FastNetMon与MikroTik集成(DDoS检测系統)

背景
從事IDC行業經常會遇到DDoS攻擊,一般用以下解決辦法處理,即:

  • NULL路由
  • 一堆金盾用帶寬硬撐
  • 切路由到國外清洗(Voxility&incapsula)
  • 等死

不過沒關係,只要有自己的AS和IP,還有線路,完全可以避免這些事情發生。(前提自己得有一些底蘊,只有10把20M這些只有死路一條。)

首先,先準備一只VPS,配置大概如下:

雙核,2G 內存,40G 硬盤,帶寬無所謂,最好和你的路由在同機房,否則因為延遲大的原因可能會產生一些奇怪的事情。

1.-安装组件和配置基础知识
1.1.- FastNetMon

1 wget https://raw.githubusercontent.com/pavel-odintsov/fastnetmon/master/src/fastnetmon_install.pl -Ofastnetmon_install.pl
2 sudo perl fastnetmon_install.pl

慢慢等它就完成了…傳送門點這裡看完整安裝教學。

安裝完畢之後,首先要進行一些操作.

/etc/networks_list

/etc/networks_whitelist

這2個文件,一個是需要監測的prefix列表,一個是白名單列表.沒有就自己創建個。例如我們的prefix 是1.1.1.0/24 和2.2.2.0/24,直接vi /etc/networks_list

1 1.1.1.0/24
2 2.2.2.0/24

加白名單的話,操作一樣,IP後面要按照CIDR的格式寫,例如1.1.1.1/32。

2.- 配置路由

首先要確定一下,路由的哪個接口是主要流量通過的,

1 /ip traffic-flow
2 set active-flow-timeout=1m cache-entries=1k enabled=yes interfaces=bonding1
3 /ip traffic-flow target
4 add dst-address=10.110.100.114(FastNetMon IP) port=1234

然後就是設置fastnetmon的配置文件,以下是我的配置:

