
netsec-sig - [Security-WG] Re: What tools do people use to trigger Zenedge/Oracle Dyn's scrubbing service?

Subject: Internet2 Network Security SIG

  • From: "Beals, Damon G" <>
  • To: "" <>
  • Subject: [Security-WG] Re: What tools do people use to trigger Zenedge/Oracle Dyn's scrubbing service?
  • Date: Wed, 21 Nov 2018 16:41:30 +0000

At Indiana University, we use IPFIX flow data from our routers, and send it
to a Plixer Scrutinizer collector. We have rules set up in Scrutinizer that
ID DDoS and other strange traffic. The Plixer sends us email when it finds
suspect traffic. We then take a look at the email and at the traffic via
Plixer, to determine if we need to activate scrubbing. Scrubbing is a manual
process; we have to make router config changes to tag the route to the
Gigapop, to activate the scrubbing.

Overall we are happy with our Plixer appliance, but we have not looked into
having the Plixer automatically create blocks or activate scrubbing. Just
too many false positives. And most of our DDoS that are detected are for
short periods of time, less than 15 minutes, just enough to kick that student
playing Xbox off of the network.

https://www.plixer.com/products/scrutinizer/

Damon Beals
Principal Network Engineer
Indiana University
317.274.7946

________________________________________
From: <> on behalf of Magorian, Daniel F. <>
Sent: Tuesday, November 20, 2018 13:41
To:
Subject: [Security-WG] What tools do people use to trigger Zenedge/Oracle
Dyn's scrubbing service?

Hello Security WG folks!

We are having issues with ZenEdge/Oracle Dyn's RapidBGP triggering of their
scrubbing, and while they're figuring that out, I thought I would ask people
what tools they use to trigger scrubbing of subsets of your prefixes.

Yes, I know several folks have Arbor Peakflow boxes for on-prem scrubbing,
and use these to signal Zenedge's as well.

So does anyone have a netflow-based tool that seems to work well?

Thanks, Dan

-----Original Message-----
From: Magorian, Daniel F.
Sent: Wednesday, October 3, 2018 10:34 AM
To:

Subject: RE: [Security-WG] What are folks' experience using Zenedge's
scrubbing service....

We have the RapidBGP alerting service, and the main issue is false positives
from stuff like big user downloads and high volume of inbound traffic to our
Forcepoint/Websense http proxies. They're supposed to trigger on multiple
criteria not just volume, but when we complain to their tech support, they
respond a few days later saying they'll adjust something or other, all very
non-transparent. They have also promised more useful stuff in the portal;
right now it doesn't even know about the alerts they've sent you email about,
basically broken. Still a work in progress...

Dan

-----Original Message-----
From: <> On Behalf Of Steven Wallace
Sent: Wednesday, October 3, 2018 10:25 AM
To:
Subject: [Security-WG] What are folks' experience using Zenedge's scrubbing
service....

Greetings all,

Grateful if folks could share their experience using Zenedge’s scrubbing
service. Specifically, how does engaging, and removing, the scrubbing service
affect access to the hosts being scrubbed?

Is there a hit? Do users notice?

Thanks,

Steve



