CENIC is now offering its members protection from Distributed Denial of Service (DDoS) attacks, which have the potential to prevent people from accessing online resources, and in the worst cases, to take institutions offline completely. A DDoS attack is a cyberattack in which the perpetrator overwhelms the target or its surrounding infrastructure with a flood of Internet traffic.
DDoS attacks are increasing in size, frequency, and duration. During the first quarter of 2020, the total number of attacks observed doubled, attack duration increased by 24%, and Amazon Web Services recorded the largest attack ever at a peak traffic volume of 2.3 Terabits per second.
CENIC’s member institutions are increasingly reliant upon network access and the COVID-19 pandemic has only increased this reliance on the network’s resiliency. The potential for a DDoS attack to have a crippling effect on our organizations motivated CENIC to conduct a pilot using cloud-based DDoS mitigation services (DMS) in 2018-19. The pilot was conducted with K12HSN, and as commercial DDoS mitigation services are expensive, participating K-12 sites were “eternally grateful” to be able to take part in the pilot. When surveyed after the project, a vast majority (92%) found the pilot effective.
CENIC’s Managed and Self-Service DMS
CENIC is able to offer DMS through its membership with Internet2. Radware offers an on-demand, cloud-based DMS at attractive rates to Internet2 members. CENIC is able to use and offer this service to CENIC associates, leveraging CENIC's high-capacity direct connections with Internet2 in Los Angeles and Sunnyvale.
CENIC’s DMS detects and mitigates volumetric attacks that operate at the network and transport layers of the Open Systems Interconnection (OSI) model. Most DDoS attacks target network infrastructure and equipment in an effort to overwhelm bandwidth and session-handling capacity. In contrast, DDoS mitigation techniques would not generally protect against other cyberattacks that target application-layer vulnerabilities, such as ransomware/malware, Structured Query Language (SQL) injection, and cross-site scripting. This is an on-demand service that can be initiated when an event has occurred; it is not an “always-on” service that provides continuous protection from attacks.
CENIC is offering both self-service and managed DMS to members connected to CalREN. The self-service and managed solutions differ in who is responsible for portions of monitoring and response. Traffic for both solutions will be cleaned by Radware’s DDoS scrubbing centers located in the US, which have a total capacity of 2 Tbps. Both solutions support DDoS mitigation for IPv4 and IPv6.
With the self-service solution, each institution is a tenant of the Internet2/Radware service and is responsible for its own DDoS detection and activation of mitigation scrubbing services. Tenants are downstream of CENIC as the subscriber. Tenants receive direct access to the provider Security Operations Center (SOC) to initiate scrubbing, access to a portal to review mitigation efforts and subsequent reports, and direct virtual routing and forwarding (VRF) across the Internet2 network to carry clean traffic to the tenant’s routers.
CENIC’s managed DMS will rely on CENIC's expertise to handle mitigation with Radware. CENIC has developed in-house tools to assist with DDoS detection and identification using netflow data that is continuously being ingested from backbone interfaces. This allows CENIC operations to quickly distinguish potential DDoS attacks and take appropriate actions on behalf of associates using this service.
When a DDoS attack is identified, CENIC operations will request approval from the network contact at the site before initiating mitigation. Once approved, operations will adjust routing policies to shift traffic bound for that site to Radware, with all “clean” incoming traffic coming to the site through Radware’s scrubbing servers. Clean traffic is returned over the 4-Gigabit per second connection that CENIC has established with Radware and Internet2. The service is capable of scrubbing /24 subnets for IPv4 and /48 subnets for IPv6. After a DDoS attack has been monitored and no further occurrences have been seen for 48 hours, a post-mortem report will be generated and provided to affected associates.
CENIC’s managed DMS provides all of the technical setup to support mitigation routing, DDoS detection of volumetric attacks, activation of mitigation scrubbing services upon customer approval, and quarterly reports of mitigation activity. CENIC members who take advantage of the managed DMS will interface directly with the CENIC Network Operations Center for all DDoS-related incidents. Operational procedures have been developed to handle DDoS-specific events.
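The flow-based detection and the /24 and /48 scrubbing granularity described above can be sketched as follows. This is an added example, not CENIC's in-house tooling: the record fields, the 60-second window and both thresholds are assumptions, and the flow records are constructed from documentation address ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real traffic), one export window.
SAMPLE_FLOWS = [
    {"src": "192.0.2.1", "dst": "198.51.100.10", "bytes": 600_000_000, "packets": 450_000},
    {"src": "192.0.2.2", "dst": "198.51.100.77", "bytes": 300_000_000, "packets": 220_000},
    {"src": "192.0.2.3", "dst": "203.0.113.5", "bytes": 3_000_000, "packets": 3_000},
    {"src": "2001:db8:ffff::1", "dst": "2001:db8:1:2::5", "bytes": 128_000_000, "packets": 2_000_000},
    {"src": "2001:db8:ffff::2", "dst": "2001:db8:1:ff::9", "bytes": 102_400_000, "packets": 1_600_000},
]

WINDOW_SECONDS = 60            # assumed aggregation window
BPS_THRESHOLD = 100_000_000    # assumed per-prefix bandwidth alarm (bits/s)
PPS_THRESHOLD = 50_000         # assumed per-prefix packet-rate alarm

def divert_prefix(addr):
    """Map a destination to the prefix that would be diverted:
    /24 for IPv4, /48 for IPv6 (the granularity stated on this page)."""
    ip = ipaddress.ip_address(addr)
    length = 24 if ip.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{length}", strict=False)

def detect_volumetric(flows, window=WINDOW_SECONDS, sampling=1):
    """Aggregate flows per divertable prefix and flag those whose bit rate
    or packet rate crosses a threshold. `sampling` scales sampled exports."""
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0, "sources": set()})
    for flow in flows:
        entry = totals[divert_prefix(flow["dst"])]
        entry["bytes"] += flow["bytes"] * sampling
        entry["packets"] += flow["packets"] * sampling
        entry["sources"].add(flow["src"])
    alerts = []
    for prefix, entry in totals.items():
        bps = entry["bytes"] * 8 / window
        pps = entry["packets"] / window
        if bps >= BPS_THRESHOLD or pps >= PPS_THRESHOLD:
            alerts.append({
                "prefix": str(prefix),
                "bps": bps,
                "pps": pps,
                "sources": len(entry["sources"]),
                "reason": "bandwidth" if bps >= BPS_THRESHOLD else "packet rate",
            })
    # Highest-bandwidth prefixes first, for operator triage.
    return sorted(alerts, key=lambda a: a["bps"], reverse=True)

if __name__ == "__main__":
    for alert in detect_volumetric(SAMPLE_FLOWS):
        print(alert)
```

Aggregating per divertable prefix rather than per host catches floods spread across many addresses in one subnet, and the packet-rate check catches small-packet floods that stay under the bandwidth threshold.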
How Do I Get Started?
Many CENIC members are already taking advantage of CENIC’s DMS. University of California sites have opted to use the self-service solution, while K12HSN is using the managed solution. If you are connected to CalREN and you’d like to take advantage of CENIC’s DMS, contact the CENIC NOC at noc@cenic.org to discuss plans and pricing.