The screen capture above shows a simulated DNS amplification attack. The Top Targets chart is a real-time view of external traffic to on-site IP addresses. The red line indicates the threshold that has been set at 10,000 packets per second and it is clear that traffic to address 192.168.151.4 exceeds the threshold. The Top Protocols chart below shows that the increase in traffic is predominantly DNS. The Controls chart shows that a control was added the instant the traffic crossed the threshold.
Controls are added and removed by calling an external TCL/Expect script which logs into the site router and applies the following CLI command to drop traffic to the targeted address:
ip route target_ip/32 null0 name "DOS ATTACK"The script can easily be modified or replaced to apply different controls or to work with different vendor CLIs.
Additional instructions are available under the Help tab. Instructions for downloading and installing the DDoS Blackhole application are available on sFlow-RT.com.
The software will work on any site with sFlow capable switches, even if the router itself doesn't support sFlow. Running the application in Manual mode is a completely safe way to become familiar with the software features and get an understanding of normal traffic levels. Download the software and give it a try.
Even better if your ISP support RTBH via BGP Communities. Level 3 allows you to trigger it with the following community (or at least used to):
ReplyDelete3356:9999 - blackhole (discard) traffic
Thanks for the information about Level 3. There is rudimentary BGP support built in to sFlow-RT, Active Route Manager, but BGP Communities aren't yet supported.
DeleteIn the mean time, you could probably replace the TCL/Expect script with a script that uses ExaBGP.
hai Mr.Peter. can you explain specifically about where should command ip route apply, because i try it in sflow-rt dir or new terminal, both failed, last i try curl command curl http://localhost:8008/script/ddos.js/json?action=enable {"controls":{},"enabled":true}, still controls on ddos application show nothing. Thank you ..
ReplyDeleteYou need to configure the IP Address Groups and add additional group(s) containing the globally routable CIDRs for your servers. The address groups are used to identify local, non-local and non-routable address spaces. Traffic from external addresses to local globally routable addresses is monitored for DDoS attacks.
DeleteOnce you have the groups configured you should start to see traffic under the charts tab.
hi,I can't see the traffic, can you explain specific how to configuration?
ReplyDeleteYou need to set the address groups, the following article gives a description Remotely Triggered Black Hole (RTBH) Routing
DeleteIt must use the BGP?
DeleteI am using mininet to simulated network environment, and want to use the ddos blackhole to detect ddos attacks, but i don't use the BGP. What should i do?
There are a number of additional examples on this blog, click on the DoS label to see the articles.
DeleteIf you are using Mininet then you might be interested in Mininet flow analytics and Mininet dashboard.
You can write your application using the REST API or the internal JavaScript API, see Writing Applications