Discussion items

Firewall On Demand (FoD)
  • (info page for FoD development https://wiki.geant.org/pages/viewpage.action?pageId=63965046)
  • FoD v1.5 = FoD with new functionalities: rule range specification, current rule behaviour statistic graphs, multi-tenant rule control REST-API
  • FoD v1.6 = FoD with automated rule proposal from RepShield
  • Other FoD v1.5 pilot preparations
      • Existing user documentation (as presentation document) update currently in progress
      • Pilot evaluation survey which was used for FoD v1.1 has to be reviewed and updated for v1.5
  • Pilot UAT testing
      • Fix by Tomas for specifying port 0 has been provided, still has to be tested on the testing machine before creating a new rpm for the UAT machine
      • Second UAT VC: feedback from pilot users:
        • LITNET again tried rule 53,0 to mitigate a short 5-20 min DDoS attack -> it failed somehow and no graphs were created
        • EENET: strange DDoS attack at end of year (repeated at particular intervals), mitigation (rate-limiting) worked with a single rule, but graphs with a longer time range would be desirable to more easily investigate attack behaviour
        • EENET started to test the REST API, e.g. it would be nice to have the possibility to reactivate a rule every week after auto-timeout
        • idea (LITNET): for single attacker IP address+port allow to block traffic to whole subnet (also bigger than /29) to mitigate e.g. scanning attacks
        • CERT meeting in Hamburg, 5-7.02.2018
  • FoD v1.5 production service documents
      • Now for the future production phase of FoD v1.5 (and all further versions) all necessary PLM documents have to be prepared, e.g. CBA, service description, service design plan
      • Especially for the operative documents this will be done in close cooperation with Evangelos
      • For most PLM documents, this will be done by filling the FoD service template wiki pages (https://wiki.geant.org/display/gn42jra2/Firewall-On-Demand+%28FoD%29+Service) which David started to fill
      • Evangelos will check the service template to get acquainted with it
  • FoD v1.6 (with RepShield) development/testing/pilot:
      • DDoS simulation/testing would be valuable to test viability of the approach, especially during the development/testing
      • VM for DDoS simulation/testing to be installed in Lab still pending

DDoS Detection/Mitigation (D/M) WG

GARR DDoS D/M PoCs/Testing Framework

GARR Arbor PoC: preliminary results:

        • ARBOR's so-called profile detection seems to be incapable of detecting DDoS attacks (even to some reliable extent) out of highly dynamic and unforeseeable research network traffic in GARR
        • So profile detection is disabled for now in the PoC
        • Beyond that ARBOR is creating a large number of false positives
        • Furthermore, alert export of ARBOR is quite limited, so far only email export seems to be realizable
        • But because of the high false positive rate, this is not considered currently
        • Remaining use of ARBOR in GARR (and so also similar research networks, including universities) may be to limit the DDoS detection to particular machines, e.g. DNS servers

RepShield/NERD
  • RepShield/NERD development: some performance improvements
  • Silvia/Nino will check how to share alert data from their FastNetMon PoC to Warden, Václav will support them in writing/installing Warden filer script for exporting

Next VC

In 2 weeks: 24.01.2018, 14:15-15:15 CE(S)T

Action items

  • Evangelos: provide DDoS simulation/testing VM
  • Evangelos: check the FoD service template (https://wiki.geant.org/display/gn42jra2/Firewall-On-Demand+%28FoD%29+Service) to get acquainted with it
  • Silvia/Nino: provide action plan document for GARR DDoS D/M PoCs next week
  • Silvia/Nino/Václav: cooperate on checking whether and how to export GARR FastNetMon PoC alerts to Warden
  • all: next regular T6 VC: 24.01.2018, 14:15-15:15 CE(S)T
