Like most, we occasionally get a DDOS attack; they are annoying and in the range of 900+ Mbit, so it sucks up all of our transit.
Luckily both our upstream providers support ‘black hole’ BGP groups, so we can advertise a BGP community for a /32 IP address and it goes down the black hole.
I already have a script I run that updates (and enables) the BGP filter rules and the BGP networks with the corresponding customer's /32 address; this then puts an end to the attack all the way to my provider's provider's provider!
[currently we just edit the IP address in the script so it can do all the work.]
My issue now is automatically detecting it; when the attacks happen we see 1000s of connections. So my theory was to do a count on ‘source’ destinations, and if there are over 1000 to any one IP address it will run the script.
Has anyone got any idea or has done something like this before?
In theory, would it be good to schedule the script to check the connection count every 30 seconds?
Why would you not write a mangle and firewall rule that limits (and adds to an address list) the connection count to any one source on your WAN interface that exceeds a given value? Something like this maybe:
For a true DDOS, blocking it locally has little benefit.
Unless we advertise the BGP community back to our peers, the traffic will still be hitting the router, with high CPU load and max out our transits.
Advertising the community basically blocks the traffic all the way back to the Tier-1 international providers.
Yes, I understand that, but you need a way of identifying the traffic first, which is the mangle rule I gave you. Once you identify the offender, then you can script to add to the BGP advertise filter list.
I just added the firewall rule in as an extra precaution.
That Wiki is relevant to stopping DDOS at the router itself. However, he is looking to dynamically update his BGP black hole list.
Again though, both examples show how to identify traffic and place into an address list. You just need to script a way of adding them into your BGP lists.
Over the last few months I have tried both of the options above for detecting DDOS; however, we get too many false positives.
I have scripts in place (as below, for use by others) that, once an address is added to the address list, using a scheduled task that runs every minute, automatically black hole the IP to our upstream providers; after 10 minutes it is removed (usually that's all it takes for the attack to stop).
I'm not sure if it's because I have the connection limit set too low, but I have set it as high as 1000 and still get false positives.
We do not NAT; all users get their own /32 public IP address.
When a DDOS comes in, they have 1000s of connections open.
detector - Run every minute by scheduler
# Pick up an address from the "ddosed" list (filled by the firewall/mangle rule).
# If several entries exist, only the last one found is kept in $ip.
:global ip
:set ip ""
:foreach n in=[/ip firewall address-list find list="ddosed"] do={
    :set ip [/ip firewall address-list get $n address]
}
:if ($ip != "") do={
    :log info "DDOS ATTACK";
    :log info $ip
    # Black hole the /32 towards the upstreams, then notify by e-mail
    /system script run auto_DDOS
    :delay 5;
    /log info "time updated; uptime: $[/system resource get uptime]"
    :local es "DDOS on $[/system clock get date] $[/system clock get time]"
    :local eb "$[/system identity get name] DDOS on $[/system clock get date] $[/system clock get time] IP DDOSED: $ip"
    /tool e-mail send to="emailaddress@nuskope.com.au" subject=$es body=$eb
    # Hold the black hole for 10 minutes, logging the countdown once a minute
    :for m from=0 to=8 do={
        :local left (10 - $m);
        :log info "DDOS-unblock in $left minutes";
        :delay 60;
    }
    :log info "DDOS-unblock in 1 minute";
    :delay 60;
    /system script run auto_DDOS_Disable
}
:if ($ip = "") do={
    :log info "no DDOS detected";
}
auto_DDOS - this is the script that adds the /32 to our BGP and also edits some filter rules to add a blackhole community to the ip address
:global ip
:log info "DDOS ATTACK";
:log info $ip
# Set the ip address in the filters
/routing filter set [find comment="DDOS"] prefix=$ip
# Enable the rules
/routing filter enable [/routing filter find comment="DDOS"]
# Add the ip to the BGP network
/routing bgp network add network=$ip synchronize=no
# Make sure rules are at the top. Each pass moves the DDOS rules one at a time
# to position 0, which reverses their relative order; running the pass twice
# leaves them at the top in their original order.
:foreach n in=[/routing filter find comment="DDOS"] do={ /routing filter move $n [:pick [/routing filter find] 0] }
:foreach n in=[/routing filter find comment="DDOS"] do={ /routing filter move $n [:pick [/routing filter find] 0] }
auto_DDOS_Disable - disables the block
# Disabling the DDOS filter rules stops the blackhole community being attached.
# The bgp network entry added by auto_DDOS is not removed by this script.
/routing filter disable [/routing filter find comment="DDOS"]
:log info "DDOS-unblocked";
The approach I've taken for RTBH and DDOS detection on our edge routers is to use firewall filter rules to jump incoming small-packet UDP and TCP to a detection chain. This accepts traffic under a certain threshold per destination IP (it's up to you what pps you consider a DDOS); any traffic exceeding the threshold is jumped to a new chain where the dst address is added to an address-list.
Once in the address-list a script adds a blackhole route with BGP MED of 666 and a routing filter then distributes this to an adjacent router with a separate dedicated circuit to our transit RTBH routers, this is in case the DDOS is large enough to take down our transit links. The script then removes the route which removes the RTBH after a few minutes just like yours.
This is what I have now, from the above posted wiki.
However, my problem is that after, say, 1-2 hours it starts adding IPs, and after 12 hours it adds almost every IP on my network.
It's almost like it's never clearing the connections, so it counts them and never resets the counters.
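The pattern described in this thread, where nearly every /32 on the network ends up in the address list after some hours, is exactly what a per-destination counter that never ages out produces. The following is an added example, not code from the thread and not RouterOS code: a small Python simulation that replays constructed connection events (50 customer /32s in the 203.0.113.0/24 documentation range, each with a steady trickle of new connections for 12 hours, plus a five-minute flood of 200 new connections per second at one of them) through a cumulative per-destination counter and through a 30-second sliding-window counter, both using the 1000-connection threshold mentioned above. The addresses, rates and timings are constructed sample values.

```python
"""Per-destination connection-rate detection: cumulative count vs sliding window.

Added example (not from the thread, not RouterOS code). Shows why a counter
that is never reset ends up flagging every /32, while a windowed count of
new connections per destination flags only the address under attack.
"""
from collections import defaultdict, deque

THRESHOLD = 1000   # new connections per destination that count as an attack
WINDOW = 30.0      # seconds of history kept per destination


class CumulativeDetector:
    """Counts every connection ever seen per destination; nothing ages out."""

    def __init__(self):
        self.counts = defaultdict(int)

    def observe(self, ts, dst):
        self.counts[dst] += 1

    def flagged(self):
        return {dst for dst, c in self.counts.items() if c > THRESHOLD}


class WindowedDetector:
    """Keeps timestamps of new connections per destination and drops anything
    older than WINDOW, so the count reflects the current rate, not history."""

    def __init__(self):
        self.events = defaultdict(deque)

    def _expire(self, q, now):
        cutoff = now - WINDOW
        while q and q[0] < cutoff:
            q.popleft()

    def observe(self, ts, dst):
        q = self.events[dst]
        q.append(ts)
        self._expire(q, ts)

    def flagged(self, now):
        out = set()
        for dst, q in self.events.items():
            self._expire(q, now)
            if len(q) > THRESHOLD:
                out.add(dst)
        return out


def synthetic_traffic():
    """Constructed sample: 50 customer /32s (203.0.113.1-50) each opening one
    new connection every 10 s for 12 hours, plus a 5-minute flood of 200 new
    connections per second at one of them.  Returns (events, victim, a
    timestamp in the middle of the flood)."""
    customers = [f"203.0.113.{i}" for i in range(1, 51)]
    events = [(float(t), c) for t in range(0, 12 * 3600, 10) for c in customers]
    victim = "203.0.113.7"
    flood_start, flood_len, rate = 3600, 300, 200
    for t in range(flood_start, flood_start + flood_len):
        events.extend((t + k / rate, victim) for k in range(rate))
    events.sort()
    return events, victim, flood_start + 100


def simulate(events, sample_at):
    """Replay (timestamp, dst) events through both detectors.  The windowed
    detector is sampled once at `sample_at` and again after the last event."""
    cum, win = CumulativeDetector(), WindowedDetector()
    sampled = None
    for ts, dst in events:
        cum.observe(ts, dst)
        win.observe(ts, dst)
        if sampled is None and ts >= sample_at:
            sampled = win.flagged(ts)
    return {
        "cumulative_at_end": cum.flagged(),
        "windowed_sampled": sampled if sampled is not None else set(),
        "windowed_at_end": win.flagged(events[-1][0]),
    }


if __name__ == "__main__":
    events, victim, mid_flood = synthetic_traffic()
    result = simulate(events, mid_flood)
    print("cumulative flagged:", len(result["cumulative_at_end"]), "addresses")
    print("windowed mid-flood:", sorted(result["windowed_sampled"]))
    print("windowed at end:   ", sorted(result["windowed_at_end"]))
```

With the constructed traffic, the cumulative counter has flagged all 50 customers by the end of the run (each crosses 1000 connections after under three hours of ordinary use), while the windowed counter flags only the flooded address while the flood is running and nothing once it stops. The defensive takeaway for the router is the same: the detection match has to express connections per unit time (or current open connections, which age out with the connection tracking entry), not a total that only ever grows.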