001 ###
002 ### Main configuration params
003 ###
004
005 ### Logging configuration
006
007 # enable this option if you want to send logs to local syslog facility
008 logging:local_syslog_logging = off
009
010 # enable this option if you want to send logs to a remote syslog server via UDP
011 logging:remote_syslog_logging = off
012
013 # specify a custom server and port for remote logging
014 logging:remote_syslog_server = 10.10.10.10
015 logging:remote_syslog_port = 514
016
017 # Enable/Disable any actions in case of attack
018 enable_ban = on
019
020 # disable processing for certain direction of traffic
021 process_incoming_traffic = on
022 process_outgoing_traffic = off
023
024 # How many packets will be collected from attack traffic
025 ban_details_records_count = 500
026
027 # How long (in seconds) we should keep an IP in blocked state
028 # If you set 0 here it completely disables unban capability
029 ban_time = 3600
030
031 # Check if the attack is still active, before triggering an unban callback with this option
032 # If the attack is still active, check each run of the unban watchdog
033 unban_only_if_attack_finished = on
034
035 # enable per subnet speed meters
036 # For each subnet, list track speed in bps and pps for both directions
037 enable_subnet_counters = off
038
039 # list of all your networks in CIDR format
040 networks_list_path = /etc/networks_list
041
042 # list networks in CIDR format which will be not monitored for attacks
043 white_list_path = /etc/networks_whitelist
044
045 # redraw period for client's screen
046 check_period = 1
047
048 # Connection tracking is very useful for attack detection because it provides huge amounts of information,
049 # but it's very CPU intensive and not recommended in big networks
050 enable_connection_tracking = off
051
052 # Different approaches to attack detection
053 ban_for_pps = off
054 ban_for_bandwidth = on
055 ban_for_flows = off
056
057 # Limits for Dos/DDoS attacks
058 threshold_pps = 20000
059 threshold_mbps = 350
060 threshold_flows = 3500
061
062 # Per protocol attack thresholds
063 # We don't implement per protocol flow limits, sorry 🙁
064 # These limits should be smaller than global pps/mbps limits
065
066 threshold_tcp_mbps = 100000
067 threshold_udp_mbps = 100000
068 threshold_icmp_mbps = 100000
069
070 threshold_tcp_pps = 100000
071 threshold_udp_pps = 100000
072 threshold_icmp_pps = 100000
073
074 ban_for_tcp_bandwidth = off
075 ban_for_udp_bandwidth = off
076 ban_for_icmp_bandwidth = off
077
078 ban_for_tcp_pps = off
079 ban_for_udp_pps = off
080 ban_for_icmp_pps = off
081
082 ###
083 ### Traffic capture methods
084 ###
085
086 # PF_RING traffic capture, fast enough but the wirespeed version needs a paid license
087 mirror = off
088
089 # Port mirroring sample rate
090 pfring_sampling_ratio = 1
091
092 # Netmap traffic capture (very fast but needs patched drivers)
093 mirror_netmap = off
094
095 # SnabbSwitch traffic capture
096 mirror_snabbswitch = off
097
098 # AF_PACKET capture engine
099 # Please use it only with modern Linux kernels (3.6 and more)
100 # And please install birq for irq ditribution over cores
101 mirror_afpacket = off
102
103 # use PCI-e addresses here instead of OS device names. You can find them in "lspci" output
104 interfaces = eth0,eth1
105
106 # Port mirroring sampling ratio
107 netmap_sampling_ratio = 1
108
109 # This option should be enabled if you are using Juniper with mirroring of the first X bytes of packet: maximum-packet-length 110;
110 netmap_read_packet_length_from_ip_header = off
111
112 # Pcap mode, very slow and thus not suitable for production
113 pcap = off
114 # Netflow capture method with v5, v9 and IPFIX support
115 netflow = on
116 # sFLOW capture suitable for switches
117 sflow = off
118
119 # PF_RING configuration
120 # If you have a license for PF_RING ZC, enable this mode and it might achieve wire speed for 10GE
121 enable_pf_ring_zc_mode = off
122
123 # Configuration for netmap, mirror, pcap modes
124 # For pcap and PF_RING we could specify "any"
125 # For netmap and PF_RING we could specify multiple interfaces = eth0,eth1
126 interfaces = eth0,eth1
127
128 # We use average values for traffic speed to certain IP and we calculate average over this time slice
129 average_calculation_time = 1
130
131 # We use average values for traffic speed for subnet and we calculate average over this time slice
132 average_calculation_time_for_subnets = 20
133
134 # Netflow configuration
135
136 # it's possible to specify multiple ports here, using commas as delimiter
137 netflow_port = 1234
138 netflow_host = 0.0.0.0
139
140 # To bind to all interfaces = eth0,eth1
141 # To bind to all interfaces = eth0,eth1
142 # To bind to localhost for a specific protocol:      ::1 or 127.0.0.1
143
144 # Netflow v9 and IPFIX agents use different and very complex approaches for notifying about sample ratio
145 # Here you could specify a sampling ratio for all this agents
146 # For NetFLOW v5 we extract sampling ratio from packets directely and this option not used
