
netsec-sig - Re: [Security-WG] What tools do people use to trigger Zenedge/Oracle Dyn's scrubbing service?

Subject: Internet2 Network Security SIG

List archive

  • From: Brad Fleming <>
  • To:
  • Subject: Re: [Security-WG] What tools do people use to trigger Zenedge/Oracle Dyn's scrubbing service?
  • Date: Tue, 20 Nov 2018 16:07:02 -0600

Kentik offers an on-net collector which catches the data then builds a secure tunnel back to the Kentik cloud. Their service comes with some language about data retention which was good enough for us; however, we’re not a state agency with policies surrounding such data.

Costs for their service are based on number of frames per second of raw flow data your router is sending; NOT the number of frames being sampled through the box: the number of frames per second of flow/UDP data the router is dumping toward the collector. They’ve been willing to work pretty hard on discounts in our experience; however, YMMV.

We never compared to Peakflow but we used to use InMon Traffic Sentinel, run from our own VMware compute. It was a little faster at identifying problems but rule creation was very arduous and lacked the features of Kentik. In the end we chose Kentik even with its higher cost.
--
Brad Fleming
Assistant Director for Technology
Kansas Research and Education Network
Office: 785-856-9805
Mobile: 785-865-7231
NOC: 785-856-9820

On Nov 20, 2018, at 3:12 PM, Magorian, Daniel F. <> wrote:

Thanks Brad and Mark:
 
Having just had a particularly nasty set of false positives autotriggered by RapidBGP, the concern to have a person in the loop is starting to come into focus!
 
So we have no experience with Kentik Detect. I assume it is a cloud analytics service that you set up VPN tunnels to and send your NetFlow over; is anyone concerned about sending your NetFlow to those kind of folks in CA, even tunneled? Looks easy enough to get started; how much does it cost after the trial period?
 
I assume folks use it to look at your peering data and a bunch of other analytics off the routers, not just DDoS.
 
So did anyone do an actual detection and triggering comparison of Arbor Peakflow Virtual vs Kentik vs FastNetMon? Or did everyone get started with one and then stick with that?
 
Dan
 
From:  <> On Behalf Of Brad Fleming
Sent: Tuesday, November 20, 2018 3:20 PM
To: 
Subject: Re: [Security-WG] What tools do people use to trigger Zenedge/Oracle Dyn's scrubbing service?
 
Here’s the general flow for KanREN:
 
1) We dump IPFIX from our routers to Kentik.
2) Build rules in Kentik which identify traffic patterns we find suspicious.
3) Kentik fires an event to an on-network application we wrote.
   a) It does some basic triage and presents the alarm in a KanREN staff portal.
4) If a human agrees with the alarm we can trigger a scrub route from the web interface.
5) Application does a netconf push to a Juniper vMX trigger box we use for RTBHR, flowspec, sBHR, and scrubbing which then signals to the core network.
 
Releasing the scrub route is currently a manual process. We have to watch the event in the Zenedge dashboard or simply guess when we think the event has passed. Releasing the scrub route is also done via the web interface. We can also add an event via the web interface if a Kentik rule didn’t catch something.
 
All of this could be automated; we’re just worried about false positives in the Kentik ruleset we created. We’re also not 100% sure we have the API calls correct to get status from the ZE portal. Having a human check it (or communicate with their SOC) provides some degree of final check.
 
We have a few members with /24 assignments from ARIN. For that reason we have to do some routing table tricks to keep those /24s in our internal route table but remove them from all the upstream transit carriers. The attached diagram kinda shows the problem; it was drawn mainly for the internal technical group at KanREN so you might see references to some communities that don’t make sense.
 
And of course we allow BGP-speaking members to signal scrub routes to us directly via community string which makes all the routing messes simpler by a country mile. 
 
If anyone is interested I can share some screenshots of our web interface.
--
Brad Fleming
Assistant Director for Technology
Kansas Research and Education Network
Office: 785-856-9805
Mobile: 785-865-7231
NOC: 785-856-9820
 
 
 
Dan, OSHEAN may be one of those employing Kentik - if you're interested in hearing how OSHEAN integrated Kentik into an automated detection and scrubbing architecture with Akamai let us know. 
 
Attached is an Akamai brief on our implementation; while it does not highlight Kentik, Kentik's analytics engine drives the code we've developed that detects an attack on the OSHEAN network and members.
 
Thanks - Mark
 
Mark Montalto - Vice President
 
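The five-step KanREN flow Brad lays out earlier in this thread (IPFIX into Kentik, a Kentik rule fires an event to an on-network application, basic triage and a staff-portal alarm, a human approves, the application pushes a scrub route to the Juniper vMX trigger box, and later releases it) is sketched below as an added example. It is not KanREN's, Kentik's, Zenedge's or OSHEAN's code. The Kentik event shape, the community values, the member prefixes, the scrub next hop and the set-style Junos snippet are all assumptions; the NETCONF push itself is left to the caller so that the example runs offline. It also covers the /24 point from the same post: a scrub route is only ever generated as a /24 inside member space, tagged with a second community meant to keep it in the internal table but off the transit carriers.

```python
"""Human-in-the-loop scrub-route workflow.

Added illustration of the flow described in the thread; not KanREN's, Kentik's
or Zenedge's code. Every concrete value below is an assumption.
"""
import ipaddress
import json
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Hypothetical BGP communities and next hop: the thread names none of them.
SCRUB_COMMUNITY = "65000:911"        # trigger box: divert this prefix to the scrubbing service
NO_TRANSIT_COMMUNITY = "65000:9999"  # trigger box: keep internally, withhold from transit carriers
SCRUB_NEXT_HOP = "192.0.2.1"         # TEST-NET address standing in for the scrub tunnel next hop
SCRUB_PREFIX_LEN = 24                # a scrub route is always announced as a /24

# Constructed member assignments; only space inside these may ever be diverted.
MEMBER_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]


class State(Enum):
    PENDING = "pending"    # shown in the staff portal, waiting for a human
    ACTIVE = "active"      # scrub route pushed to the trigger box
    RELEASED = "released"  # scrub route withdrawn
    REJECTED = "rejected"  # refused by triage or by the operator


@dataclass
class Alarm:
    alarm_id: str
    target: str                                      # what the analytics flagged
    pps: int
    signature: str
    state: State
    prefix: Optional[ipaddress.IPv4Network] = None   # the /24 that would be diverted
    note: str = ""


class ScrubController:
    """Steps 3 to 5 of the flow: triage, human decision, route generation."""

    def __init__(self):
        self.alarms = {}

    def ingest(self, payload: str) -> Alarm:
        """Accept an event (constructed Kentik-like JSON) and triage it before a human sees it."""
        data = json.loads(payload)
        target = ipaddress.ip_network(data["prefix"], strict=False)
        alarm = Alarm(data["alarm_id"], str(target), int(data["pps"]), data["signature"], State.PENDING)
        if target.version != 4 or target.prefixlen < SCRUB_PREFIX_LEN:
            # Triage rule 1: never divert anything broader than the /24 we scrub by.
            alarm.state, alarm.note = State.REJECTED, "prefix broader than a /24"
        else:
            candidate = target.supernet(new_prefix=SCRUB_PREFIX_LEN)
            if not any(candidate.subnet_of(m) for m in MEMBER_PREFIXES):
                # Triage rule 2: only member space may be pulled off the transit carriers.
                alarm.state, alarm.note = State.REJECTED, "not a member prefix"
            else:
                alarm.prefix = candidate
        self.alarms[alarm.alarm_id] = alarm
        return alarm

    def approve(self, alarm_id: str) -> str:
        """A human agreed with the alarm; return the config the app would push."""
        alarm = self._expect(alarm_id, State.PENDING)
        alarm.state = State.ACTIVE
        return junos_scrub_route(alarm.prefix)

    def reject(self, alarm_id: str, reason: str) -> None:
        """A human disagreed; nothing is pushed and the reason is kept for review."""
        alarm = self._expect(alarm_id, State.PENDING)
        alarm.state, alarm.note = State.REJECTED, reason

    def release(self, alarm_id: str) -> str:
        """Operator judged the event over; return the config that withdraws the route."""
        alarm = self._expect(alarm_id, State.ACTIVE)
        alarm.state = State.RELEASED
        return junos_scrub_route(alarm.prefix, withdraw=True)

    def _expect(self, alarm_id: str, state: State) -> Alarm:
        alarm = self.alarms[alarm_id]
        if alarm.state is not state:
            raise ValueError(f"{alarm_id} is {alarm.state.value}, expected {state.value}")
        return alarm


def junos_scrub_route(prefix: ipaddress.IPv4Network, withdraw: bool = False) -> str:
    """Set-style Junos snippet for the vMX trigger box (assumed layout, not KanREN's).
    Pushing it over NETCONF is the caller's job and is deliberately not done here."""
    route = f"routing-options static route {prefix}"
    if withdraw:
        return f"delete {route}\n"
    return (f"set {route} next-hop {SCRUB_NEXT_HOP}\n"
            f"set {route} community [ {SCRUB_COMMUNITY} {NO_TRANSIT_COMMUNITY} ]\n")


if __name__ == "__main__":
    ctl = ScrubController()
    # Constructed event: a member host under a UDP flood, in a Kentik-like shape.
    event = '{"alarm_id": "k-1001", "prefix": "198.51.100.77/32", "pps": 850000, "signature": "udp-flood"}'
    alarm = ctl.ingest(event)
    print(alarm.state.value, alarm.prefix, alarm.note)
    print(ctl.approve("k-1001"), end="")
    print(ctl.release("k-1001"), end="")
```

The state machine is the point: a route can only be pushed from `PENDING` and only withdrawn from `ACTIVE`, so a duplicate event or a double click in the portal cannot push the same diversion twice or withdraw one that was never applied, and every rejection carries a note the staff can review when tuning the Kentik rules against false positives.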

Attachment: smime.p7s
Description: S/MIME cryptographic signature
