FastNetMon - ENOG9 speech about DDoS mitigation

FastNetMon: Open source DDoS mitigation toolkit
Pavel Odintsov, [email protected]
http://bit.ly/fastnetmon

Number of DDoS attacks per month (chart covering 2014-12 to 2015-06, monthly counts on a 0-40 scale)

DDoS attack directions
Incoming 69 %
Outgoing 31 %

Incoming DDoS attacks by protocol
udp 71 %
tcp 29 %

Outgoing DDoS attacks by protocol
udp 41 %
tcp 59 %

Is it dangerous?

Any solutions?
FastNetMon
http://bit.ly/fastnetmon

What can it do?
• Save the NOC's sleep :)
• Detect any DoS/DDoS attack that overflows a channel or overloads equipment
• Partially or completely block traffic from/to the attacked host in your own network
• Save your network (routers, switches, servers)
• Save your SLA

FastNetMon supported packet capture engines
• sFlow v5 (sampled traffic collection from switches)
• NetFlow v5, v9, v10 (sampled flow data from routers)
• IPFIX (sampled flow data from routers; IPFIX is the standardized successor of NetFlow v9 and is sometimes called NetFlow v10)
• SPAN/mirror port (full packet capture from routers/switches, deep inspection mode)

How can we block an attack?
• BGP announcement (blackhole community such as 666, blackhole, selective blackhole)
• BGP FlowSpec, RFC 5575 (selective traffic blocking)
• ACL on switch
• Custom script
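The two BGP actions above, as an added example that is not FastNetMon's own code: a /32 blackhole announcement carrying a blackhole community, and a BGP FlowSpec (RFC 5575) rule that discards only the attack vector so the host stays reachable for everything else. The command strings follow ExaBGP's text API syntax as remembered here; check them against the ExaBGP version you run. The own-prefix list, the discard next hop, the attack type names other than syn_flood and the community value 65535:666 (the well-known BLACKHOLE community from RFC 7999; older deployments use a provider-specific ASN:666) are assumptions made for the example.

```python
"""Build BGP mitigation commands for a detected attack target.

Added example, not FastNetMon's own code. The command strings follow
ExaBGP's text API syntax as remembered by the author; verify against your
ExaBGP version. Prefixes, next hop and attack type names are assumptions.
"""
import ipaddress

OWN_PREFIXES = [ipaddress.ip_network("10.10.0.0/16")]  # assumed: our own space
BLACKHOLE_NEXT_HOP = "192.0.2.1"     # assumed: next hop your edge routes to discard
BLACKHOLE_COMMUNITY = "65535:666"    # well-known BLACKHOLE community (RFC 7999);
                                     # older deployments use <ASN>:666 instead


def is_own_host(target_ip: str) -> bool:
    """True only if target_ip lies inside our own prefixes.

    A blackhole for an address you do not own takes someone else off the
    Internet, so every announcement goes through this check first.
    """
    addr = ipaddress.ip_address(target_ip)
    return any(addr in net for net in OWN_PREFIXES)


def blackhole_command(target_ip: str) -> str:
    """Announce the attacked /32 with the blackhole community.

    Every upstream honouring the community discards traffic to the host
    at its own edge: the target is sacrificed, the uplink survives.
    """
    if not is_own_host(target_ip):
        raise ValueError(f"refusing to blackhole {target_ip}: not in own prefixes")
    return (f"announce route {target_ip}/32 next-hop {BLACKHOLE_NEXT_HOP} "
            f"community [{BLACKHOLE_COMMUNITY}]")


def flowspec_command(target_ip: str, attack_type: str, protocol: str) -> str:
    """Announce a FlowSpec rule that discards only the attack vector.

    A SYN flood matches only TCP packets with SYN set, a fragmentation
    flood only fragments, UDP amplification all UDP to the host. Anything
    the rule does not match keeps flowing to the target.
    """
    if not is_own_host(target_ip):
        raise ValueError(f"refusing to filter {target_ip}: not in own prefixes")
    match = [f"destination {target_ip}/32", f"protocol {protocol}"]
    if attack_type == "syn_flood":
        match.append("tcp-flags [ syn ]")
    elif attack_type == "ip_fragmentation_flood":   # type name assumed
        match.append("fragment [ is-fragment ]")
    body = " ".join(f"{m};" for m in match)
    return f"announce flow route {{ match {{ {body} }} then {{ discard; }} }}"


def withdraw_command(announce_cmd: str) -> str:
    """Turn an announce command into the matching withdraw (unban)."""
    if not announce_cmd.startswith("announce "):
        raise ValueError("not an announce command")
    return "withdraw " + announce_cmd[len("announce "):]


if __name__ == "__main__":
    print(blackhole_command("10.10.10.221"))
    print(flowspec_command("10.10.10.221", "syn_flood", "tcp"))
    print(withdraw_command(flowspec_command("10.10.10.221", "syn_flood", "tcp")))
```

The blackhole trades the one host for the uplink, which is the right call when the attack is already saturating the channel; the FlowSpec rule is preferable whenever the upstream accepts it, because the host keeps serving legitimate traffic. In either case the own-prefix check is the line that matters most: a detector bug that announces a foreign /32 with the blackhole community is itself a denial of service against a third party.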

Supported platforms
• Hyper-V, ESXi, KVM: we offer an appliance based on VyOS
• CentOS/RHEL/Fedora Linux
• Debian/Ubuntu Linux
• FreeBSD

Hardware requirements
• 1 GE NIC (10 GE recommended for mirror/SPAN mode, Intel NICs only)
• Intel Xeon CPU (E5 v3 recommended for high speed capture from a mirror port)
• 10 GB hard disk

Performance
• sFlow: 40-100 GE
• NetFlow: 40-100 GE
• SPAN/mirror: 10-40 GE per node (tested up to 10 Mpps)

Supported vendors
• Cisco
• Juniper
• Extreme
• Huawei
• Linux (ipt_NETFLOW)

Attack detection logic
• By number of packets per second to/from a /32
• By bandwidth in Mbps to/from a /32
• By number of flows per second to/from a /32
• By number of fragmented packets per second to/from a /32
• By number of TCP SYN packets per second to/from a /32
• By number of UDP packets per second to/from a /32
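The detection logic above, as an added example that is not FastNetMon's own code: every sampled flow record is attributed to the /32 on our side of the conversation and to a direction (incoming or outgoing), the six counters from the slide are accumulated per second, sampled counts are scaled back up by the exporter's sample rate, and an alert is raised when any counter crosses its threshold. The own-network list, sample rate, thresholds, attack type names other than syn_flood and the flow records are all constructed for the example.

```python
"""Per-/32 threshold detection over sampled flow records.

Added example, not FastNetMon's own code. Networks, thresholds, sample
rate, attack type names and flow records are assumptions for the example.
"""
from collections import defaultdict
import ipaddress

OWN_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]  # assumed: our address space
SAMPLE_RATE = 1000        # assumed: exporter samples 1 packet in 1000
WINDOW_SECONDS = 1        # the records below cover one second of traffic

# Per-/32, per-second thresholds (assumed values; tune to your own baseline).
THRESHOLDS = {
    "pps": 50_000,
    "mbps": 1_000,
    "flows": 3_000,
    "syn_pps": 20_000,
    "udp_pps": 30_000,
    "fragmented_pps": 10_000,
}

TCP_SYN = 0x02  # TCP flag bit as exported in NetFlow/sFlow records

# Constructed sampled flow records:
# (src_ip, dst_ip, proto, tcp_flags, is_fragment, sampled_packets, sampled_bytes)
FLOWS = (
    # normal web traffic to and from one host in our network
    [("203.0.113.7", "10.10.10.5", "tcp", 0x18, False, 10, 1500)] * 3
    + [("10.10.10.5", "203.0.113.7", "tcp", 0x18, False, 20, 1500)] * 2
    # traffic that stays inside our network, or never touches it, is ignored
    + [("10.10.1.1", "10.10.2.2", "udp", 0, False, 5, 500),
       ("198.51.100.9", "203.0.113.9", "tcp", 0x10, False, 5, 500)]
    # SYN flood from 60 spoofed sources to one host: 60 sampled SYN packets
    + [(f"198.51.100.{i}", "10.10.10.221", "tcp", TCP_SYN, False, 1, 60)
       for i in range(1, 61)]
)


def is_own(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWN_NETWORKS)


def attribute(src: str, dst: str):
    """Return (direction, our /32) for a flow, or (None, None) when the flow
    is not between our network and the outside."""
    src_own, dst_own = is_own(src), is_own(dst)
    if dst_own and not src_own:
        return "incoming", dst
    if src_own and not dst_own:
        return "outgoing", src
    return None, None


def aggregate(flows, sample_rate=SAMPLE_RATE, window=WINDOW_SECONDS):
    """Accumulate the slide's six counters per (host, direction)."""
    stats = defaultdict(lambda: defaultdict(float))
    for src, dst, proto, flags, fragmented, pkts, nbytes in flows:
        direction, host = attribute(src, dst)
        if direction is None:
            continue
        pps = pkts * sample_rate / window       # scale the sampled count back up
        s = stats[(host, direction)]
        s["pps"] += pps
        s["mbps"] += nbytes * sample_rate * 8 / 1_000_000 / window
        s["flows"] += 1 / window                # one record = one flow
        if proto == "tcp" and flags & TCP_SYN:
            s["syn_pps"] += pps
        if proto == "udp":
            s["udp_pps"] += pps
        if fragmented:
            s["fragmented_pps"] += pps
    return stats


def classify(s) -> str:
    """Name the attack by the most specific counter over its threshold."""
    if s["syn_pps"] > THRESHOLDS["syn_pps"]:
        return "syn_flood"
    if s["fragmented_pps"] > THRESHOLDS["fragmented_pps"]:
        return "ip_fragmentation_flood"       # type name assumed
    if s["udp_pps"] > THRESHOLDS["udp_pps"]:
        return "udp_flood"                    # type name assumed
    return "unknown"


def detect(flows, thresholds=THRESHOLDS):
    """Return one alert per (host, direction) that crosses any threshold."""
    alerts = []
    for (host, direction), s in aggregate(flows).items():
        exceeded = [name for name, limit in thresholds.items() if s[name] > limit]
        if exceeded:
            alerts.append({"ip": host, "direction": direction,
                           "attack_type": classify(s), "triggered": exceeded,
                           "pps": s["pps"], "mbps": s["mbps"], "flows": s["flows"]})
    return alerts


def format_report(alert) -> str:
    """Render an alert in the style of the attack report shown later in the deck."""
    d = alert["direction"]
    return "\n".join([f"IP: {alert['ip']}",
                      f"Attack type: {alert['attack_type']}",
                      f"Initial attack power: {int(alert['pps'])} packets per second",
                      f"Attack direction: {d}",
                      f"Total {d} traffic: {int(alert['mbps'])} mbps",
                      f"Total {d} flows: {int(alert['flows'])} flows per second"])


if __name__ == "__main__":
    for a in detect(FLOWS):
        print(format_report(a), end="\n\n")
```

With 1:1000 sampling, 60 sampled SYNs to 10.10.10.221 estimate 60,000 pps and 28.8 Mbps: the pps and SYN thresholds trip while the bandwidth threshold does not, which is exactly why a pps-only or Mbps-only detector misses small-packet floods. The sample rate is the number to get right: a mis-configured multiplier either hides a real flood or bans a host on ordinary traffic, and the same scaling caveat applies to sFlow and NetFlow alike.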

Complete support for the most popular channel-overflow attacks
• SYN flood
• UDP amplification (SSDP, Chargen, DNS, SNMP, NTP)
• IP fragmentation

Example attack report
IP: 10.10.10.221
Attack type: syn_flood
Initial attack power: 546475 packets per second
Peak attack power: 546475 packets per second
Attack direction: incoming
Attack protocol: tcp
Total incoming traffic: 245 mbps
Total outgoing traffic: 0 mbps
Total incoming pps: 99059 packets per second
Total outgoing pps: 0 packets per second
Total incoming flows: 98926 flows per second
Total outgoing flows: 0 flows per second
Average incoming traffic: 45 mbps
Average outgoing traffic: 0 mbps
Average incoming pps: 99059 packets per second
Average outgoing pps: 0 packets per second
Incoming ip fragmented traffic: 250 mbps
Outgoing ip fragmented traffic: 0 mbps
Incoming ip fragmented pps: 546475 packets per second
Outgoing ip fragmented pps: 0 packets per second
Incoming tcp traffic: 250 mbps
Outgoing tcp traffic: 0 mbps
Incoming tcp pps: 546475 packets per second
Outgoing tcp pps: 0 packets per second
Incoming syn tcp traffic: 250 mbps
Outgoing syn tcp traffic: 0 mbps
Incoming syn tcp pps: 546475 packets per second
Outgoing syn tcp pps: 0 packets per second
Incoming udp traffic: 0 mbps
Outgoing udp traffic: 0 mbps
Incoming udp pps: 0 packets per second

Deploy scheme (diagram)

Attack visualization in Graphite (screenshot)

How can you help?
• If you are an Internet carrier, please offer BGP blackhole to your customers
• If you are a home ISP or data center, please filter outgoing attacks with great care
• Contribute to FastNetMon on GitHub!
• Share knowledge about DDoS mitigation