud much the same way as UTRS, although Dan's comment concerning detecting 
the end of the attack would need to be solved.

ssw