nuskope
Frequent Visitor
Topic Author
Posts: 73
Joined: Wed Oct 22, 2008 3:11 pm
Location: Adelaide, South Australia

DDOS BGP protection [automate communitys?]

Sun Aug 11, 2013 3:06 am

Hi all,

We have been getting a few DDoS attacks of late. Luckily, both our upstream providers support 'black hole' BGP groups, so we can advertise a BGP community for a /32 IP address and it goes down the black hole.

Unfortunately this is a manual process, so we first need to detect an attack and locate the IP under attack by torching the interface;
then we add the IP 111.111.111.1 to the BGP network;
then we add the rules to our routing filter to set a BGP community of 17498:666 on that IP.

I was wondering if there was a way we could automate this process. I know we can automate things in the firewall chains, but can we do the same with the routing tables?

Thanks
 
raz
Member Candidate
Posts: 102
Joined: Wed Dec 19, 2012 3:26 pm
Location: Austria

Re: DDOS BGP protection [automate communitys?]

Mon Aug 12, 2013 5:12 pm

Before you advertise this IP to your blackhole communities, you have to find out what kind of DDoS is hitting you.
Maybe queues would be useful here in combination with scripting.
 
amt
Long time Member
Posts: 529
Joined: Fri Jan 16, 2015 2:05 pm

Re: DDOS BGP protection [automate communitys?]

Mon Jun 13, 2016 12:31 pm

Hi all,

We have been getting a few DDoS attacks of late. Luckily, both our upstream providers support 'black hole' BGP groups, so we can advertise a BGP community for a /32 IP address and it goes down the black hole.

Unfortunately this is a manual process, so we first need to detect an attack and locate the IP under attack by torching the interface;
then we add the IP 111.111.111.1 to the BGP network;
then we add the rules to our routing filter to set a BGP community of 17498:666 on that IP.

I was wondering if there was a way we could automate this process. I know we can automate things in the firewall chains, but can we do the same with the routing tables?

Thanks

Found any solution for this?
 
shaoranrch
Member Candidate
Posts: 184
Joined: Thu Feb 13, 2014 8:03 pm

Re: DDOS BGP protection [automate communitys?]

Sat Jun 25, 2016 3:29 am

Hi all,

We have been getting a few DDoS attacks of late. Luckily, both our upstream providers support 'black hole' BGP groups, so we can advertise a BGP community for a /32 IP address and it goes down the black hole.

Unfortunately this is a manual process, so we first need to detect an attack and locate the IP under attack by torching the interface;
then we add the IP 111.111.111.1 to the BGP network;
then we add the rules to our routing filter to set a BGP community of 17498:666 on that IP.

I was wondering if there was a way we could automate this process. I know we can automate things in the firewall chains, but can we do the same with the routing tables?

Thanks

Found any solution for this?
As of right now there's no automated solution built into RouterOS natively.
What you can do is use some scripting together with firewall rules to try to detect when there's a DDoS attack and to where, and add the IPs to address lists so you can reference them in your scripts. Problem is, how do you detect that it's an attack and not regular traffic? There's a script around built by chupaka that's used to detect SYN attacks and add the DDoSers and DDoSed to address lists, but you probably need something more than this.
Hope this answers your question.
 
amt
Long time Member
Posts: 529
Joined: Fri Jan 16, 2015 2:05 pm

Re: DDOS BGP protection [automate communitys?]

Sat Jun 25, 2016 10:27 am

Hi all,

We have been getting a few DDoS attacks of late. Luckily, both our upstream providers support 'black hole' BGP groups, so we can advertise a BGP community for a /32 IP address and it goes down the black hole.

Unfortunately this is a manual process, so we first need to detect an attack and locate the IP under attack by torching the interface;
then we add the IP 111.111.111.1 to the BGP network;
then we add the rules to our routing filter to set a BGP community of 17498:666 on that IP.

I was wondering if there was a way we could automate this process. I know we can automate things in the firewall chains, but can we do the same with the routing tables?

Thanks

Found any solution for this?
As of right now there's no automated solution built into RouterOS natively.
What you can do is use some scripting together with firewall rules to try to detect when there's a DDoS attack and to where, and add the IPs to address lists so you can reference them in your scripts. Problem is, how do you detect that it's an attack and not regular traffic? There's a script around built by chupaka that's used to detect SYN attacks and add the DDoSers and DDoSed to address lists, but you probably need something more than this.
Hope this answers your question.
Do you have another script for DDoS?
 
Cha0s
Forum Guru
Posts: 1135
Joined: Tue Oct 11, 2005 4:53 pm

Re: DDOS BGP protection [automate communitys?]

Sun Jun 26, 2016 3:15 pm

Try FastNetMon with ExaBGP.
https://github.com/pavel-odintsov/fastnetmon

I've set it up on a VM, and I configured my edge routers to send NetFlow data to FastNetMon (IP > Traffic Flow in RouterOS).

FastNetMon will constantly evaluate the packet rate and transfer rate, and if your configured thresholds are exceeded it can announce to ExaBGP the /32 being attacked with whatever BGP community (or communities) you need.

ExaBGP has a BGP session with the edge routers and advertises those /32 routes to them, which in turn advertise the /32 routes to the upstream ISPs, which, based on the BGP community, will blackhole those IPs. The amount of time that an IP will remain blackholed is configurable.

FastNetMon will detect the attack in ~40-60 seconds. This is a NetFlow limitation (it takes some time for the flows to be exported from the router to the collector). Using other methods it can detect the attacks way faster. Fully mirroring the traffic to FastNetMon (and using, for example, the PF_RING ZC capture method) it can detect and block the attack in 1-3 seconds.
Once FastNetMon detects an attack, the blackhole advertisements will take just a few seconds at most to propagate to the upstreams (they propagate as fast as any BGP advertisement).
You also get alert emails when an attack is detected with information about the attack (i.e. UDP flood, TCP SYN flood, etc.) and the IP being attacked.

The end result is a completely automated DDoS mitigation solution, and it is all open source! :)
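The glue between a detector and ExaBGP that the original post and the reply above describe (originate a /32 tagged with the upstream's blackhole community, withdraw it after a configurable hold time) looks roughly like this. This is an added example written for this thread, not code from FastNetMon, ExaBGP or RouterOS; the `announce route ... next-hop self community [...]` text-API syntax is assumed and should be checked against the ExaBGP version in use, and OWNED_PREFIXES is an assumed allocation.

```python
import ipaddress

# Values taken from the thread: the example /32 and the upstream's blackhole
# community. OWNED_PREFIXES is an assumed allocation for this network.
BLACKHOLE_COMMUNITY = "17498:666"
OWNED_PREFIXES = [ipaddress.ip_network("111.111.111.0/24")]

def _host_route(target_ip, owned=OWNED_PREFIXES):
    """Validate the victim address and return it as a /32 host route.
    Only addresses inside our own allocation may be blackholed: a typo or a
    bad detection must never turn into an announcement for space we do not
    originate (upstream prefix filters would drop it anyway)."""
    addr = ipaddress.ip_address(target_ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 /32 blackholes only")
    if not any(addr in net for net in owned):
        raise ValueError(f"refusing to blackhole {addr}: not in an owned prefix")
    return ipaddress.ip_network(f"{addr}/32")

def announce_blackhole(target_ip, community=BLACKHOLE_COMMUNITY):
    """ExaBGP text-API line (assumed syntax) that originates the host route
    tagged with the blackhole community; the edge routers re-advertise it."""
    return f"announce route {_host_route(target_ip)} next-hop self community [{community}]"

def withdraw_blackhole(target_ip):
    """Matching withdrawal, emitted once the hold time has expired."""
    return f"withdraw route {_host_route(target_ip)} next-hop self"

class BlackholeTable:
    """Track active blackholes so each is withdrawn after hold_seconds, the
    'configurable amount of time an IP remains blackholed' from the thread."""

    def __init__(self, hold_seconds=600):
        self.hold = hold_seconds
        self.active = {}  # victim ip -> expiry timestamp (seconds)

    def on_attack(self, target_ip, now):
        """Return the announce line; a repeat detection extends the hold."""
        line = announce_blackhole(target_ip)
        self.active[target_ip] = now + self.hold
        return line

    def expire(self, now):
        """Return withdraw lines for every blackhole whose hold time is up."""
        done = [ip for ip, until in self.active.items() if until <= now]
        for ip in done:
            del self.active[ip]
        return [withdraw_blackhole(ip) for ip in done]
```

In a real deployment the lines returned by `on_attack` and `expire` are written to ExaBGP's process stdin, and `expire` is called from a periodic timer.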
 
Cha0s
Forum Guru
Posts: 1135
Joined: Tue Oct 11, 2005 4:53 pm

Re: DDOS BGP protection [automate communitys?]

Sun Jun 26, 2016 3:17 pm

There's also this presentation on the subject http://mum.mikrotik.com/presentations/E ... 752556.pdf
 
shaoranrch
Member Candidate
Posts: 184
Joined: Thu Feb 13, 2014 8:03 pm

Re: DDOS BGP protection [automate communitys?]

Mon Jun 27, 2016 1:19 am

There's also this presentation on the subject http://mum.mikrotik.com/presentations/E ... 752556.pdf
Excellent information, thanks for sharing.
 
ropebih
Member Candidate
Posts: 113
Joined: Tue May 22, 2007 5:35 pm

Re: DDOS BGP protection [automate communitys?]

Sat Sep 10, 2016 6:12 pm

There is a big problem with FastNetMon and ROS, because ROS Traffic Flow is too slow and needs over one minute for DDoS detection. With sFlow it is 1-2 seconds, but MikroTik doesn't have support for sFlow.
 
Cha0s
Forum Guru
Posts: 1135
Joined: Tue Oct 11, 2005 4:53 pm

Re: DDOS BGP protection [automate communitys?]

Wed Sep 28, 2016 2:43 pm

There is a big problem with FastNetMon and ROS, because ROS Traffic Flow is too slow and needs over one minute for DDoS detection. With sFlow it is 1-2 seconds, but MikroTik doesn't have support for sFlow.
I agree. The problem lies with the active flow timeout not being able to be set any lower than 1 minute.

So long active flows (e.g. large file downloads) will be exported every minute, and the collector will measure a burst of bytes/s and packets/s, causing FastNetMon to produce false positives.

I am not sure if the 60 second minimum active flow timeout is a protocol limitation or just a ROS limitation.
Glancing at the NetFlow v9 RFC I didn't find any explicit mention of this limit, but I may be wrong.

By the way, in the latest version of FastNetMon a MikroTik plugin/script has been added that will add the blackhole routes via the ROS API instead of using ExaBGP to push the routes to ROS.
 
shaoranrch
Member Candidate
Posts: 184
Joined: Thu Feb 13, 2014 8:03 pm

Re: DDOS BGP protection [automate communitys?]

Sun Jul 30, 2017 9:37 pm

Try FastNetMon with ExaBGP.
https://github.com/pavel-odintsov/fastnetmon

I've set it up on a VM, and I configured my edge routers to send NetFlow data to FastNetMon (IP > Traffic Flow in RouterOS).

FastNetMon will constantly evaluate the packet rate and transfer rate, and if your configured thresholds are exceeded it can announce to ExaBGP the /32 being attacked with whatever BGP community (or communities) you need.

ExaBGP has a BGP session with the edge routers and advertises those /32 routes to them, which in turn advertise the /32 routes to the upstream ISPs, which, based on the BGP community, will blackhole those IPs. The amount of time that an IP will remain blackholed is configurable.

FastNetMon will detect the attack in ~40-60 seconds. This is a NetFlow limitation (it takes some time for the flows to be exported from the router to the collector). Using other methods it can detect the attacks way faster. Fully mirroring the traffic to FastNetMon (and using, for example, the PF_RING ZC capture method) it can detect and block the attack in 1-3 seconds.
Once FastNetMon detects an attack, the blackhole advertisements will take just a few seconds at most to propagate to the upstreams (they propagate as fast as any BGP advertisement).
You also get alert emails when an attack is detected with information about the attack (i.e. UDP flood, TCP SYN flood, etc.) and the IP being attacked.

The end result is a completely automated DDoS mitigation solution, and it is all open source! :)
Hi,

I'm going to revive this thread because lately I've been looking for an automated DDoS mitigation system. Rather than using RTBH, I want to activate the use of the scrubbing centers for a suspected /24 being DDoSed.

I've been testing FastNetMon in a production environment that's basically servers only, but I think it's detecting things as positive attacks when in reality they're not.

The test is done on one of the edge routers: CCR1036-12G-4S on BFO 6.38.7
Traffic Flow configuration:
/ip traffic-flow
set active-flow-timeout=1m cache-entries=4M enabled=yes interfaces="sfp1,sfp2"
I'm using NetFlow v9.

Latest FastNetMon, all set to default except:
average_calculation_time = 30
process_outgoing_traffic = off
First, the average: I changed it after reading the documentation for this software. It was set to 5 first, and every single IP I had was detected as being either DDoSed or a DDoSer; after the change this stopped.
I also turned process_outgoing_traffic off since I am currently only concerned about incoming attacks.

Anyway, it started detecting UDP flood attacks with reported high PPS (over 20,000). I went to check those immediately; since I have it integrated with Slack, I check at the very moment I get the notification. I'm also monitoring both interfaces via SNMP using another system, counting the PPS in/out every 30 seconds, and it doesn't show anything at all, not a burst or a measurement that's notably out of the ordinary or that could hint at a DDoS; in fact, checking the measurements of the previous hour, it's all consistent. I am checking every single measurement, not the estimated PPS given by the application (PRTG, if this matters). So I get something like this:

12:00:00 -> 3500000 packets
12:00:30 -> 3500390 packets
12:01:00 -> 3500594 packets
12:01:30 -> 3500720 packets
12:02:00 -> 3501100 packets <- this is when I get the alarm

Those are not the exact values; it's just to show that the changes are really small and fairly consistent as reported by PRTG.

Have you experienced something like this? If so, did you manage to fix it? Or have you tried anything different for this?

It seems FastNetMon has a lot of users on other brands, Cisco for instance, with no issues at all using NetFlow too. It makes me wonder if there's a problem with MikroTik's implementation of NetFlow.
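To see why a 60 second active-flow timeout produces the bursts Cha0s describes above, and why raising average_calculation_time from 5 to 30 stopped the false positives in the post above, here is a simplified model written for this thread (not FastNetMon's or RouterOS' actual code): one steady 10 Mbit/s download exported with a 60 s active timeout looks like a 120 Mbit/s burst to a collector that averages over 5 seconds, but only 20 Mbit/s over 30 seconds. That the collector credits a record's bytes to the second it arrives is an assumption of the model; the scenario values are constructed.

```python
from collections import defaultdict

def export_records(rate_bytes_s, duration_s, active_timeout_s=60):
    """Model a NetFlow exporter handling one long-lived flow at a steady rate:
    every active_timeout_s seconds (and at flow end) it emits one record
    carrying all bytes seen since the previous export.
    Returns [(export_second, bytes_in_record), ...]."""
    records, last, t = [], 0, active_timeout_s
    while t < duration_s:
        records.append((t, rate_bytes_s * (t - last)))
        last, t = t, t + active_timeout_s
    records.append((duration_s, rate_bytes_s * (duration_s - last)))
    return records

def peak_rate(records, window_s):
    """Naive collector (assumption): credit each record's bytes to the second
    it arrived, then report the highest mean rate over any window_s-second
    window. This is the averaging that average_calculation_time controls."""
    per_second = defaultdict(int)
    for sec, nbytes in records:
        per_second[sec] += nbytes
    horizon = max(per_second) + 1
    best = 0.0
    for start in range(horizon):
        total = sum(per_second.get(s, 0) for s in range(start, start + window_s))
        best = max(best, total / window_s)
    return best

def looks_like_attack(rate_bytes_s, duration_s, threshold_bytes_s, window_s,
                      active_timeout_s=60):
    """True if the exported view of a steady flow crosses the threshold, i.e.
    a false positive whenever rate_bytes_s itself is below the threshold."""
    recs = export_records(rate_bytes_s, duration_s, active_timeout_s)
    return peak_rate(recs, window_s) > threshold_bytes_s

# Constructed scenario: a 10 Mbit/s download for 5 minutes, 50 Mbit/s threshold.
MBIT = 125_000  # bytes per second per Mbit/s

if __name__ == "__main__":
    for window in (5, 30):
        fp = looks_like_attack(10 * MBIT, 300, 50 * MBIT, window)
        print(f"average_calculation_time={window}: false positive = {fp}")
    # With a 1 s timeout (sFlow-like granularity) the apparent burst disappears.
    print(looks_like_attack(10 * MBIT, 300, 50 * MBIT, 5, active_timeout_s=1))
```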
 
Murmaider
Member Candidate
Posts: 126
Joined: Fri Oct 30, 2015 10:10 am

Re: DDOS BGP protection [automate communitys?]

Sun Sep 24, 2017 4:06 pm

Connect your links to fast 10G switches and then connect your MikroTiks to those switches, so traffic to and from your network goes over the switches.

Set up port mirroring on your uplink ports on the switches to mirror to a single port (or a few if it's high traffic).

Buy Wanguard from Andrisoft and use packet sensors for the mirror ports. It should detect and start mitigating an attack within a few seconds. It will also allow you to enable remote DDoS scrubbing.
 
Cha0s
Forum Guru
Posts: 1135
Joined: Tue Oct 11, 2005 4:53 pm

Re: DDOS BGP protection [automate communitys?]

Sun Sep 24, 2017 6:08 pm

Connect your links to fast 10G switches and then connect your MikroTiks to those switches, so traffic to and from your network goes over the switches.
Yes, this is a viable solution, but it's a waste of money, Us in your rack, power consumption, etc. just to be able to 'tap' into your uplinks to properly extract the information your anti-DDoS solution needs.
If only MikroTik would release a small 10G switch, e.g. CRS106-1C-5S+.
That would be awesome for such uses! It would be (relatively) cheap, and you would be able to shove it in the back of the rack somewhere without wasting valuable Us.

If NetFlow/IPFIX on RouterOS didn't have those quirks it would have been perfectly fine with FastNetMon, which is free/open and doesn't require any special hardware in the data path (except the NetFlow exporter, of course).

For example, with UDP attacks, FastNetMon detects the attack in ~3 seconds and blocks it properly even with RouterOS' NetFlow implementation.
I haven't had any false positives with UDP since (for my type of traffic) there are no long-lived UDP connections. So those attack packets are exported in 1 second (i.e. inactive flow timeout=1s) and the thresholds in FastNetMon get triggered right away.

So for the time being I practically use FastNetMon to mitigate only UDP attacks (which is usually the case). For TCP attacks (e.g. SYN flood) it's still a manual process for me...
 
tgrand
Long time Member
Posts: 667
Joined: Mon Aug 21, 2006 2:57 am
Location: Winnipeg, Manitoba, Canada

Re: DDOS BGP protection [automate communitys?]

Thu Oct 26, 2017 10:21 pm

Flow analysis is just not fast enough to detect most DDoS attacks.

We use Wanguard from Andrisoft.

Fiber from our uplinks first goes through an optical splitter; from the splitter, out1 goes to our border router and out2 goes to an optical transceiver which Wanguard uses to sniff the packets in real time.
It is literally just microseconds from the attack start time till our BGP blackhole announcement.
It does not give the attack enough time to ramp up the traffic and have an effect on our network.
 
mcesaric
just joined
Posts: 1
Joined: Fri Feb 26, 2021 1:34 pm

Re: DDOS BGP protection [automate communitys?]

Fri Feb 26, 2021 1:57 pm

We are in the process of implementing Wanguard Sensor (packet mirror mode) in combination with a MikroTik BGP edge. We'll use ExaBGP to advertise blackhole routes (/32 RTBH mitigation) marked with a community, as well as diversion to a third-party scrubbing center (/24 prefixes).

Stuck with the diversion method. The problem is that Wanguard advertises a /24 route which we don't want to be an active route, but MikroTik can't propagate routes which are inactive, like Juniper and Cisco can (Juniper: advertise-inactive, Cisco: suppress-inactive).

Does anyone have an example of a Wanguard + MikroTik implementation?

Thank you.
 
method
newbie
Posts: 39
Joined: Fri Mar 25, 2005 3:29 pm

Re: DDOS BGP protection [automate communitys?]

Wed Mar 17, 2021 11:38 am

We are in the process of implementing Wanguard Sensor (packet mirror mode) in combination with a MikroTik BGP edge. We'll use ExaBGP to advertise blackhole routes (/32 RTBH mitigation) marked with a community, as well as diversion to a third-party scrubbing center (/24 prefixes).

Stuck with the diversion method. The problem is that Wanguard advertises a /24 route which we don't want to be an active route, but MikroTik can't propagate routes which are inactive, like Juniper and Cisco can (Juniper: advertise-inactive, Cisco: suppress-inactive).

Does anyone have an example of a Wanguard + MikroTik implementation?

Thank you.
Wanguard works almost the same as FastNetMon. If you want to test FNM, just mail me.
