Helping NRENs defend against DDoS and other malicious attacks
Distributed Denial of Service (DDoS) is a severe and growing problem throughout the R&E community. The impact on time-sensitive research can be major, and DDoS is often used to mask other malicious activity. GÉANT has implemented a range of services to help NRENs and the wider community mitigate DDoS. Delivering these services centrally across the GÉANT backbone lets NRENs draw on the skills, expertise and facilities of GÉANT.
To help NRENs and their users, GÉANT has implemented two key technologies:
- Firewall on Demand
- Remote Triggered Blackholing
Firewall on Demand
Firewall on Demand (FoD) is a powerful system which allows authorised users, via a web portal, to quickly create and disseminate firewall filters based on traffic flows to or from their designated address space. This system allows NRENs to filter and block malicious traffic flows from within the GÉANT backbone giving NRENs unprecedented power and control.
FoD’s key features are:
- Precision – specific malicious flows can be targeted
- Speed – filters are disseminated or withdrawn in under 10 seconds
- Convenience – NREN users can use the web portal themselves, or make a request by phone or e-mail
- Simplicity – the web portal uses an intuitive, vendor-neutral GUI-based wizard to configure router firewall filters
FoD is powered by standards-based BGP Flow Specification ("flowspec") as specified in RFC 5575 (since obsoleted by RFC 8955, which keeps the same rule encoding). A flowspec rule is carried as BGP NLRI and describes a traffic flow by destination and source prefix, IP protocol, ports and similar fields; the action (discard or rate-limit) travels alongside it as an extended community.
The ability for NRENs to extend their control of traffic across the GÉANT backbone is a uniquely powerful feature of the partnership between NRENs and GÉANT.
For more information on Firewall on Demand, download the FoD user guide: Firewall on Demand User Guide.pdf
Remote Triggered Blackholing (RTBH)
Remote Triggered Blackholing (RTBH) is a mechanism used mainly to defend against D(D)oS. It is much coarser than Firewall on Demand: instead of matching individual flows it discards all traffic to the targeted host, so it completes the denial of service against that one host in order to protect the rest of the network and the upstream links. It is nevertheless effective when a volumetric attack would otherwise saturate links, and the announcement should be withdrawn as soon as the attack subsides.
For the moment GÉANT accepts and blackholes host routes only (IPv4 /32, IPv6 /128) when they are announced over BGP tagged with the standard community 20965:0008 (that is, 20965:8, GÉANT's AS number 20965 followed by the value 8). Announcements for wider prefixes, or without the community, are not blackholed.
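As an added example (not GÉANT's code, and not how an NREN would normally trigger it; in practice the host route and community are configured on the NREN's own router), the following builds the IPv4 BGP UPDATE that an RTBH announcement amounts to and then applies the acceptance rule stated above on the receiving side: a host route (/32 or /128) carrying community 20965:8. The local AS 64496, the next-hop 192.0.2.1 and the victim address 192.0.2.10 are constructed documentation values; the AS_PATH uses the 2-byte encoding of a session without the AS4 capability.

```python
"""Build and validate an RTBH announcement (RFC 4271 UPDATE, RFC 1997 community).

Added example, not GÉANT's code. Acceptance rule from the page: host routes
only (/32, /128) tagged with community 20965:8 (written 20965:0008 above).
"""
import ipaddress
import struct

RTBH_COMMUNITY = "20965:8"      # GÉANT's blackhole community, as on the page
LOCAL_AS = 64496                # constructed: documentation ASN for the NREN side
LOCAL_NEXT_HOP = "192.0.2.1"    # constructed: the NREN router's peering address

BGP_UPDATE = 2
ATTR_ORIGIN, ATTR_AS_PATH, ATTR_NEXT_HOP, ATTR_COMMUNITIES = 1, 2, 3, 8


def community_bytes(text):
    """'ASN:value' -> 4-byte standard community (RFC 1997)."""
    asn, value = (int(x) for x in text.split(":"))
    return struct.pack(">HH", asn, value)


def _attr(flags, code, value):
    """Path attribute with a 1-byte length (all values here are < 256 bytes)."""
    return bytes([flags, code, len(value)]) + value


def build_rtbh_update(victim, local_as=LOCAL_AS, next_hop=LOCAL_NEXT_HOP):
    """IPv4 UPDATE announcing one host route tagged for blackholing."""
    net = ipaddress.ip_network(victim, strict=True)
    if net.version != 4:
        raise ValueError("this example builds IPv4 UPDATEs only")
    attrs = b"".join([
        _attr(0x40, ATTR_ORIGIN, b"\x00"),                                # IGP
        _attr(0x40, ATTR_AS_PATH, struct.pack(">BBH", 2, 1, local_as)),   # AS_SEQUENCE, 1 AS
        _attr(0x40, ATTR_NEXT_HOP, ipaddress.IPv4Address(next_hop).packed),
        _attr(0xC0, ATTR_COMMUNITIES, community_bytes(RTBH_COMMUNITY)),  # optional transitive
    ])
    nbytes = (net.prefixlen + 7) // 8
    nlri = bytes([net.prefixlen]) + net.network_address.packed[:nbytes]
    body = struct.pack(">HH", 0, len(attrs)) + attrs + nlri   # no withdrawn routes
    header = b"\xff" * 16 + struct.pack(">HB", 19 + len(body), BGP_UPDATE)
    return header + body


def parse_update(msg):
    """Return (['prefix/len', ...], ['ASN:value', ...]) from an IPv4 UPDATE.
    Honours the extended-length attribute flag (0x10) as well."""
    if msg[:16] != b"\xff" * 16 or msg[18] != BGP_UPDATE:
        raise ValueError("not a BGP UPDATE")
    pos = 19
    withdrawn_len = struct.unpack(">H", msg[pos:pos + 2])[0]
    pos += 2 + withdrawn_len
    attr_len = struct.unpack(">H", msg[pos:pos + 2])[0]
    pos += 2
    attr_end = pos + attr_len
    communities = []
    while pos < attr_end:
        flags, code = msg[pos], msg[pos + 1]
        if flags & 0x10:
            length = struct.unpack(">H", msg[pos + 2:pos + 4])[0]
            pos += 4
        else:
            length = msg[pos + 2]
            pos += 3
        value = msg[pos:pos + length]
        pos += length
        if code == ATTR_COMMUNITIES:
            communities += [f"{a}:{v}" for a, v in struct.iter_unpack(">HH", value)]
    prefixes = []
    while pos < len(msg):
        plen = msg[pos]
        nbytes = (plen + 7) // 8
        addr = msg[pos + 1:pos + 1 + nbytes].ljust(4, b"\0")
        prefixes.append(f"{ipaddress.IPv4Address(addr)}/{plen}")
        pos += 1 + nbytes
    return prefixes, communities


def rtbh_accepts(prefix, communities):
    """The upstream's acceptance rule from the page: a host route (/32 or /128)
    carrying the blackhole community. Wider prefixes must never be blackholed,
    since that would drop traffic for every host in them."""
    net = ipaddress.ip_network(prefix, strict=True)
    host_route = net.prefixlen == (32 if net.version == 4 else 128)
    return host_route and RTBH_COMMUNITY in communities


if __name__ == "__main__":
    msg = build_rtbh_update("192.0.2.10/32")
    prefixes, communities = parse_update(msg)
    print(len(msg), prefixes, communities)
    print([rtbh_accepts(p, communities) for p in prefixes])
```

The `rtbh_accepts` check is the one an NREN should mirror in its own export policy towards GÉANT: a route-map or policy statement that only lets /32 and /128 routes carrying 20965:8 out of the RTBH path, so a fat-fingered /24 cannot be blackholed by accident.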