• No results found

DDoS detection & mitigation

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "DDoS detection & mitigation"

Copied!
19
0
0

Loading.... (view fulltext now)

Download now ( 19 Page )

Full text

(1)
(2)

DDoS detection & mitigation

Introduction

Name: Thomas de Looff

1 of 3 owners of PCextreme

- Management

- Datacenter

- Network

- Finance

Hobbies

- Programming

- Running

- Kitesurfing

(3)

DDoS detection & mitigation

PCextreme

Services

- Cloud Compute & Objects

- Webhosting & Domain registration

- Dedicated Servers

- Colocation & Rackspace

- Managed Hosting

(4)

DDoS detection & mitigation

What is a DDoS attack?

Making the host/network

unreachable by sending a lot

of traffic from different

(5)

DDoS detection & mitigation

Mitigate a DDoS the old way

Find the ip that is under

attack

Null route the ip address

Attacker is happy

(6)

DDoS detection & mitigation

The Problem

Null route helps the attacker

to reach his goal

Human action is too slow

(Stateful) firewall in between

(7)

DDoS detection & mitigation

(8)

DDoS detection & mitigation

(9)

DDoS detection & mitigation

(10)

DDoS detection & mitigation

(11)

DDoS detection & mitigation

Collecting data with PMACCT

:~# cat /etc/pmacct/sfacctd-1.conf

daemonize: true

sfacctd_port: 9997

aggregate[ddos]: dst_host, proto

plugins: memory[ddos]

imt_path[ddos]: /tmp/pmacct_ddos.pipe

:~# cat /etc/pmacct/sfacctd-1.conf

daemonize: true

sfacctd_port: 9998

aggregate[ddos]: dst_host, proto

plugins: memory[ddos]

imt_path[ddos]: /tmp/pmacct_ddos.pipe

:~# /usr/local/sbin/sfacctd -f /etc/pmacct/sfacctd-1.conf

:~# /usr/local/sbin/sfacctd -f /etc/pmacct/sfacctd-2.conf

(12)

DDoS detection & mitigation

DDoS Detect Configuration

:/opt/ddosdetect# cat ddosdetect.cfg

[ddosdetect]

interval = 0.5

log-cycle = 1

mitigate-back = 60

logfile = /var/log/ddosdetect.log

pmacct-pipe = /tmp/pmacct_ddos.pipe

blacklist = /opt/ddosdetect/blacklist.db

config-database = /opt/ddosdetect/config.db

(13)

DDoS detection & mitigation

Add range configuration

:/opt/ddosdetect# ./configadd.py -h

usage: configadd.py [-h] -r RANGE -n NETMASK [-pr PRIORITY] [-s SUBPRIORITY] -p PROTOCOL -t TYPE -v VALUE -a

{log,firewall,pushover,nullroute} [-k {Y,N}] Add config to database for DDoS Detect

optional arguments:

-h, --help show this help message and exit -r RANGE, --range RANGE

ip

-n NETMASK, --netmask NETMASK

range netmask -pr PRIORITY, --priority PRIORITY

higher number is more important -s SUBPRIORITY, --subpriority SUBPRIORITY

higher number is more important -p PROTOCOL, --protocol PROTOCOL

tcp/udp

-t TYPE, --type TYPE packets / bytes -v VALUE, --value VALUE

trigger value packets/bytes per second

-a {log,firewall,pushover,nullroute}, --action {log,firewall,pushover,nullroute} action to take

-k {Y,N}, --keepon {Y,N}

(14)

DDoS detection & mitigation

Add range configuration

:/opt/ddosdetect# ./configadd.py -r 0.0.0.0 -n 0 -p tcp -t

packet -v 0 -k Y -a log

:/opt/ddosdetect# ./configadd.py -r 0.0.0.0 -n 0 -p udp -t

packet -v 0 -k Y -a log

:/opt/ddosdetect# ./configadd.py -r 66.66.66.0 -n 24 -p tcp -t

packet -v 15 -pr 100 -k Y -a firewall

:/opt/ddosdetect# ./configadd.py -r 66.66.66.0 -n 24 -p udp -t

packet -v 15 -pr 100 -k N -a firewall

:/opt/ddosdetect# ./configadd.py -r 66.66.66.0 -n 24 -p udp -t

packet -v 100 -pr 666 -k N -a nullroute

(15)

