netsec-sig - Re: [Security-WG] DDOS Mitigation
- From: Karl Newell <>
- Subject: Re: [Security-WG] DDOS Mitigation
- Date: Fri, 6 May 2016 20:17:47 +0000
I haven’t looked at either of those products yet but we are planning some
testing soon. Internet2 is collaborating with the University of Arizona and
building a network attack detection and mitigation testing lab. One of the
first products we’ll be testing will be TMS. We’ll share our findings with
the group and community as they develop.
I’m hosting a Network Security BoF at the Global Summit, Tuesday 7pm. We’ll
outline Internet2’s plans regarding security in general but what I’d really
like is to hear from the community. If an Internet2 DDoS scrubbing service is
something the community is interested in please attend and let us know (or
email this list to let us know your thoughts).
I’ve been doing some work with open source tools and set up something similar
to:
https://www.nanog.org/sites/default/files/OpenSource-DDoS.pdf
Basically, fastnetmon to digest netflow/sflow/pcap and generate events for a
time series database (InfluxDB). Run an anomaly detection engine (Morgoth)
against the data and graph everything (Grafana). Still working on it and
figuring out how to scale it but initial thoughts are that it might work for
detecting events but it doesn’t provide actionable data. You have to provide
specific IPs to monitor in the fastnetmon configs and the events it generates
don't reference the other IP in the conversation. You’ll get alerts but
you’ll need to look elsewhere to get more information and decide on a course
of action.
We will also be testing Deepfield Defender soon which is a DDoS detection
engine running on our existing Deepfield (netflow analytics) instance.
-Karl
--
Karl Newell
Cyberinfrastructure Security Engineer
Internet2
520-344-0459
On 5/3/16, 11:27 AM, David Farmer wrote:
>Has anyone evaluated the effectiveness of Arbor TMS vs. Radware
>DefensePro for DDOS mitigation, the actual cleaning of the traffic?
>I'd be especially interested in experience regarding false positives,
>dropping good traffic? The effectiveness of auto-mitigation, do you
>have to tailor the mitigations to individual attacks, or does the
>attack traffic get cleaned without much human intervention?
>
>Anyone tested or using either product want to comment?
>
>Radware has an out of line diversion model working now. We are
>currently testing both products and planning to implement Peakflow for
>flow analysis and DDOS detection, and are deciding between TMS and
>DefensePro for 40G of mitigation, the cleaning of the traffic.
>
>Has anyone evaluated other products for flow analysis and DDOS
>detection or DDOS mitigation and traffic cleaning portions?
>
>Thanks
>
>--
>===============================================
>David Farmer
>Email:
>Networking & Telecommunication Services
>Office of Information Technology
>University of Minnesota
>2218 University Ave SE Phone: 612-626-0815
>Minneapolis, MN 55414-3029 Cell: 612-812-9952
>===============================================
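The gap Karl describes in his reply above (fastnetmon flags a monitored IP, but the alert never says who is talking to it) can be closed by joining the alert against the flow records the same pipeline is already collecting. What follows is an added example for this archive page, not fastnetmon, Morgoth or Internet2 code; the alert layout, the flow tuple layout and every address are constructed sample data, and the join is the author's own illustration.

```python
"""Enrich a target-only DDoS alert with the flow counterparties for its window."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed: the fields a target-only alert carries (assumed layout).
ALERT = {"target": "192.0.2.10", "start": 1462560000, "end": 1462560060,
         "direction": "incoming"}

# Constructed netflow/sflow-style records:
# (ts, src, dst, proto, sport, dport, packets, bytes)
FLOWS = [
    (1462560005, "198.51.100.7", "192.0.2.10", 17, 123, 80, 90000, 40500000),
    (1462560010, "198.51.100.9", "192.0.2.10", 17, 123, 80, 60000, 27000000),
    (1462560012, "203.0.113.4", "192.0.2.10", 6, 44321, 443, 120, 9000),
    (1462560070, "203.0.113.44", "192.0.2.10", 17, 123, 80, 50000, 22500000),  # outside window
    (1462560015, "198.51.100.7", "192.0.2.11", 17, 123, 80, 50000, 22500000),  # other host
]


def enrich(alert, flows, top_n=3):
    """Join a target-only alert with the flow records from its time window and
    return the top counterparties by bytes, each with its share of the total.
    The (peer, proto, sport, dport) key keeps the source port visible, which is
    what distinguishes a reflection pattern from ordinary client traffic."""
    target = ip_address(alert["target"])
    incoming = alert["direction"] == "incoming"
    agg = defaultdict(lambda: [0, 0])  # key -> [packets, bytes]
    total = 0
    for ts, src, dst, proto, sport, dport, pkts, nbytes in flows:
        if not alert["start"] <= ts <= alert["end"]:
            continue  # outside the alert window
        # "own" is the side that must match the alert target, "peer" the other side
        peer, own = (src, dst) if incoming else (dst, src)
        if ip_address(own) != target:
            continue  # traffic for a different host
        key = (peer, proto, sport, dport)
        agg[key][0] += pkts
        agg[key][1] += nbytes
        total += nbytes
    ranked = sorted(agg.items(), key=lambda kv: kv[1][1], reverse=True)[:top_n]
    return [{"peer": k[0], "proto": k[1], "sport": k[2], "dport": k[3],
             "packets": v[0], "bytes": v[1], "share": round(v[1] / total, 3)}
            for k, v in ranked]


if __name__ == "__main__":
    for row in enrich(ALERT, FLOWS):
        print(row)
```

Run against the constructed data, the two NTP-sourced peers account for essentially all bytes toward the target, which is the detail an operator needs to decide on a mitigation rather than just knowing the target is under load.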