147 netflow_sampling_ratio = 1
148
149 # In some cases with NetFlow we could get huge bursts related to aggregated data nature
150 # We could try to get smoother data with this option, i.e. we will divide counters on collection interval time
151 netflow_divide_counters_on_interval_length = off
152
153 # Process each netflow packet with LUA
154 # This option is not default and you need build it additionally
155 # netflow_lua_hooks_path = /usr/src/fastnetmon/src/netflow_hooks.lua
156
157 # sFLOW configuration
158
159 # It's possible to specify multiple ports here, using commas as delimiter
160 sflow_port = 6343
161 # sflow_port = 6343,6344
162 sflow_host = 0.0.0.0
163
164 # process each sFLOW packet with LUA
165 # This option is not default and you need build it additionally
166 # sflow_lua_hooks_path = /usr/src/fastnetmon/src/sflow_hooks.lua
167
168 ###
169 ### Actions when attack detected
170 ###
171
172 # This script executed for ban, unban and attack detail collection
173 notify_script_path = /usr/local/bin/notify_about_attack.py
174
175 # pass attack details to notify_script via stdin
176 # Pass details only in case of "ban" call
177 # No details will be passed for "unban" call
178 notify_script_pass_details = on
179
180 # collect a full dump of the attack with full payload in pcap compatible format
181 collect_attack_pcap_dumps = off
182
183 # Execute Deep Packet Inspection on captured PCAP packets
184 process_pcap_attack_dumps_with_dpi = off
185
186 # Save attack details to Redis
187 redis_enabled = off
188
189 # Redis configuration
190 redis_port = 6379
191 redis_host = 127.0.0.1
192
193 # specify a custom prefix here
194 redis_prefix = mydc1
195
196 # We could store attack information to MongoDB
197 mongodb_enabled = off
198 mongodb_host = localhost
199 mongodb_port = 27017
200 mongodb_database_name = fastnetmon
201
202 # If you are using PF_RING non ZC version you could block traffic on host with hardware filters
203 # Please be aware! We can not remove blocks with this action plugin
204 pfring_hardware_filters_enabled = off
205
206 # announce blocked IPs with BGP protocol with ExaBGP
207 exabgp = off
208 exabgp_command_pipe = /var/run/exabgp.cmd
209 exabgp_community = xxxx:666 #上游的黑洞社區,其實不寫也行的。只要路由設置好/32 發到上游黑洞即可。
210
211 # specify multiple communities with this syntax:
212 # exabgp_community = [65001:666 65001:777]
213
214 # specify different communities for host and subnet announces
215 # exabgp_community_subnet = 65001:667
216 # exabgp_community_host = 65001:668
217
218 exabgp_next_hop = 192.0.2.1
219
220 # In complex cases you could have both options enabled and announce host and subnet simultaneously
221
222 # Announce /32 host itself with BGP
223 exabgp_announce_host = on
224
225 # Announce origin subnet of IP address instead IP itself
226 exabgp_announce_whole_subnet = off
227
228 # Announce Flow Spec rules when we could detect certain attack type
229 # Please we aware! Flow Spec announce triggered when we collect some details about attack,
230 # i.e. when we call attack_details script
231 # Please disable exabgp_announce_host and exabgp_announce_whole_subnet if you want to use this feature
232 # Please use ExaBGP v4 only (Git version), for more details: https://github.com/FastVPSEestiOu/fastnetmon/blob/master/docs/BGP_FLOW_SPEC.md
233 exabgp_flow_spec_announces = off
234
235 # GoBGP intergation
236 gobgp = off
237 gobgp_next_hop = 0.0.0.0
238 gobgp_announce_host = on
239 gobgp_announce_whole_subnet = off
240
241 # Graphite monitoring
242 # InfluxDB is also supported, please check our reference:
244 graphite = off
245 graphite_host = 127.0.0.1
246 graphite_port = 2003
247
248 # Default namespace for Graphite data
249 graphite_prefix = fastnetmon
250
251 # Add local IP addresses and aliases to monitoring list
252 # Works only for Linux
253 monitor_local_ip_addresses = on
254
255 # Create group of hosts with non-standard thresholds
256 # You should create this group before (in configuration file) specifying any limits
257 hostgroup = my_hosts:10.10.10.221/32,10.10.10.222/32
258
259 # Configure this group
260 my_hosts_enable_ban = off
261
262 my_hosts_ban_for_pps = off
263 my_hosts_ban_for_bandwidth = off
264 my_hosts_ban_for_flows = off
265
266 my_hosts_threshold_pps = 20000
267 my_hosts_threshold_mbps = 1000
268 my_hosts_threshold_flows = 3500
269
270 # Path to pid file for checking "if another copy of tool is running", it's useful when you run multiple instances of tool
271 pid_path = /var/run/fastnetmon.pid
272
273 # Path to file where we store information for fastnetmon_client
274 cli_stats_file_path = /tmp/fastnetmon.dat
275
276 # Enable gRPC api (required for fastnetmon_api_client tool)
277 enable_api = off
278
279 ###
280 ### Client configuration
281 ###
282
283 # Field used for sorting in client, valid values are: packets, bytes or flows
284 sort_parameter = packets
285 # How much IPs will be listed for incoming and outgoing channel eaters
286 max_ips_in_list = 7

