path: root/docs/configuration/service/ids.rst
blob: 3e508d509c617d04a07baa2b149de4bbd2617e08 (plain)
.. _ids:

###############
DDoS Protection
###############

**********
FastNetMon
**********

FastNetMon is a high-performance DDoS detector/sensor built on top of multiple
packet capture engines: NetFlow, IPFIX, sFlow and AF_PACKET (port mirror). It
can detect hosts in the monitored network that send or receive large volumes of
traffic (measured in packets, bytes or flows per second) and perform a
configurable action when that happens, such as calling a custom script.

VyOS includes the FastNetMon Community Edition.

Configuration
=============

.. cfgcmd:: set service ids ddos-protection alert-script <text>

    Configure the alert script that is executed when an attack is detected.

.. cfgcmd:: set service ids ddos-protection ban-time <1-4294967294>

    Configure how long an attacking IP address is kept in the blocked state.
    The default value is 1900.

.. cfgcmd:: set service ids ddos-protection direction [in | out]

    Configure the direction of the traffic to be processed.

.. cfgcmd:: set service ids ddos-protection exclude-network <x.x.x.x/x>
.. cfgcmd:: set service ids ddos-protection exclude-network <h:h:h:h:h:h:h:h/x>

    Specify IPv4 and/or IPv6 networks that are excluded from monitoring.

.. cfgcmd:: set service ids ddos-protection listen-interface <text>

    Configure the interface on which mirrored traffic is received.

.. cfgcmd:: set service ids ddos-protection mode [mirror | sflow]

    Configure traffic capture mode.

.. cfgcmd:: set service ids ddos-protection network <x.x.x.x/x>
.. cfgcmd:: set service ids ddos-protection network <h:h:h:h:h:h:h:h/x>

    Specify IPv4 and/or IPv6 networks that should be protected/monitored.

.. cfgcmd:: set service ids ddos-protection sflow listen-address <x.x.x.x>

    Configure the local IPv4 address on which to listen for sFlow.

.. cfgcmd:: set service ids ddos-protection sflow port <1-65535>

    Configure the port number used for the sFlow connection. The default port
    is 6343.

.. cfgcmd:: set service ids ddos-protection threshold general
   [fps | mbps | pps] <0-4294967294>

    Configure general threshold parameters.

.. cfgcmd:: set service ids ddos-protection threshold icmp
   [fps | mbps | pps] <0-4294967294>

    Configure ICMP threshold parameters.

.. cfgcmd:: set service ids ddos-protection threshold tcp
   [fps | mbps | pps] <0-4294967294>

    Configure TCP threshold parameters.

.. cfgcmd:: set service ids ddos-protection threshold udp
   [fps | mbps | pps] <0-4294967294>

    Configure UDP threshold parameters.

Example
=======

A configuration example can be found in this section.
In this simplified scenario, the main things to consider are:

    * Network to be protected: 192.0.2.0/24 (public IPs used by
      customers)

    * **ban-time** and **threshold**: these values are kept very low in order
      to easily generate and identify an attack.

    * Direction: **in** and **out**. Protect the public network from external
      attacks, and identify internal attacks towards the internet.

    * Interface **eth0** is used to connect to the upstream.

Since we are analyzing attacks to and from our internal network, two types
of attacks can be identified, and different actions are needed:

    * External attack: an attack from the internet towards an internal IP
      is identified. In this case, all connections towards that IP will be
      blocked.

    * Internal attack: an attack from the internal network (generated by a
      customer) towards the internet is identified. In this case, all
      connections from this particular IP/customer will be blocked.

So, the firewall configuration needed for this setup is:

.. code-block:: none

    set firewall group address-group FNMS-DST-Block
    set firewall group address-group FNMS-SRC-Block

    set firewall ipv4 forward filter rule 10 action 'drop'
    set firewall ipv4 forward filter rule 10 description 'FNMS - block destination'
    set firewall ipv4 forward filter rule 10 destination group address-group 'FNMS-DST-Block'

    set firewall ipv4 forward filter rule 20 action 'drop'
    set firewall ipv4 forward filter rule 20 description 'FNMS - Block source'
    set firewall ipv4 forward filter rule 20 source group address-group 'FNMS-SRC-Block'

Then, the FastNetMon configuration:

.. code-block:: none

    set service ids ddos-protection alert-script '/config/scripts/fnm-alert.sh'
    set service ids ddos-protection ban-time '10'
    set service ids ddos-protection direction 'in'
    set service ids ddos-protection direction 'out'
    set service ids ddos-protection listen-interface 'eth0'
    set service ids ddos-protection mode 'mirror'
    set service ids ddos-protection network '192.0.2.0/24'
    set service ids ddos-protection threshold general pps '100'

And the content of the script:

.. code-block:: bash

    #!/bin/bash

    # FastNetMon calls the alert-script twice for each attack:
    # 1st time when the threshold is exceeded (action "ban"; later "unban"
    #     once the ban-time has expired),
    # 2nd time when 100 packets have been collected for a detailed audit of
    #     what happened (action "attack_details").

    # Do nothing if "attack_details" is passed as an argument
    if [ "${4}" == "attack_details" ]; then
        exit 0
    fi

    # Arguments:
    ip=$1
    direction=$2
    pps_rate=$3
    action=$4

    logger -t FNMS "** Start - Running alert script **"

    # Incoming attacks block the destination, outgoing attacks block the source
    if [ "${direction}" == "incoming" ] ; then
        group="FNMS-DST-Block"
        origin="external"
    else
        group="FNMS-SRC-Block"
        origin="internal"
    fi

    if [ "${action}" == "ban" ] ; then
        logger -t FNMS "Attack detected for IP ${ip} and ${direction} direction from ${origin} network. Need to block IP address."
        logger -t FNMS "Adding IP address ${ip} to firewall group ${group}."
        sudo nft add element ip vyos_filter A_${group} { ${ip} }
    else
        logger -t FNMS "Timeout for IP ${ip}, removing it from group ${group}."
        sudo nft delete element ip vyos_filter A_${group} { ${ip} }
    fi
    logger -t FNMS "** End - Running alert script **"
    exit 0
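As an added example (not code from the VyOS documentation or from FastNetMon), the same alert-script logic restructured into shell functions that validate the arguments FastNetMon passes and build the nft command without running it, so the group mapping can be checked offline before the script is installed. The `attack_details` handling (packet sample on stdin) and the `/config/fnm-attacks` directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the VyOS docs or FastNetMon): the page's alert-script
# logic as checkable functions. Assumed arguments: <ip> <direction> <pps> <action>.

# Accept only a plain dotted-quad IPv4 address; the value ends up unquoted in
# an nft command and in a file name, so anything else is rejected.
valid_ipv4() {
    local octet
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Same mapping as the page: incoming blocks the destination, outgoing the source.
group_for_direction() {
    case "$1" in
        incoming) echo "FNMS-DST-Block" ;;
        outgoing) echo "FNMS-SRC-Block" ;;
        *) return 1 ;;
    esac
}

# Build the nft command for a ban/unban event without running it; any
# unexpected argument returns 1 instead of reaching nft.
nft_command() {
    local ip="$1" direction="$2" action="$3" group verb
    valid_ipv4 "$ip" || return 1
    group=$(group_for_direction "$direction") || return 1
    case "$action" in
        ban) verb="add" ;;  unban) verb="delete" ;;  *) return 1 ;;
    esac
    echo "nft $verb element ip vyos_filter A_${group} { ${ip} }"
}

# Entry point when installed as alert-script. The attack_details call (packet
# sample on stdin) is kept for review; /config/fnm-attacks is an assumed path.
handle_alert() {
    valid_ipv4 "$1" || { logger -t FNMS "rejected alert arguments: $*"; return 1; }
    if [ "$4" = "attack_details" ]; then cat > "/config/fnm-attacks/${1}-${2}.txt"; return 0; fi
    cmd=$(nft_command "$1" "$2" "$4") || { logger -t FNMS "rejected: $*"; return 1; }
    logger -t FNMS "$cmd"
    sudo $cmd    # word splitting intended: the braces are separate arguments
}

if [ "$#" -ge 4 ]; then handle_alert "$@"; fi
```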