SMAMA

jmginer Member, Patron Provider

SMAMA = Servicio de Monitorización de Ataques y Mitigación Automática

"Service for Monitoring Attacks and Automatic Mitigation"

SMAMA is a service which, as the name suggests, monitors all the incoming traffic
on our network and enables the appropriate mitigation routines.

The analysis is performed by monitoring flows received by our routers.

When SMAMA detects an attack, what it does is:

  • If the source of the attack is a single IP, i.e. it is a DoS attack, it creates a firewall rule that blocks the attacker's IP.

  • If the source of the attack is distributed, i.e. it is a DDoS attack, it enables the BGP session on the mitigation router and turns off the BGP session on the normal router.

The time it takes for an attack to be detected is less than 1 minute.
The time it takes to move the traffic to the mitigation BGP session is less than 1 minute.
That is, SMAMA takes less than 2 minutes to start mitigating attacks on ANY IP OF OUR NETWORK.

When it detects that there are no more attacks running, the BGP sessions go back to normal,
and if any firewall rules have been applied, they are deactivated.


Comments

  • perennate Member, Host Rep
    edited August 2015

    Cool story bro.

    Edit: also lol two minutes, fail

    RamNull is our customized DDoS mitigation system. RamNull automatically nullroutes targeted IPs across our network and emails respective clients when under attack. Nullroutes are lifted every few minutes and re-applied if the attack is ongoing. Since nullroutes are handled quickly and automatically, RamNull minimizes downtime experienced by neighbor clients when an IP on the same node is under attack.

    This system is not the same as DDoS protection since a nullroute does take your IP offline. If you need DDoS protection (i.e., filtering), please see this article: https://clientarea.ramnode.com/knowledgebase.php?action=displayarticle&id=85

  • jmginer Member, Patron Provider
    edited August 2015

    perennate said: Edit: also lol two minutes, fail

    Yes, to prevent packet loss during this time and not be affected by attacks on other customers, you can order a fully protected IP, only 3€/month, and you will get permanent mitigation.

  • perennate Member, Host Rep
    edited August 2015

    jmginer said: Yes, to prevent packet loss during this time and not be affected by attacks on other customers, you can order a fully protected IP, only 3€/month, and you will get permanent mitigation.

    ???

  • perennate Member, Host Rep
    edited August 2015

    cheap plans 50% off -- http://summerhost.biz/subpage.html use coupon SMAMA

    to prevent packet loss you can order full protected IP, only 2 BTC per month.

  • @perennate said:
    cheap plans 50% off -- http://summerhost.biz/subpage.html use coupon SMAMA

    Doesn't work here :( :( :(

  • perennate Member, Host Rep
    edited August 2015

    cassa said: Doesn't work here :( :( :(

    sorry we are out of stock, went out fast!

    you can still purchase without coupon

    we accept btc, litecoin, dogecoin, bluecoin, orangecoin, summercoin, etc.

  • @perennate said:
    sorry we are out of stock, went out fast!

    Please fix. I need a VPS with 100 IPs for an opt-in email list

  • perennate Member, Host Rep

    cassa said: Please fix. I need a VPS with 100 IPs for an opt-in email list

    I hear these guys can get you set up fast -- http://ipsystemsltd.com

  • perennate Member, Host Rep
    edited August 2015

    Haters gonna hate

    13:28:14.689642 IP 95.84.240.213.1900 > 38.110.117.199.28119: UDP, length 312
    13:28:14.689693 IP 95.84.129.68.1900 > 38.110.117.199.28119: UDP, length 307
    13:28:14.689698 IP 95.69.131.15.1900 > 38.110.117.199.28119: UDP, length 311
    13:28:14.689699 IP 95.84.185.114.1900 > 38.110.117.199.28119: UDP, length 245
    13:28:14.689703 IP 95.84.240.213.1900 > 38.110.117.199.28119: UDP, length 308
    13:28:14.689718 IP 95.9.73.80.1900 > 38.110.117.199.28119: UDP, length 268
    13:28:14.689756 IP 38.110.117.199 > 95.44.179.118: ICMP 38.110.117.199 udp port 28119 unreachable, length 345
    13:28:14.689770 IP 38.110.117.199 > 95.45.138.150: ICMP 38.110.117.199 udp port 28119 unreachable, length 345
    13:28:14.689774 IP 95.69.136.189.1900 > 38.110.117.199.28119: UDP, length 323
    13:28:14.689779 IP 95.84.230.127.1900 > 38.110.117.199.28119: UDP, length 245
    13:28:14.689783 IP 38.110.117.199 > 95.44.229.209: ICMP 38.110.117.199 udp port 28119 unreachable, length 345
    13:28:14.689787 IP 95.84.240.213.1900 > 38.110.117.199.28119: UDP, length 306
    13:28:14.689795 IP 95.69.166.43.1900 > 38.110.117.199.28119: UDP, length 317
    13:28:14.689799 IP 95.69.131.15.1900 > 38.110.117.199.28119: UDP, length 307
    13:28:14.689848 IP 38.110.117.199 > 95.44.71.102: ICMP 38.110.117.199 udp port 28119 unreachable, length 369
    13:28:14.689858 IP 95.84.240.213.1900 > 38.110.117.199.28119: UDP, length 308
    13:28:14.689858 IP 95.84.185.114.1900 > 38.110.117.199.28119: UDP, length 315
    13:28:14.689864 IP 38.110.117.199 > 95.45.139.70: ICMP 38.110.117.199 udp port 28119 unreachable, length 297
    13:28:14.689865 IP 95.44.251.56.1900 > 38.110.117.199.28119: UDP, length 323
    13:28:14.689877 IP 38.110.117.199 > 95.44.70.10: ICMP 38.110.117.199 udp port 28119 unreachable, length 369
    13:28:14.689878 IP 95.9.132.14.1900 > 38.110.117.199.28119: UDP, length 288
    13:28:14.689885 IP 95.45.140.207.1900 > 38.110.117.199.28119: UDP, length 341
    13:28:14.689887 IP 95.9.91.74.1900 > 38.110.117.199.28119: UDP, length 288
    13:28:14.689888 IP 38.110.117.199 > 95.44.72.170: ICMP 38.110.117.199 udp port 28119 unreachable, length 369
    13:28:14.689891 IP 95.9.46.14.1900 > 38.110.117.199.28119: UDP, length 331
    13:28:14.689915 IP 95.84.230.127.1900 > 38.110.117.199.28119: UDP, length 315
    13:28:14.689929 IP 95.69.136.189.1900 > 38.110.117.199.28119: UDP, length 311
    13:28:14.689937 IP 95.84.129.68.1900 > 38.110.117.199.28119: UDP, length 307
    13:28:14.689960 IP 38.110.117.199 > 95.44.239.94: ICMP 38.110.117.199 udp port 28119 unreachable, length 306
    13:28:14.689975 IP 38.110.117.199 > 95.45.224.49: ICMP 38.110.117.199 udp port 28119 unreachable, length 306
    13:28:14.689989 IP 38.110.117.199 > 95.44.182.21: ICMP 38.110.117.199 udp port 28119 unreachable, length 361
    13:28:14.689999 IP 95.84.168.143.1900 > 38.110.117.199.28119: UDP, length 245
    13:28:14.690001 IP 38.110.117.199 > 95.44.236.125: ICMP 38.110.117.199 udp port 28119 unreachable, length 369
    13:28:14.690010 IP 95.84.230.127.1900 > 38.110.117.199.28119: UDP, length 291
    13:28:14.690013 IP 38.110.117.199 > 95.44.91.179: ICMP 38.110.117.199 udp port 28119 unreachable, length 369
    13:28:14.690032 IP 95.69.131.15.1900 > 38.110.117.199.28119: UDP, length 305
    13:28:14.690034 IP 95.84.185.114.1900 > 38.110.117.199.28119: UDP, length 291
    13:28:14.690075 IP 95.84.129.68.1900 > 38.110.117.199.28119: UDP, length 317
    13:28:14.690088 IP 95.84.168.143.1900 > 38.110.117.199.28119: UDP, length 315
    13:28:14.690101 IP 38.110.117.199 > 95.44.239.94: ICMP 38.110.117.199 udp port 28119 unreachable, length 369
    13:28:14.690113 IP 38.110.117.199 > 95.44.68.122: ICMP 38.110.117.199 udp port 28119 unreachable, length 297
    13:28:14.690114 IP 95.69.136.189.1900 > 38.110.117.199.28119: UDP, length 307
    13:28:14.690125 IP 38.110.117.199 > 95.44.236.51: ICMP 38.110.117.199 udp port 28119 unreachable, length 361
    13:28:14.690137 IP 38.110.117.199 > 95.44.115.167: ICMP 38.110.117.199 udp port 28119 unreachable, length 297
    13:28:14.690148 IP 38.110.117.199 > 95.45.138.163: ICMP 38.110.117.199 udp port 28119 unreachable, length 361
    13:28:14.690157 IP 95.69.140.175.1900 > 38.110.117.199.28119: UDP, length 228
    13:28:14.690205 IP 95.84.185.114.1900 > 38.110.117.199.28119: UDP, length 323
    13:28:14.690225 IP 95.9.166.101.1900 > 38.110.117.199.28119: UDP, length 216
    13:28:14.690226 IP 95.69.131.15.1900 > 38.110.117.199.28119: UDP, length 307
    13:28:14.690234 IP 95.84.168.143.1900 > 38.110.117.199.28119: UDP, length 291
    13:28:14.690244 IP 38.110.117.199 > 95.44.72.170: ICMP 38.110.117.199 udp port 28119 unreachable, length 361
    13:28:14.690266 IP 95.69.136.189.1900 > 38.110.117.199.28119: UDP, length 305
    13:28:14.690269 IP 38.110.117.199 > 95.44.19.245: ICMP 38.110.117.199 udp port

    But seriously, no idea what the point of this topic is... it isn't even an advertisement, it's like it's copied and pasted from their knowledgebase.
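
The detection rule from the opening post (one source: firewall the IP; many sources: switch the prefix to the mitigation BGP session) run over a capture in the same tcpdump format as the dump above, as an added example in Python that is neither SMAMA's code nor any poster's. The line parser, the flow limit of 10 packets, the 90% reflector ratio and the sample capture (RFC 5737 documentation addresses) are constructed assumptions. It goes one step beyond the post's rule by flagging reflection by source port: in a dump like the one above the "sources" on UDP port 1900 are abused SSDP responders answering spoofed requests, so a firewall rule per source would only block reflectors, never the attacker.

```python
# Added example (not SMAMA's code): classify the inbound UDP packets of a
# tcpdump-style capture per destination IP, then apply the rule from the
# opening post: one source -> DoS, block the source; many sources -> DDoS,
# move the prefix to the mitigation BGP session.  The flow limit, the 90%
# reflector ratio and all addresses below are assumptions/constructed.
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Matches "HH:MM:SS.usec IP src.sport > dst.dport: UDP, length N".  The outbound
# "ICMP ... udp port N unreachable" replies in a capture do not match and are skipped.
UDP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>(?:\d{1,3}\.){3}\d{1,3})\.(?P<sport>\d+) > "
    r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3})\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)

# UDP services commonly abused as reflectors; when nearly every packet comes
# from one of these source ports the "sources" are spoofed-request reflectors.
REFLECTORS = {1900: "SSDP", 53: "DNS", 123: "NTP", 19: "chargen", 161: "SNMP", 11211: "memcached"}

@dataclass
class Target:
    packets: int = 0
    bytes: int = 0
    sources: Counter = field(default_factory=Counter)    # src IP -> packets
    src_ports: Counter = field(default_factory=Counter)  # src port -> packets

@dataclass
class Verdict:
    kind: str                        # "clean", "dos" or "ddos"
    action: str                      # "none", "block-source" or "bgp-mitigation"
    sources: int                     # distinct source IPs seen
    reflector: Optional[str] = None  # e.g. "SSDP" when it looks like reflection
    block_ip: Optional[str] = None   # the IP a DoS firewall rule would block

def aggregate(lines: List[str]) -> Dict[str, Target]:
    """Group inbound UDP packets by destination IP."""
    targets: Dict[str, Target] = defaultdict(Target)
    for line in lines:
        m = UDP_LINE.match(line.strip())
        if not m:
            continue
        t = targets[m["dst"]]
        t.packets += 1
        t.bytes += int(m["length"])
        t.sources[m["src"]] += 1
        t.src_ports[int(m["sport"])] += 1
    return dict(targets)

def classify(lines: List[str], flow_limit: int = 10) -> Dict[str, Verdict]:
    """Apply the single-source/distributed rule once a target exceeds flow_limit packets."""
    verdicts: Dict[str, Verdict] = {}
    for dst, t in aggregate(lines).items():
        if t.packets < flow_limit:
            verdicts[dst] = Verdict("clean", "none", len(t.sources))
            continue
        port, n = t.src_ports.most_common(1)[0]
        reflector = REFLECTORS.get(port) if n / t.packets >= 0.9 else None
        if len(t.sources) == 1:
            (src,) = t.sources
            verdicts[dst] = Verdict("dos", "block-source", 1, reflector, src)
        else:
            verdicts[dst] = Verdict("ddos", "bgp-mitigation", len(t.sources), reflector)
    return verdicts

def _line(src: str, sport: int, dst: str, dport: int, length: int, i: int) -> str:
    return f"13:28:14.{690000 + i:06d} IP {src}.{sport} > {dst}.{dport}: UDP, length {length}"

# Constructed capture using documentation address ranges (RFC 5737).
SAMPLE: List[str] = []
for i in range(12):   # SSDP reflection: 12 packets from 8 reflectors, all from source port 1900
    SAMPLE.append(_line(f"198.51.100.{i % 8 + 1}", 1900, "203.0.113.10", 28119, 300 + i, i))
for i in range(11):   # single-source flood against a DNS port
    SAMPLE.append(_line("192.0.2.7", 40000 + i, "203.0.113.20", 53, 64, 20 + i))
SAMPLE.append(_line("198.51.100.53", 53, "203.0.113.30", 51000, 120, 40))  # ordinary DNS replies
SAMPLE.append(_line("198.51.100.53", 53, "203.0.113.30", 51001, 120, 41))
SAMPLE.append("13:28:14.690042 IP 203.0.113.10 > 198.51.100.1: ICMP 203.0.113.10 udp port 28119 unreachable, length 345")

if __name__ == "__main__":
    for dst, v in classify(SAMPLE).items():
        print(dst, v)
```

With the constructed capture, 203.0.113.10 is classed as DDoS with reflector SSDP (so the BGP swap is the right action and the eight 198.51.100.x hosts should not be firewalled), 203.0.113.20 as DoS with 192.0.2.7 as the IP to block, and 203.0.113.30 as clean. The ICMP port-unreachable line is the victim answering a reflector and is ignored, as it should be when counting inbound flows.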

  • Neoon Community Contributor, Veteran

    So wait, that just "Premium" DDOS Protection with a different name?

  • jmginer Member, Patron Provider
    edited August 2015

    @Infinity580 said:
    So wait, that just "Premium" DDOS Protection with a different name?

    SMAMA is not a DDoS protection service; it is a service that detects the attacks and runs the routines to activate the mitigation, but it does not do any mitigation.


    @perennate said:

    is not the same as DDoS protection since a nullroute does take your IP offline. If you need DDoS protection (i.e., filtering)

    SMAMA runs the routines to mitigate the attack; it is not a nullroute.

  • SMAMA is like a basic (D)DoS protection? I'm a bit confused.

  • @jmginer said:

    SMAMA is not a DDoS protection service; it is a service that detects the attacks and runs the routines to activate the mitigation, but it does not do any mitigation.

    So it detects attacks to activate the mitigation but doesn't do mitigation.

  • Good news, this is better than a nullroute.

    thanks @jmginer

  • "Mama" is German and is like "mom" in English. Further, you could pronounce the s in front of it as ass. So we've got an "ass mom" obviously.

    Kinda as sensible as a system which

    detects the attacks and runs the routines to activate the mitigation, but does not do any mitigation.

  • perennate Member, Host Rep
    edited August 2015

    Come on, we're seriously going to complain about how the post says mitigation (something that many other providers like RamNode do) instead of complaining about how the post gives no context and looks like it should be a knowledgebase article?

  • jmginer Member, Patron Provider

    We're working on a new option now, an option to enable/disable the permanent mitigation:

  • rm_ IPv6 Advocate, Veteran

    Reminds me of AutoBoot (tm)

  • netomx Moderator, Veteran

    So much trolling today

  • jmginer Member, Patron Provider

    I love this project.

    we provide BGP AntiDDoS protection. What is this? It is a sensor + mitigation service that mitigates via BGP+tunnel in less than 2 minutes.

    We have 3 peers using it, far from done, but working really well.

    DONE:
    
    1- Option in the admin to setup the nfsen alerts URL, currently: http://nfsen.ginernet.com/alerts/
    
    4- Implement CIDR IP ranges and add internal networks to the firewall whitelist by default (never add a firewall rule if an IP is internal)
    
    6.1- In the router config add an option:
     -- if the router is NOT protected, disable networks: yes/no (default yes)
     6.2-- When a router is added and we show the networks, for each network add an option called "Blocked status": yes/no (default no)
        - If yes -> never change the current status for this network IN this router
        - If no -> can do any change (enable/disable network) IN this router
        
        
    7- Implement the "Network list":
     - Read all networks in routers and show
     - For each network, add option:
       - "IP Manager" option (point 8)
       - "Mitigation options"
         -- "When the attack finishes, disable in protected router" -> yes/no (default no)
    
    8- Implement a "IP Manager" for each network:
     - Show all IPs of the networks
     - For each IP, button to show logs of attacks (nfsen and fastnetmon)
     - For each IP, allow running curl commands:
        -- All IPs are by default in "Sensor mode"
        -- Option to enable "Mitigation mode" and save this status in the database
     
    
    9- CURL commands:
     - Sensor mode: xxx
     - Mitigation mode: xxx
     
     
     
    10- When an attack is detected (flows limit reached):
     -- Check if the affected IP is internal (found in some router network) or external (not in any router)
        -- If the IP is external -> Run firewall command (this is done, working well)
        -- If the IP is internal:
            -- Check to find the IP on the routers:
                -- Check if the network is blocked or not (point 6.2); if it's not blocked:
                    -- If the router is protected -> Always run "Enable network" and run the CURL for "Mitigation mode"
                    -- If the router is NOT protected -> Disable the network if point 6.1 is configured as yes; if no, don't disable.
    
    
    
    
    =======================
    
    PENDING:
    
    2- Option in the admin to setup the fastnetmon alerts URL, currently: http://185.47.131.150/attacks/
    
    3- Implement fastnetmon detection
    
    5- Implement multiuser option
    
    11- To stop mitigation:
     -- Check the timeout in the configuration of the system and point 14.2, then
        -- Check if the IP is configured in "Mitigation mode" (point 8)
          -- If it's in "Mitigation mode" -> re-run CURL for "Mitigation mode"
          -- If it's in "Sensor mode" -> run CURL for "Sensor mode"
        -- For each router, check if the network is blocked or not (point 6.2) if it's not blocked:
            -- Check if the network is configured as "Disable protected" (point 7):
              -- if yes: Enable the network in ALL NOT protected routers, and disable in protected routers
              -- if no: Enable in ALL routers 
    
    12- Logs & email alerts
    
        12.0 - Write a log on every event, specifying if it's done by hand (username) or by cron
            12.0.1 - IP status changed (sensor/mitigation)
            12.0.2 - Firewall rule added
            12.0.3 - Network enabled/disabled
            
        12.1 - Let the user configure which email alerts to receive:
            12.1.1 - When a new alert is detected in NFSEN (YES/NO); if yes, one extra option to select:
                    a - Any alert
                    b - Only internal networks
                    c - Only internal networks whose flows limit is reached (check point 14)
            12.1.2 - IP status changed (sensor/mitigation) (YES/NO)
            12.1.3 - Firewall rule added (YES/NO)
            12.1.4 - Network enabled/disabled (YES/NO)
            
            
    13- Mitigate by URL
        -- Option to parse an attacked IP by URL, ex:
                * http://smama.ginernet.com/mitigate.php?ip=5.134.199.99&option=start (start mitigation = point 10)
                * http://smama.ginernet.com/mitigate.php?ip=5.134.199.99&option=stop (stop mitigation = point 11)
            -- Restrict access to mitigate.php
            -- Run mitigation process: points 10 and 11
            -- Write logs & email alert
    
            
    14- Flows and timeout limits
        14.1 -  For each network, allow changing the default flows limit value.
                Then, in point 10, when the mitigation process starts, check if the affected network has a custom flows limit.
                If the network does not have a custom flows limit value, use the default value configured in admin/options.

        14.2 -  For each network, allow changing the default timeout value (Reactivate Disabled Network After (in minutes):)
                Then, in point 11, when the mitigation process ends, check if the affected network has a custom timeout value.
                If the network does not have a custom timeout value, use the default value configured in admin/options.
    
    
    15- when adding a firewall rule, add an unlimited option (without timeout) to the timeout
            * /ip firewall address-list add address=x.x.x.x list=xxxx
            
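
Points 6, 7, 10 and 11 of the list above as one start/stop decision routine, added here as an example in Python and not the project's own code (the post's stack is PHP, see mitigate.php in point 13). The router/network data model, the field names, the action strings, the two-router topology in demo_topology() and the documentation prefix 203.0.113.0/24 are assumptions; the curl endpoints of point 9, left as "xxx" in the post, are represented only as action strings a caller would execute. Keeping the routine a pure function that returns the actions, instead of running them inline, is what makes a policy like this testable before it is allowed to touch BGP sessions.

```python
# Added example (not the project's code): the start/stop mitigation logic of
# points 6, 7, 10 and 11 as pure functions over an assumed router/network
# model.  Every name, flag and action string here is an assumption; the curl
# endpoints of point 9 (left as "xxx" in the post) are only represented as
# action strings that a caller would execute.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Network:
    cidr: str
    blocked_status: bool = False               # point 6.2: never change this network on this router
    disable_in_protected_after: bool = False   # point 7: when the attack ends, disable in protected router
    enabled: bool = True                       # is the prefix currently announced on this router

@dataclass
class Router:
    name: str
    protected: bool                            # True = the mitigation (scrubbing) BGP session
    disable_if_unprotected: bool = True        # point 6.1
    networks: List[Network] = field(default_factory=list)

def find_networks(routers: List[Router], ip: str) -> List[Tuple[Router, Network]]:
    """Every (router, network) pair whose prefix contains ip; empty means the IP is external."""
    addr = ipaddress.ip_address(ip)
    return [(r, n) for r in routers for n in r.networks
            if addr in ipaddress.ip_network(n.cidr, strict=False)]

def start_mitigation(routers: List[Router], ip: str) -> List[str]:
    """Point 10: actions to run, in order, when the flows limit is reached for ip."""
    actions: List[str] = []
    hits = find_networks(routers, ip)
    if not hits:
        # External IP: firewall it.  Internal IPs never get a firewall rule (point 4).
        actions.append(f"firewall add {ip}")
        return actions
    for router, net in hits:
        if net.blocked_status:
            continue                            # point 6.2: hands off this network
        if router.protected:
            net.enabled = True
            actions.append(f"{router.name}: enable {net.cidr}")
            actions.append(f"curl mitigation-mode {ip}")
        elif router.disable_if_unprotected:
            net.enabled = False                 # withdraw from the normal path so traffic shifts
            actions.append(f"{router.name}: disable {net.cidr}")
    return actions

def stop_mitigation(routers: List[Router], ip: str, ip_mode: Dict[str, str]) -> List[str]:
    """Point 11: actions to run once the timeout of point 14.2 has elapsed."""
    actions: List[str] = []
    if ip_mode.get(ip, "sensor") == "mitigation":
        actions.append(f"curl mitigation-mode {ip}")   # point 8: permanently protected IP stays on
    else:
        actions.append(f"curl sensor-mode {ip}")
    for router, net in find_networks(routers, ip):
        if net.blocked_status:
            continue
        if router.protected and net.disable_in_protected_after:
            net.enabled = False
            actions.append(f"{router.name}: disable {net.cidr}")
        else:
            net.enabled = True
            actions.append(f"{router.name}: enable {net.cidr}")
    return actions

def demo_topology() -> List[Router]:
    """Constructed two-router setup; 203.0.113.0/24 is a documentation prefix."""
    return [
        Router("edge-normal", protected=False, networks=[Network("203.0.113.0/24")]),
        Router("edge-mitigation", protected=True,
               networks=[Network("203.0.113.0/24", disable_in_protected_after=True)]),
    ]

if __name__ == "__main__":
    topo = demo_topology()
    print(start_mitigation(topo, "203.0.113.55"))
    print(stop_mitigation(topo, "203.0.113.55", {}))
    print(start_mitigation(topo, "198.51.100.9"))
```

For an attacked internal IP the routine withdraws the prefix from the normal router, enables it on the mitigation router and puts the IP into mitigation mode; at stop time the prefix comes back on the normal router and, because the demo network has "disable in protected router" set, goes away on the mitigation router. An external IP gets a firewall rule and nothing else, and a network flagged with "Blocked status" is never touched.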
    
    
  • I need some popcorn.

  • @jmginer interested, PM me.

  • Any specific reason for the hate guys? I'm out of loop but I am pretty good at hating!

  • srvrpro said: Any specific reason for the hate guys?

    Looks like the main source of the butthurt didn't pan out to be his claim so he's gone quiet

  • If a "DoS" is coming from one IP, it's likely not an attack at all...

  • @classy said:
    If a "DoS" is coming from one IP, it's likely not an attack at all...

    You sir... Are an idiot.

  • Mun said: You sir... Are an idiot.

    Mun, we've all experienced you being the biggest, dumbest baboon around here.

    If it's coming from one IP it's a DoS, yeah, duh, anyone can read Wikipedia.

    But why in the fucking world, in 2015, would someone attempt launching an "attack" from a single IP, a single server and a single upstream? That's just plain stupid and utterly ineffective.

    DoS attacks are almost always on Layer 7, because that's where it's effective. On layer 3 it's pretty fucking useless as at best it may fuck a bit with your throttle until QoS kicks in.

  • Maybe you should learn that not all attacks are massive network attacks. You can really take down most WordPress sites with a simple search-based attack.

    Mun said: Maybe you should learn that not all attacks are massive network attacks. You can really take down most WordPress sites with a simple search-based attack.

    So how is this protection mechanism going to detect it then?

    jmginer said: If the source of the attack is a single IP, ie is a DoS attack, create a firewall rule that blocks the attacker IP.

    Is it going to screen all incoming HTTP requests? Because it probably just looks at your incoming PPS, as it would become incredibly intensive to monitor otherwise.

    At which point the firewall is either useless against DoS "attacks" or you have no way to know if people got blacklisted unintentionally without contacting the provider.

  • My point is not whether the protection will work. My point is that you can have a DoS attack from one IP, and it can be effective.

    DoS is generally from a few IPs anyway, which is why it isn't considered a DDoS.

    So case in point... You are an idiot, and I'm clearly not the biggest and dumbest baboon.
