any suggestions?: automated DDOS detection and BGP black-holing
I'm currently looking into methods to automate the DDOS detection to (at least) alert me if an attack is taking place, and possibly automatically black-hole the ip(s) under attack.
Currently I am planning for my network to look something like this:
upstream----cisco_switch---servers
                 |
                 |---network_sniffer
...or in other words, I'll be spanning the port connecting to my upstream provider and mirroring that out to my sniffer box. The sniffer box will likely be a vanilla debian box, so I'll have the full set of unix tools to utilize. I'll have an eBGP peering session between myself and my provider, so setting up a black-hole (ala rfc3882) to the destination ip of the attack isn't going to be a problem.
I'm also considering sticking a vyatta box in front of the cisco switch and having that handle the BGP session and do any sniffing inline.
Where I am having a bit of a hard time with all of this is with finding the right tool to use for bandwidth statistics on a per IP basis. I've always used tcpdump, but that doesn't seem as useful in this case. Tools like iptraf, ntop, and bandwidthd are great...but don't seem to lend themselves to automation very well. Right now I'm strongly considering sflow if I go with the provider-to-cisco topology, or trying to work this out with iptables on the vyatta box. At that point it's just a couple of lines of code to diff between output sampled at two spaces in time. However, the sflow method seems like it could get overly complicated for what I need, and the iptables method doesn't seem like it'd scale well if I had multiple /24 blocks.
But I'm sure that someone's done this before...does anyone have any insight that they can give me on how they accomplished this?
Thanks in advance.
Comments
Is the Cisco a layer 2 or layer 3 switch? With tcl you can do what you need in a layer 3 switch, and rsh from your sniffer back to the Cisco to issue the needed commands.
From the Cisco you could do something as simple as mirror the uplink to a second port
That's it, just that simple. Now if the Cisco is just a dumb switch, yes, put a Vyatta in and there are tons of community resources out there to do exactly what you want.
http://ipband.sourceforge.net/ can be used for per IP bandwidth notification. Not sure if that's what you're trying to do.
As you mentioned, iptables can be used for per IP monitoring too. While it's a bit unwieldy to set up (is there anything in iptables that isn't unwieldy?), shell scripts will help with maintenance automation once you've got it going.
It's a c3550, so it's an older L3 switch. Sorry, my ascii diagram didn't come across very well. I'll already be mirroring the port as you mentioned there.
Are there? Because I've been searching for a couple of days and I haven't found anything. Could you please point me in the right direction? Feel free to respond back with a "let me google that for you" link, because maybe I just need to get slapped upside the head. But I've been googling "vyatta + bgp + black-hole + ddos + script".
Thanks Damian. That looks quite usable. Better than anything I've found so far.
What if you would get a Cisco Firewall for this?
I've never heard of a firewall that can detect an attack and that'll then pass a bgp community string to black-hole a /32 to an upstream provider before. Is there such a beast?
http://www.linux.it/~md/text/blackholing.html came up about IOS, specifically the section about "Customer-triggered blackholing". This appears to be provider-centric instead of customer-centric, but it may give you direction.
@caffleck Sorry, I made a mistake; I meant the Cisco Guard + Traffic Anomaly Detector devices.
Specifically I had the Cisco Guard XT 5650A and the Cisco Traffic Anomaly Detector XT 5600 in mind.
The following PDF has more info on these two:
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6236/prod_presentation0900aecd80225903.pdf
Right! That's exactly what I'm looking to accomplish. That's what the rfc I mentioned in the initial discussion covers. I've been assuming that this would be fairly commonplace for providers as a defense against attacks. I've assumed that most providers (at least those that own their own equipment) would already have something like this in place.
Thanks for the suggestion, but that's not really what I'm after.
What I'm looking to do is the following:
01. Detect an attack event on my network.
02. Email/SMS me that an event is in progress.
03. Execute a perl script that'll telnet into the cisco + tag a route so that my eBGP upstream will black-hole a route, in a manner such as the one described in the link sent by Damian.
I think BuyVM has a similar setup, which they refer to as "auto-null".
@sturdyvps: That'd be a good solution, except I think it's EOL/EOS. Also, it's pretty expensive, and I'd rather use open source.
@caffleck Yes, I believe it's EOL and you are correct, it would be quite expensive - I managed to get the hardware from a datacenter that was closing down, so got them extremely cheap.
IPTables is fine for getting accounting on a single box, but on an edge box you want there to be as few iptables rules as possible, if any. IPTables really bogs things down, even on really large gear.
When we were rebuilding our whole bandwidth accounting system for stallion, I screwed up some sanity checks and it ended up flooding our ip6tables FORWARD table with 40,000 entries at 2000 new entries every 15 minutes.
Once it hit 40,000 we started to see heavy packet loss to the box and terrible network performance. I quickly addressed the bug but still
To the OP, there aren't any public systems for this. We ended up having a system coded that does this on our vyatta edge router.
Francisco
Looks like I'll be rolling my own then. Thanks to everybody that gave input!
Stallion sounds nice :P
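The three-step flow the OP lists earlier in the thread (detect a per-IP bandwidth spike on the mirrored uplink, alert, then tag a /32 so the eBGP upstream black-holes it RFC 3882 style), written out as an added example; this is not code from the thread or from any product named in it. The packet samples are constructed, the threshold and route tag are arbitrary, and the community value is a placeholder for whatever the upstream actually publishes.

```python
import ipaddress
from collections import defaultdict

# Constructed samples standing in for what the sniffer sees on the mirrored uplink:
# (seconds since window start, destination IP, frame bytes).
SAMPLES = (
    [(i * 0.002, "192.0.2.10", 1500) for i in range(5000)]      # 7.5 MB in 10 s: flood
    + [(i * 0.05, "192.0.2.20", 1500) for i in range(200)]      # 300 KB in 10 s: normal
    + [(i * 0.002, "198.51.100.7", 1500) for i in range(5000)]  # outbound, not our space
)
TAG = 666                       # route tag the route-map matches (arbitrary)
COMMUNITY = "PROVIDER_ASN:666"  # placeholder: the blackhole community your upstream documents

def bytes_per_dst(samples, t_start, t_end):
    """Sum bytes per destination IP for samples inside [t_start, t_end)."""
    totals = defaultdict(int)
    for ts, dst, size in samples:
        if t_start <= ts < t_end:
            totals[dst] += size
    return totals

def detect_attack(samples, t_start, window_s, threshold_mbps, my_prefixes):
    """Step 1: [(ip, mbps)] for hosts in my_prefixes whose inbound rate exceeds the threshold."""
    nets = [ipaddress.ip_network(p) for p in my_prefixes]
    victims = []
    for dst, nbytes in bytes_per_dst(samples, t_start, t_start + window_s).items():
        if not any(ipaddress.ip_address(dst) in n for n in nets):
            continue  # traffic leaving our network; nothing we could black-hole upstream
        mbps = nbytes * 8 / window_s / 1e6
        if mbps > threshold_mbps:
            victims.append((dst, round(mbps, 2)))
    return sorted(victims)

def alert_text(victims):
    """Step 2: body for the email/SMS."""
    return "DDoS alert: " + ", ".join(f"{ip} at {mbps} Mbps" for ip, mbps in victims)

def blackhole_commands(victim_ip):
    """Step 3: IOS lines pushed to the switch; the tagged Null0 route is picked up by
    ROUTE_MAP (applied via 'redistribute static route-map BLACKHOLE' under the BGP process)."""
    return [f"ip route {victim_ip} 255.255.255.255 Null0 tag {TAG}"]

# One-time router configuration the per-attack commands rely on.
ROUTE_MAP = [
    "route-map BLACKHOLE permit 10",
    f" match tag {TAG}",
    f" set community {COMMUNITY} no-export",
]
```

With the constructed samples, a 10-second window and a 5 Mbps threshold, only 192.0.2.10 trips the detector; the outbound flow to 198.51.100.7 is ignored because it is outside the local /24.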
Just want to save my time: have you compared it to Untangle or any other Debian-derivative firewall OS?