Try FastNetMon with ExaBGP.
I've set it up on a VM, and I configured my edge routers to send NetFlow data to FastNetMon (IP > Traffic Flow in RouterOS).
FastNetMon will constantly evaluate the packet rate and transfer rate and if your configured thresholds are exceeded it can announce to ExaBGP the /32 being attacked with whatever BGP Community (or communities) you need.
ExaBGP has a BGP session with the edge routers and advertises those /32 routes to them; the edge routers in turn advertise the /32 routes to the upstream ISPs, which, based on the BGP community, will blackhole those IPs. The amount of time that an IP will remain blackholed is configurable.
FastNetMon will detect the attack in ~40-60 seconds. This is a NetFlow limitation (it takes some time for the flows to be exported from the router to the collector). Using other methods it can detect the attacks way faster. Fully mirroring the traffic to FastNetMon (and using for example the PF_RING ZC capture method) it can detect and block the attack in 1-3 seconds.
Once FastNetMon detects an attack, the blackhole advertisements will take just a few seconds at most to propagate to the upstreams (they propagate as fast as any BGP advertisement).
You also get alert emails when an attack is detected, with information about the attack (i.e. UDP flood, TCP SYN flood, etc.) and the IP being attacked.
The end result is a completely automated DDoS mitigation solution, and it is all open source!
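Added example, not part of the original post and not FastNetMon's or ExaBGP's own code: a sketch of the announce/withdraw step described above, producing the text commands ExaBGP's API accepts, with guards so that only /32s inside your own prefixes are ever blackholed and each one is withdrawn after a configurable hold time. The prefixes, next-hop, community (RFC 7999 BLACKHOLE) and the `BlackholeTable` name are assumptions; use the values your upstreams require.

```python
import ipaddress
import time

# Assumed values (not from the post): documentation prefixes and next-hop.
PROTECTED = [ipaddress.ip_network("198.51.100.0/24"),
             ipaddress.ip_network("203.0.113.0/24")]
NEXT_HOP = "192.0.2.1"
COMMUNITY = "65535:666"  # RFC 7999 BLACKHOLE; many upstreams define their own


class BlackholeTable:
    """Tracks active /32 blackholes and emits ExaBGP text API commands."""

    def __init__(self, hold=1800, max_active=16):
        self.hold = hold              # seconds an IP stays blackholed
        self.max_active = max_active  # cap, so false positives cannot null-route a whole site
        self.active = {}              # ip -> expiry timestamp

    def ban(self, victim, now=None):
        now = time.time() if now is None else now
        ip = ipaddress.ip_address(victim)  # ValueError on malformed input
        # Never announce space you do not originate.
        if not any(ip in net for net in PROTECTED):
            raise ValueError(f"{ip} is outside the protected prefixes")
        if ip not in self.active and len(self.active) >= self.max_active:
            raise RuntimeError("blackhole cap reached; needs operator review")
        self.active[ip] = now + self.hold  # re-detection extends the hold
        return (f"announce route {ip}/32 next-hop {NEXT_HOP} "
                f"community [{COMMUNITY}]")

    def expire(self, now=None):
        """Return withdraw commands for every blackhole whose hold has elapsed."""
        now = time.time() if now is None else now
        due = sorted(ip for ip, t in self.active.items() if t <= now)
        for ip in due:
            del self.active[ip]
        return [f"withdraw route {ip}/32 next-hop {NEXT_HOP}" for ip in due]


if __name__ == "__main__":
    table = BlackholeTable(hold=60)
    print(table.ban("198.51.100.7", now=0))   # constructed victim address
    for cmd in table.expire(now=60):
        print(cmd)
```

The returned strings are what a detector's notify script would write to ExaBGP (its command pipe or a helper process's stdout).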
I'm going to revive this thread because lately I've been looking for an automated DDoS mitigation system. Rather than using RTBH, I want to activate the use of the scrubbing centers for a suspected /24 being DDoSed.
I've been testing FastNetMon in a production environment that's basically servers only, but I think it's detecting things as positive attacks when in reality they're not.
Test is done in one of the edge routers: CCR 1036-12G-4S on BFO 6.38.7
Traffic Flow configuration:
set active-flow-timeout=1m cache-entries=4M enabled=yes interfaces="sfp1,sfp2"
I'm using NetFlow v9
Latest FastNetMon, all is set to default except:
average_calculation_time = 30
process_outgoing_traffic = off
First, the average: I changed it after reading and seeing the documentation for this software. It was set to 5 at first and every single IP I had was detected as either being DDoSed or being a DDoSer; after the change this stopped.
I also turned process_outgoing_traffic off since I am currently only concerned about incoming attacks.
Anyway, it started detecting UDP flood attacks with reported high PPS (over 20.000). I went to check those issues immediately; since I have it integrated with Slack, I check at the very moment I get the notification. I'm also monitoring both interfaces via SNMP using another system, counting the PPS in/out every 30 seconds, and it doesn't show anything at all: not a burst or a measure that's notably out of the ordinary or that could hint at a DDoS. In fact, checking the measures of the previous hour, it's all consistent. I am checking every single measure, not the estimated PPS given by the application (PRTG, if this matters). So I get something like this:
12:00:00 -> 3500000 packets
12:00:30 -> 3500390 packets
12:01:00 -> 3500594 packets
12:01:30 -> 3500720 packets
12:02:00 -> 3501100 packets <- this is when I get the alarm
Those are not the exact values; it's just to show that the changes are really small and kind of consistent as reported by PRTG.
Have you experienced something like this? If so, did you manage to fix it? Or have you tried anything different for this?
It seems FastNetMon has a lot of users on other brands, like Cisco for instance, with no issues at all using NetFlow too. Makes me wonder if there's a problem with MikroTik's implementation of NetFlow.