mirror of
https://github.com/vyos/vyos-documentation.git
synced 2025-10-26 08:41:46 +01:00
Merge pull request #1624 from dmbaturin/T6919-good-bye-fastnetmon
T7241: remove Fastnetmon
This commit is contained in:
Robert Göhler
GitHub
commit
0678571263
@ -1,179 +0,0 @@
|
|||||||
.. _ids:
|
|
||||||
|
|
||||||
###############
|
|
||||||
DDoS Protection
|
|
||||||
###############
|
|
||||||
|
|
||||||
**********
|
|
||||||
FastNetMon
|
|
||||||
**********
|
|
||||||
|
|
||||||
FastNetMon is a high-performance DDoS detector/sensor built on top of multiple
|
|
||||||
packet capture engines: NetFlow, IPFIX, sFlow, AF_PACKET (port mirror). It can
|
|
||||||
detect hosts in the deployed network sending or receiving large volumes of
|
|
||||||
traffic, packets/bytes/flows per second and perform a configurable action to
|
|
||||||
handle that event, such as calling a custom script.
|
|
||||||
|
|
||||||
VyOS includes the FastNetMon Community Edition.
|
|
||||||
|
|
||||||
Configuration
|
|
||||||
=============
|
|
||||||
|
|
||||||
.. cfgcmd:: set service ids ddos-protection alert-script <text>
|
|
||||||
|
|
||||||
Configure alert script that will be executed when an attack is detected.
|
|
||||||
|
|
||||||
.. cfgcmd:: set service ids ddos-protection ban-time <1-4294967294>
|
|
||||||
|
|
||||||
Configure how long an IP (attacker) should be kept in blocked state.
|
|
||||||
Default value is 1900.
|
|
||||||
|
|
||||||
.. cfgcmd:: set service ids ddos-protection direction [in | out]
|
|
||||||
|
|
||||||
Configure direction for processing traffic.
|
|
||||||
|
|
||||||
.. cfgcmd:: set service ids ddos-protection exclude-network <x.x.x.x/x>
|
|
||||||
.. cfgcmd:: set service ids ddos-protection exclude-network <h:h:h:h:h:h:h:h/x>
|
|
||||||
|
|
||||||
Specify IPv4 and/or IPv6 networks which are going to be excluded.
|
|
||||||
|
|
||||||
.. cfgcmd:: set service ids ddos-protection listen-interface <text>
|
|
||||||
|
|
||||||
Configure listen interface for mirroring traffic.
|
|
||||||
|
|
||||||
.. cfgcmd:: set service ids ddos-protection mode [mirror | sflow]
|
|
||||||
|
|
||||||
Configure traffic capture mode.
|
|
||||||
|
|
||||||
.. cfgcmd:: set service ids ddos-protection network <x.x.x.x/x>
|
|
||||||
.. cfgcmd:: set service ids ddos-protection network <h:h:h:h:h:h:h:h/x>
|
|
||||||
|
|
||||||
Specify IPv4 and/or IPv6 networks that should be protected/monitored.
|
|
||||||
|
|
||||||
.. cfgcmd:: set service ids ddos-protection sflow listen-address <x.x.x.x>
|
|
||||||
|
|
||||||
Configure local IPv4 address to listen for sflow.
|
|
||||||
|
|
||||||
.. cfgcmd:: set service ids ddos-protection sflow port <1-65535>
|
|
||||||
|
|
||||||
Configure port number to be used for sflow connection. Default port is 6343.
|
|
||||||
|
|
||||||
.. cfgcmd:: set service ids ddos-protection threshold general
|
|
||||||
[fps | mbps | pps] <0-4294967294>
|
|
||||||
|
|
||||||
Configure general threshold parameters.
|
|
||||||
|
|
||||||
.. cfgcmd:: set service ids ddos-protection threshold icmp
|
|
||||||
[fps | mbps | pps] <0-4294967294>
|
|
||||||
|
|
||||||
Configure ICMP threshold parameters.
|
|
||||||
|
|
||||||
.. cfgcmd:: set service ids ddos-protection threshold tcp
|
|
||||||
[fps | mbps | pps] <0-4294967294>
|
|
||||||
|
|
||||||
Configure TCP threshold parameters
|
|
||||||
|
|
||||||
.. cfgcmd:: set service ids ddos-protection threshold udp
|
|
||||||
[fps | mbps | pps] <0-4294967294>
|
|
||||||
|
|
||||||
Configure UDP threshold parameters
|
|
||||||
|
|
||||||
Example
|
|
||||||
=======
|
|
||||||
|
|
||||||
A configuration example can be found in this section.
|
|
||||||
In this simplified scenario, main things to be considered are:
|
|
||||||
|
|
||||||
* Network to be protected: 192.0.2.0/24 (public IPs use by
|
|
||||||
customers)
|
|
||||||
|
|
||||||
* **ban-time** and **threshold**: these values are kept very low in order
|
|
||||||
to easily identify and generate and attack.
