Janet network DDoS experiences - Networkshop44


Upload: jisc

Post on 23-Jan-2018


TRANSCRIPT

Page 1: Janet network DDoS experiences - Networkshop44

Janet Network DDoS Experience

23/03/2016 Janet Network DDoS Experience

Page 2


Tim Kidd, Executive director, Jisc, [email protected]

What happened in early December

Page 3

To set the scene…

» I will say more than we have said publicly

» There is a police investigation ongoing

» Confidentiality


Page 4

Timeline

» Tuesday 1 Dec, 11:15, 1 hour: attack directed at a NW institution, then at infrastructure

» Friday 4 Dec, 13:58, 40 minutes: initial blocks in place at 14:35, attack blocked

» Friday 4 Dec, 15:54, 20 minutes: initial blocks at 16:02 had little impact; attack blocked at 16:16

» Monday 7 Dec, 09:11, 1 hour 10 minutes: initial blocks at 09:47 had little impact; attack blocked at 10:18

» Monday 7 Dec, 11:17, 25 minutes: attack blocked at 11:40

» Tuesday 8 Dec, 09:10, 3 hours 30 minutes: blocked at 10:10, but further problems due to defensive blocks


Engineers prepared next level of blocks to install Monday morning

Jisc website hit at 11:39. Coincidence?

Page 5

Communication

» Declared a major incident; used web page and Twitter @JiscMI

» In accordance with the major incident procedure, staff were moved from normal duties to bolster the Janet Service Desk, but there were still more calls than we could handle


Page 6

External border protection

» ≈50 routers to configure

» Blocked IP fragments to all infrastructure

» Policed TCP, UDP and ICMP to core infrastructure

» Site access link infrastructure under way
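The three border measures on this slide, modelled in code. This is an added example and not Jisc's router configuration: it applies the policy to constructed packet records, dropping IP fragments addressed to any infrastructure address, policing TCP, UDP and ICMP addressed to core infrastructure with a per-protocol token bucket, and leaving customer-bound traffic alone. The address plan (documentation ranges), the policer rates and the burst sizes are assumptions for illustration.

```python
"""
Added example, not Jisc's configuration: a model of the border policy
described on the slide, run over constructed packets.  Prefixes, rates and
bursts are assumed values.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address plan (not Janet's): infrastructure = every router/link
# address; core = the subset that must stay reachable (routing, management).
INFRA_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
CORE_PREFIXES = [ip_network("192.0.2.0/25")]

# Assumed policer settings for traffic to core: proto -> (bytes/s, burst bytes).
POLICER = {"tcp": (1_000_000, 200_000), "udp": (500_000, 100_000),
           "icmp": (50_000, 10_000)}


@dataclass
class Packet:
    t: float                  # arrival time in seconds
    dst: str
    proto: str                # "tcp", "udp", "icmp", ...
    length: int               # bytes on the wire
    frag_offset: int = 0      # non-zero for non-initial fragments
    more_fragments: bool = False


class TokenBucket:
    """Single-rate policer: a packet passes only if enough tokens remain."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, t, nbytes):
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


def in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


class BorderFilter:
    def __init__(self):
        self.buckets = {p: TokenBucket(*rb) for p, rb in POLICER.items()}

    def decide(self, pkt):
        dst = ip_address(pkt.dst)
        # 1. Fragments to any infrastructure address are dropped first:
        #    reassembly state is exactly what an attacker wants the box to hold.
        if (pkt.frag_offset or pkt.more_fragments) and in_any(dst, INFRA_PREFIXES):
            return "drop-fragment"
        # 2. TCP/UDP/ICMP to core is policed.  The slide names only these
        #    three protocols, so anything else to core passes unpoliced here.
        if in_any(dst, CORE_PREFIXES) and pkt.proto in self.buckets:
            ok = self.buckets[pkt.proto].allow(pkt.t, pkt.length)
            return "permit" if ok else "drop-policed"
        # 3. Customer-bound traffic is untouched by this policy.
        return "permit"


def run_policy(packets):
    """Apply the policy in arrival order; returns [(packet, verdict), ...]."""
    f = BorderFilter()
    return [(p, f.decide(p)) for p in sorted(packets, key=lambda p: p.t)]


def summarize(packets):
    return Counter(v for _, v in run_policy(packets))


# Constructed traffic mix, not captured data.
CORE_RTR, INFRA_LINK, CUSTOMER = "192.0.2.1", "198.51.100.7", "203.0.113.10"
SAMPLE_PACKETS = (
    [Packet(0.0, CORE_RTR, "icmp", 1000) for _ in range(100)]    # ICMP flood at a core router
    + [Packet(0.0, CORE_RTR, "tcp", 1000) for _ in range(300)]   # TCP flood at the same router
    + [Packet(0.0, INFRA_LINK, "udp", 1400, frag_offset=185) for _ in range(5)]  # fragments at a link address
    + [Packet(0.0, CUSTOMER, "udp", 1400, frag_offset=185) for _ in range(3)]    # fragments to a customer
    + [Packet(0.0, CUSTOMER, "tcp", 1500) for _ in range(50)]    # ordinary customer traffic
    + [Packet(0.001, CORE_RTR, "icmp", 64)]                      # legitimate monitoring ping, 1 ms later
)
MONITOR_PING = SAMPLE_PACKETS[-1]


def monitoring_ping_verdict():
    """Collateral case: the ping shares the ICMP bucket with the flood."""
    return next(v for p, v in run_policy(SAMPLE_PACKETS) if p is MONITOR_PING)
```

With the assumed numbers, the first 10 ICMP and first 200 TCP packets of each flood use up the bursts, the rest are policed away, the five fragments to the link address are dropped, and all customer-bound traffic passes. The monitoring ping one millisecond later is also dropped, because the bucket has refilled only 50 bytes: that is the "further problems due to defensive blocks" effect from the timeline, and the reason the policer rates for core need to be set with the legitimate management traffic in mind.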


Page 7

Lessons Learned

» BBC DDoS attack on 31 December caused people to think Janet was being attacked

» A malicious attack feels very different from other major incidents

» Potential misuse of public updates via Twitter – use SMS directly to nominated people

» A more nuanced response (bronze, silver, gold) and difference between Major Incident and High Impact Incident

» Accelerate the DDoS element of our security programme

» Secure the infrastructure address space

Page 8


Steve Kennett, Head of operational [email protected]

Responding to a changing threat landscape

Page 9

Security programme

» Information security management

» ISO27001

» DDoS mitigation

» Security X-ray

» Cybersecurity intelligence

» Vulnerability assessment

» Phishing mitigation

» Malware analysis

» Digital forensics

» Password managers

» Web filtering


Page 10

What’s changing in the threat landscape?

» Janet and customer infrastructure has now been directly targeted

» Attacks appear to be more reactive to countermeasures we deploy

» An effective attack now only requires a credit card

» The cost of launching an attack continues to drop


Page 11

The challenge of dealing with large scale DDoS

» Requires coordinated action between customer and Janet operations:

› Impacts the weakest link between where attacks enter Janet and the target system

› Depending on scale can disrupt customer, regional or even national infrastructures

› Once customer access link capacity is overloaded you have limited options

› Providing advice on likely duration and impact of event(s)

› Multiple internet connections do not necessarily help depending on nature and sophistication of attack

› Asymmetry of costs between attackers and defenders


Page 12

Impact of mitigation (I)

» We have to detect attacks in order to apply mitigation: it is a reactive function

» Traffic will have to be re-routed to apply mitigation

» Some traffic latency will be introduced

» Mitigation is not 100% effective – some 'attack' traffic will still get through

» Can create false positives – blocking genuine traffic

» Legitimate traffic flows look similar to large scale DDoS: improved awareness and coordination are required
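The two caveats that matter most on this slide, reactive detection and false positives on legitimate traffic, shown on a minimal volumetric detector. This is an added example and not Jisc's detection system: it runs over constructed NetFlow-style records, flags a destination whose inbound rate in a one-minute window jumps well above its own recent baseline, and then shows a legitimate bulk transfer tripping the same threshold. The distinct-source count is the extra signal used to separate the two cases. Addresses, window size, thresholds and the heuristic source count are all assumptions.

```python
"""
Added example, not Jisc's detection system: a per-destination volumetric
detector over constructed flow records (ts, src, dst, bytes).  Window size,
thresholds and addresses are assumed values.
"""
from collections import defaultdict

WINDOW = 60                   # seconds per bucket
ABS_FLOOR_BPS = 50_000_000    # below 50 Mb/s nothing is worth a ticket (assumed)
RATIO = 5.0                   # alert when a window exceeds 5x the baseline (assumed)
MIN_SOURCES_FOR_DDOS = 100    # crude source-diversity heuristic (assumed)
MIN_HISTORY = 3               # windows needed before a baseline is trusted


def bucketize(flows):
    """flows: iterable of (ts, src, dst, bytes) -> {window: {dst: [bytes, {src}]}}"""
    wins = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for ts, src, dst, nbytes in flows:
        entry = wins[ts // WINDOW][dst]
        entry[0] += nbytes
        entry[1].add(src)
    return wins


def median(xs):
    s = sorted(xs)
    n = len(s)
    return s[n // 2] if n % 2 else (s[n // 2 - 1] + s[n // 2]) / 2


def classify(flows):
    """Returns [(window, dst, bps, distinct_sources, verdict), ...] in time order."""
    wins = bucketize(flows)
    history = defaultdict(list)      # dst -> bps of earlier windows
    out = []
    for w in sorted(wins):
        for dst, (nbytes, srcs) in sorted(wins[w].items()):
            bps = nbytes * 8 / WINDOW
            past = history[dst]
            verdict = "normal"
            # Reactive by construction: a window has to close before it can be
            # judged, and the first MIN_HISTORY windows only build the baseline.
            if len(past) >= MIN_HISTORY and bps >= ABS_FLOOR_BPS:
                baseline = median(past)      # median resists earlier attack windows
                if bps > RATIO * baseline:
                    # Same rate signature either way; only source diversity
                    # separates a flood from a legitimate bulk transfer.
                    verdict = ("ddos" if len(srcs) >= MIN_SOURCES_FOR_DDOS
                               else "volume-anomaly")
            past.append(bps)
            out.append((w, dst, bps, len(srcs), verdict))
    return out


def constructed_flows():
    """Constructed records, not Janet data: 13 one-minute windows for one target."""
    target = "203.0.113.10"
    flows = []
    for w in range(13):                                   # steady state: 20 sources, 40 Mb/s
        for s in range(20):
            flows.append((w * WINDOW + s, f"198.51.100.{s + 1}", target, 15_000_000))
    for i in range(2000):                                 # window 10: 2000 sources, ~1.3 Gb/s
        flows.append((10 * WINDOW + i % 60, f"10.0.{i // 250}.{i % 250 + 1}", target, 5_000_000))
    for s in ("192.0.2.50", "192.0.2.51"):                # window 12: two mirrors pull 1.5 GB each
        flows.append((12 * WINDOW, s, target, 1_500_000_000))
    return flows


def verdict_by_window(flows):
    return {w: v for w, _, _, _, v in classify(flows)}
```

Window 10 comes out as "ddos" (2020 sources, about 1.37 Gb/s against a 40 Mb/s baseline). Window 12 is the false-positive case the slide warns about: 440 Mb/s from 22 sources is eleven times the baseline and would be blocked by a rate-only rule, yet it is two legitimate mirrors. The detector reports it as "volume-anomaly" for a human to check rather than mitigating it automatically, which is the "improved awareness and coordination" point in practice: the customer has to be able to tell the network operator that a burst is expected.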


Page 13

Impact of mitigation (II)

» Greater automation is required to free up resources, control costs and support response time

» Mitigation capacity is expensive to deliver and operate

» Organisations under persistent attack can be kept in mitigation, but capacity is limited

» Arms race in capacity terms is likely

» System complexity


Page 14


Questions?

Page 15

jisc.ac.uk


Tim Kidd

Executive director, Jisc technologies

[email protected]