netsec-sig - Re: [Security-WG] Proposed Internet2 DDoS Mitigation Strategy

Subject: Internet2 Network Security SIG

Re: [Security-WG] Proposed Internet2 DDoS Mitigation Strategy


  • From: "Montgomery, Douglas (Fed)" <>
  • To: "" <>
  • Subject: Re: [Security-WG] Proposed Internet2 DDoS Mitigation Strategy
  • Date: Sun, 25 Sep 2016 18:13:50 +0000
  • Accept-language: en-US

Steve,

We are working with a DHS S&T project to try to understand the status of anti-spoofing deployments (CAIDA measurement project) and understand the technical and operational barriers to deployment in various scenarios.

The Arbor report cited in this thread notes ~44% deployment of anti-spoofing filters. It turns out that we find that it is enlightening to actually periodically test and measure the extent to which networks apply anti-spoofing filters. It would be interesting to ask this community if they are already participating in the CAIDA spoofer measurement project. One can look at the measurements from the CAIDA project below:


You can join the spoofer project measurements below:


If the R&E community has widely deployed anti-spoofing filters – I would be interested in what mechanisms are being used? ACLs, uRPF (of various flavors), etc. We have been receiving pushback from large T1 ISPs about performance impacts of BCP38/BCP84 like mechanisms, with some claiming up to a 50% drop in maximum packet processing rates on high speed interfaces. We are doing some of these measurements on lower end devices and see a 10%-20% impact on maximum packet processing rates.

So I would find it interesting to know what technical mechanisms folks in this community are using for anti-spoofing filtering and if there are issues / concerns in the operation / management of these mechanisms?

dougm
— 
Doug Montgomery, Mgr Internet & Scalable Systems Research at  NIST/ITL/ANTD
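To make the three mechanisms Doug asks about concrete, here is an added example (not part of this thread, nor NIST or CAIDA code): a small Python model of a BCP38 static ingress ACL, strict uRPF and loose uRPF, run over a constructed FIB and constructed sample packets. The prefixes, interface names and routes are all hypothetical; the last sample shows the asymmetric-routing case where strict uRPF drops legitimate traffic while the ACL and loose uRPF do not.

```python
import ipaddress
# Constructed FIB for a hypothetical edge router: prefix -> interface of the best route.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "cust0",        # customer A
    ipaddress.ip_network("198.51.100.0/24"): "cust1",     # customer B
    ipaddress.ip_network("203.0.113.0/24"): "upstream",   # B's 2nd prefix, best path via upstream
    ipaddress.ip_network("0.0.0.0/0"): "upstream",        # default route
}

# Constructed BCP38-style static ingress ACL: interface -> prefixes permitted as source.
INGRESS_ACL = {
    "cust0": [ipaddress.ip_network("192.0.2.0/24")],
    "cust1": [ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("203.0.113.0/24")],
}

def lookup(src):
    """Longest-prefix match of a source address in the FIB; returns (prefix, iface) or None."""
    best = None
    for prefix, iface in FIB.items():
        if src in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best

def acl_permits(src, iface):
    """Static ingress ACL: source must fall inside a prefix assigned to the ingress interface."""
    return any(src in p for p in INGRESS_ACL.get(iface, []))

def urpf_strict(src, iface):
    """Strict uRPF: the best route back to the source must point out the ingress interface."""
    hit = lookup(src)
    return hit is not None and hit[1] == iface

def urpf_loose(src, iface):
    """Loose uRPF: any non-default route to the source suffices (catches only unrouted sources)."""
    hit = lookup(src)
    return hit is not None and hit[0].prefixlen > 0

def check(src_str, iface):
    """Verdict of each mechanism for one packet: True = forwarded, False = dropped."""
    src = ipaddress.ip_address(src_str)
    return {"acl": acl_permits(src, iface),
            "strict_urpf": urpf_strict(src, iface),
            "loose_urpf": urpf_loose(src, iface)}

if __name__ == "__main__":
    # Constructed sample packets: legitimate; spoofed neighbour prefix;
    # unrouted source; legitimate but arriving on a non-best-path interface.
    samples = [("192.0.2.10", "cust0"), ("192.0.2.10", "cust1"),
               ("10.0.0.5", "cust0"), ("203.0.113.7", "cust1")]
    for src, iface in samples:
        print(f"{src:>12} on {iface:8}: {check(src, iface)}")
```

The second and fourth samples are the interesting ones: loose uRPF forwards the spoofed neighbour prefix, and strict uRPF drops the legitimate multihomed customer, which is the operational trade-off behind the "various flavors" question.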


From: <> on behalf of Steven Wallace <>
Reply-To: <>
Date: Saturday, September 24, 2016 at 3:33 PM
To: <>
Subject: Re: [Security-WG] Proposed Internet2 DDoS Mitigation Strategy

Hi Doug,

Generally Internet2 members apply BCP38. The NSF even requires it before they award network-related grants. It’s always worth bringing up, but most have this configured.

steve


On Sep 24, 2016, at 12:57 PM, Montgomery, Douglas (Fed) <> wrote:

Karl,

The Arbor report that you cite notes the significance of reflection / amplification attacks in observed volumetric DDoS attacks. I notice the attached strategy document does not address preventative use of anti-spoofing techniques. Is this because these are already widely implemented in the I2 community, viewed as not viable, or something else?

dougm
— 
Doug Montgomery, Mgr Internet & Scalable Systems Research at  NIST/ITL/ANTD


From: <> on behalf of Karl Newell <>
Reply-To: "" <>
Date: Saturday, September 24, 2016 at 1:12 PM
To: "" <>
Subject: [Security-WG] Proposed Internet2 DDoS Mitigation Strategy

I have attached the proposed Internet2 DDoS Mitigation Strategy.  The intended audience is CIO/CTO level and will be circulated after we receive feedback from the community.  Please take a look and let us know if you have any comments or questions.  For those attending TechX there is a DDoS Mitigation BoF on Wednesday; we’ll review the document and have a general discussion around DDoS mitigation.
 
Cheers,
Karl
 
--
Karl Newell
Cyberinfrastructure Security Engineer
Internet2
520-344-0459