|
|
||||||
|
|
||||||
* Direction: **in** and **out**. Protect public network from external
|
|
||||||
attacks, and identify internal attacks towards internet.
|
|
||||||
|
|
||||||
* Interface **eth0** used to connect to upstream.
|
|
||||||
|
|
||||||
Since we are analyzing attacks to and from our internal network, two types
|
|
||||||
of attacks can be identified, and different actions are needed:
|
|
||||||
|
|
||||||
* External attack: an attack from the internet towards an internal IP
|
|
||||||
is identify. In this case, all connections towards such IP will be
|
|
||||||
blocked
|
|
||||||
|
|
||||||
* Internal attack: an attack from the internal network (generated by a
|
|
||||||
customer) towards the internet is identify. In this case, all connections
|
|
||||||
from this particular IP/Customer will be blocked.
|
|
||||||
|
|
||||||
|
|
||||||
So, firewall configuration needed for this setup:
|
|
||||||
|
|
||||||
.. code-block:: none
|
|
||||||
|
|
||||||
set firewall group address-group FNMS-DST-Block
|
|
||||||
set firewall group address-group FNMS-SRC-Block
|
|
||||||
|
|
||||||
set firewall ipv4 forward filter rule 10 action 'drop'
|
|
||||||
set firewall ipv4 forward filter rule 10 description 'FNMS - block destination'
|
|
||||||
set firewall ipv4 forward filter rule 10 destination group address-group 'FNMS-DST-Block'
|
|
||||||
|
|
||||||
set firewall ipv4 forward filter rule 20 action 'drop'
|
|
||||||
set firewall ipv4 forward filter rule 20 description 'FNMS - Block source'
|
|
||||||
set firewall ipv4 forward filter rule 20 source group address-group 'FNMS-SRC-Block'
|
|
||||||
|
|
||||||
Then, FastNetMon configuration:
|
|
||||||
|
|
||||||
.. code-block:: none
|
|
||||||
|
|
||||||
set service ids ddos-protection alert-script '/config/scripts/fnm-alert.sh'
|
|
||||||
set service ids ddos-protection ban-time '10'
|
|
||||||
set service ids ddos-protection direction 'in'
|
|
||||||
set service ids ddos-protection direction 'out'
|
|
||||||
set service ids ddos-protection listen-interface 'eth0'
|
|
||||||
set service ids ddos-protection mode 'mirror'
|
|
||||||
set service ids ddos-protection network '192.0.2.0/24'
|
|
||||||
set service ids ddos-protection threshold general pps '100'
|
|
||||||
|
|
||||||
And content of the script:
|
|
||||||
|
|
||||||
.. code-block:: none
|
|
||||||
|
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
# alert-script is called twice.
|
|
||||||
# When an attack occurs, the program calls a bash script twice:
|
|
||||||
# 1st time when threshold exceed
|
|
||||||
# 2nd when we collect 100 packets for detailed audit of what happened.
|
|
||||||
|
|
||||||
# Do nothing if “attack_details” is passed as an argument
|
|
||||||
if [ "${4}" == "attack_details" ]; then
|
|
||||||
# Do nothing
|
|
||||||
exit
|
|
||||||
fi
|
|
||||||
# Arguments:
|
|
||||||
ip=$1
|
|
||||||
direction=$2
|
|
||||||
pps_rate=$3
|
|
||||||
action=$4
|
|
||||||
|
|
||||||
logger -t FNMS "** Start - Running alert script **"
|
|
||||||
|
|
||||||
if [ "${direction}" == "incoming" ] ; then
|
|
||||||
group="FNMS-DST-Block"
|
|
||||||
origin="external"
|
|
||||||
else
|
|
||||||
group="FNMS-SRC-Block"
|
|
||||||
origin="internal"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "${action}" == "ban" ] ; then
|
|
||||||
logger -t FNMS "Attack detected for IP ${ip} and ${direction} direction from ${origin} network. Need to block IP address."
|
|
||||||
logger -t FNMS "Adding IP address ${ip} to firewall group ${group}."
|
|
||||||
sudo nft add element ip vyos_filter A_${group} { ${ip} }
|
|
||||||
else
|
|
||||||
logger -t FNMS "Timeout for IP ${ip}, removing it from group ${group}."
|
|
||||||
sudo nft delete element ip vyos_filter A_${group} { ${ip} }
|
|
||||||
fi
|
|
||||||
logger -t FNMS "** End - Running alert script **"
|
|
||||||
exit
|
|
||||||
@ -16,7 +16,6 @@ Service
|
|||||||
dns
|
dns
|
||||||
eventhandler
|
eventhandler
|
||||||
https
|
https
|
||||||
ids
|
|
||||||
ipoe-server
|
ipoe-server
|
||||||
lldp
|
lldp
|
||||||
mdns
|
mdns
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user