Date

Attendees

  • Evangelos Spatharas
  • Nino Ciurleo
  • Silvia d'Ambrosio
  • Václav Bartoš

  • Linus Nordberg
  • David Schmitz

Goals

  • Status Updates of work items (FOD/SecEventProcessing/CT)

  • Status of DDoS Detection/Mitigation WG

       Concerning GEANT-operations-specific part:

         add question(s) about interest in a potential service for outsourcing Firewall/DDoS D/M functionalities (even) to campuses/institutions (maybe based on own SDN developments in future: FwaaS)?

  •  F2F-Meeting-Planning

  •  AOB

     

Discussion items

Time | Item | Who | Notes
FOD 
  • Currently investigating FOD source code and third party components/libraries used
    • investigating code especially regarding port range feature
    • GitHub (https://github.com/grnet/flowspy) has a newer version than the FOD test system test-fod.geant.net (v1.2 vs. v1.1.1)
      • obviously this also includes a REST interface, even for adding rules (at least from a first look at the docs), while the installed one has no REST interface
      • still to find out which commit the installed one actually represents
    • how to proceed for the new developments:
    • Evangelos will set up another test machine where the new version can be tested independently of the existing test system

  • add new FOD feature: redirection of strange traffic to (e.g.) a scrubbing center (i.e. to another VRF)?

->  add as additional FOD-related question to survey

 DDoS Detection/Mitigation Approaches 
  • Evangelos: Discussed potential scrubbing center solution (based on flowmon) in a short meeting with A10:
    • 2 solutions: DDoS defender or Deepfield; later on more advanced and seemingly with A10 devices for mitigation
  • Linus: Deepfield is used in Nordunet (for traffic metrics, not DDoS D/M), which is currently trying to replace it as it seems to be oriented more towards nice business analysis views; -> better to really analyze the underlying technical design of any approach to compare among them
  • Nino: why only test a solution from a single vendor? GARR has plans to compare solutions (e.g. for washing machine) of multiple vendors, e.g. Radware, Arbor, F5; also take into account the types of attacks addressed and the detection methods used (e.g. netflow for port-level detection; deep packet inspection to also detect application-level attacks; how to wash/redirect the traffic) as well as the effort needed -> why not perform this analysis jointly by GARR and GEANT?

  • Evangelos: e.g. other DDoS D/M approach from Xanataro

 DDoS Detection Mitigation Survey 
  • Evangelos will send proposal for GEANT-specific questions
  • Based on this, David will propose potential further questions concerning interest in FwaaS
 RepShield 
  • internal name of the Software: NERD; external (project) name: RepShield
  • working on automatic downloads of blacklists for NERD
  • started to implement login via Shibboleth (eduGAIN) -> maybe compare with eduGAIN integration of FOD (if needed)
 CT 
  • closed a couple of bugs and moved closer towards a 0.9 release
  • discussed the upcoming key and config management system a bit, so closer to a design
 Roadmap Draft 
  • current FOD: v1.1.1 installed, v1.2 on GitHub
  • FOD v2 eof 2017-04 as deliverable D8.2; including demo(s)
    • new (user) functionalities: e.g. rate limiting, statistics view
    • new management functionalities: internal logging
    • maybe first preliminary rule proposal from RepShield
  • DDoS detection/mitigation pilot (v0.5) eof 2017-07 as deliverable D8.3; including demo(s)
    •  FOD with automated rule proposal from RepShield
  • DDoS detection/mitigation v1 eof 2018; including demo(s)
    • more enhanced mitigation beyond BGP FlowSpec (FOD)
    • based on SDN OF/NFV (FwaaS)
    • also with integrated rule proposal from RepShield

  • CT production service v1 eof 2016; in parallel to first NREN deployments of CT server; maybe some demo of how to make use of it (maybe using curl with integrated CT support)
  • CT production service v2 eof 2017-10 as deliverable D8.4; including demo(s)
 F2F-Meeting-Planning 

Foodle to find appropriate date(s): http://foodl.org/foodle/Dste-for-potential-JRA2-T6-Kickoff-57b56

Some members have already filled it in. Anybody else: please fill it in!

David will clarify covering of expenses for non-task members (Silvia, Albert) with Jerry

 Next regular T6 VC 

Next regular T6 VC will be 07.09.2016, 14:00-14:30 CEST

Action items

  • David: will continue to investigate FOD source code and also try to get new version running on local machine (along with all needed libraries/dependencies)
  • Evangelos: install additional FOD test machine for testing new version separately
  • Evangelos: will discuss with superiors about common testing of commercial DDoS D/M solutions by GEANT and GARR (and maybe other NRENs)

  • RECURRING: Anybody who likes: may distribute information/overview/diagrams about potential/proposed/planned/existing DDoS D/M approach/proof-of-concept/deployment scenario, commercial or not, to the mailing list (or to T6 wiki: DDoS Detection/Mitigation Infos and/or DDoS Detection/Mitigation Approaches/DeploymentScenarios )
  • Evangelos: will send proposal for GEANT-specific questions in DDoS D/M survey
  • NOT NEEDED: David: Based on this, David will propose potential further questions concerning interest in FwaaS in DDoS D/M survey
  • All: Fill in Foodle to find date(s) for potential F2F Kickoff Meeting
  • David Schmitz: clarify covering of expenses of potential F2F Kickoff Meeting for non-task members (Silvia, Albert) with Jerry
  • All: next regular task VC: Wed, 07.09.2016, 14:00-14:30 CEST