[NeMo-DDoS-List] FYI: [Geant NeMo Subscribers] Changes to NeMo email senders and alert thresholds

Hank Nussbacher hank at mail.iucc.ac.il
Sun Oct 27 11:32:56 IST 2024


Dear DDoS C&A subscribers,

As part of the current maintenance window we have made the following changes to NeMo:

1. Following an organisation-wide mail system upgrade, the sender address for alerts has been changed to: nemo-ddos at host.geant.org with the added implementation of DKIM-signed emails. This may affect rules/filters you have configured for NeMo emails. Please update as needed.

2. We have increased all detection thresholds by 10x in order to reduce false positives for what we have observed over the past couple of months as "ignorable" alerts (likely to have no-to-negligible impact and also not requiring mitigation in the GÉANT network). The thresholds have been adjusted as follows:

Sensitivity Category | Detector ‘ignore below’ parameter value (packets per minute)* | Equivalent packets per second value
Default | 3000000 ppm | 50000 pps
Low | 6000000 ppm | 100000 pps
High | 600000 ppm | 10000 pps

Meaning that we do not expect to see alerts for events below those values (unless multiple events are combined into a meta-alert). Initial testing indicates that on average the amount of alerts should be reduced to about 1/3 of what they currently are/were. Further optimisation is ongoing (e.g. we will likely add bandwidth thresholds as well) with the aim of only raising alerts for events likely to have impact and worthy of attention.

Please note that if you've previously requested customised thresholds for any of your objects, these have not been changed.

Thank you for your cooperation and ongoing interest. Any queries please reply to this email.

Best regards,

Roderick Mooi (and also on behalf of our SOC)


--

Senior (Information) Security Officer

DDoS C&A Service Owner



GÉANT



PGP: 969E B264 D516 3BF3 7AA6  1F7D 7744 5FF8 9A07 86D6



Network • Services • Community