DDoS detection & mitigation

Run DDoS Detect

root@pmacct:/opt/ddosdetect# ./ddosdetect.py Config:

id: 1 keepon: Y priority: 0 range: 0.0.0.0/0 subpriority: 0 protocol: udp type: packets type_value: 10.0 action: log

id: 2 keepon: Y priority: 0 range: 0.0.0.0/0 subpriority: 0 protocol: tcp type: packets type_value: 10.0 action: log

id: 5 keepon: N priority: 666 range: 66.66.66.66/32 subpriority: 0 protocol: udp type: packets type_value: 100.0 action: nullroute

id: 4 keepon: N priority: 100 range: 66.66.66.0/24 subpriority: 0 protocol: tcp type: packets type_value: 15.0 action: firewall

id: 3 keepon: N priority: 100 range: 66.66.66.0/24 subpriority: 0 protocol: udp type: packets type_value: 15.0 action: firewall

2015-09-15 09:51:03,142:INFO:Star Cycle 2015-09-15 09:51:05,189:INFO:Star Cycle 2015-09-15 09:51:07,226:INFO:Star Cycle

2015-09-15 09:51:09,248:INFO:Log:ip_dst: 66.66.66.66 ip_proto: udp packets p/s: 12.0 bytes p/s: 17748.0 Check protocol: udp type: packets value: 10.0

2015-09-15 09:51:09,255:INFO:Star Cycle 2015-09-15 09:51:11,293:INFO:Star Cycle 2015-09-15 09:51:13,329:INFO:Star Cycle

2015-09-15 09:51:15,349:INFO:Firewall:ip_dst: 66.66.66.66 ip_proto: udp packets p/s: 24.0 bytes p/s: 35496.0 Check protocol: udp type: packets value: 15.0

2015-09-15 09:51:15,358:INFO:Star Cycle

2015-09-15 09:51:17,391:INFO:Nullroute:ip_dst: 66.66.66.66 ip_proto: udp packets p/s: 184.0 bytes p/s: 266224.0 Check protocol: udp type: packets value: 100.0

(16)

DDoS detection & mitigation

Route injection with ExaBGP config

cat /etc/exabgp/exabgp1.conf

neighbor 92.63.170.217 {

description "core01";

router-id 1.1.1.1;

local-address [router ip];

local-as 65002;

peer-as 65002;

graceful-restart;

static {

route 88.88.88.0/24 next-hop [firewall ip] community [as]:[community];

}

process announce-routes {

run /opt/ddosdetect/exabgproutes.py [router name] [firewall ip];

}

(17)

DDoS detection & mitigation

Route injection with ExaBGP example

:/opt/ddosdetect# /opt/ddosdetect/exabgproutes.py

announce route 92.63.168.230/32 next-hop [firewall ip]

withdraw route 92.63.168.230/32 next-hop [firewall ip]

(18)

DDoS detection & mitigation

(19)

DDoS detection & mitigation

Thanks

Coming Soon

https://github.com/thomasdelooff/

Collaboration

- NBIP/ NaWas

- OSAS H2020

Interested?

[email protected]

References

Download now ( PDF - 19 Page - 1.68 MB )

Related documents

Analysis on Reports of Qualitative Researches Published in Korean Journal of Women Health Nursing

Analysis on the reports of qualitative researches published in KJWHN was firstly conducted using a useful guideline of consolidated criteria for reporting

PLANNING COMMISSION SUMMARY ACTION MINUTES Regular Teleconference Meeting October 15, 2020

Request to rehabilitate two designated cultural resources, demolish all non-historic buildings and rear additions and construct a new four-story senior congregate care

Weekly Current Affairs Sep 29 to Oct 03

 On September 27, 2020, the Union Health Minister Dr Harsh Vardhan announced.. that GoI is to increase the health care expenditure in the country by 2.5%

Bee Keeping a Novices Guide Unlocked

You need to give the nucleus some food stores, so select a couple of frames of brood which have some capped stores and place in the nucleus as the first and fifth frame..

Antidote Use in the Critically Ill Poisoned Patient

The more commonly used antidotes that may be encountered in the intensive care unit (N-acetylcysteine, ethanol, fomepizole, physostigmine, naloxone, flumazenil, sodium

‘Under Our Protection, That of the Church and Their Own’- Papal and Secular Protection of the Families and Properties the Crusaders Left Behind, c.1095-1226.

Crusade regencies can be identified from the First Crusade, thus in chapters two, four, five and seven the case studies of Flanders, Champagne, the kingdom of France

The Stock Market Impact of Government Interventions on Financial Services Industry Groups: Evidence from the 2007-2009 Crisis

We expect to find a mixed reaction in the market with respect to banks and S&Ls, but a positive reaction from REITs and insurance companies (those that provided credit

Defined Benefit versus Defined Contribution Pension Plans: What are the Real Tradeoffs?

If the replacement rate is the relevant variable for worker retirement utility, then DB plans offer some degree of insurance against real wage risk.. Of course, protection offered