Comment: Reverted from v. 12

Date

Attendees

Goals

  • Status Updates of work items (FOD/CT)
  • Status of DDoS Detection/Mitigation WG
  • F2F-Meeting-Planning: Discussing potential locations
  • Review Open Action Points from last VC(s)
  • AOB
  • David Schmitz (LRZ)

  • Tomas Cejka (CESNET)
  • Vaclav Bartos (CESNET)
  • Linus Nordberg (NORDUNET)
  • Magnus Ahltorp (KTH)
  • Nino Ciurleo (GARR)
  • Silvia d'Ambrosio (GARR)
  • Marco Marletta (GARR)

Goals

  • Initial Kick-Off VC: introduction of the task and its members

Discussion items

As Linus and Magnus are not here today, David will contact them separately about status.
In 4 weeks: 03.06.2017, 14:15-15:15 CE(S)T, as David is not available Wednesday in 2 weeks.
Time | Item | Who | Notes
 Firewall On Demand (FOD) 
  • (info page for FOD development https://wiki.geant.org/pages/viewpage.action?pageId=63965046)
  • Testing of new FOD features on FOD test machines
    • goal in the upcoming weeks
      • is to fully test the port range feature developed by Tomáš, as well as the graphs statistics module and REST API by GRNET,
      • eventually also on the first test machine, which is close to production as it is connected to the production network
      • and for the first test machine it has to be investigated how the new FOD and its modules can be deployed in a way that is suitable for and follows GEANT installation techniques/procedures (e.g. Puppet usage)
    • issue with the name conflict of the graphs module is still unsolved; Tomáš will investigate further
    • issue with port specification: lists of ports/port ranges no longer work; Tomáš will investigate the respective user input parsing code
 DDoS Detection/Mitigation (D/M) WG 
  • Fastnetmon testing at GARR:
    • Silvia and Nino are still working on their proposal for multi-domain use of fastnetmon, where fastnetmon is used at the institution side and can signal to upstream for mitigation based on local decision of
    • They are cooperating with other colleagues and also a range of users (with different operating/management requirements) in GARR to create a full POC together with them in GARR
    • Silvia/Nino may still send Tangui a preliminary draft of their proposal so that Tangui can get an idea and can compare both solutions
  • FlowMon DDoS Defender detection + A10 box mitigation testing
    • A10 will provide a special reporting module which allows provision of statistics after the end of an attack
    • The testing may check for consistency of statistics during and after attack (for later integration into extended FOD)
    • Some weeks ago a simple configuration change caused a serious crash of FlowMon + DDoS Defender which was not recoverable by reboot; this still has to be investigated by FlowMon
  • Deepfield detection + A10 box mitigation testing
    • Serious bug exists which prevents Deepfield from actual DDoS detection even 20 minutes after the attack
    • Some issues with the GUI exist
    • A current limitation allows only one type of mitigation action to be applied to a simple subnet
    • => Deepfield promised to fix these issues
  • CORSA NSE7000 testing
    • not yet started; but box is already in the lab
  • DDoS D/M Survey:
    • Poll for ddos@geant.org mailing list will end in 1-2 weeks, Evangelos will send final mail;
    • Up to now 20 answers from 19 different NRENs: general evaluation of answers:
      • balanced number of answers from managers, network engineers, and security engineers
      • FOD is very well known to the (answering) NRENs
      • Most of the answering NRENs are using netflow-based DDoS detection
      • GEANT-provided scrubbing center solution is desired by most of the answering NRENs (73.7%)
      • Further collaboration with other NRENs desired: experience sharing (33.3%) or even common development (38.9%)
 RepShield/NERD 
  • Student work has started which tries to tag/classify IP addresses/hostnames according to
        • their general type, e.g. VPN
        • and their attack behaviour
 Certificate Transparency (CT) 
 F2F Meeting Planning 
  • A new Foodle poll for the F2F meeting exists, but answering may be hard if the place of the meeting is not known (because of unclear travel duration)
  • So, first the potential locations have to be found. Candidates currently are:
        • Garching near Munich (LRZ)
        • Prague: possible
        • Rome: possible, preferably after Summer (e.g. in June, May)
        • Stockholm
        • Cambridge: possible
  • For each of these potential locations everyone should check how long travel might potentially be for her/him
 Next VC 

Action items

  •  David/Evangelos/Tomáš: get plugin for graphs in FOD from GRNET running
  •  Silvia/Nino: send Tangui preliminary slides about fastnetmon proposal draft
  •  Silvia/Nino: provide proposal about multi-domain usage scenario for fastnetmon in wiki (e.g., at or below DDoS Detection/Mitigation WG File Area)
  •  Silvia/Nino: if possible, provide some summary in wiki about Radware POC (e.g., at or below DDoS Detection/Mitigation WG File Area)
  •  all: think about potential new candidate NOC mailing lists for DDoS survey extension (URL of survey https://docs.google.com/forms/d/e/1FAIpQLSeY0tVy43S7W4Z65s2j1O73IxBNuZwV6fSWWGZWOat3TXqWYw/viewform?c=0&w=1&usp=mail_form_link)
  •  Linus/Magnus/David: internal presentation for CT use cases/service
  •  all interested in DDoS D/M WG: fill new foodle
  •  all: think about location and possibility to host F2F meeting
  •  all: Next regular T6 VC: 03.06.2017, 14:15-15:15 CE(S)T

...

 

Introduction of people  
 JRA2 in general and in particular T6 - all sub tasks

Short introduction; detailed information will be given at the Malaga meeting

  
 Malaga meeting   
 Ancillary working group on DDoS attacks mitigation: The GARR network is currently experiencing a high number of DDoS attacks. So GARR is cooperating with commercial vendors as well as academic organizations (e.g. ntop) on how to detect DDoS attacks. GARR would share its experiences in a dedicated working group (WG) on this subject. A separate VC will be scheduled for this.  
 Regular task VC: A Foodle poll will be provided to find a regular time slot  
     

Action items

  •  David Schmitz: Create Foodle poll for regular task VC
  •  David Schmitz: Create Foodle poll for next VC of DDoS mitigation WG
  •  all: fill foodle poll for regular task VC
  •  all interested in DDOS mitigation WG: fill foodle poll
  •  Magnus Ahltorp, Linus Nordberg: send your jabber IDs
  •  all: check whether you can attend Malaga meeting ideally in person or VC and undertake any actions necessary for it
  •  Magnus Ahltorp, Linus Nordberg: prepare and provide (ideally present at Malaga) slides for overview of existing software component (architecture, languages, technologies involved - everything interesting for developers in T6 and the other tasks): CT 
  •  Vaclav Bartos, Tomas Cejka: prepare and provide (ideally present at Malaga) slides for overview of existing software components (architecture, languages, technologies involved - everything interesting for developers in T6 and the other tasks): Warden, RepShield, referential alert detection toolset for security testbed
  •  user-02146: prepare and provide (ideally present at Malaga) slides for overview of existing software components (architecture, languages, technologies involved - everything interesting for developers in T6 and the other tasks): FOD

...