GÉANT DDoS Cleansing and Alerting

Supporting GÉANT peering users with dynamic, fast responses to DDoS

Distributed Denial of Service (DDoS) is a large and growing problem within the networking community with a large number of NRENs reporting attacks every month.


These attacks not only damage live services for users but affect the reputation of the NREN amongst their users and consume large amounts of manpower and resources to respond to and counter them.

As the growth of botnet and other DDoS attacks increases, this workload will also increase and may begin to affect the ability of NRENs to support other activities.


Most DDoS responses can be relatively blunt tools in their operation with the risk of false positive reports and the dropping of valid traffic sources. This is a particular problem for R&E networks which have different traffic profiles compared to domestic or even business internet usage  (small numbers of very large, random traffic sources  compared to a "typical" profile of large numbers of individually relatively small traffic sources.)


Now GÉANT has developed a DDoS Cleansing and Alerting service, designed for users of GÉANT's peering services (including indirect GÉANT World Service (GWS)), which allows GÉANT to dynamically detect and mitigate these attacks.


diagrams.jpg

How it works

GÉANT has deployed A10 networks Threat Protection System (TPS) hardware within the GÉANT backbone alongside FlowMon for DDoS traffic monitoring.


Using these two tools, GÉANT can monitor traffic flowing from external ISP connections and identify traffic that appears to be part of a DDoS attack.  This traffic is then dynamically (if wished) diverted to the A10 TPS hardware which inspects and dumps DDoS data whilst passing valid data traffic. This intelligent cleansing allows for R&E traffic to continue to flow while removing DDoS.


This process occurs automatically with no NREN staff resource required.

Applicability

DDoS Cleansing and Alerting supports NRENs using GÉANT peering (including indirect GWS clients)  and so cannot protect direct ISP to NREN connections or ISP to institutional connections at the moment. However, with over 50% of identified DDoS attacks originating via GÉANT IP connections the service should reduce dramatically the impact of DDoS on NREN support staff.


The service is a no-cost option for all peering users and requires only simple registration to receive alerts from the system.


The current Firewall on Demand tool remains available to support DDoS mitigation for other users and Inter-NREN DDoS attacks.  https://www.geant.org/Networks/Network_Operations/Pages/Firewall-on-Demand.aspx