
netsec-sig - Re: [Security-WG] What tools do people use to trigger Zenedge/Oracle Dyn's scrubbing service?



  • From: Brad Fleming <>
  • To:
  • Subject: Re: [Security-WG] What tools do people use to trigger Zenedge/Oracle Dyn's scrubbing service?
  • Date: Tue, 20 Nov 2018 14:20:03 -0600

Here’s the general flow for KanREN:

1) We dump IPFIX from our routers to Kentik.
2) Build rules in Kentik which identify traffic patterns we find suspicious.
3) Kentik fires an event to an on-network application we wrote.
   a) It does some basic triage and presents the alarm in a KanREN staff portal.
4) If a human agrees with the alarm we can trigger a scrub route from the web interface.
5) Application does a netconf push to a Juniper vMX trigger box we use for RTBHR, flowspec, sBHR, and scrubbing which then signals to the core network.

Releasing the scrub route is currently a manual process. We have to watch the event in the Zenedge dashboard or simply guess when we think the event has passed. Releasing the scrub route is also done via the web interface. We can also add an event via the web interface if a Kentik rule didn’t catch something.

All of this could be automated; we’re just worried about false positives in the Kentik ruleset we created. We’re also not 100% sure we have the API calls correct to get status from the ZE portal. Having a human check it (or communicate with their SOC) provides some degree of final check.

We have a few members with /24 assignments from ARIN. For that reason we have to do some routing table tricks to keep those /24s in our internal route table but remove them from all the upstream transit carriers. The attached diagram kinda shows the problem; it was drawn mainly for the internal technical group at KanREN so you might see references to some communities that don’t make sense.

And of course we allow BGP-speaking members to signal scrub routes to us directly via community string which makes all the routing messes simpler by a country mile. 

If anyone is interested I can share some screenshots of our web interface.
--
Brad Fleming
Assistant Director for Technology
Kansas Research and Education Network
Office: 785-856-9805
Mobile: 785-865-7231
NOC: 785-856-9820

Attachment: zenedge routing design.graffle.pdf
Description: Adobe PDF document
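The gate-and-push part of the flow above (a human approves the alarm, then the application generates the static route the trigger box readvertises with a scrub community), written as an added example rather than KanREN's application; the member blocks, the community 65000:911 and the exact Junos static-route form are assumptions.

```python
import ipaddress
from typing import List

# Constructed placeholders (not KanREN's values): the address space the staff
# portal may act on, and the community the core maps to "send to scrubber".
OWNED_BLOCKS = [ipaddress.ip_network(p) for p in ("198.51.100.0/22", "203.0.113.0/24")]
SCRUB_COMMUNITY = "65000:911"  # hypothetical scrub community


def validate_scrub_prefix(prefix: str) -> ipaddress.IPv4Network:
    """Refuse anything the trigger box should never announce on our behalf."""
    net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits set
    if net.version != 4:
        raise ValueError("IPv4 only in this example")
    # The scrub announcement has to draw traffic from the Internet, so it must be
    # a /24 or shorter; longer prefixes are filtered by most transit carriers.
    if net.prefixlen > 24:
        raise ValueError(f"{net} is longer than /24 and would not propagate")
    if not any(net.subnet_of(block) for block in OWNED_BLOCKS):
        raise ValueError(f"{net} is outside the space we are allowed to scrub")
    return net


def junos_scrub_commands(prefix: str, release: bool = False) -> List[str]:
    """Build the set/delete commands the application pushes over NETCONF.

    The static route on the trigger box only carries the community; the core
    routers' policy turns that community into the scrub path (assumed design).
    """
    net = validate_scrub_prefix(prefix)
    if release:
        return [f"delete routing-options static route {net}"]
    return [
        f"set routing-options static route {net} discard",
        f"set routing-options static route {net} community {SCRUB_COMMUNITY}",
    ]


def human_approved(alarm: dict) -> bool:
    """Step 4 of the flow: only an explicit analyst decision pushes a route."""
    return alarm.get("status") == "approved" and bool(alarm.get("approved_by"))


if __name__ == "__main__":
    # Constructed alarm as the triage app might hand it to the push step.
    alarm = {"prefix": "203.0.113.0/24", "status": "approved", "approved_by": "noc"}
    if human_approved(alarm):
        print("\n".join(junos_scrub_commands(alarm["prefix"])))
```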


On Nov 20, 2018, at 12:41 PM, Magorian, Daniel F. <> wrote:

Hello Security WG folks!

We are having issues with ZenEdge/Oracle Dyn's RapidBGP triggering of their scrubbing, and while they're figuring that out, I thought I would ask people what tools they use to trigger scrubbing of subsets of your prefixes.  

Yes, I know several folks have Arbor Peakflow boxes for on-prem scrubbing, and use these to signal Zenedge's as well.

So does anyone have a netflow-based tool that seems to work well?

Thanks,  Dan

-----Original Message-----
From: Magorian, Daniel F.
Sent: Wednesday, October 3, 2018 10:34 AM
To:
Subject: RE: [Security-WG] What are folks' experience using Zenedge's scrubbing service....

We have the RapidBGP alerting service, and the main issue is false positives from stuff like big user downloads and high volume of inbound traffic to our Forcepoint/Websense http proxies.  They're supposed to trigger on multiple criteria not just volume, but when we complain to their tech support, they respond a few days later saying they'll adjust something or other, all very non-transparent.  They have also promised more useful stuff in the portal; right now it doesn't even know about the alerts they've sent you email about, basically broken.  Still a work in progress...  

Dan

-----Original Message-----
From: <> On Behalf Of Steven Wallace
Sent: Wednesday, October 3, 2018 10:25 AM
To:
Subject: [Security-WG] What are folks' experience using Zenedge's scrubbing service....

Greetings all,

Grateful if folks could share their experience using Zenedge’s scrubbing service. Specifically, how does engaging, and removing, the scrubbing service affect access to the hosts being scrubbed?

Is there a hit? Do users notice?

Thanks,

Steve





