DDoS Mitigation Service

FAQ

How does the DDoS Mitigation service work?

The DDoS mitigation service provides scrubbing for commodity traffic and R&E traffic including both IPv4 and IPv6 traffic. Clean traffic will be returned on your Internet2 connection.

Who is eligible to subscribe to the service from Internet2?

The pricing model for the DDoS service will favor procurement of the service by a Connector or Regional Network, which will in turn share costs among its members. However, like all Internet2 services, it will also be made available to any Internet2 member institution wishing to procure the service directly. Each entity that procures the service will be referred to as a Subscriber.

What are Subscribers and Tenants?

A Subscriber is the organization that contracts for the DDoS Mitigation Service. A Tenant is a downstream of the Subscriber, either a regional or higher education institution, that is interested in having direct access to the provider's Security Operations Center (SOC) to initiate scrubbing, access to a portal to review mitigation efforts and subsequent reports, and a direct VRF across the Internet2 network to carry clean traffic to the Tenant’s routers. There is an additional fee for each Tenant.

What features are provided to Subscribers?

Each Subscriber will have:
- Direct access to the Security Operations Center (SOC) of the provider to initiate mitigation
- Access to a portal to review mitigation efforts and subsequent reports
- A direct VRF across the Internet2 network to carry clean traffic to the Subscriber’s routers
- The ability to offer services to Tenants and Subtenants

What features are provided to Tenants?

Each Tenant will have:
- Direct access to the Security Operations Center (SOC) of the provider to initiate mitigation
- Access to a portal to review mitigation efforts and subsequent reports
- A direct VRF across the Internet2 network to carry clean traffic to the Subscriber’s routers

How was the DDoS Mitigation Service Provider selected?

In 2016, working with a subgroup of the Security Working Group, Internet2 developed requirements for a cloud-based DDoS service. Internet2 then issued an RFP and solicited responses from six providers. The RFP responses were reviewed by a community technical team. Based on the ratings of that team, Internet2 negotiated with three high-ranking providers, and one was chosen to provide the service beginning in 2017. In 2018, the original DDoS provider was acquired and the service was set to end-of-life in early 2020. During the last half of 2019, Internet2 and one of the other three high-ranking providers negotiated a new DDoS Mitigation Service agreement to provide continued service to the community.

How was the business model for the service created?

Internet2 gathered input on the proposed business models from the Network Architecture, Operations and Policy Program Advisory Group (NAOPpag) and also convened a group of regional representatives to review the proposed business models.

My organization already has DDoS mitigation tools on-site. Does it make sense to obtain this service, too?

Because this service is cloud-based, it may make sense for members who already have on-site DDoS mitigation tools to also include this solution in their overall DDoS mitigation strategy.

If a Connector or R&E Network Member procures the services, is it acceptable for them to offer it to their downstream members?

Internet2 encourages Connectors/Network Members to, at least initially, subscribe to the service (i.e., become a Subscriber) on behalf of themselves as well as their own members (downstreams). Each downstream that has its own publicly registered Autonomous System Number (public ASN) and does not choose the option to be a Tenant is considered to be a Subtenant of the Subscriber, with associated fees. A Subtenant will not have access to the SOC or the DDoS Portal. Subtenant fees are waived for any organization eligible to receive USF E-Rate funds such as K-12 schools and Public Libraries.

If a Connector or R&E Network Member procures the services, is it possible for the downstream members to have access to the Scrubbing VRF and the provider’s SOC?

Yes, if the downstream becomes a Tenant. A Tenant will have (a) direct access to the Security Operations Center (SOC) of the provider to initiate mitigation, (b) access to a portal to review mitigation efforts and subsequent reports, and (c) a direct VRF across the Internet2 network to carry clean traffic to the Subscriber’s routers. There is an additional fee for each Tenant.

How will the DDoS Mitigation Service be configured?

A VRF will be created between the Subscriber/Tenant and the DDoS Mitigation Service provider. The Subscriber/Tenant will provide a list of prefixes to the provider and a BGP session will be created between the Subscriber and the provider.

How will the DDoS Mitigation service work?

The service provides scrubbing for commodity traffic and R&E traffic, including both IPv4 and IPv6 traffic. For the prefix that the Subscriber indicates needs to be scrubbed, the provider announces a more specific route to the Internet, drawing all traffic for that prefix to its scrubbing center. The provider scrubs the traffic and returns the clean traffic to the Subscriber via a VRF on the Subscriber’s Internet2 connection that is provisioned during service onboarding.
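
The more-specific route diversion described above, modeled as an added example that is not part of the original FAQ or the provider's tooling. The /24 (IPv4) and /48 (IPv6) length limits, the next-hop labels, and the sample prefixes (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

# Assumption, not from the page: announcements longer than /24 (IPv4) or
# /48 (IPv6) are commonly filtered, so a diversion route stops at that length.
MAX_LEN = {4: 24, 6: 48}

def diversion_route(announced, victim):
    """More-specific route covering `victim`, or None if none can be formed."""
    net = ipaddress.ip_network(announced)
    addr = ipaddress.ip_address(victim)
    if addr.version != net.version or addr not in net:
        return None                      # victim is outside this prefix
    limit = MAX_LEN[net.version]
    if net.prefixlen >= limit:
        return None                      # already at the limit: no more-specific exists
    return ipaddress.ip_network(f"{addr}/{limit}", strict=False)

def best_route(rib, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(n, hop) for n, hop in rib if n.version == addr.version and addr in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def simulate(announced, victim):
    """Return (next hop before diversion, next hop after) for traffic to victim."""
    rib = [(ipaddress.ip_network(announced), "subscriber")]
    before = best_route(rib, victim)
    route = diversion_route(announced, victim)
    if route is not None:
        rib.append((route, "scrubbing-center"))   # hypothetical next-hop label
    return before, best_route(rib, victim)

if __name__ == "__main__":
    # Constructed sample prefixes from documentation ranges.
    for prefix, victim in [("198.51.100.0/23", "198.51.101.7"),
                           ("203.0.113.0/24", "203.0.113.9"),
                           ("2001:db8::/32", "2001:db8:5::1")]:
        print(prefix, victim, simulate(prefix, victim))
```

Under the stated length assumption, a prefix the Subscriber already announces at the limit yields no more-specific route, which is worth checking against the prefix list submitted at onboarding.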

Are there any options for detection, or is this only mitigation?

This is a cloud-based volumetric DDoS Mitigation service and, at this time, we don’t have a service that provides detection.