How to detect & mitigate (D)DoS Attacks using FastNetMon

 




Recently I have been researching the various denial-of-service attacks and how to mitigate them from Layer 1 to 7. As always, the most convenient way to stop an attack is to keep the bad requests/traffic away from your services, starting from the lowest layers of the ISO/OSI model.

Realistically, the only ways to prevent DDoS attacks are:

a) Layer 3-4 mitigation with BGP/cloud scrubbing (sending all your network traffic via BGP or 'sophisticated' VPNs to third-party POPs and delegating attack mitigation to them).

  • Pros: This is the only smart way to properly mitigate attacks; your services won't be hit by attack/malicious traffic.
  • Cons: You pay an external provider plus bandwidth costs. All your traffic is re-routed, so latency, packet loss and any other network issue that hits the external provider affects you directly. And yes, there can be false positives, and customers may be locked out of their services.


b) DNS obfuscation / CDN mitigation / proxying only legitimate requests; a well-known example is CloudFlare (kind of security through obscurity, and it works only if you have certain kinds of services and know your stuff).

  • Pros: If you only have HTTP(S) services exposed this is a great option, and it's cheap or free (you could also set up your own poor man's private proxying via Nginx on a cloud provider that offers DDoS protection).
  • Cons: Doesn't work well if you have other exposed services like email servers, FTP, or any dedicated network range assigned to you (for example, if you are a carrier you can't just hide your site behind DNS, since attackers will hit your announced AS networks directly).


c) Layer 6-7 mitigation using server/service-side countermeasures (enabling Nginx rate limiting, cache filtering, Apache mod_security & mod_evasive bans, ...).

  • Pros: Easy to configure, and some low-end attacks can be mitigated (for example website scans, automated bots, aggressive crawlers).
  • Cons: A real attack will saturate your uplink and take down all your services.


d) DIY DDoS protection using Linux boxes and the good old packet filter.

  • Pros: It's free and it just works; you only need to create your own "patterns" and attack/network blacklists.
  • Cons: You need at least 100G uplinks and expensive dedicated servers to process all the incoming/outgoing traffic fast enough, you have to manage all the network issues yourself, and if you saturate your links to the upstream BGP provider they may drop your traffic and/or blackhole you anyway, since nobody wants unwanted bandwidth costs and links saturated by malicious traffic or bogus packets.


Before you even think of option d), watch this:



Cool, but how do I detect attacks? Well, if you have $$ and only believe in enterprise stuff

--> grab that 500+ grand network box and put it in front of your DC, whereas if you are an open-source guy you can go for FastNetMon (by Pavel Odintsov) and set up your own anti-DDoS detection/mitigation solution (note: you must have BGP upstreams/peers that allow filtering).


What is FastNetMon?

FastNetMon is a DDoS analyzer that lets you detect attacks or suspicious traffic in near real time (example: VPS X is compromised and starts a SYN flood against outbound networks --> detected and alerted by FNM). FNM isn't just a
detection tool but also helps to mitigate attacks: after the ban rule is triggered, a bash script is executed (and there is a lot of 'extra' stuff you can do from there: Slack webhooks, keeping track of InfluxDB metrics, email alerts, sending an emergency call/SMS, BGP announces, shutting off a particular border gateway/switch port to avoid saturation).


Scenario 1:
A VPS provider on hypervisor X protects customers with FNM, and when an attack is detected in the NetFlow/sFlow/IPFIX traffic the bash script automatically adds a blackhole rule on the edge network device/hypervisor host to avoid degrading network performance for the other customers.
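As an added example (my own sketch, not FastNetMon's bundled notify_about_attack.sh), this is what the bash hook described above and the blackhole step of Scenario 1 can look like. FastNetMon invokes the notify script as `<ip> <incoming|outgoing> <pps> <ban|unban|attack_details>` and, for attack_details, pipes the attack report on stdin. The script validates the IP argument before it touches anything, refuses to blackhole an address on an allowlist (the false-positive case from the Cons above), adds or removes a kernel blackhole route on the edge host, and archives the attack report. The allowlist path, log path and DRY_RUN knob are assumptions of this example; the GoBGP/ExaBGP announcement path is FastNetMon's own integration and is not part of this script.

```shell
#!/bin/sh
# Added example of a FastNetMon notify hook (not the project's own
# notify_about_attack.sh). FastNetMon calls it as:
#   $1 = IP under attack / attacking IP   $2 = incoming|outgoing
#   $3 = packets per second               $4 = ban|unban|attack_details
# For attack_details the attack report arrives on stdin.
# Assumptions (this example's, not the page's): the script runs on the edge
# host that can blackhole via the kernel routing table; ALLOWLIST, LOG and
# DRY_RUN are knobs invented here.

ALLOWLIST="${ALLOWLIST:-/etc/fastnetmon/never_blackhole.txt}"
LOG="${LOG:-/var/log/fastnetmon-notify.log}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the route command instead of running it

# Accept a plain dotted-quad IPv4 only, so a malformed or hostile argument can
# never reach the route command. Returns 0 if valid, 1 otherwise.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest="$1." n=0
    while [ -n "$rest" ]; do
        o=${rest%%.*}; rest=${rest#*.}; n=$((n + 1))
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# Addresses you never want cut off automatically (your gateways, a customer
# you would rather page than blackhole): one IP per line in ALLOWLIST.
is_allowlisted() {
    [ -r "$ALLOWLIST" ] && grep -qxF "$1" "$ALLOWLIST"
}

# The route command for an action; empty for actions that change nothing.
blackhole_cmd() {
    case "$2" in
        ban)   echo "ip route add blackhole $1/32" ;;
        unban) echo "ip route del blackhole $1/32" ;;
        *)     echo "" ;;
    esac
}

# Dispatch one FastNetMon event. Exit codes: 0 done, 2 bad input,
# 3 skipped because the address is allowlisted.
handle_event() {
    ip="$1" direction="$2" pps="$3" action="$4"
    if ! valid_ipv4 "$ip"; then
        echo "rejected malformed ip argument: $ip" >&2
        return 2
    fi
    case "$action" in
        attack_details)
            # Keep the report FastNetMon pipes in: it is the forensic record.
            { echo "== $ip $direction ${pps}pps $(date -u +%FT%TZ) =="; cat; } >> "$LOG"
            return 0 ;;
        ban|unban) ;;
        *) echo "unknown action: $action" >&2; return 2 ;;
    esac
    if is_allowlisted "$ip"; then
        echo "$action of allowlisted $ip ($direction, ${pps}pps) skipped" >> "$LOG"
        return 3
    fi
    cmd=$(blackhole_cmd "$ip" "$action")
    echo "$action $ip ($direction, ${pps}pps): $cmd" >> "$LOG"
    if [ "$DRY_RUN" = 1 ]; then
        echo "$cmd"
    else
        $cmd   # word-split deliberately: every token was built by blackhole_cmd
    fi
}

# Act as a script only when FastNetMon's four arguments are present.
if [ $# -eq 4 ]; then
    handle_event "$@"
elif [ $# -gt 0 ]; then
    echo "usage: $0 <ip> <incoming|outgoing> <pps> <ban|unban|attack_details>" >&2
    exit 2
fi
```

Run it with DRY_RUN=1 to see the route command a ban would produce without touching the routing table. In production it runs as root on the edge host, so the strict IP check matters: the arguments FastNetMon passes are the only untrusted input, and the check guarantees they reach the shell only as an address, never as a command. The allowlist is the cheap insurance against the false-positive lockout mentioned under option a).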

Scenario 2:
A carrier needs to monitor traffic flows on their network boxes, sets up FNM and gathers all the flows to monitor subnets and re-route traffic (GoBGP & ExaBGP are supported by FNM) when links are saturated.

... and so on.

The FNM setup is quite easy to get up and running; the tricky part is setting up the Grafana/InfluxDB metrics, but that's not a problem if you are only interested in detection/mitigation.
If you are into dashboarding you could also set up an ELK stack (the icing on the cake) to gather NetFlow data and build great visualizations with Kibana (total PPS in, top "talkers" on outgoing/incoming traffic, traffic categories, sort by TCP/UDP, ...).

The only requirements are:

  • A small server/virtual machine that will receive all the flow traffic from routers/switches via a capture backend
  • For automated BGP integration, the server must be allowed to talk directly to the routers/switches

Links and Resources:

For any questions & discussion, don't hesitate to contact me.

