This article discusses how to deploy the DDoS Protect application in a Juniper Networks environment. Juniper has a long history of supporting BGP Flowspec on its routing platforms and has added sFlow support across its entire product range (see sFlow available on Juniper MX series routers).
First, Junos doesn't provide a way to connect to the non-standard BGP port (1179) that sFlow-RT uses by default. Allowing sFlow-RT to open the standard BGP port (179) requires that the service be given additional Linux capabilities.
```
docker run --rm --net=host --sysctl net.ipv4.ip_unprivileged_port_start=0 \
  sflow/ddos-protect -Dbgp.port=179
```
The above command launches the prebuilt sflow/ddos-protect Docker image. Alternatively, if sFlow-RT has been installed as a deb / rpm package, then the required permissions can be added to the service.
```
sudo systemctl edit sflow-rt.service
```

Type the above command to edit the service configuration and add the following lines:

```
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
```

Next, edit the sFlow-RT configuration file for the DDoS Protect application:

```
sudo vi /usr/local/sflow-rt/conf.d/ddos-protect.conf
```

and add the line:

```
bgp.port=179
```

Finally, restart sFlow-RT:

```
sudo systemctl restart sflow-rt
```

The application is now listening for BGP connections on TCP port 179.
The following Junos commands configure sFlow export from the router to sFlow-RT:

```
set protocols sflow collector 192.168.65.2 udp-port 6343
set protocols sflow polling-interval 20
set protocols sflow sample-rate ingress 1000
set protocols sflow interfaces ge-0/0/0
set protocols sflow interfaces ge-0/0/1
...
```
```
policy-options {
    policy-statement ACCEPT_ALL {
        from protocol bgp;
        then accept;
    }
}
routing-options {
    router-id 1.1.1.1;
    autonomous-system 65000;
}
protocols {
    bgp {
        group sflow-rt {
            type internal;
            local-address 172.17.0.2;
            family inet {
                unicast;
                flow {
                    no-validate ACCEPT_ALL;
                }
            }
            family inet6 {
                unicast;
                flow {
                    no-validate ACCEPT_ALL;
                }
            }
            neighbor 192.168.65.2 {
                import ACCEPT_ALL;
                peer-as 65000;
            }
        }
    }
}
```

The above configuration establishes the BGP Flowspec session with sFlow-RT.
```
root@07358a106c21> show route table inetflow.0 detail

inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
192.0.2.129,*,proto=17,srcport=53/term:N/A (1 entry, 0 announced)
        *BGP    Preference: 170/-101
                Next hop type: Fictitious, Next hop index: 0
                Address: 0x55653aae979c
                Next-hop reference count: 1
                Next hop:
                State: <Active Int Ext SendNhToPFE>
                Local AS: 65000 Peer AS: 65000
                Age: 6 	Validation State: unverified
                Task: BGP_65000.192.168.65.2
                AS path: I
                Communities: traffic-rate:0:0
                Accepted
                Localpref: 100
                Router ID: 0.6.6.6
```

The command line output from the router shown above verifies that a Flowspec control blocking the amplification attack has been received: UDP (proto=17) traffic from source port 53 to 192.0.2.129 is rate-limited to zero (traffic-rate:0:0). The control will remain in place for 60 minutes (the configured timeout), after which it will be automatically withdrawn. If the attack is still in progress it will be immediately detected and the control reapplied.
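As an added example (not part of the original post or of sFlow-RT), the following Python script parses the inetflow.0 output above and audits each received control the way an operator would want to: a DDoS Protect drop should target a single host inside the protected address space with a traffic-rate of zero. The sample output and the protected prefix 192.0.2.0/24 are constructed for the example.

```python
import re
from ipaddress import ip_network

# Constructed sample: the inetflow.0 output shown above, trimmed to the fields used here.
SAMPLE = """inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
192.0.2.129,*,proto=17,srcport=53/term:N/A (1 entry, 0 announced)
        *BGP    Preference: 170/-101
                Local AS: 65000 Peer AS: 65000
                Age: 6          Validation State: unverified
                Task: BGP_65000.192.168.65.2
                Communities: traffic-rate:0:0
"""

# Route key: "<dest>,<src>[,component=value,...]/term:..." where "*" means "any".
ROUTE_KEY = re.compile(r"^([^,\s]+),([^,\s]+?)(?:,([^\s/]*))?/term:")

def parse_inetflow_detail(output):
    """Turn 'show route table inetflow.0 detail' output into one dict per Flowspec route."""
    routes, cur = [], None
    for raw in output.splitlines():
        line = raw.strip()
        m = ROUTE_KEY.match(line)
        if m:
            cur = {"dest": m.group(1), "src": m.group(2), "communities": []}
            for term in (m.group(3) or "").split(","):
                if term:
                    key, _, value = term.partition("=")
                    cur[key] = value          # e.g. proto=17, srcport=53
            routes.append(cur)
        elif cur is not None and line.startswith("Communities:"):
            cur["communities"] = line.split(":", 1)[1].split()
        elif cur is not None and line.startswith("Age:"):
            cur["age"] = line.split()[1]
    return routes

def audit_control(route, protected_prefixes):
    """Return findings for a received control; an empty list means it looks like an
    expected DDoS Protect drop: one protected host, action traffic-rate 0."""
    findings = []
    if route["dest"] == "*":
        findings.append("no destination match: control applies to all traffic")
    else:
        dest = ip_network(route["dest"], strict=False)   # "192.0.2.129" -> 192.0.2.129/32
        if dest.prefixlen < dest.max_prefixlen:
            findings.append(f"{dest} covers more than a single host")
        if not any(dest.subnet_of(ip_network(p)) for p in protected_prefixes):
            findings.append(f"{dest} is outside the protected address space")
    if "traffic-rate:0:0" not in route["communities"]:
        findings.append(f"action is not a drop: {route['communities']}")
    return findings
```

Run against a live router by piping the command output into parse_inetflow_detail(); any non-empty findings list is a control worth investigating before it is allowed to persist.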