(ids)= # DDoS Protection ## FastNetMon FastNetMon is a high-performance DDoS detector/sensor built on top of multiple packet capture engines: NetFlow, IPFIX, sFlow, AF_PACKET (port mirror). It can detect hosts in the deployed network sending or receiving large volumes of traffic, packets/bytes/flows per second and perform a configurable action to handle that event, such as calling a custom script. VyOS includes the FastNetMon Community Edition. ### Configuration ```{eval-rst} .. cfgcmd:: set service ids ddos-protection alert-script Configure alert script that will be executed when an attack is detected. ``` ```{eval-rst} .. cfgcmd:: set service ids ddos-protection ban-time <1-4294967294> Configure how long an IP (attacker) should be kept in blocked state. Default value is 1900. ``` ```{eval-rst} .. cfgcmd:: set service ids ddos-protection direction [in | out] Configure direction for processing traffic. ``` ```{eval-rst} .. cfgcmd:: set service ids ddos-protection exclude-network ``` ```{eval-rst} .. cfgcmd:: set service ids ddos-protection exlude-network Specify IPv4 and/or IPv6 networks which are going to be excluded. ``` ```{eval-rst} .. cfgcmd:: set service ids ddos-protection listen-interface Configure listen interface for mirroring traffic. ``` ```{eval-rst} .. cfgcmd:: set service ids ddos-protection mode [mirror | sflow] Configure traffic capture mode. ``` ```{eval-rst} .. cfgcmd:: set service ids ddos-protection network ``` ```{eval-rst} .. cfgcmd:: set service ids ddos-protection network Specify IPv4 and/or IPv6 networks that should be protected/monitored. ``` ```{eval-rst} .. cfgcmd:: set service ids ddos-protection sflow listen-address Configure local IPv4 address to listen for sflow. ``` ```{eval-rst} .. cfgcmd:: set service ids ddos-protection sflow port <1-65535> Configure port number to be used for sflow conection. Default port is 6343. ``` ```{eval-rst} .. cfgcmd:: set service ids ddos-protection threshold general [fps | mbps | pps] <0-4294967294> Configure general threshold parameters. ``` ```{eval-rst} .. cfgcmd:: set service ids ddos-protection threshold icmp [fps | mbps | pps] <0-4294967294> Configure ICMP threshold parameters. ``` ```{eval-rst} .. cfgcmd:: set service ids ddos-protection threshold tcp [fps | mbps | pps] <0-4294967294> Configure TCP threshold parameters ``` ```{eval-rst} .. cfgcmd:: set service ids ddos-protection threshold udp [fps | mbps | pps] <0-4294967294> Configure UDP threshold parameters ``` ### Example A configuration example can be found in this section. In this simplified scenario, main things to be considered are: > - Network to be protected: 192.0.2.0/24 (public IPs use by > customers) > - **ban-time** and **threshold**: these values are kept very low in order > to easily identify and generate and attack. > - Direction: **in** and **out**. Protect public network from external > attacks, and identify internal attacks towards internet. > - Interface **eth0** used to connect to upstream. Since we are analyzing attacks to and from our internal network, two types of attacks can be identified, and differents actions are needed: > - External attack: an attack from the internet towards an internal IP > is identify. In this case, all connections towards such IP will be > blocked > - Internal attack: an attack from the internal network (generated by a > customer) towards the internet is identify. In this case, all connections > from this particular IP/Customer will be blocked. So, firewall configuration needed for this setup: ```none set firewall group address-group FNMS-DST-Block set firewall group address-group FNMS-SRC-Block set firewall ipv4 forward filter rule 10 action 'drop' set firewall ipv4 forward filter rule 10 description 'FNMS - block destination' set firewall ipv4 forward filter rule 10 destination group address-group 'FNMS-DST-Block' set firewall ipv4 forward filter rule 20 action 'drop' set firewall ipv4 forward filter rule 20 description 'FNMS - Block source' set firewall ipv4 forward filter rule 20 source group address-group 'FNMS-SRC-Block' ``` Then, FastNetMon configuration: ```none set service ids ddos-protection alert-script '/config/scripts/fnm-alert.sh' set service ids ddos-protection ban-time '10' set service ids ddos-protection direction 'in' set service ids ddos-protection direction 'out' set service ids ddos-protection listen-interface 'eth0' set service ids ddos-protection mode 'mirror' set service ids ddos-protection network '192.0.2.0/24' set service ids ddos-protection threshold general pps '100' ``` And content of the script: ```none #!/bin/bash # alert-script is called twice. # When an attack occurs, the program calls a bash script twice: # 1st time when threshold exceed # 2nd when we collect 100 packets for detailed audit of what happened. # Do nothing if “attack_details” is passed as an argument if [ "${4}" == "attack_details" ]; then # Do nothing exit fi # Arguments: ip=$1 direction=$2 pps_rate=$3 action=$4 logger -t FNMS "** Start - Running alert script **" if [ "${direction}" == "incoming" ] ; then group="FNMS-DST-Block" origin="external" else group="FNMS-SRC-Block" origin="internal" fi if [ "${action}" == "ban" ] ; then logger -t FNMS "Attack detected for IP ${ip} and ${direction} direction from ${origin} network. Need to block IP address." logger -t FNMS "Adding IP address ${ip} to firewall group ${group}." sudo nft add element ip vyos_filter A_${group} { ${ip} } else logger -t FNMS "Timeout for IP ${ip}, removing it from group ${group}." sudo nft delete element ip vyos_filter A_${group} { ${ip} } fi logger -t FNMS "** End - Running alert script **" exit ```