[NeMo-DDoS-List] FYI: [Geant NeMo Subscribers] Changes to NeMo email senders and alert thresholds
Hank Nussbacher
hank at mail.iucc.ac.il
Sun Oct 27 11:32:56 IST 2024
Dear DDoS C&A subscribers,
As part of the current maintenance window we have made the following changes to NeMo:
1. Following an organisation-wide mail system upgrade, the sender address for alerts has been changed to: nemo-ddos at host.geant.org with the added implementation of DKIM-signed emails. This may affect rules/filters you have configured for NeMo emails. Please update as needed.
2. We have increased all detection thresholds by 10x in order to reduce false positives for what we have observed over the past couple of months as "ignorable" alerts (likely to have no-to-negligible impact and also not requiring mitigation in the GÉANT network). The thresholds have been adjusted as follows:
Sensitivity Category | Detector ‘ignore below’ parameter value (packets per minute)* | Equivalent packets per second value
Default              | 3000000 ppm                                                   | 50000 pps
Low                  | 6000000 ppm                                                   | 100000 pps
High                 | 600000 ppm                                                    | 10000 pps
Meaning that we do not expect to see alerts for events below those values (unless multiple events are combined into a meta-alert). Initial testing indicates that on average the amount of alerts should be reduced to about 1/3 of what they currently are/were. Further optimisation is ongoing (e.g. we will likely add bandwidth thresholds as well) with the aim of only raising alerts for events likely to have impact and worthy of attention.
Please note that if you've previously requested customised thresholds for any of your objects, these have not been changed.
Thank you for your cooperation and ongoing interest. Any queries please reply to this email.
Best regards,
Roderick Mooi (and also on behalf of our SOC)
--
Senior (Information) Security Officer
DDoS C&A Service Owner
GÉANT
PGP: 969E B264 D516 3BF3 7AA6 1F7D 7744 5FF8 9A07 86D6
Network • Services • Community