DDoS Protection
FastNetMon
FastNetMon is a high-performance DDoS detector/sensor built on top of multiple packet capture engines: NetFlow, IPFIX, sFlow and AF_PACKET (port mirror). It can detect hosts in the deployed network that send or receive large volumes of traffic (packets, bytes or flows per second) and perform a configurable action to handle that event, such as calling a custom script.
VyOS includes the FastNetMon Community Edition.
Configuration
Configure the alert script that will be executed when an attack is detected.
Configure how long an IP (attacker) should be kept in the blocked state. The default value is 1900.
Specify IPv4 and/or IPv6 networks that are to be excluded from monitoring.
Configure the listen interface on which mirrored traffic is received.
Specify IPv4 and/or IPv6 networks that should be protected/monitored.
Configure the local IPv4 address on which to listen for sFlow.
Configure the port number to be used for the sFlow connection. The default port is 6343.
Configure general threshold parameters.
Configure ICMP threshold parameters.
Configure TCP threshold parameters.
Example
A configuration example can be found in this section. In this simplified scenario, the main things to be considered are:
Network to be protected: 192.0.2.0/24 (public IPs used by customers).
ban-time and threshold: these values are kept very low in order to easily generate and identify an attack.
Direction: in and out. Protect the public network from external attacks, and identify internal attacks towards the internet.
Interface eth0 is used to connect to the upstream.
Since we are analyzing attacks to and from our internal network, two types of attacks can be identified, and different actions are needed for each:
External attack: an attack from the internet towards an internal IP is identified. In this case, all connections towards that IP will be blocked.
Internal attack: an attack from the internal network (generated by a customer) towards the internet is identified. In this case, all connections from this particular IP/customer will be blocked.
So, the firewall configuration needed for this setup is:
set firewall group address-group FNMS-DST-Block
set firewall group address-group FNMS-SRC-Block
set firewall ipv4 forward filter rule 10 action 'drop'
set firewall ipv4 forward filter rule 10 description 'FNMS - block destination'
set firewall ipv4 forward filter rule 10 destination group address-group 'FNMS-DST-Block'
set firewall ipv4 forward filter rule 20 action 'drop'
set firewall ipv4 forward filter rule 20 description 'FNMS - Block source'
set firewall ipv4 forward filter rule 20 source group address-group 'FNMS-SRC-Block'
Then, the FastNetMon configuration:
set service ids ddos-protection alert-script '/config/scripts/fnm-alert.sh'
set service ids ddos-protection ban-time '10'
set service ids ddos-protection direction 'in'
set service ids ddos-protection direction 'out'
set service ids ddos-protection listen-interface 'eth0'
set service ids ddos-protection mode 'mirror'
set service ids ddos-protection network '192.0.2.0/24'
set service ids ddos-protection threshold general pps '100'
And the content of the script:
#!/bin/bash
# alert-script is called twice.
# When an attack occurs, FastNetMon calls this script twice:
# 1st time when the threshold is exceeded
# 2nd time when 100 packets have been collected for a detailed audit of what happened.
# Do nothing if "attack_details" is passed as an argument
if [ "${4}" == "attack_details" ]; then
    # Do nothing
    exit 0
fi
# Arguments:
ip=$1
direction=$2
pps_rate=$3
action=$4
logger -t FNMS "** Start - Running alert script **"
if [ "${direction}" == "incoming" ] ; then
    group="FNMS-DST-Block"
    origin="external"
else
    group="FNMS-SRC-Block"
    origin="internal"
fi
if [ "${action}" == "ban" ] ; then
    logger -t FNMS "Attack detected for IP ${ip} and ${direction} direction from ${origin} network. Need to block IP address."
    logger -t FNMS "Adding IP address ${ip} to firewall group ${group}."
    sudo nft add element ip vyos_filter A_${group} { ${ip} }
else
    logger -t FNMS "Timeout for IP ${ip}, removing it from group ${group}."
    sudo nft delete element ip vyos_filter A_${group} { ${ip} }
fi
logger -t FNMS "** End - Running alert script **"
exit 0
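The script above passes its arguments straight to sudo nft and treats any direction other than "incoming" as outgoing. The following is an added example (not the VyOS page's script and not FastNetMon code) that validates the four arguments FastNetMon passes before anything reaches nft, maps direction and action to the address groups configured above, and returns the nft command from a function so it can be checked without root. The names is_ipv4 and fnm_nft_cmd are helper names chosen for this example.

```shell
#!/bin/sh
# Added example: validate FastNetMon's four arguments before calling nft.
# Table, set prefix and group names match the firewall configuration above.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Print the nft command for one callback: <ip> <direction> <pps> <action>.
# "attack_details" (the second call) prints nothing; bad input returns 1.
# The pps value ($3) is only informational and is not needed here.
fnm_nft_cmd() {
    ip=$1; direction=$2; action=$4
    if [ "$action" = "attack_details" ]; then
        return 0
    fi
    is_ipv4 "$ip" || return 1
    case "$direction" in
        incoming) group="FNMS-DST-Block" ;;   # victim inside 192.0.2.0/24
        outgoing) group="FNMS-SRC-Block" ;;   # attacker inside 192.0.2.0/24
        *) return 1 ;;
    esac
    case "$action" in
        ban)   verb="add" ;;
        unban) verb="delete" ;;
        *) return 1 ;;
    esac
    printf '%s element ip vyos_filter A_%s { %s }\n' "$verb" "$group" "$ip"
}

# Entry point when FastNetMon invokes the script with its four arguments;
# when sourced or run without them, only the functions are defined.
if [ $# -eq 4 ]; then
    cmd=$(fnm_nft_cmd "$@") || { logger -t FNMS "Rejected arguments: $*"; exit 1; }
    [ -z "$cmd" ] || sudo nft $cmd
fi
```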