Date

22 Feb 2017

Attendees

  • Silvia d'Ambrosio
  • Nino Ciurleo
  • Tomáš Čejka
  • Václav Bartoš
  • Evangelos Spatharas
  • Jerry Sobieski
  • David Schmitz

Goals

  • Summary of RepShield/NERD activity (by Václav / Tomáš)
  • Status Updates of work items (FOD/CT)
  • Status of DDoS Detection/Mitigation WG
  • F2F-Meeting-Planning: Discussing potential locations
  • Review Open Action Points from last VC(s)
  • AOB

Discussion items

Time | Item | Who | Notes
Summary of RepShield/NERD activity (Václav / Tomáš)
  • https://docs.google.com/presentation/d/1krZgQarDQ23BWZt_EnCbPZZE7BRI6TOPI23kM7ig2sk/edit?usp=sharing
  • ->
      • RepShield should allow searching events by category, especially DDoS (for FOD)
      • RepShield should receive NSHaRP events, especially ones regarding DDoS (for FOD)
      • RepShield could provide different score values for different time intervals (e.g. 1 hour, 1 week, 1 month)
      • open questions, especially regarding FOD rule proposal:
          • How could suspect IP addresses be effectively and accurately aggregated to prefixes for FOD rules (depending on the scalability regarding the number of FlowSpec rules in a router)?
          • How could further information about suspect IP addresses, gained in future by monitoring their activity with statistics of FOD ALLOW rules, be fed back to RepShield and its calculated score?
          • Is RepShield also useful for proposing firewall rules for the envisioned SDN/NFV-based FwaaS (as successor of FOD), maybe based on or compatible with vendor solutions from, e.g., Corsa, A10, Radware? How would it have to be extended for that (also regarding feedback from FwaaS)?
          • In Future: RepShield Distributed, e.g., per NREN, exchanging local reputation score values (to overcome issues of legal/organizational/privacy policies)
 
Status of FOD
 
DDoS Detection/Mitigation WG

RadWare? POC at CIENA in cooperation with GARR:
  • GARR is still studying this complex product with many functionalities (mainly behaviour analysis based on thresholds)
  • -> In general: complex configuration/customization (thresholds), depending on local set-up

 

Fastnetmon testing at GARR:

  • The learning phase of the RadWare POC at GARR is progressing.
  • Issue with fastnetmon is that it has to be configured according to local set-up, e.g. bandwidth of monitored links and other thresholds which normally only a local admin knows about
  • -> Silvia/Nino prepared a draft of a scenario for multi-domain use of fastnetmon in GEANT community where fastnetmon is used at institution side and can signal to upstream for mitigation based on local decision (e.g. via FOD).
  • They will work out that draft in the T6 wiki

 

A10+Flowmon DDoS Defender POC at GEANT:

  • FlowMon DDoS Defender module of FlowMon for detection of DDoS attacks works fine.
  • But there are issues with signalling the correct mitigation to the A10 box, as the script currently used on the A10 box for this has too many limitations and restrictive assumptions that are only valid in regulated, commercial company networks
  • The script will have to be expanded with the help of A10
  • Also issues with feedback/statistics for NSHaRP about mitigated traffic (especially regarding TCP packets with zero window size)

Waiting for Deepfield POC at GEANT
Also planned POC of CORSA filter box

 

DDoS D/M Survey:

  • Tomáš forwarded the survey invitation to the responsible person in CESNET. Waiting for an answer.
  • Evangelos checked with Mark Johnston (SA1) whether it would be useful to send the invitation to the APM list -> Yes
  • Evangelos will send the invitation to the APM list
  • Evangelos will also send invitation to ddos@lists.geant.org
Certificate Transparency

Task-internal Demo/Presentation (user view of CT):
  • user-stories for CT have been defined in text-form
  • now actual presentation has to be prepared
 F2F Meeting Planning 
  • A new Foodle poll for the F2F meeting exists, but answering may be hard if the place of the meeting is not known (because of travel duration)
  • So, first the potential locations have to be found. Candidates currently are:
        • Garching near Munich (LRZ)
        • Prague
        • Rome ? (Silvia/Nino have to check)
        • Stockholm ?
Next Regular T6 VC

In 2 weeks: 08.03.2017, 14:15-15:15 CE(S)T

Action items