Roderick Mooi is the Senior Information Security Officer at GÉANT and service owner for Distributed Denial of Service (DDoS) Cleansing and Alerting (C&A). CONNECT met with him to talk about the planning process, deployment, and migration to NeMo of the DDoS attack detection and mitigation solution for NRENs.
Roderick, can you tell us about NeMo and how it became the standard DDoS software for the GÉANT Project participants?
NeMo was originally developed by DFN-CERT for DFN (the German NREN) to meet the NREN’s unique network monitoring and mitigation requirements. NeMo has been deployed on the DFN network for over 12 years. In addition, the regular and continuous development of the solution through the latest iterations of the GÉANT Project delivered considerable improvements and increased NeMo’s suitability for the GN5-1 project participants, and for GÉANT and its NREN members. NeMo was selected to detect and protect, in the event of DDoS attacks, the GÉANT network, related infrastructure and especially NREN uplinks.
Could you summarise NeMo’s benefits and how it compares to other DDoS solutions for NRENs?
NeMo has been freely licensed for R&E use, which means that NRENs don’t need to pay a licence fee. It uses flow data and statistical algorithms to detect anomalies on the network and sends alerts, when anomalies are identified, backed by a powerful analysis interface. In addition, it features its own cleansing engine! NeMo is a holistic, scalable and decentralised DDoS detection and mitigation solution and its proprietary mitigation technology provides multiple mitigation options when needed. In addition, ongoing GN project support makes it an appealing and cost-effective alternative to commercial solutions for NRENs.
What are the main challenges that have characterised the NeMo migration?
After 12 months of setup, adding features, tuning and meticulous testing, NeMo was finally declared fit-for-purpose and ready for production in the GÉANT network. The pilot started with three NRENs in July 2023, and to date 12 NRENs have been onboarded. In between, we also decommissioned FlowMon DDoS Defender (our previous detection solution). To evaluate the rollout of NeMo we carried out a survey among the first NRENs who completed the migration, and I am pleased to say that we received high-scoring and encouraging feedback on the solution’s user interface, but most importantly on its detection capabilities and analysis tools as well as the support provided by our teams throughout the process.
One of our main challenges is a shortage of resources. In addition, the actual implementation of the project took longer than expected due to reduced hardware availability in 2022 (network cards in particular). These shortages delayed the real-life deployment with actual hardware even though we could perform a simulated setup and preliminary testing using virtual machines. NeMo itself wasn’t completely ready for adoption outside of DFN – we initially planned a GÉANT implementation for 2023-24, but due to expanding requirements – current DDoS C&A hardware reaching end-of-life, product discontinuation (FlowMon DDoS Defender) and far too expensive commercial alternatives – we expedited our implementation. This meant that, in consultation with the WP8 DDoS project task team, activities needed to be re-prioritised and resources reallocated and carefully managed.
Who manages NeMo?
The GÉANT Security Operation Centre (SOC) is responsible for NeMo’s day-to-day operations; it’s in fact the first service completely run by our SOC! We can say that NeMo has brought together security and operation teams; they are now working more closely, united by a common goal.
More about NeMo: https://security.geant.org/nemo-ddos-software/
This interview is part of a longer article on NeMo. Read part 2, in which we had a chat about the history of NeMo with Eugene A Brin, DFN-CERT: https://connect.geant.org/2023/11/22/nemo-the-ddos-solution-for-nrens-interview-with-roderick-mooi-senior-information-security-officer-geant
Roderick joined GÉANT just over two years ago and, in addition to DDoS, he also focusses on Cyber Threat Intelligence (CTI). He has a foundation in computer engineering, a Master’s degree plus various certifications in Information Security, and 13 years of experience in R&E networks. He enjoys being part of the community, learning and sharing experiences.