How to detect & mitigate (D)DoS Attacks using FastNetMon
Recently I was researching a lot on the various denial of service attacks and how to mitigate them from Layer 1 to 7, and as always the most convenient way to stop any attack is keeping the bad requests/traffic away from your services starting from the lowest layers of the ISO/OSI model.
Realistically the only ways to prevent DDoS attacks are:
a) Layer 3-4 mitigation with BGP/Cloud Scrubbing
(Sending all your network traffic using BGP or 'sophisticated' VPNs to third-party POPs to delegate attack mitigation.)
- Pros: This is the only smart way to properly mitigate attacks; your services won't be hit by attacks/malicious traffic.
- Cons: Paying an external provider & bandwidth costs. All your traffic is re-routed, so latency, packet loss and any other network issue that happens to the external provider affects you directly... And yes, there could be false positives and customers may be locked out.
b) DNS Obfuscation/CDN Mitigation/Proxying only legit requests
A well-known example is CloudFlare (kinda like Security through Obfuscation.. and it works only if you have certain services and know your stuff).
- Pros: If you only have HTTP(S) services exposed this is a great option and it's cheap or free (you could also set up your own poor man's private proxying via Nginx on some Cloud provider with DDoS protection).
- Cons: Doesn't work well if you have other exposed services like Email servers, FTP or any dedicated exposed network assigned to you (example: if you are a Carrier you can't just hide your site using DNS, since they will hit your announced AS networks).
c) Layer 6-7 mitigation using server/service side counter-measures (enabling Nginx rate limiting, cache filtering, Apache modsecurity & modevasive bans..)
- Pros: Easy to configure, and some low-end attacks can be mitigated (example: website scans, automated bots/aggressive crawlers..)
- Cons: A real attack will saturate your uplink and bring down all your services.
d) DIY DDoS protection using Linux boxes and a good packet filter.
- Pros: It's free, it just works, you only need to create your own "patterns" and attack/network blacklists.
- Cons: You need to have at least 100G uplinks and expensive dedicated servers to process all the incoming/outgoing traffic fast enough, you have to manage all the network issues yourself, and if you saturate your links with the upstream BGP provider they may drop your traffic and/or blackhole you anyway, as no one wants unwanted bandwidth costs & links saturated by malicious traffic or bogus packets.
Before you even think of option d), watch this:
Cool, but how do I detect attacks? Well, if you have $$ and you only believe in enterprise stuff --> grab that 500+ grand network box and put it in front of your DC, whereas if you are an opensource guy you can go for FastNetMon (by Pavel Odintsov) and set up your own Anti-DDoS detection/mitigation solution (note: you must have BGP upstreams/peers that allow filtering).
What is FastNetMon?
FastNetMon is a DDoS analyzer that lets you detect attacks or suspicious traffic in near real time (example: VPS X is compromised and starts doing a SYN flood vs outbound nets --> detected and alerted by FNM). FNM isn't just a detection tool but also helps to mitigate attacks: after the ban rule is triggered a bash script is executed (and there is a lot of 'extra' stuff you can do there.. Slack webhooks.. keep track of Influx metrics.. email alerts.. send an emergency call/SMS.. BGP announce.. shut off a particular border GW/switch port to avoid saturation).
Some scenarios:
- A VPS provider on Hypervisor X protects customers with FNM; when an attack is detected on NetFlow/sFlow/IPFIX traffic the bash script automatically adds a blackhole rule on the edge network device/hypervisor host to avoid degrading network performance for other customers.
- A Carrier needs to monitor traffic flows on their network boxes: set up FNM and gather all flows to monitor subnets and re-route traffic (GoBGP & ExaBGP are supported by FNM) when links are saturated.
- And so on.
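As an added example (not FNM's own notify script and not code from the original post), here is a minimal ban/unban hook for the hypervisor-host scenario above. It assumes FNM's notify-script convention of four positional arguments (IP, direction, pps, action, with action being ban, unban or attack_details), a Linux host with iproute2, and IPv4 only; the `NEVER_BAN`, `DRY_RUN` and `BLACKHOLE_LOG` variables are names made up for this example. The point it adds to the paragraph is the two checks a hook like this needs: the IP argument is validated before it is handed to a command, and an allowlist keeps a false positive from blackholing your own gateways or resolvers.

```shell
#!/bin/sh
# Example FastNetMon notify script (not FNM's own): blackhole an IP on the
# local Linux host when FNM bans it, remove the route on unban, log everything.
# Assumed calling convention:  notify_script <ip> <direction> <pps> <action>
# Assumes iproute2 (`ip`) and IPv4 only.

BLACKHOLE_LOG="${BLACKHOLE_LOG:-/var/log/fnm-blackhole.log}"
DRY_RUN="${DRY_RUN:-0}"      # DRY_RUN=1: print the ip(8) command instead of running it
NEVER_BAN="${NEVER_BAN:-}"   # space-separated IPs that must never be blackholed
                             # (gateways, resolvers, monitoring): false-positive guard

# Return 0 only for a plain dotted-quad IPv4 address with every octet 0-255.
# Anything else (CIDR, hostnames, shell metacharacters) is rejected.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    (
        IFS=.
        for octet in $1; do
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Return 0 if $1 is on the NEVER_BAN allowlist.
is_protected() {
    for p in $NEVER_BAN; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Print the iproute2 command for a ban/unban of IP $2.
route_cmd() {
    case $1 in
        ban)   echo "ip route add blackhole $2/32" ;;
        unban) echo "ip route del blackhole $2/32" ;;
        *)     echo "unknown action: $1" >&2; return 1 ;;
    esac
}

# Handle one FNM event. Returns 0 on success, 2 if the IP argument was
# rejected, 3 if the IP is protected. In dry-run mode the command is printed.
handle_event() {
    ip=$1; direction=$2; pps=$3; action=$4
    is_ipv4 "$ip" || { echo "refusing non-IPv4 argument: $ip" >&2; return 2; }
    case $action in
        ban|unban)
            if is_protected "$ip"; then
                echo "$action skipped, $ip is on NEVER_BAN" >&2
                return 3
            fi
            cmd=$(route_cmd "$action" "$ip") || return 1
            if [ "$DRY_RUN" = 1 ]; then
                echo "$cmd"
            else
                $cmd    # unquoted on purpose: split into argv for ip(8); needs CAP_NET_ADMIN
            fi
            ;;
        *)
            :           # attack_details and anything else: only logged below
            ;;
    esac
    printf '%s action=%s ip=%s direction=%s pps=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$action" "$ip" "$direction" "$pps" >> "$BLACKHOLE_LOG"
}

# Only dispatch when FNM invokes us with its four arguments.
if [ "$#" -ge 4 ]; then
    handle_event "$@"
fi
```

Point FNM's notify script setting at this file and populate `NEVER_BAN` with the addresses the host cannot live without. A blackhole route on the hypervisor only protects that host; for the carrier case you would instead announce the prefix via the GoBGP/ExaBGP integration mentioned above, and the same validation and allowlist checks apply there too.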
The FNM setup is quite easy to get up and running; the tricky part is setting up the Grafana/InfluxDB metrics, but that's not a problem if you are interested only in detection/mitigation.
If you are into dashboarding you could also set up an ELK stack (this is the icing on the cake) to gather NetFlow data and create great visualizations with Kibana (total PPS in, top "talkers" on outgoing/incoming traffic, traffic categories, sort by TCP/UDP..).
The only requirements are:
- A small server/virtual machine that will receive all the flow traffic from routers/switches via a capture backend
- For automated BGP integration you need to allow the server to talk directly to the routers/switches
Links and Resources:
- Github documentation
- FastNetMon site (Thank you Pavel for this project)
- Managing Flows (great tool from Paolo Lucente): if you want to collect flows properly you can use nfacct
For any questions & discussion don't hesitate to contact me.