Abilene Update
Joint Techs – Winter 2006
Albuquerque, NM
2006 January

Steve Cotter
Director, Network Services
Internet2


Agenda

• Abilene Overview
• Abilene Community
• Abilene Operational Security Exercise
• Abilene Network Security Monitoring
• Additional Info

Abilene Overview

• 10-Gbps ‘best effort’, over-provisioned IP network
• Current normal load ~2 Gbps; ~10 Gbps peak
• Carrier provisioned backbone λ’s (Q-Wave)
• ~4.8 9’s availability over past 12 months
• SONET backhaul available to connectors
• Dual stack IPv4/IPv6, native multicast, MPLS LSPs
• Purchasing 10 Mbps of IPv6 transit at PAIX
• IPv6: 56 Participants, 26 Connectors, 40 Peers (3 Federal, 27 International, 10 Experimental/Non-production)
• Network research facilitation (data + co-lo)
• Abilene Observatory project
• Extensive domestic and int’l R&E peering
• Cost recovery model motivates network utilization and bandwidth upgrade

Abilene Community

• 36 direct connections (OC-3c → 10 Gbps)
• 3 10 Gbps (10 GE) connections
• OC-192c SONET also supported
• 7 OC-48c connections & 3 GE connectors
• 24 connected at OC-12c (622 Mbps) or higher
• 242 Primary Participants – research universities and labs
• Newest additions: Ruth Lilly Health Education Center, City University of New York
• Expanded Access
• 134 Sponsored Participants - Individual institutions, K-12 schools, museums, libraries, research institutes
• 34 Sponsored Educational Group Participants - state-based education networks

See: http://abilene.internet2.edu/

Abilene Federal & Research Peerings

Abilene International Network Peerings

Abilene IPv6 Peerings

Abilene Operational Security Exercise

Background:
• One day long event, held in November 2005 in Indianapolis, Indiana
• Designed to initiate conversations on the Network Operation Center's (NOC) activities in their support of Abilene

Goals:
• This was not an audit – purpose was to gather information and produce a baseline document.
• Detailed document recently released to participants.
• A public document is also available.

For more info: Charles Yun, Internet2

Abilene Operational Security Exercise

Methodology:
• “Table top” exercise (talking, no flows initiated)
• Two scenarios, invented, refined, executed
  • DDoS attack
  • Router compromise with press/reporter investigation

Findings:
• Report identifies ~40 observations
• Patterns of activity emerged in the two scenarios, some expected and others not.
• Some processes were in place and followed, others need to be developed
• Some observations revealed policy questions that should be answered by Internet2 or the NOC

Abilene Operational Security Exercise

Lessons Learned:
• Well designed, detailed scenarios are important to respond to unexpected questions.
• Engineers (plural) need to be involved in the design *and* execution of the scenario.
• Make sure that every external “event” or “character” is represented by a real person. If someone is supposedly upset and sending email, have a real person start sending email… and then call a person’s cell phone.
• Test processes, not the cleverness of engineers.

Abilene Operational Security Exercise

Follow Up:
• I2 and NOC plan to initiate regularly occurring Abilene Operational Exercises
• Considering a *live* exercise
• Contemplating involving GigaPoPs/RONs and our international partners in the next one
• Start off with a similar baseline exercise and evolve into more complicated activities

Network Security Monitoring

• Installed Arbor Networks Peakflow tool in late Oct. ’05
• Covers 11 core routers, TransPAC2 router (temp), plus M5 router in ATL
• Allows I2, REN-ISAC and Global NOC to actively monitor the network for threat activity, e.g. DDOS, worms and other network events, and act upon those threats – not only across the backbone but also at affected members’ sites.
• Provide threat information and alerts to the community with the aim to strengthen defensive postures.
• I2 and REN-ISAC are participating in the Arbor Fingerprint Alliance, which provides the ability for all participating network service providers to share information regarding the fingerprints of active threat – permitting early warning regarding new/active threat.

Network Security Monitoring

• Capabilities:
  • Portal views of network traffic
  • Provides DDOS detection, classification, traceback, and mitigation as well as zero day anomaly detection, worm and infected host detection and reporting
• Public reports from the Traffic and Routing Analysis component (TR) are being developed and published at http://www.ren-isac.net/monitoring.html

Network Security Monitoring

For more info: Doug Pearson, REN-ISAC/IU NOC

Additional Info

Plug for RONs/Connectors BoF:
• Tuesday 6:00 – 8:00pm, Salon III
• Additional info on:
  • International Peerings
  • IPv6 routing/transit issues
  • Security
• Contact info:
  scotter @ internet2 . edu
  734.352.7024 (desk)
  Ann Arbor, Michigan, USA