主要的參數講解下,

1 ban_for_bandwidth = on #只監測帶寬,不監測pps 和flows,因為這個閾值很不好調節,有些幷發高的服務器就...
2 process_incoming_traffic = on
3 process_outgoing_traffic = off #對於DDoS攻擊,我們更關心的是入向流量.
4 average_calculation_time = 1 #設置1秒可以在3秒內監測到DDoS并往上游發黑洞.

設置好之後,啟動FastNetMon 服務

1 service fastnetmon start
2 并把/opt/fastnetmon/fastnetmon --daemonize 添加到/etc/rc.local

此時你會看到路由的filow有數據正在流動…

1 [admin@HKG_BGP] /ip traffic-flow> monitor     
2      finished-flows: 3563877950
3        active-flows: 1023
4   unmanaged-packets: 0
5     unmanaged-bytes: 0
6 -- [Q quit|D dump|C-z pause]

在fastnetmon VPS 上執行

1 /opt/fastnetmon/fastnetmon_client

如果之前的配置無誤的話,你會看到這樣的顯示…

01 FastNetMon 1.1.3 master git-94f4947e87753b8be193ca54d17dac24cac599fb Pavel Odintsov: stableit.ru
02 IPs ordered by: packets
03 Incoming traffic         34023 pps     22 mbps      0 flows
04 1.1.1.1            30118 pps     16 mbps      0 flows
05 1.1.1.2              547 pps      0 mbps      0 flows
06 1.1.1.3             307 pps      1 mbps      0 flows
07
08
09 Outgoing traffic             0 pps      0 mbps      0 flows
10 Internal traffic             1 pps      0 mbps
11
12 Other traffic             1907 pps      9 mbps
13
14 Screen updated in:              0 sec 188 microseconds
15 Traffic calculated in:          0 sec 283 microseconds
16 Total amount of IPv6 packets related to our own network: 0
17 Not processed packets: 0 pps

此時,fastnetmon 的工作已經完成.

3.-對接黑洞路由

3.1.- FastNetMon部分

FastNetMon VPS 機器執行以下操作安裝Bird.

1 yum install bird -y

安裝好后設定一下,我直接貼出我的配置

01 router id 10.110.100.114;
02
03 protocol kernel {
04   scan time 60;
05   import all;
06 }
07
08 protocol device {
09   scan time 60;
10 }
11
12 function isnt_blackhole () {
13   if proto != "static_blackhole" then return true;
14   if net.len != 32 then return true;
15
16   return false;
17 }
18
19 protocol static static_blackhole {
20   include "/etc/bird/blackhole4/*.blackhole";
21 }
22
23
24 protocol bgp bgp_pig_hk {
25   local as 你的AS號;
26
27   neighbor 10.111.113.89(路由IP) as 你的AS號;
28   source address 10.110.100.114;
29
30   export filter {
31     if isnt_blackhole() then reject;
32     accept;
33   };
34   import none;
35
36   multihop 2;
37   graceful restart on;
38 };

3.2.-Mikrotik 部分

01 #設置黑洞BGP過濾器
02 /routing filter
03 add action=accept chain=BGP-BH-IN prefix-length=32 #只收FNM機發來的/32,也就是單個IP..
04 add action=discard chain=BGP-BH-OUT
05 #設置上游黑洞過濾器
06 /routing filter
07 add action=accept append-bgp-communities=xxxx:666(黑洞社區自己找上游拿) chain=BGP-Pig-OUT  prefix-length=32 set-type=blackhole
08 #建立黑洞BGP Peer
09 /routing bgp peer
10 add in-filter=BGP-BH-IN multihop=yes name=BGP-BH out-filter=BGP-BH-OUT remote-address=10.110.100.114 remote-as=你的AS route-reflect=yes ttl=default
11
12 操作完全正確的話,你會看到黑洞BGP 已經UP.
1 [admin@HKG_BGP] /routing bgp peer> /routing bgp peer print detail status where name=BGP-BH
2 Flags: X - disabled, E - established
3  0 E name="BGP-BH" instance=default remote-address=10.110.100.114 remote-as=xxoxx tcp-md5-key="" nexthop-choice=default multihop=yes route-reflect=yes hold-time=3m ttl=default
4      in-filter=BGP-BH-IN out-filter=BGP-BH-OUT address-families=ip default-originate=never remove-private-as=no as-override=no passive=no use-bfd=no remote-id=10.110.100.114
5      local-address=10.111.113.89 uptime=21h33m50s prefix-count=0 updates-sent=0 updates-received=3 withdrawn-sent=0 withdrawn-received=3 remote-hold-time=4m used-hold-time=3m
6      used-keepalive-time=1m refresh-capability=yes as4-capability=yes state=established

4.-後記

/usr/local/bin/notify_about_attack.py 這個東西可以做很多有意思的東西,例如telegram 通知,郵件通知等等..自助解封,主動封鎖等等…….

還有flow并不是最佳的監測辦法,最好的辦法是用端口鏡像..或者分光,條件有限只能這樣搞了.

全文終。

来源:https://zhu.vn/archives/1966