Internet2


DDoS Mitigation Service

overview

Internet2 DDoS Mitigation Service

Internet2 is pleased to offer a cloud-based volumetric Distributed Denial of Service (DDoS) Mitigation Service procured on behalf of the community from a commercial service provider.

Community Effort

After the community encouraged Internet2 to obtain a DDoS Mitigation service, members of the Security Working Group developed requirements for a cloud-based DDoS service to be used in an RFP for the service. The RFP responses were reviewed and rated by a community technical team, and then Internet2 negotiated with three high-ranking providers. When creating the business model for the service, Internet2 consulted with the Network Architecture, Operations and Policy Program Advisory Group (NAOPpag) as well as a group of regional representatives. A group of technical leaders from the pilot group has met with Internet2 and the service provider to delve into the technical details.

How Does the Service Work?

DDoS Mitigation Service Subscribers procure 1G of clean pipe capacity while being allowed to burst into the available capacity provided by Internet2 on the clean pipe (up to 10G initially). The Subscriber will direct attack traffic to the DDoS Mitigation Service provider, and the clean traffic will be carried back on the Subscriber’s existing Internet2 connection.

A Subscriber will be allowed to offer the service to its downstream members (e.g., a regional could offer the service to a university). Downstream members (e.g., a university or a K-12 district) have the option to obtain the same direct access services from the provider by choosing the Tenant option, with an associated fee structure.

For an additional fee, the provider also offers a Monitoring service for those Subscribers or Tenants without on-premises appliances for attack detection. With the Monitoring service, NetFlow records are sent to the service provider’s analytics appliance and the provider is able to notify the Subscriber or Tenant of the need for mitigation.

features

Internet2 is providing a cloud-based volumetric Distributed Denial of Service (DDoS) Mitigation Service procured from a commercial service provider. The model being used allows members that subscribe to the service to be able to direct attack traffic to the DDoS Mitigation Service provider, and carry the clean traffic back via a VLAN on their existing Internet2 connection. Each Subscriber can offer the service to their downstreams. If any downstream would like to have direct access to the Security Operations Center (SOC), the downstream can become a Tenant of the Subscriber.

The features available to Subscribers and Tenants are:

  • Direct access to the Security Operations Center (SOC) of the provider to initiate mitigation
  • Access to a portal to review mitigation efforts and subsequent reports
  • A direct VLAN across the Internet2 network to carry clean traffic to the Subscriber’s routers 

For an additional fee, the provider offers a “Monitored Router” service available for those Subscribers or Tenants without on-premises appliances for attack detection. With the Monitoring service, NetFlow records are sent to the service provider’s analytics appliance and the provider is able to notify the Subscriber or Tenant of the need for mitigation.

fees

To speak with someone about the DDoS Mitigation Service Pilot or to request a quote, please email DDoSService@internet2.edu.

 

participate

Internet2 staff are available to discuss your DDoS Mitigation Service needs.

Internet2's DDoS Mitigation Service is available to:

Please contact DDoSService@internet2.edu for more information.

faq

How will the DDoS Mitigation service work?

The model being used allows a member to subscribe to the service in 1G increments of clean pipe capacity while being allowed to burst into the available capacity on the clean pipe (up to 10G initially). Currently this bursting will have no additional cost, unless it becomes a regular occurrence for a Subscriber, or Internet2 incurs additional costs. A key to the success of this model is the ability of the community to share in the aggregate amount of “clean pipe” capacity. The service provides scrubbing for commodity traffic and R&E traffic including both IPv4 and IPv6 traffic and includes coverage of unlimited assets/IP addresses. Clean traffic will be returned on your Internet2 connection that is provisioned during service onboarding.

Who is eligible to subscribe to the service from Internet2?

The model is to offer this service to R&E Network members and connectors and the pricing model will favor this group procuring the service and then sharing costs among its members. However, like all Internet2 services it will also be made available to any Internet2 member institution wishing to procure the service directly. Each entity that procures the service will be referred to as a Subscriber.

What are Subscribers and Tenants?

A Subscriber is the organization that contracts for the DDoS Mitigation Service. A Tenant is a downstream of the Subscriber, either a regional or higher education institution, that is interested in having direct access to the provider Security Operations Center (SOC) to initiate scrubbing, access to a portal to review mitigation efforts and subsequent reports, and a direct VLAN across the Internet2 network to carry clean traffic to the Tenant’s routers. There is an additional fee for each Tenant.

What features are provided to Subscribers?

Each Subscriber will have:
  • Direct access to the Security Operations Center (SOC) of the provider to initiate mitigation
  • Access to a portal to review mitigation efforts and subsequent reports
  • A direct VLAN across the Internet2 network to carry clean traffic to the Subscriber’s routers

What features are provided to Tenants?

Each Tenant will have:
  • Direct access to the Security Operations Center (SOC) of the provider to initiate mitigation
  • Access to a portal to review mitigation efforts and subsequent reports
  • A direct VLAN across the Internet2 network to carry clean traffic to the Subscriber’s routers

How was the DDoS Mitigation Service Provider selected?

Working with a group from the Security Working Group, Internet2 developed requirements for a cloud-based DDoS service. Internet2 then issued an RFP and solicited responses from six providers. The RFP responses were reviewed by a community technical team. Based on the ratings of that team, Internet2 negotiated with three high-ranking providers.

How was the business model for the service created?

Internet2 gathered input on the proposed business models from the Network Architecture, Operations and Policy Program Advisory Group (NAOPpag) and also convened a group of regional representatives to review the proposed business models.

My organization already has DDoS mitigation tools on-site. Does it make sense to obtain this service, too?

The service is being modeled to allow those members who already have DDoS mitigation tools on-site to also include this cloud-based solution.

If a connector or R&E Network Member procures the services, is it acceptable for them to offer it to their downstream members?

Yes, in fact, Internet2 encourages Connector/Network Members to, at least initially, subscribe to the service (i.e., become a Subscriber) on behalf of themselves as well as their own members (downstreams).

If a connector or R&E Network Member procures the services, is it possible for the downstream members to build a VLAN and have access to the SOC?

Yes, the Subscriber enrolls its downstream members as Tenants of the Subscriber. A Tenant will have (a) direct access to the provider Security Operations Center (SOC) to initiate scrubbing, (b) access to a portal to review mitigation efforts and subsequent reports and (c) a direct VLAN across the Internet2 network to carry clean traffic to the Tenant’s routers. There is an additional fee for each Tenant.

How will the DDoS Mitigation Service be configured?

A VLAN will be created between the Subscriber and the DDoS Mitigation Service provider. The Subscriber will provide a list of potential prefixes to the provider and a BGP session will be created between the Subscriber and the provider.

How will the DDoS Mitigation service work?

The service provides scrubbing for commodity traffic and R&E traffic, including both IPv4 and IPv6 traffic, and includes coverage of unlimited assets/IP addresses. Based on the prefix that the Subscriber indicates needs to be scrubbed, the provider announces a more specific route to the internet, drawing all traffic for that prefix to its scrubbing center. The provider scrubs the traffic and returns the clean traffic to the Subscriber via a VLAN on the Subscriber’s Internet2 connection that is provisioned during service onboarding.
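The diversion described above works because routers prefer the longest matching prefix. The following added example (not Internet2's or the provider's code) models that selection with Python's ipaddress module and checks whether a more specific route can be announced for a given prefix; the sample prefixes, the next-hop labels and the /24 and /48 length limits are assumptions made for illustration.

```python
import ipaddress

# Assumption (common operator filtering practice, not stated on the page):
# routes longer than /24 (IPv4) or /48 (IPv6) are widely rejected.
MAX_LEN = {4: 24, 6: 48}

# Constructed routing view: the Subscriber's normal announcements.
RIB = {
    ipaddress.ip_network("2001:db8::/32"): "subscriber-border",
    ipaddress.ip_network("192.0.2.0/24"): "subscriber-border",
}

def best_route(rib, dst):
    """Longest-prefix match over {network: next_hop}; None if nothing covers dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(net, hop) for net, hop in rib.items()
            if net.version == addr.version and addr in net]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def more_specific(announced, victim):
    """Longest acceptable more-specific of `announced` covering `victim`.

    Returns None when the victim is outside the prefix or the prefix is
    already at MAX_LEN, i.e. no longer route can be announced for it.
    """
    net = ipaddress.ip_network(announced)
    addr = ipaddress.ip_address(victim)
    limit = MAX_LEN[net.version]
    if addr.version != net.version or addr not in net or net.prefixlen >= limit:
        return None
    return ipaddress.ip_network(f"{addr}/{limit}", strict=False)

def divert(rib, announced, victim, hop="scrubbing-center"):
    """Copy of rib with the diversion route added, plus the route (or None)."""
    route = more_specific(announced, victim)
    new_rib = dict(rib)
    if route is not None:
        new_rib[route] = hop
    return new_rib, route

if __name__ == "__main__":
    victim = "2001:db8:12:34::5"
    print("before:", best_route(RIB, victim))
    during, route = divert(RIB, "2001:db8::/32", victim)
    print("announce:", route, "-> now:", best_route(during, victim))
    print("untouched host:", best_route(during, "2001:db8:99::1"))
    # A /24 is already at the limit: raise this case during onboarding.
    print("192.0.2.0/24:", divert(RIB, "192.0.2.0/24", "192.0.2.10")[1])
```

A `None` result marks a prefix for which no longer route can be announced under the assumed limits; how such a prefix would be diverted is a question to settle with the provider during onboarding.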

Are there any options for detection, or is this only mitigation?

This service is a cloud-based volumetric DDoS Mitigation service. The provider does have a “Monitored Router” service available for those Subscribers or Tenants without on-premises appliances for attack detection. With the Monitoring service, NetFlow records are sent to the service provider’s analytics appliance and the provider is able to notify the Subscriber or Tenant of the need for mitigation. There is an additional fee for this service.