FoD v1.5 = FoD with new functionalities: rule range specification, current rule behaviour statistic graphs, multi-tenant rule control REST-API
FoD v1.6 = FoD with automated rule proposal from RepShield
FoD v1.5 Pilot UAT testing
Existing user documentation (currently a presentation document, especially regarding the rule control REST API) should be extended into a proper document, e.g. for use in future user trainings
The pilot evaluation survey which was used for FoD v1.1 has to be reviewed and updated for v1.5
Third UAT VC: feedback from pilot users:
LITNET: HTTPS connection issues with the UAT server
EENET: format restriction for names of rules?
EENET: it may be useful to at least extend the statistics interval to 7 days (the current maximum auto-expire time)
EENET: are graphs continued after a rule expires and is reactivated?
LITNET and EENET both have DDoS detection based on nfsen (mainly for UDP attacks), as well as volume-to-host threshold checking (e.g. based on Cacti); LITNET is currently also investigating FastNetMon
LITNET (and also EENET) mostly see short attacks, 5-10 min
EENET: attacks from GEANT+Nordunet link
EENET has started to test the REST API; e.g. it would be nice to have the possibility to reactivate a rule every week after its auto timeout
idea (LITNET): for a single attacker IP address+port, allow blocking traffic to a whole subnet (also larger than /29) to mitigate e.g. scanning attacks
issues on the FoD test machines: the firewall configuration was lost and had to be restored; the local Puppet interfered with FoD when trying to reinstall old FoD file versions
Hands-On during this VC on FoD test server:
TCP/UDP Port 0 specification tested with real traffic
allowed any length for TCP/UDP port ranges (initially it had been limited to 100 because of concerns regarding BGP FlowSpec performance)
increased the setting for the max length of mitigation stats from 1 day to 7 days: the effect on graphs will have to be checked; ideally zooming features should be implemented
increased the setting for the max auto expiration time of rules from 7 days to 30 days; issues with the JavaScript DatePicker still have to be investigated
added link for JSON data export of mitigation statistics
=> after further checking: the resulting config updates and a new RPM with the new modifications should be installed on the FoD UAT server so that pilot users can test the modifications
FoD v1.5 production service documents
Now, for the future production phase of FoD v1.5 (and all further versions), all necessary PLM documents have to be prepared, e.g. CBA, service description, service design plan
Especially for the operative documents this will be done in close cooperation with Evangelos
Evangelos will check the service template to get acquainted with it
FoD v1.6 (with RepShield) development/testing/pilot:
DDoS simulation/testing: configuration changes in the test Flowmon instance have been made: it is now possible to simulate/test DDoS attacks against one of the FoD test machines as victim from anywhere, e.g. using the hping3 tool
Hands-On during this VC on FoD test server:
test Warden/RepShield: some components were no longer running; this was fixed during the VC
the test Flowmon instance has apparently not been exporting its alerts to the test Warden since 01.12.2017; this needs to be investigated
DDoS Detection/Mitigation (D/M) WG
GARR DDoS D/M PoCs/Testing Framework
GARR DDoS working-group F2F meeting took place: agreed to do a joint experimentation in the coming months.
=> test the Radware washing machine with a GARR user; detection systems: FastNetMon, Security Onion, a smaller Radware box and others
In the next days: start the Radware PoC
RepShield/NERD
RepShield/NERD development: some performance improvements
Silvia/Nino will check how to share alert data from their FastNetMon PoC to Warden; Václav will support them in writing/installing a Warden filer script for exporting
T6 Code on Github
Nicole Harris still needs to grant write permission to Tomáš and Václav to publish code on GEANT github