Internet2's DDoS Mitigation Strategy

min read

Special thanks to Paul Howell and Internet2 for allowing EDUCAUSE to republish this column [].

As Internet2 looks to defend its network infrastructure from distributed denial of service (DDoS) attacks, we recognize that the research and education (R&E) community forms an ecosystem of networks that, when working together, offers substantial resources to combat DDoS attacks within the entire community. This proposal summarizes the best options for mitigating DDoS attacks.

The concepts in this paper come from months of working within the community to understand the issues and solutions from a cross-section of our members. The main takeaway from this document is that there isn't just one way to deal with DDoS attacks and there isn't just one provider that can effectively defend our members. Rather it takes a variety of solutions engaged through different providers to thwart large-scale attacks.


DDoS attacks continue to adversely affect research and education institutions. There have been a few recent high profile incidents in the higher education community that have taken campuses or regional networks offline. Attacks can consume network bandwidth and significantly degrade performance of institutional resources (websites, learning management systems, etc.), resulting in potential disruptions to research and education.

DDoS attacks are intended to interfere with the availability of a victim’s network or applications. Such attacks generally fall into the following categories:

  • Volumetric attacks clog the circuits, delivering information by sending more packets than the circuit can process, thereby saturating the circuit and making services unavailable.
  • Application layer attacks are focused on rendering applications such as web servers unavailable by exhausting web server resources. These attacks do not have to consume all of the network bandwidth to be effective. Rather they place an operational strain on the application server in such a way that the server becomes unavailable.
  • Multi-vector attacks tend to run over an extended period of time and engage different attack methods intended to evade detection and mitigation efforts while maximizing the damage to the victim.

According to the Arbor Worldwide Infrastructure Security Report, in the Enterprise, Government and Education sector, over half of the survey respondents experienced failure of a firewall or intrusion prevention system (IPS) due to attack. More than one-quarter of respondents experienced over 10 attacks per month and over half experienced attacks that exceeded their Internet capacity. The attack breakdown was 58% volumetric (consume network bandwidth), 24% state-exhaustion (consume connection state tables), 19% application-layer (attack Layer 7/application).

There can be high operational expenses resulting from an attack, including both the resources spent to identify the nature of the attack and the resources necessary to combat the attack. Further harm comes from lost productivity, interruption of critical institutional services, reputation damage, potential revenue loss, and potential network penetration by malicious actors if the attack is used as a smoke screen. DDoS attacks vary in nature and volume, with no one solution sufficient to provide complete protection. Organizations being targeted by DDoS attacks need to have a range of defensive options at their disposal to minimize the impacts. The options may include enlisting the assistance of an Internet service provider (ISP) to implement filters that block attack traffic, thereby reducing the congestion within the victim network and allowing services to resume.

Internet2 Community Strategy

Through active engagement with the Internet2-sponsored Security Working Group — made up of approximately one hundred network experts from our community — along with meetings at conferences such as the Global Summit and Technology Exchange, we have identified the best options for mitigating volumetric DDoS attacks.

Our approach to reducing the negative consequences of DDoS attacks recognizes that attacks may be divided into two broad categories: (1) application layer attacks, and (2) volumetric network attacks. The first category, application layer attacks, tend to be best mitigated by solutions deployed within the victim network itself. These specialized application layer mitigation appliances and services are being investigated by the security and identity program manager for Internet2 NET+, Nick Lewis, who may be contacted for an update on the possible solutions. The second category, volumetric network attacks, has been the focus of the Network Services Security Team, which has been coordinating a community-wide R&E Security Working Group to investigate different types of volumetric and multi-vector DDoS attacks, gain an understanding of the impact on operations and availability of resources, and identify defensive solutions that can be engaged when attacks occur.

The remainder of this paper discusses the Network Services proposal, developed in conjunction with regional and campus experts, for developing volumetric DDoS attack countermeasures that can work to protect the network infrastructure of Internet2, regional networks, and campus networks by providing remedial services when needed.

Attack Mitigation

It is important to note that when combating volumetric DDoS attacks, a one-size-fits-all solution deployed within a campus will have only limited success. Often the most effective solution to a volumetric DDoS attack is to engage the network service provider to implement filters closest to the source of the attack. In turn, network providers may work together to lessen the effects of an attack on their networks. The R&E community is made up of a trusted group of network providers including campuses, regional networks, and Internet2 that work well together and have a shared stake in effectively responding to DDoS attacks.

The best action plan is to leverage a multifaceted approach involving filtering and scrubbing, crafted in a manner to either supplement existing deployments of DDoS detection and mitigation products by regional networks and campuses, or to provide coverage for members that do not already have a solution in place. Additionally, the proposed solutions would be used by Internet2 to defend its production network from DDoS attacks.


Often the first line of defense, filtering network attacks, takes two basic forms: filtering the victim or filtering the attacker. Both of these discard DDoS attack traffic.

Filtering the victim, often referred to as a real-time black hole, discards all traffic destined to the victim. This technique is useful when the network links used to reach the victim are swamped and unusable, causing sufficient problems so as to be affecting other services. Relief from the attack allows affected services to recover and resume service. The obvious downside of this approach is that all — both good and attack — traffic sent to the victim will be discarded, resulting in a complete denial of service to the victim. Internet2 has supported this form of filtering for several years and will continue to support this.

Filtering the attacker involves discarding traffic originating from the attacker at the point of network ingress. Implementing this type of filter can be done by engineers crafting rules by hand. However, when there are a large number of attackers, handcrafting filtering rules is both time-consuming and error prone. Instead, a routing feature called FlowSpec is available that permits programmatic development of routing filters that are propagated through the routing fabric. Once a FlowSpec filter is installed, the attacking traffic is dropped by the ingress router(s). Currently Internet2 is evaluating this method of filtering and barring any technical impediments, anticipates supporting this method after the evaluation is completed.

These two methods of filtering can be effective at recovering a network suffering from DDoS attack, but also have limitations that can allow DDoS attacks to continue, leading some to consider DDoS scrubbing services.


Scrubbing centers are technical facilities designed for filtering DDoS attacks from inbound traffic while permitting “clean” traffic to pass through to the destination. Scrubbing centers can exist either on network premises or in a cloud-based software as a service (SaaS). Sending attack traffic to a scrubbing center is usually accomplished via network routing announcements that indicate that the scrubbing center is the shortest path to the victim network.

Scrubbing can be an effective DDoS attack solution for services such as learning management systems when maintaining maximum availability is mission critical. The downside of scrubbing tends to be its cost. Whether on-premise or SaaS solution, the service can be expensive and is usually based on clean-traffic volume.

Internet2 is evaluating SaaS scrubbing providers that support network service provider reselling. A network peering arrangement with a selected scrubbing vendor would allow AL2S to carry clean traffic back to the victim.

Internet2 would like to develop a subscription model for SaaS scrubbing that could provide a backstop to regional networks and member universities that already have a scrubbing solution with limited capacity. Alternatively the Internet2 scrubbing offering could be used as the primary scrubbing solution by a regional network to protect its members. Clearly the costs recovered through a group subscription will need to pay for the scrubbing SaaS service, but as the number of subscribers increase, the cost per subscriber would decrease.


Internet2's approach to volumetric DDoS attack mitigation involves working with our regional networks and campuses in using current network functionality for filtering of either the victim or the attacker, and to offer subscriptions for a scrubbing SaaS service.

Paul Howell is the chief cyberinfrastructure security officer at Internet2.

© 2016 Paul Howell. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.