DDoS Mitigation Service
FAQ
The DDoS mitigation service provides scrubbing for commodity traffic and R&E traffic including both IPv4 and IPv6 traffic. Clean traffic will be returned on your Internet2 connection.
The pricing model for the DDoS service will favor procurement of the service by a Connector or Regional Network and they, in turn, will share costs among their members. However, like all Internet2 services it will also be made available to any Internet2 member institution wishing to procure the service directly. Each entity that procures the service will be referred to as a Subscriber.
A Subscriber is the organization that contracts for the DDoS Mitigation Service. A Tenant is a downstream of the Subscriber, either a regional or higher education institution, that is interested in having direct access to the provider Security Operations Center (SOC) to initiate scrubbing, access to a portal to review mitigation efforts and subsequent reports and a direct VRF across the Internet2 network to carry clean traffic to the Tenant’s routers. There is an additional fee for each Tenant.
Each Subscriber will have:
-Direct access to the Security Operations Center (SOC) of the provider to initiate mitigation
-Access to a portal to review mitigation efforts and subsequent reports
-A direct VRF across the Internet2 network to carry clean traffic to the Subscriber’s routers
-The ability to offer services to Tenants and Subtenants
Each Tenant will have:
-Direct access to the Security Operations Center (SOC) of the provider to initiate mitigation
-Access to a portal to review mitigation efforts and subsequent reports
-A direct VRF across the Internet2 network to carry clean traffic to the Subscriber’s routers
–
In 2016, working with a subgroup of the Security Working Group, Internet2 developed requirements for a cloud-based DDoS service. Internet2 then issued an RFP and solicited responses from six providers. The RFP responses were reviewed by a community technical team. Based on the ratings of that team, Internet2 negotiated with three high ranking providers and one was chosen to provide the service beginning in 2017. In 2018, the original DDoS provider was acquired and the service was set to end-of-life in early 2020. During the last half of 2019, Internet2 and one of the other three high-ranking providers negotiated a new DDoS Mitigation Service agreement to provide continued service to the community.
Internet2 gathered input on the proposed business models from the Network Architecture, Operations and Policy Program Advisory Group (NAOPpag) and also convened a group of regional representatives to review the proposed business models.
Because this service is cloud-based, it may make sense for members who already have on-site DDoS mitigation tools to also include this solution in their overall DDoS mitigation strategy.
Internet2 encourages Connectors/Network Members to, at least initially, subscribe to the service (i.e., become a Subscriber) on behalf of themselves as well as their own members (downstreams). Each downstream that has its own publicly registered Autonomous System Number (public ASN) and does not choose the option to be a Tenant is considered to be a Subtenant of the Subscriber, with associated fees. A Subtenant will not have access to the SOC or the DDoS Portal. Subtenant fees are waived for any organization eligible to receive USF E-Rate funds such as K-12 schools and Public Libraries.
Yes, if the downstream becomes a Tenant. A Tenant will have (a) direct access to the Security Operations Center (SOC) of the provider to initiate mitigation, (b) access to a portal to review mitigation efforts and subsequent reports and © direct VRF across the Internet2 network to carry clean traffic to the Subscriber’s routers. There is an additional fee for each Tenant.
A VRF will be created between the Subscriber/Tenant and the DDoS Mitigation Service provider. The Subscriber/Tenant will provide a list of prefixes to the provider and a BGP session will be created between the Subscriber and the provider.
The service provides scrubbing for commodity traffic and R&E traffic including both IPv4 and IPv6 traffic. Based on the prefix that the Subscriber indicates needs to be scrubbed, the provider announces a more specific route to the internet drawing all traffic for the prefix to their scrubbing center. They scrub the traffic and return the clean traffic to the Subscriber via a VRF on the Subscriber’s Internet2 connection that is provisioned during service onboarding.
This is a cloud-based volumetric DDoS Mitigation service and, at this time, we don’t have a service that provides detection.