
netsec-sig - Re: [Security-WG] DDOS Mitigation

Subject: Internet2 Network Security SIG

  • From: Karl Newell <>
  • To: "" <>
  • Subject: Re: [Security-WG] DDOS Mitigation
  • Date: Mon, 9 May 2016 19:57:26 +0000

No, we didn’t plan for a webex so there won’t be the equipment for it.  We’ll get the meeting notes out to the group after GS.

Karl

--
Karl Newell
Cyberinfrastructure Security Engineer
Internet2
520-344-0459


From: <> on behalf of "Magorian, Daniel F." <>
Reply-To: "" <>
Date: Monday, May 9, 2016 at 7:45 AM
To: "" <>
Subject: RE: [Security-WG] DDOS Mitigation

Karl, we're very interested in an I2 solution to DDoS but won't be at the global summit. Will there be a webex for the WG meeting? Thanks. Dan



Sent with Good (www.good.com)

From: <> on behalf of Karl Newell <>
Sent: Friday, May 6, 2016 4:17:47 PM
To:
Subject: Re: [Security-WG] DDOS Mitigation
 
I haven’t looked at either of those products yet but we are planning some testing soon.  Internet2 is collaborating with the University of Arizona and building a network attack detection and mitigation testing lab.  One of the first products we’ll be testing will be TMS.  We’ll share our findings with the group and community as they develop.

I’m hosting a Network Security BoF at the Global Summit, Tuesday 7pm.  We’ll outline Internet2’s plans regarding security in general but what I’d really like is to hear from the community. If an Internet2 DDoS scrubbing service is something the community is interested in please attend and let us know (or email this list to let us know your thoughts).

I’ve been doing some work with open source tools and set up something similar to:
https://www.nanog.org/sites/default/files/OpenSource-DDoS.pdf


Basically, fastnetmon to digest netflow/sflow/pcap and generate events for a time series database (InfluxDB).  Run an anomaly detection engine (Morgoth) against the data and graph everything (Grafana).  Still working on it and figuring out how to scale it but initial thoughts are that it might work for detecting events but it doesn’t provide actionable data.  You have to provide specific IPs to monitor in the fastnetmon configs and the events it generates don't reference the other IP in the conversation.  You’ll get alerts but you’ll need to look elsewhere to get more information and decide on a course of action.

We will also be testing Deepfield Defender soon which is a DDoS detection engine running on our existing Deepfield (netflow analytics) instance. 

-Karl


--
Karl Newell
Cyberinfrastructure Security Engineer
Internet2
520-344-0459







On 5/3/16, 11:27 AM, " on behalf of David Farmer" < on behalf of > wrote:

>Has anyone evaluated the effectiveness of Arbor TMS VS. Radware
>DefensePro for DDOS mitigation, the actual cleaning of the traffic?
>I'd be especially interested in experience regarding false positives,
>dropping good traffic? The effectiveness of auto-mitigation, do you
>have to tailor the mitigations to individual attacks, or does the
>attack traffic get cleaned without much human intervention?
>
>Anyone tested or using either product want to comment?
>
>Radware has an out of line diversion model working now.  We are
>currently testing both products and planning to implement Peakflow for
>flow analysis and DDOS detection, and are deciding between TMS and
>DefensePro for 40G of mitigation, the cleaning of the traffic.
>
>Has anyone evaluated other products for flow analysis and DDOS
>detection or DDOS mitigation and traffic cleaning portions?
>
>Thanks
>
>--
>===============================================
>David Farmer               Email:
>Networking & Telecommunication Services
>Office of Information Technology
>University of Minnesota
>2218 University Ave SE        Phone: 612-626-0815
>Minneapolis, MN 55414-3029   Cell: 612-812-9952
>===============================================
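
The limitation described in the thread (alerts on a monitored IP that do not name the other end of the conversation) can be illustrated with a short added example, which is not code from the thread, fastnetmon, or Morgoth. It assumes flow records already reduced to hypothetical `(interval, src_ip, dst_ip, bytes)` tuples, a simple mean-of-history baseline, and constructed sample data using RFC 5737 documentation addresses.

```python
from collections import defaultdict

# Constructed sample flow records: (interval, src_ip, dst_ip, bytes).
# Addresses are from the RFC 5737 documentation ranges.
FLOWS = (
    [(t, "198.51.100.10", "192.0.2.80", 1000) for t in range(5)]
    + [(t, "198.51.100.11", "192.0.2.80", 1200) for t in range(5)]
    + [(5, "198.51.100.10", "192.0.2.80", 1000),
       (5, "203.0.113.7", "192.0.2.80", 40000),
       (5, "203.0.113.9", "192.0.2.80", 25000)]
)


def detect(flows, monitored, factor=5.0, warmup=3, top_n=2):
    """Flag intervals where a monitored destination's inbound bytes exceed
    factor x the mean of its earlier intervals, and attach the top sources."""
    totals = defaultdict(int)                       # (dst, interval) -> bytes
    by_src = defaultdict(lambda: defaultdict(int))  # (dst, interval) -> src -> bytes
    for interval, src, dst, nbytes in flows:
        if dst in monitored:
            totals[(dst, interval)] += nbytes
            by_src[(dst, interval)][src] += nbytes

    alerts = []
    history = defaultdict(list)                     # dst -> earlier interval totals
    for dst, interval in sorted(totals, key=lambda k: (k[1], k[0])):
        total = totals[(dst, interval)]
        past = history[dst]
        if len(past) >= warmup:
            baseline = sum(past) / len(past)
            if total > factor * baseline:
                # Keep the peer addresses so the alert is actionable on its own.
                talkers = sorted(by_src[(dst, interval)].items(),
                                 key=lambda kv: kv[1], reverse=True)[:top_n]
                alerts.append({"dst": dst, "interval": interval, "bytes": total,
                               "baseline": baseline, "top_sources": talkers})
                continue  # keep anomalous intervals out of the baseline
        past.append(total)
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS, {"192.0.2.80"}):
        print(alert)
```

Intervals with no traffic at all for a destination do not appear in the input and are therefore not counted in the baseline.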


