Radware DDoS Mitigation Alert Analysis
By Adair Thaxton - Internet2 Cyberinfrastructure Security Engineer
Internet2 is in the process of renewing our DDoS mitigation service contract with Radware. Since we originally signed on with Radware in December 2019, 12 Internet2 Connectors have used the Radware service to protect more than 100 of their member institutions.
DDoS Alert Trends
The Internet2 Security team has been examining the DDoS alerts we receive from Radware, and we have noticed a few trends. The biggest trend has been amplification attacks using NTP and DNS, so please make sure your servers are patched!
Grade-level assessments at the beginning and end of the school year can always make school systems a target. In the case of one school system, the students were particularly averse to the concept, so they queued up a series of stressers, which aimed ICMP and UDP network floods at several IP addresses in the school system. ICMP BlackNurse attacks were specifically used, while the UDP floods were common amplification and fragmentation floods.
Mitigating Threats Together
After analyzing the alerts each week, we sometimes contact the network administrators of record for the affected hosts, in the hopes of getting some context. We are mostly interested in what they observed at the Connector level and at the member level. If you experience a DDoS attack, we may reach out to you!
Radware has also reached out to the network administrators and offered to put additional protections in place. In most cases, once they see an attack, they create a custom attack profile for it. These custom attack profiles are created quickly and can allow for some additional data analysis on our end.
For the school system that had been under attack, Radware offered to add a rate limit on the affected ports. However, a rate limit isn’t always a foolproof plan: malicious traffic could hit the ceiling on the rate limit and legitimate traffic could be blocked! In this case, our recommendation to the network engineers was to create an ACL at their edge permitting traffic sourced from known-good DNS and NTP servers, and blocking or rate-limiting all other sources. That wouldn’t solve the problem with the TCP-based attack flows, but it would certainly help! This school system also provided us with our highest-known attack bandwidth – 235 Gbps! While Internet2 has 400 Gbps backbone links, our Connectors may not, and it’s a safe assumption that a school system definitely doesn’t.
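The allowlist-then-rate-limit logic recommended above, as an added example that is not Internet2's or Radware's code: it classifies UDP flow records the way the edge ACL would, permitting DNS/NTP replies only from the resolvers and time servers the campus actually uses. The allowlist, the flow record layout and every address are constructed assumptions.

```python
"""Classify inbound UDP flows against an allowlist of known-good DNS/NTP servers.
Added example (not Internet2's or Radware's code); all addresses below are
constructed sample values in documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed allowlist: the resolvers and NTP servers the campus actually uses.
KNOWN_GOOD = {
    "dns": [ip_network("192.0.2.0/29")],        # assumed resolver block
    "ntp": [ip_network("198.51.100.10/32")],    # assumed NTP server
}
REPLY_PORTS = {53: "dns", 123: "ntp"}           # source ports of reflected replies

@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    bytes: int
    fragmented: bool = False   # non-first fragments carry no port numbers

def classify(flow: Flow) -> str:
    """Return 'permit', 'rate-limit' or 'ignore' for one flow record."""
    if flow.proto != "udp":
        return "ignore"            # TCP floods are outside this ACL's scope
    service = REPLY_PORTS.get(flow.sport)
    if service is None and not flow.fragmented:
        return "ignore"            # neither a DNS/NTP reply nor a fragment
    src = ip_address(flow.src)
    if service and any(src in net for net in KNOWN_GOOD[service]):
        return "permit"            # reply from a server we actually queried
    return "rate-limit"            # reflected amplification or stray fragment

def summarize(flows):
    """Bytes per verdict, so an operator can see how much the ACL would hold back."""
    totals = {"permit": 0, "rate-limit": 0, "ignore": 0}
    for f in flows:
        totals[classify(f)] += f.bytes
    return totals

# Constructed sample records resembling an amplification event against 203.0.113.5.
SAMPLE = [
    Flow("192.0.2.2", 53, "203.0.113.5", 41000, "udp", 512),          # our resolver
    Flow("198.51.100.200", 123, "203.0.113.5", 41000, "udp", 4400),   # NTP reflector
    Flow("198.51.100.10", 123, "203.0.113.5", 123, "udp", 76),        # our NTP server
    Flow("192.0.2.99", 0, "203.0.113.5", 0, "udp", 1480, fragmented=True),  # fragment flood
    Flow("192.0.2.200", 443, "203.0.113.5", 50000, "tcp", 1200),      # TCP, not handled here
]
```

The allowlist approach only holds if campus clients are actually restricted to the listed resolvers and time servers; otherwise legitimate replies from other servers would be rate-limited too.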
Refining Radware Alerts
We are also engaged with Radware to try to refine the alerts we are receiving and to better understand the knobs available in their portal regarding these notifications. If your organization is receiving too many alerts or too few alerts, you may want to review those options in the portal, or reach out to us at DDoSService@internet2.edu for assistance!