Supported by the GlobalNOC at Indiana University

Indiana GigaPOP NOC Support - DDoS Mitigation (Scrubbing) Service Procedure

Keywords: attack, DDoS, DDoS Attack Mitigation, I-Light, Indiana GigaPOP, mitigation, notifications, scrubbing, scrutinizer

Indiana GigaPOP will implement a DDoS Mitigation (Scrubbing) Service via Internet2.  The service is provided by Zenedge to Internet2 Network Participants and their members.  All Indiana GigaPOP Members may take advantage of this service.

There are four key components to the service.

*Service Desk task items displayed in the highlighted areas below.

Detection 

Indiana GigaPOP has implemented Scrutinizer, a NetFlow analytic tool by Plixer. Scrutinizer provides the Indiana GigaPOP with the ability to analyze NetFlow data with a sampling rate of 1:100 packets. The software includes algorithms to detect patterns in traffic flows; one of those algorithms provides the capability to detect DDoS attacks against an IP address or a network. Scrutinizer will notify the Indiana GigaPOP NOC when the DDoS algorithm detects an attack.  An example of the alert to be received from "Scrutinizer" via Nagios to AlertMon is below:

  • [INSERT ALARM HERE in place of the above email notification]  

A "DDoS Red Alarm" (Critical - On-call) or "DDoS Yellow Alarm" (Minor - Round Robin) will be generated via AlertMon indicating a possible attack.  A "DDoS Red Alarm" will be received when four or more possible attacks are detected within a 15 minute time frame to one IP or targeted host.  A "DDoS Yellow Alarm" is received when three or fewer possible attacks are detected within a 15 minute time frame to one IP or targeted host. The IP netblock along with the entity will be displayed within the alarm description.  Upon the first DDoS alarm that is raised, the Service Desk will conduct the following for each:

  • DDoS Red Alarm - Critical (On-call engagement IS necessitated)
    • Identify the IP Netblock (Engineering will assist if SD is unable to identify.)
    • Create an INC for the affected Member
    • Create a TASK and assign Engineer
    • Engage Engineer
    • Send an email using the "Member XXXX [IP] DDoS Attack Mitigation Service Investigation" template.  *Additional notifications sent will be dependent upon the Engineer's findings during their investigation.  The Service Desk will send notifications following the SOP below.
  • DDoS Yellow Alarm - Minor (On-call engagement is NOT necessitated, only Round Robin)
    • Identify the IP Netblock (Engineering will assist if SD is unable to identify.)
    • Create an INC for the affected Member
    • Create a TASK and assign Engineer via Round Robin
    • Send an email using the "Member XXXX [IP] DDoS Attack Mitigation Service Investigation" template
    • Bump the INC as makes sense to check back in on the Engineer's findings
    • Send additional notifications following the SOP below

Indiana GigaPOP and I-Light IP Addressing information is located here.

In the event that multiple DDoS alarms are raised via AlertMon indicating a possible attack for one Member but the IP netblocks are different, a separate INC should be created for each IP netblock and a TASK created/assigned to Engineering following SOP for the criticality of the alarm (Red Alarm versus Yellow Alarm).  Additionally, a separate notification should be sent to the Member identifying each IP netblock following SOP.

*If 5 or more DDoS alarms are raised via AlertMon within a 30 minute period for one Member but the IP netblocks are different, create one INC (pulling in each subsequent event) and one TASK, assigning and then engaging Engineering for further advisement if not already engaged, following SOP.*
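As an added illustration of the alarm rules above (not part of the original procedure or of Scrutinizer/AlertMon), the following script classifies a constructed batch of "possible attack" detections into Red or Yellow alarms using the 15-minute window, then applies the INC rules: one INC per netblock, or a single INC when five or more alarms for different netblocks of one Member fall within 30 minutes. Member names and prefixes are placeholders from documentation address ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RED_THRESHOLD = 4                    # 4+ detections in 15 min to one target -> Red (Critical)
WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 5                  # 5+ alarms in 30 min for one Member, different netblocks
BURST_WINDOW = timedelta(minutes=30)

# Constructed sample detections (timestamp, member, netblock). Placeholder member names
# and documentation-range prefixes, not real Indiana GigaPOP or I-Light allocations.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "Member A", "192.0.2.0/24"),
    ("2024-01-01T10:03:00", "Member A", "192.0.2.0/24"),
    ("2024-01-01T10:07:00", "Member A", "192.0.2.0/24"),
    ("2024-01-01T10:12:00", "Member A", "192.0.2.0/24"),     # 4th hit inside 15 min -> Red
    ("2024-01-01T10:05:00", "Member A", "198.51.100.0/24"),
    ("2024-01-01T10:40:00", "Member A", "198.51.100.0/24"),  # 2 hits, 35 min apart -> Yellow
] + [("2024-01-01T11:%02d:00" % (i * 5), "Member B", "203.0.113.%d/28" % (i * 16))
     for i in range(5)]                                      # 5 netblocks in 20 min -> one INC

def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any sliding window of the given size."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def classify_alarms(events):
    """Map (member, netblock) -> 'Red' or 'Yellow' according to the 15-minute rule."""
    hits = defaultdict(list)
    for ts, member, netblock in events:
        hits[(member, netblock)].append(datetime.fromisoformat(ts))
    return {k: "Red" if _max_in_window(v, WINDOW) >= RED_THRESHOLD else "Yellow"
            for k, v in hits.items()}

def plan_incidents(events):
    """Per member: list of INCs, each listing the netblocks it covers (one per netblock,
    unless 5+ alarms for different netblocks are raised within 30 minutes)."""
    per_member = defaultdict(dict)       # member -> {netblock: time its alarm was first raised}
    for ts, member, netblock in events:
        t = datetime.fromisoformat(ts)
        per_member[member][netblock] = min(t, per_member[member].get(netblock, t))
    plan = {}
    for member, raised in per_member.items():
        burst = _max_in_window(raised.values(), BURST_WINDOW) >= BURST_THRESHOLD
        plan[member] = [sorted(raised)] if burst else [[nb] for nb in sorted(raised)]
    return plan
```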

Notification

Notifications consist of three phases.  The notification and template used and sent via the Service Desk will depend on whether the member being attacked is an Indiana GigaPOP member or an I-Light member.  *An additional notification will be sent to members when an attack lasted less than the defined time.

  • A DDoS Attack is detected.
    • Members will receive a notification an attack has occurred.
    • The Service Desk will use the email template "Member XXXX [IP] DDoS Attack Mitigation Service Investigation"
  • Indiana GigaPOP Engineers activate mitigation (scrubbing) in response to an attack.
    • Members will receive a notification mitigation (scrubbing) has occurred.
    • The Service Desk will use the email template "Member XXXX [IP] DDoS Attack Mitigation Service (initiated)"
  • A DDoS Attack has subsided.
    • Members will receive a notification when an attack has subsided.
    • The Service Desk will use the email template "Member XXXX [IP] DDoS Attack Mitigation Service (ended)"
  • *A DDoS Attack was short-lived - lasted less than fifteen (15) minutes.
    • Members will receive a notification when an attack was short-lived.
    • The Service Desk will use the email template "Member XXXX [IP] DDoS Attack Mitigation Service (short-lived)"

Following the closure of the Engineering TASK, the Service Desk is required to send a final notification to the Member using either the "ended" or "short-lived" email template.  Additionally, the two (2) PDF reports provided via Engineering should be attached to the email that is sent to the Member.  The Service Desk will then hold the Incident (INC) open for 48 hours from the time the FINAL notification was sent to the Member to allow for response time.

Members who detect or suspect a DDoS threat that is undetected by the Indiana GigaPOP and who control their own BGP configuration may initiate mitigation (scrubbing). Indiana GigaPOP asks that members who initiate mitigation (scrubbing) on their own also notify the Indiana GigaPOP NOC.  Members who do not control their own BGP configuration and suspect a DDoS threat may contact the Indiana GigaPOP NOC and request an Engineer to assist.

Mitigation

Indiana GigaPOP Engineers, or members who control their own BGP configuration, can trigger mitigation (scrubbing) of prefixes up to /24 for IPv4 or /48 for IPv6 by modifying their BGP announcements to add a BGP community tag to the specific prefix.  Please refer to the Indiana GigaPOP BGP Communities documentation.  Members can inquire with Indiana GigaPOP Engineers through the NOC for the status of DDoS threats.  Zenedge provides a portal which will indicate both clean and attack traffic.  Most importantly, when the attack traffic has subsided, the Indiana GigaPOP Engineers or members can withdraw the additional BGP announcement.

Please be aware, adding the BGP community to a prefix announcement triggers two actions within the Indiana GigaPOP routing policies.  These actions occur simultaneously.  Please use cautiously.

  1. Suppress prefix to Commodity Transit and Commodity Peer Networks.  Prefixes tagged with the DDoS BGP Community that equal normal announcements will be suppressed to Commodity Transit and Commodity Peer Networks.  Prefixes tagged with the DDoS BGP Community that are longer than normal announcements will not suppress the normal announcement; instead, only the more specific prefix is advertised to Internet2/Zenedge.
  2. Announce prefix to Internet2/Zenedge DDoS Mitigation (Scrubbing) Service.  Prefixes announced to Internet2/Zenedge will force traffic from Commodity Transit and Commodity Peer Networks to ingress through Zenedge, to Internet2, to Indiana GigaPOP.
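The following is an added model of the two policy actions above, written for this page and not taken from the Indiana GigaPOP routing configuration. Given a member's normal announcements and the prefixes carrying the DDoS community, it computes what is advertised to Commodity Transit/Peers versus Internet2/Zenedge; the "up to /24 or /48" limit is read as a maximum prefix length, and a tagged prefix not covered by any normal announcement is treated as ignored (an assumption; the page does not say). Prefixes are constructed from documentation ranges.

```python
import ipaddress

MAX_LEN = {4: 24, 6: 48}   # scrubbing accepts prefixes up to /24 (IPv4) or /48 (IPv6)

# Constructed sample: documentation-range prefixes, not real member allocations.
SAMPLE_NORMAL = ["192.0.2.0/23", "198.51.100.0/24", "2001:db8::/32"]
SAMPLE_TAGGED = ["198.51.100.0/24",   # equals a normal announcement -> suppressed to commodity
                 "192.0.2.0/24",      # more specific than the normal /23 -> normal stays
                 "2001:db8:1::/48",   # more specific IPv6 -> normal /32 stays
                 "192.0.2.128/25"]    # longer than /24 -> outside the service, ignored

def build_announcements(normal, tagged):
    """Return what is announced per neighbor group after the DDoS-community actions."""
    normal_nets = [ipaddress.ip_network(p) for p in normal]
    commodity = set(normal_nets)      # Commodity Transit and Commodity Peer Networks
    scrubbing = set()                 # Internet2 / Zenedge scrubbing path
    rejected = []                     # tagged prefixes the policy does not act on
    for p in tagged:
        net = ipaddress.ip_network(p)
        if net.prefixlen > MAX_LEN[net.version]:
            rejected.append(str(net))
            continue
        covering = [n for n in normal_nets if n.version == net.version and net.subnet_of(n)]
        if net in commodity:
            commodity.discard(net)    # action 1: equal to normal -> suppress to commodity
            scrubbing.add(net)        # action 2: announce to Internet2/Zenedge
        elif covering:
            scrubbing.add(net)        # more specific: normal announcement stays, only the
                                      # more specific prefix goes to Internet2/Zenedge
        else:
            rejected.append(str(net)) # assumption: not covered by any normal announcement
    return {"commodity": sorted(map(str, commodity)),
            "scrubbing": sorted(map(str, scrubbing)),
            "rejected": rejected}

if __name__ == "__main__":
    for group, prefixes in build_announcements(SAMPLE_NORMAL, SAMPLE_TAGGED).items():
        print(group, prefixes)
```

Calling `build_announcements(SAMPLE_NORMAL, [])` models withdrawing the tag once the attack subsides: every normal prefix returns to the commodity announcement set.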

Reporting

Indiana GigaPOP and I-Light are working on a method to convey DDoS attack occurrences to members.  Due to the more sensitive nature of the information, publicly posting reports would be the last option.  More information on where to access reports of DDoS attacks will be available soon.
