FastNetMon, ExaBGP and BGP integration for DDoS mitigation – part 2

As the BGP daemon we are using Quagga, which is easy to install on any Linux distro.

We are automating the process behind RTBH (Remotely-Triggered Black Hole), which is a very good tool for protecting us in case of a DDoS.
Routers Quagga1 – Quagga4 compose the network, and router Quagga5 acts as a management router for route injection. It runs two dedicated pieces of software, FastNetMon and ExaBGP, which detect a DDoS and trigger the black-hole routing in an automated way.

RTBH works by injecting a specially-crafted BGP route into the network, forcing routers to drop all traffic sent to a specific next-hop, effectively creating a “black hole.”
In our case this route forces any traffic destined for 192.0.2.6/32 to be dropped immediately by the router. The route is added to all edge routers (Quagga1 and Quagga2), so the attack traffic is dropped at the edge routers.

Once all 5 systems are in place, we can start configuring them, as follows:

A). Quagga5 – the system that runs the FastNetMon and ExaBGP tools

1) FastNetMon is configured to accept sFlow traffic. There are multiple input options available, but for the fastest DDoS detection we have to choose between NetFlow and sFlow when mirroring ports is not possible.

sFlow – https://en.wikipedia.org/wiki/SFlow – “sampled flow”, is an industry standard for packet export at Layer 2 of the OSI model.

To generate sFlow records in our proof of concept we are using softflowd – https://www.mindrot.org/projects/softflowd/.

I just want to point out the parameters from the /etc/softflowd.conf file that are necessary to achieve our goal.

############################################
# Actually ban (black-hole) attackers instead of only reporting them
enable_ban = on
process_incoming_traffic = on
process_outgoing_traffic = on

# Prefixes we protect (one per line); hosts outside them are never banned
networks_list_path = /etc/networks_list

# Hosts that must never be black-holed, even if they exceed a threshold
white_list_path = /etc/networks_whitelist

# Thresholds that trigger a ban
ban_for_pps = on
ban_for_bandwidth = on
ban_for_flows = on

ban_for_udp_bandwidth = on
ban_for_icmp_bandwidth = on

ban_for_tcp_pps = on
ban_for_udp_pps = on
ban_for_icmp_pps = on

# Receive sFlow datagrams on UDP 6343 on all interfaces
sflow = on
sflow_port = 6343
sflow_host = 0.0.0.0

# Hand the black-hole route to ExaBGP through its command pipe
exabgp = on
exabgp_command_pipe = /var/run/exabgp.cmd
exabgp_community = 100:666
# This is the ExaBGP IP address
exabgp_next_hop = 10.10.12.3
# Announce the attacked host as a /32 (not the whole subnet)
exabgp_announce_host = on

######################################
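To make the ExaBGP settings above concrete, here is an added Python example (not FastNetMon's or ExaBGP's own code) that builds the ExaBGP API lines a ban and an unban of 192.0.2.6 would produce, applying the networks_list / whitelist checks first. The contents of the two list files and the helper names are constructed for the example.

```python
"""Build the ExaBGP commands for an RTBH ban/unban, guarded by the
networks_list and whitelist semantics of the config above.
Added example only; not FastNetMon's or ExaBGP's own code."""
import ipaddress

# Values taken from the config block above
EXABGP_NEXT_HOP = "10.10.12.3"      # ExaBGP IP address
EXABGP_COMMUNITY = "100:666"        # RTBH community
EXABGP_COMMAND_PIPE = "/var/run/exabgp.cmd"

# Constructed sample contents of /etc/networks_list and /etc/networks_whitelist
NETWORKS_LIST = ["192.0.2.0/24", "198.51.100.0/24"]
NETWORKS_WHITELIST = ["192.0.2.1/32"]   # e.g. the edge router's own address


def _covered(host, nets):
    """True when host falls inside any prefix of nets."""
    ip = ipaddress.ip_address(host)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def rtbh_command(action, host):
    """Return the ExaBGP API line for a /32 black hole ('announce' or
    'withdraw'), or None when the host is outside our networks or whitelisted.
    Format: <action> route <host>/32 next-hop <nh> community <comm>"""
    if action not in ("announce", "withdraw"):
        raise ValueError(f"unknown action {action!r}")
    if not _covered(host, NETWORKS_LIST) or _covered(host, NETWORKS_WHITELIST):
        return None
    return (f"{action} route {host}/32 next-hop {EXABGP_NEXT_HOP} "
            f"community {EXABGP_COMMUNITY}")


def send(action, host, pipe):
    """Write the command to an already-open ExaBGP command pipe (file object),
    exactly one line per command; returns the line written or None."""
    cmd = rtbh_command(action, host)
    if cmd is not None:
        pipe.write(cmd + "\n")
        pipe.flush()
    return cmd


if __name__ == "__main__":
    # Demo against a string buffer instead of the real pipe
    import io
    buf = io.StringIO()
    send("announce", "192.0.2.6", buf)    # ban
    send("withdraw", "192.0.2.6", buf)    # unban
    send("announce", "192.0.2.1", buf)    # whitelisted: nothing written
    print(buf.getvalue(), end="")
```

Writing the same lines to /var/run/exabgp.cmd is what FastNetMon does when exabgp_announce_host is on; the whitelist check here is the behaviour white_list_path gives you on the FastNetMon side.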

Next – Part 3

Author: techwritter