Slides about DDoS detection tool. IPFIX, sFlow, Netflow support. Instant detection. Complete API and command line tools.
Free trial: https://fastnetmon.com/trial/
This document discusses techniques for mitigating distributed denial of service (DDoS) attacks, including remotely triggered black hole filtering (RTBH) and BGP FlowSpec. It provides an overview of DDoS attack trends, types, and impacts. It also introduces the open-source FastNetMon tool, which detects DDoS attacks from network telemetry (NetFlow, sFlow, IPFIX or mirrored traffic) and triggers mitigation actions such as blackholing or flow blocking through integration with BGP daemons like ExaBGP.
RIPE71: FastNetMon open source DoS / DDoS mitigation (Pavel Odintsov)
This document describes FastNetMon, an open source DDoS mitigation toolkit. It provides concise summaries of network traffic and detects DDoS attacks in real-time. It can block malicious traffic through methods like BGP announcements. FastNetMon supports many Linux distributions and can integrate with hardware/cloud solutions. It detects attacks faster than traditional hardware/service approaches through optimized packet capture using tools like Netmap and PF_RING.
This document discusses using FastNetMon and ExaBGP to monitor and mitigate DDoS attacks at the University of Wisconsin-Platteville. FastNetMon monitors network traffic in real time and detects DDoS attacks based on packet, bandwidth, and flow thresholds. It then triggers ExaBGP to inject a blackhole route for the attacked address so that the attack traffic is dropped upstream; traffic to the rest of the campus continues to pass, at the cost of the single blackholed host. This integrated solution allows the university to automatically detect and mitigate DDoS attacks in near real time.
Ultra fast DDoS Detection with FastNetMon at Coloclue, AS 8283 (Pavel Odintsov)
This document discusses how Coloclue, a non-profit volunteer-driven ISP, automated the detection and mitigation of DDoS attacks with FastNetMon and BIRD. FastNetMon detects attacks within 3 seconds by monitoring traffic levels. BIRD then injects a selective blackhole route within 1 second, dropping traffic to the single attacked IP or subnet for 60 seconds. Detection plus mitigation therefore completes within about 4 seconds, fully automated.
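The detect-then-blackhole loop described above (FastNetMon calling a notify script, the script feeding ExaBGP) is small enough to show end to end. The following is an added example, not code from the slides or from the FastNetMon or ExaBGP projects. It assumes FastNetMon's notify_script argument order (`<ip> <direction> <pps> <action>` with action `ban`, `unban` or `attack_details`), ExaBGP's text API syntax, and an operator prefix list and discard next-hops that are made up for the example. The check that the attacked address lies inside the operator's own prefixes is the safety rail a practitioner wants: a bad detection must never turn into a blackhole announcement for someone else's address space.

```python
#!/usr/bin/env python3
"""FastNetMon notify script that drives ExaBGP for remotely triggered blackholing.

Added example, not code from the slides or from the FastNetMon/ExaBGP projects.
FastNetMon invokes its notify_script as:  <ip> <direction> <pps> <action>
where action is ban, unban or attack_details. ExaBGP accepts text commands on
the stdin of a process it spawns, for example
    announce route 192.0.2.10/32 next-hop 192.0.2.254 community [65535:666]
The prefix list and next-hop addresses below are assumed values for the example.
"""
import ipaddress
import sys

# Assumption: the only address space this site is allowed to blackhole.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8::/32")]
# Assumption: discard next-hops that the routers resolve to a Null0 route.
DISCARD_NEXT_HOP = {4: "192.0.2.254", 6: "2001:db8::ffff"}
# Well-known BLACKHOLE community from RFC 7999; upstreams honouring it drop
# traffic to the announced host route at their edge.
BLACKHOLE_COMMUNITY = "65535:666"


def host_route(ip_text):
    """Return the /32 or /128 host route for an attacked address.

    Refuses addresses outside OUR_PREFIXES: a bug or a spoofed attack report
    must never make us announce a blackhole for someone else's space.
    """
    ip = ipaddress.ip_address(ip_text)
    if not any(ip in net for net in OUR_PREFIXES):
        raise ValueError(f"{ip} is outside our prefixes; refusing to blackhole it")
    return ipaddress.ip_network(f"{ip}/{ip.max_prefixlen}")


def build_rtbh_command(action, ip_text):
    """Translate one FastNetMon action into one ExaBGP API command line.

    ban    -> announce the host route tagged BLACKHOLE
    unban  -> withdraw it again (same next-hop so ExaBGP matches the route)
    other  -> None (attack_details carries only a traffic sample)
    """
    if action not in ("ban", "unban"):
        return None
    route = host_route(ip_text)
    next_hop = DISCARD_NEXT_HOP[route.version]
    if action == "ban":
        return (f"announce route {route} next-hop {next_hop} "
                f"community [{BLACKHOLE_COMMUNITY}]")
    return f"withdraw route {route} next-hop {next_hop}"


def main(argv):
    if len(argv) < 5:
        sys.stderr.write("usage: notify.py <ip> <direction> <pps> <action>\n")
        return 2
    ip_text, _direction, _pps, action = argv[1:5]
    command = build_rtbh_command(action, ip_text)
    if command:
        # In a deployment this line goes to the pipe or socket ExaBGP reads;
        # printing it keeps the example runnable without a BGP daemon.
        sys.stdout.write(command + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The unban path matters as much as the ban path: FastNetMon calls the script again when its ban timer expires, and a withdraw that is never sent leaves the victim blackholed long after the attack has ended.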
GoBGP is an open source BGP implementation written in Go that aims for high performance. It uses gRPC for its API-first architecture and OpenConfig for its vendor-neutral configuration model. Some key uses of GoBGP include as a high performance route server, for integration with data analysis systems via its APIs, and as a BGP implementation for whitebox switches.
This document discusses using BGP Flowspec for DDoS mitigation. It provides an overview of legacy DDoS mitigation methods, describes how BGP Flowspec works by distributing flow specifications using BGP, and gives examples of how it can be used for inter-domain and intra-domain DDoS mitigation as well as with a scrubbing center. It also discusses vendor support, advantages over previous methods, potential issues, real world deployments, and the current state and future of BGP Flowspec.
BGP FlowSpec experience and future developments (Pavel Odintsov)
This document discusses BGP FlowSpec, which is a technique for mitigating DDoS attacks. It provides an overview of FlowSpec implementations by various vendors and open source tools. It also discusses operational experience with FlowSpec deployments. While FlowSpec works well against many amplification attacks, the document notes some limitations and areas for improvement. This includes improving router scale, adding flexibility to payload matching, and developing standards for traffic reporting across administrative domains. Overall, FlowSpec is presented as a mature mitigation technique, but one that requires continued development and vendor/operator collaboration to address evolving attacks.
Implementing BGP Flowspec at an IP transit network (Pavel Odintsov)
This document discusses implementing BGP Flowspec at an IP transit network to help mitigate distributed denial of service (DDoS) attacks. BGP Flowspec allows network operators to announce flow specifications via BGP to define distributed access lists across their network. The document outlines BGP Flowspec options, typical attack scenarios with and without its use, implementation considerations, validation of rules, statistics collection, and plans for a web portal and integration with attack detection systems. Over 85% of detected DDoS traffic was found to enter on external (foreign) interfaces, which is exactly where the Flowspec rules are applied, supporting its usefulness against such attacks.
BGP Flowspec (RFC 5575): case study and discussion (APNIC)
BGP Flowspec is a technique for distributing flow specification rules via BGP. It allows an ISP to dynamically distribute filtering and redirection rules to mitigate DDoS attacks. The document discusses several real-world use cases where BGP Flowspec was deployed to successfully block large DDoS attacks in a targeted manner without affecting legitimate traffic. However, interoperability between vendors and scalability challenges remain open issues requiring further work and testing.
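The FlowSpec summaries above all turn on the same point: instead of blackholing a victim, the operator distributes a rule that matches only the attack traffic (for an amplification attack, UDP from the reflector's source port) and discards or rate-limits it. The following added example, not code from any of the presentations, derives such rules from sampled flow records and emits them in ExaBGP's text API syntax. The flow records, the amplifier port table and the operator prefix list are constructed for the example; the rate-limit unit (bytes per second) follows the FlowSpec traffic-rate action.

```python
"""Derive BGP FlowSpec rules for an amplification attack and emit them for ExaBGP.

Added example, not from the slides. The flow records, prefix list and
amplifier port table are constructed for the example. The command syntax is
ExaBGP's text API, e.g.
  announce flow route { match { destination 192.0.2.10/32; protocol udp;
                                source-port =123; } then { discard; } }
"""
import ipaddress
from collections import Counter

# Assumption: UDP source ports of the reflectors commonly abused for amplification.
AMPLIFIER_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 1900: "ssdp", 11211: "memcached"}
# Assumption: only rules whose destination lies in our own space are announced,
# mirroring the RFC 5575 validation routers apply to received rules.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8::/32")]


def flowspec_command(verb, victim, src_port, rate_limit_bps=None):
    """Build one 'announce'/'withdraw' FlowSpec line matching UDP from src_port.

    rate_limit_bps is bytes per second, the unit of FlowSpec's traffic-rate
    action; None means discard. Matching on the reflector port keeps the
    victim's other traffic flowing, unlike a blackhole route.
    """
    if verb not in ("announce", "withdraw"):
        raise ValueError("verb must be announce or withdraw")
    ip = ipaddress.ip_address(victim)
    if not any(ip in net for net in OUR_PREFIXES):
        raise ValueError(f"{ip} is not in our prefixes; refusing to build a rule")
    dest = f"{ip}/{ip.max_prefixlen}"
    action = "discard;" if rate_limit_bps is None else f"rate-limit {int(rate_limit_bps)};"
    return (f"{verb} flow route {{ match {{ destination {dest}; protocol udp; "
            f"source-port ={src_port}; }} then {{ {action} }} }}")


def rules_for_attack(victim, sampled_flows, min_share=0.10, rate_limit_bps=None):
    """Pick the amplification vectors hitting `victim` from sampled flows.

    sampled_flows: iterable of (dst_ip, protocol, src_port, packets), the kind
    of aggregate a NetFlow/sFlow collector yields. One rule is emitted per
    amplifier port carrying at least min_share of the UDP packets to the victim,
    largest vector first; other ports are ignored so a rule never matches
    ordinary client traffic.
    """
    per_port = Counter()
    for dst_ip, protocol, src_port, packets in sampled_flows:
        if dst_ip == victim and protocol == "udp":
            per_port[src_port] += packets
    total = sum(per_port.values())
    if total == 0:
        return []
    rules = []
    for src_port, packets in per_port.most_common():
        if src_port in AMPLIFIER_PORTS and packets / total >= min_share:
            rules.append(flowspec_command("announce", victim, src_port, rate_limit_bps))
    return rules


# Constructed sample: an NTP+SSDP reflection attack on 192.0.2.10 with some
# legitimate DNS and HTTPS traffic mixed in.
SAMPLE_FLOWS = [
    ("192.0.2.10", "udp", 123, 9000),
    ("192.0.2.10", "udp", 1900, 2500),
    ("192.0.2.10", "udp", 53, 800),
    ("192.0.2.10", "udp", 40000, 300),
    ("192.0.2.10", "tcp", 443, 1200),
    ("192.0.2.20", "udp", 123, 500),
]

if __name__ == "__main__":
    for line in rules_for_attack("192.0.2.10", SAMPLE_FLOWS):
        print(line)
```

The share threshold is what keeps the rule count small: the presentations above list router rule scale as a FlowSpec limitation, so emitting one rule per dominant vector rather than one per observed port is the practical choice.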
macvlan and ipvlan allow VMs and containers to have direct exposure to the host network by assigning them their own MAC/IP addresses without requiring a bridge. macvlan gives each child interface its own MAC address and separates traffic at layer 2, while ipvlan shares the parent's MAC address and separates traffic by IP address. Both are lighter weight than bridges. macvlan is commonly used in bridge mode to allow communication between VMs/containers on the same host, while ipvlan may be preferred when the switch or cloud network limits the number of MAC addresses per port, or on untrusted networks.
This document discusses using a loopback interface as the update source for BGP sessions. It explains that when there are multiple paths between BGP neighbors, using a loopback interface ensures the BGP session will not go down if the physical interface fails. It provides the configuration to enable this by specifying the loopback interface in the neighbor update-source command. An example topology is shown connecting routers with EIGRP and configuring BGP between the routers using a loopback interface as the update source.
Securing a telecom operator's network with BGP FlowSpec (Cisco Russia)
The document discusses using BGP FlowSpec to provide network security for an internet service provider. It begins with an introduction to BGP FlowSpec, describing its components and how rules are distributed using BGP. It then covers using BGP FlowSpec for different DDoS mitigation scenarios, including stateless amplification attacks, stateless L3/L4 attacks, and stateful attacks targeting application resources. Configuration and other use cases are also briefly mentioned.
In this webinar, we discussed an advanced MikroTik firewall feature: the nth packet matcher. We assumed the viewers already have a solid understanding of the prerequisite knowledge.
We started the discussion with the basic concepts of traffic load balancing, and then moved on to the nth matcher.
The recording is available on YouTube (GLC Networks channel): https://youtu.be/s0JxxdKuh58
netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers.
iptables is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different netfilter modules) and the chains and rules it stores.
Many systems use iptables/netfilter, Linux's native packet filtering/mangling framework since Linux 2.4, be it home routers or sophisticated cloud network stacks.
In this session, we will talk about the netfilter framework and its facilities, explain how basic filtering and mangling use-cases are implemented using iptables, and introduce some less common but powerful extensions of iptables.
Shmulik Ladkani, Chief Architect at Nsof Networks.
Long time network veteran and kernel geek.
Shmulik started his career at Jungo (acquired by NDS/Cisco) implementing residential gateway software, focusing on embedded Linux, Linux kernel, networking and hardware/software integration.
Some billions of forwarded packets later, Shmulik left his position as Jungo's lead architect and joined Ravello Systems (acquired by Oracle) as tech lead, developing a virtual data center as a cloud-based service, focusing around virtualization systems, network virtualization and SDN.
Recently he co-founded Nsof Networks, where he's been busy architecting network infrastructure as a cloud-based service, gazing at internet routes in astonishment, and playing the chkuku.
This document discusses network address translation (NAT) and NAT traversal techniques. It begins with an overview of NAT and why NAT traversal is needed to access network resources behind NAT. It then covers various NAT traversal solutions including port forwarding, NAT traversal protocols like STUN and TURN, and implementations like ICE and WebRTC that use these protocols. The document provides examples and diagrams to illustrate key NAT concepts and how different traversal techniques work.
Denial of Service attacks – Definitions, related surveys
Traceback of DDoS Attacks – Proposed method, advantages, future work
Detection methods with Shannon and Renyi cross entropy – Previous works, proposed method, dataset and results
The added value of entropy detection methods
References
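The outline above covers entropy-based detection without showing the arithmetic, so the following added example (not from the presentation) computes Shannon entropy, Rényi entropy of order alpha and the cross entropy of a traffic window against a baseline over destination-address distributions, and raises an alarm when the window's entropy collapses onto one victim. The packet samples are constructed; the Rényi cross-entropy form used, (1/(1-a)) log2 sum p(x) q(x)^(a-1), is one of several definitions in the literature and is an assumption here.

```python
"""Entropy-based DDoS detection on destination-address distributions.

Added example, not from the presentation. It computes Shannon entropy,
Renyi entropy of order alpha and the cross entropy of a traffic window
against a learned baseline, and raises an alarm when the window's entropy
collapses (many packets to one victim). The packet samples are constructed.
The Renyi cross-entropy form used here, (1/(1-a)) log2 sum p(x) q(x)^(a-1),
is one of several definitions in the literature and is an assumption.
"""
import math
from collections import Counter

EPS = 1e-9  # probability assigned to symbols unseen in the baseline


def distribution(symbols):
    """Empirical probability of each symbol (e.g. destination IP) in a window."""
    counts = Counter(symbols)
    total = sum(counts.values())
    return {s: c / total for s, c in counts.items()}


def shannon_entropy(p):
    return -sum(px * math.log2(px) for px in p.values() if px > 0)


def renyi_entropy(p, alpha):
    """H_alpha(p); alpha = 1 recovers Shannon, alpha = 2 is collision entropy."""
    if alpha == 1:
        return shannon_entropy(p)
    return math.log2(sum(px ** alpha for px in p.values())) / (1 - alpha)


def cross_entropy(p, q):
    """Shannon cross entropy H(p, q) = -sum p(x) log2 q(x); p = window, q = baseline."""
    return -sum(px * math.log2(q.get(x, EPS)) for x, px in p.items())


def renyi_cross_entropy(p, q, alpha):
    if alpha == 1:
        return cross_entropy(p, q)
    return math.log2(sum(px * q.get(x, EPS) ** (alpha - 1) for x, px in p.items())) / (1 - alpha)


def detect(baseline_ips, window_ips, alpha=2.0, drop_threshold_bits=1.0):
    """Alarm when the window's destination entropy falls more than
    drop_threshold_bits below the baseline under either measure.

    A flood concentrates traffic on one destination, so H drops; the cross
    entropy rises when the victim was rare or unseen in the baseline.
    Returns (alarm, metrics) so a caller can log the numbers behind a decision.
    """
    q = distribution(baseline_ips)
    p = distribution(window_ips)
    metrics = {
        "shannon_baseline": shannon_entropy(q),
        "shannon_window": shannon_entropy(p),
        "renyi_baseline": renyi_entropy(q, alpha),
        "renyi_window": renyi_entropy(p, alpha),
        "cross_entropy": cross_entropy(p, q),
        "renyi_cross_entropy": renyi_cross_entropy(p, q, alpha),
    }
    shannon_drop = metrics["shannon_baseline"] - metrics["shannon_window"]
    renyi_drop = metrics["renyi_baseline"] - metrics["renyi_window"]
    alarm = shannon_drop > drop_threshold_bits or renyi_drop > drop_threshold_bits
    return alarm, metrics


# Constructed samples: a baseline window spread evenly over eight servers and an
# attack window in which 93% of packets hit one of them.
SERVERS = [f"192.0.2.{i}" for i in range(1, 9)]
BASELINE_WINDOW = [ip for ip in SERVERS for _ in range(10)]
ATTACK_WINDOW = ["192.0.2.5"] * 93 + [ip for ip in SERVERS if ip != "192.0.2.5"]

if __name__ == "__main__":
    for name, window in (("baseline", BASELINE_WINDOW), ("attack", ATTACK_WINDOW)):
        alarm, m = detect(BASELINE_WINDOW, window)
        print(name, "ALARM" if alarm else "ok", {k: round(v, 3) for k, v in m.items()})
```

Rényi entropy with alpha > 1 weights the dominant symbol more heavily than Shannon, which is why it reacts sooner to a single-victim flood; the same functions applied to source addresses move in the opposite direction (entropy rises) when sources are spoofed, so both views are worth tracking.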
In this webinar, we start with an introduction to BGP: AS-to-AS connections, a comparison of BGP routing with traditional routing, and BGP peering. We then talk about problems that might occur during BGP peering, their effects, and the solution. Finally we cover an example of how to configure a BGP filter on MikroTik.
The recording is available on youtube (GLC Networks Channel): https://www.youtube.com/channel/UCI611_IIkQC0rsLWIFIx_yg
Network LACP/Bonding/Teaming with MikroTik (GLC Networks)
Webinar topic: Network LACP/Bonding/Teaming with MikroTik
Presenter: Achmad Mardiansyah
In this webinar series: how to set up LACP, bonding and teaming with MikroTik.
Please share your feedback or webinar ideas here: http://bit.ly/glcfeedback
Check our schedule for future events: https://www.glcnetworks.com/en/schedule/
Follow our social media for updates: Facebook, Instagram, YouTube Channel, and telegram also discord
Recording available on Youtube
https://youtu.be/smRcyLE42hU
Webinar topic: OSPF on RouterOS 7
Presenter: Achmad Mardiansyah & M. Taufik Nurhuda
In this webinar series: how to configure OSPF on RouterOS 7.
Recording available on Youtube
https://youtu.be/nuByFdZHvAg
- The document discusses Linux network stack monitoring and configuration. It begins with definitions of key concepts like RSS, RPS, RFS, LRO, GRO, DCA, XDP and BPF.
- It then provides an overview of how the network stack works from the hardware interrupts and driver level up through routing, TCP/IP and to the socket level.
- Monitoring tools like ethtool, ftrace and /proc/interrupts are described for viewing hardware statistics, software stack traces and interrupt information.
This document outlines an IPv6 lab and techtorial that covers IPv6 addressing, neighbor discovery, static routing, OSPFv3, BGP, and tunneling. The agenda includes lectures on these topics as well as corresponding labs to provide hands-on experience. Prerequisites for the session are basic network engineering knowledge and interest in Cisco technologies. The document then goes on to describe IPv6 addressing formats, types of addresses, and how addresses are allocated to interfaces.
This document provides an introduction to eBPF and XDP. It discusses the history of BPF and how it evolved into eBPF. Key aspects of eBPF covered include the instruction set, JIT compilation, verifier, helper functions, and maps. XDP is introduced as a way to program the data plane using eBPF programs attached early in the receive path. Example use cases and performance benchmarks for XDP are also mentioned.
BMP (BGP Monitoring Protocol) allows routers to send BGP peer route updates and statistics to external monitoring stations. It provides access to the pre-policy routing table (Adj-RIB-In) of peers on an ongoing basis. Cisco supports BMP in IOS-XE and IOS-XR routers. OpenBMP is an open-source BMP collector that stores updates in a MySQL database for analysis.
In this webinar, we are talking about BGP implementation on MikroTik routers. The presentation starts with the fundamentals of BGP and then discusses basic BGP settings on RouterOS.
The TC Flower Classifier allows control of packets based on flows determined by matching of well-known packet fields and metadata. This is inspired by similar flow classification described by OpenFlow and implemented by Open vSwitch. Offload of the TC Flower classifier and related modules provides a powerful mechanism to both increase throughput and reduce CPU utilisation for users of such flow-based systems. This presentation will give an overview of the evolution of offload of the TC Flower classifier: where it came from, the current status and possible future directions.
Detecting and mitigating DDoS at Zendesk, by Vicente De Luca (Pavel Odintsov)
This document discusses how to improve detection of DDoS attacks using an open-source solution involving FastNetMon, InfluxDB, Grafana, Redis, Morgoth, BIRD, and an experimental code called Net Healer. FastNetMon detects attacks and reports them to Redis. Net Healer watches Redis for attack reports and can trigger actions like alerting on-call teams or injecting routes based on policy thresholds over a 5 minute period to mitigate attacks faster without relying solely on humans. The solution integrates various open source tools for scalable metrics storage, routing, anomaly detection, and triggering automated responses to detected attacks.
DDoS detection at a small ISP, by Wardner Maia (Pavel Odintsov)
This document deals with the detection and mitigation of distributed denial of service (DDoS) attacks at a small Internet service provider (ISP). It explains DDoS basics, including attack types and architecture. It then discusses good network practices for minimizing attacks, such as implementing BCP-38 and eliminating amplifiers and static loops. Finally, it covers mitigation techniques such as remote blackholing and sol
The document discusses defence strategies against denial of service attacks (DoS and DDoS), including attack types, network planning, detection and countermeasures. It highlights the importance of network visibility, knowledge of the services offered and the capacity of the equipment for mitigating attacks. When an attack exceeds the available bandwidth, options such as remote blackholing, "clean pipes" and load distribution can help reduce the impact.
Blackholing from a provider's perspective, by Theo Voss (Pavel Odintsov)
This document discusses blackholing from a provider's perspective. It describes how blackholing can be implemented at the provider's upstreams and internet exchange points (IXPs). The document also discusses using FastNetMon for DDoS attack detection and implementing blackholing policies on routers to discard attack traffic in the case of a detected DDoS attack.
FastNetMon is an open source, cross-platform, lightweight real-time DDoS monitoring system that can detect network anomalies from sFlow, NetFlow, or mirrored-port data. It has flexible response methods and works with BGP daemons like ExaBGP and GoBGP to announce blackhole routes, though its limited documentation and some quirks like inaccurate flow averages require modifications for optimal use.
This document describes an open-source solution for improving fast detection of and automating mitigation of DDoS attacks. The solution uses FastNetMon for fast detection of attacks from sFlow, NetFlow, or port mirroring. Metrics and events are stored in InfluxDB for analysis by Morgoth and visualization in Grafana. Net Healer uses policies to trigger actions like blackholing routes in BIRD based on data from Redis and anomalies detected by Morgoth in InfluxDB. This provides faster detection and reaction than traditional hardware appliances alone.
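Both Zendesk summaries above describe the same escalation logic in Net Healer: attack reports accumulate per target over a 5-minute policy window, a first report only alerts, repeated reports trigger a route injection, and humans are taken out of the fast path. The following is an added example of that policy engine, not Net Healer's code: the Redis transport and BIRD route injection are left out and a caller feeds `(ip, pps, timestamp)` tuples in; thresholds, the hold-down time and the report stream are assumed values constructed for the example.

```python
"""Policy-driven reaction to FastNetMon attack reports, in the spirit of the
Net Healer component described above. Added example, not Net Healer's code.

Reports are counted per target IP over a sliding window; a single report only
alerts, repeated reports within the window escalate to a blackhole, and a
hold-down timer decides when the route is withdrawn. The Redis transport is
left out: a caller feeds (ip, pps, timestamp) tuples in. Thresholds are
assumed values.
"""
from collections import defaultdict, deque


class PolicyEngine:
    def __init__(self, window_s=300, alert_after=1, blackhole_after=3,
                 min_pps=20000, hold_s=600):
        self.window_s = window_s                # 5-minute evaluation window
        self.alert_after = alert_after          # reports in window before paging
        self.blackhole_after = blackhole_after  # reports before injecting a route
        self.min_pps = min_pps                  # ignore reports below this rate
        self.hold_s = hold_s                    # keep the blackhole this long
        self.reports = defaultdict(deque)       # ip -> timestamps of counted reports
        self.blackholed = {}                    # ip -> time the route was injected

    def handle(self, ip, pps, now):
        """Decide what to do with one attack report.

        Returns one of: held (route already injected, nothing to do),
        ignore (below the pps floor), alert (page the on-call team),
        blackhole (inject the route now).
        """
        if ip in self.blackholed:
            return "held"
        if pps < self.min_pps:
            return "ignore"
        window = self.reports[ip]
        window.append(now)
        while window and now - window[0] > self.window_s:
            window.popleft()
        if len(window) >= self.blackhole_after:
            self.blackholed[ip] = now
            window.clear()
            return "blackhole"
        if len(window) >= self.alert_after:
            return "alert"
        return "ignore"

    def expire(self, now):
        """Return the IPs whose hold-down has elapsed and forget their routes,
        so the caller can withdraw them. An attack that resumes is re-reported
        and goes through the policy again."""
        done = [ip for ip, t in self.blackholed.items() if now - t >= self.hold_s]
        for ip in done:
            del self.blackholed[ip]
        return done


def replay(events, engine=None):
    """Run a list of (ip, pps, timestamp) reports through the engine and
    return the decision for each, in order."""
    engine = engine or PolicyEngine()
    return [engine.handle(ip, pps, ts) for ip, pps, ts in events]


# Constructed report stream: one host hit repeatedly, with one sub-threshold
# report in between that must not count towards escalation.
SAMPLE_EVENTS = [
    ("192.0.2.10", 100000, 0),
    ("192.0.2.10", 120000, 60),
    ("192.0.2.10", 5000, 120),
    ("192.0.2.10", 150000, 130),
    ("192.0.2.10", 150000, 140),
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", decision)
```

The sliding window is what prevents a slow trickle of isolated detections from ever escalating, and the hold-down with an explicit `expire` step is what guarantees a blackhole is withdrawn without anyone remembering to do it.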
Distributed Denial of Service Attack - Detection and Mitigation (Pavel Odintsov)
This document discusses distributed denial of service (DDoS) attacks, detection, and mitigation. It provides background on DDoS including components and architecture. It explains why small and medium internet service providers should care about DDoS attacks. The presentation aims to show how an ISP can implement an automated solution for DDoS mitigation using MikroTik Traffic Flow for export, FastNetMon for detection, and ExaBGP for route announcements. Detection and mitigation techniques are discussed such as remote triggered blackholing, mitigation at a cloud scrubbing center, and using the Team Cymru Unwanted Traffic Removal Service (UTRS).
Protect your edge: BGP security made simple (Pavel Odintsov)
SysEleven filters routes to protect its edge by rejecting bogon prefixes and invalid routes. It generates prefix filters automatically based on peer AS sets to apply strict inbound filtering. It also uses RPKI to validate routes and reject invalid announcements. For DDoS mitigation, it uses FastNetMon for detection and FlowSpec to propagate rate limiting filters via BGP to upstream providers for quick attack mitigation in under 2 minutes. Open source tools like bgpq3, aggregate, and GoBGP help implement these solutions in a cost effective manner.
Janog 39: speech about FastNetMon by Yutaka Ishizaki (Pavel Odintsov)
FastNetMon is an open-source software that can quickly detect DDoS attacks by analyzing packet capture and NetFlow data. It stores metrics in InfluxDB and Redis for visualization and attack details. When an attack is detected, FastNetMon can trigger scripts and announce blocked IPs using protocols like BGP. While it detects attacks well based on thresholds, it may be more effective when combined with other components for full DDoS mitigation functionality.
Marek discusses how his company Faelix uses MikroTik hardware and RouterOS at their network edges to route over 600k IPv4 and 30k IPv6 routes. While there were some initial issues, MikroTik has proven reliable and cost-effective. Marek then explains how Faelix implements firewalling with zero filter rules through a multi-step process. They use fail2ban to block brute force attacks, AMQP to share block lists across routers, and destination NAT to redirect misbehaving traffic. Most importantly, they leverage the "/ip route rule" feature to route blocked traffic to a separate routing table for easy isolation without complex firewall rules.
Fighting DDoS in hosting: on both sides of the barricades / Konstantin Novakovsky (... (Ontico)
This talk will be useful to those who plan to build DDoS protection with their own resources. Particular emphasis is placed on the use of open-source products for detecting and blocking external network attacks. In addition, I will share experience with automatic detection and prevention of attacks originating inside the infrastructure (compromised customer servers, abusive customers).
JANOG39 Traffic Visualization BoF presentation materials
Japanese - https://www.janog.gr.jp/meeting/janog39/program/traffic
English - https://www.janog.gr.jp/meeting/janog39/en/programs/y-bof-traffic
BGP Flow Specification allows network operators to define and distribute traffic filtering rules via BGP. This helps operators quickly mitigate DDoS attacks by filtering traffic at an upstream level rather than just blackholing entire prefixes. It separates filtering information from routing data using new BGP address families. Validating flow specifications against the best unicast route helps prevent spoofing. Common filtering actions include traffic policing, sampling, and redirection. While some ISPs have begun implementations, widespread adoption is still needed to realize the benefits of centralized DDoS defense using BGP Flow Specification.
Terabit Security offers a DDoS protection solution (DPS) that uses BGP Flowspec to quickly distribute ACL rules across routers to mitigate DDoS attacks. The DPS software can be installed on customer servers or virtual machines, and provides detection of DDoS attacks in 1-2 seconds and protection of up to 6.4Tbps of traffic. Professional support plans include basic 8x5 and advanced 24x7 support with unlimited cases. Over 1000 customers in 20+ countries use Terabit Security's solutions to protect terabits of internet traffic from DDoS attacks.
Presentation from the webinar "Cómo proteger–de verdad–tus aplicaciones web" ("How to really protect your web applications"), in which Imperva's Incapsula product was presented.
This document discusses route filtering recommendations to protect networks from routing leaks. It recommends:
1. Identifying transit routes using AS path filtering, communities, or prefix lists to refuse advertising these routes.
2. Applying maximum prefix limits and filters to inbound routes from peers to limit route exposure.
3. Creating inbound route filters to protect networks from leaked routes that should not be received from peers.
Set top boxes allow users to access multimedia services and cable television through a user-friendly interface. They integrate video and audio decoding with an application execution environment. While multimedia computers are more versatile and expensive, set top boxes have limited functionality and lower cost, targeting entertainment applications. Digital video networks use set top boxes to deliver high-bandwidth video and low-bandwidth interactivity between the user and service provider over various connection types like cable, satellite, and internet. Set top box hardware and software architectures integrate components like an MPEG decoder and microprocessor to control devices and enable downloading and running of applications.
This document discusses enabling seamless interworking between SDN and IP networks. It proposes using SDN controllers to emulate IP routing in the SDN domain so that SDN appears as a single router to external IP peers. The SDN controller would install flow entries proactively based on BGP routes and update them reactively upon BGP changes. This would allow SDN and IP networks to peer without requiring any changes to the IP networks. The document outlines the current implementation using ONOS and future work, such as improving performance and scaling the solution across multiple ONOS instances and BGP processes.
DDOS Mitigation Experience from IP ServerOne by CL Lee (MyNOG)
IP ServerOne is a Malaysian data center provider that manages over 4500 physical servers across 5 data centers. They experience 2-5 DDoS attacks per day, mostly ranging from 4.5-8.9 Gbps. To detect attacks, they use netflow to monitor traffic patterns and flag abnormal packet rates to single IPs. When an attack is detected, traffic is rerouted to on-premise filtering devices in less than 90 seconds to scrub attacks while allowing legitimate traffic. IP ServerOne advocates a hybrid mitigation approach using their own infrastructure alongside cloud-based protection.
DDoS Attack Detection & Mitigation in SDN (Chao Chen)
This document summarizes a presentation on detecting and mitigating distributed denial of service (DDoS) attacks in software-defined networks. It discusses using sFlow and the Floodlight controller to detect common DDoS attack types like ICMP floods, SYN floods, and DNS amplification. An application was developed in Python to classify attacks and push static flow entries to direct attack traffic to the sFlow collector for analysis. The scheme was tested in a Mininet virtual network and shown to successfully mitigate ICMP and SYN flood attacks. Future work includes testing DNS amplification and UDP floods, implementing adaptive sampling rates and thresholds, and designing an unblocking mechanism.
DDoS attacks are a growing menace due to readily available attack tools, botnets for hire, and lack of adequate protections by many organizations. The motives for attacks include hacktivism, extortion, competitive attacks in online games, and revenge. Common targets are websites and online services. The impacts of DDoS attacks include lost revenue, reputation damage, lost productivity, and recovery costs. Common attack types are volumetric (flooding bandwidth), protocol attacks, and application layer attacks targeting services like HTTP and DNS. Myths around protection include overreliance on firewalls, belief that attacks only happen to others, and that ISPs or software fixes can fully mitigate risks. Effective mitigation techniques involve monitoring, over
DDoS attacks are a growing menace due to readily available attack tools, botnets for hire, and lack of adequate protections by many organizations. The motives for attacks include hacktivism, extortion, competitive attacks in online games, and revenge. Common targets are websites and online services. The impacts of DDoS attacks include lost revenue, reputation damage, lost productivity, and recovery costs. Common attack types are volumetric (flooding bandwidth), protocol attacks, and application layer attacks targeting services like HTTP and DNS. Many organizations have myths about protection and rely solely on firewalls, IDS, or their ISPs. Effective mitigation requires monitoring, overprovisioning resources, IP reputation databases, ACLs, load
This document provides an overview and discussion of distributed denial of service (DDoS) attacks. It begins with an agenda outlining topics to be covered, including the business side of DDoS, attack types, recognition and mitigation. It then covers various DDoS attack types classified by network layer, including examples like SYN floods. Detection and mitigation techniques are discussed for different layers. The document emphasizes preparation, monitoring, response plans and partnerships as important strategies for dealing with DDoS attacks.
IX 2020 - Internet Security & Mitigation of Risk Webinar: Linux Malware and D... (APNIC)
APNIC's Senior Security Specialist Adli Wahid gave a presentation on Linux malware, DDoS agents and bots, based on observations from the Honeynet project at the IX 2020 – Internet Security and Mitigation of Risk Webinar, held online on 15 June 2020.
The document discusses security issues with internal networks and proposes a security switch solution from HanDreamnet. It notes that 80% of breaches come from internal traffic but most perimeter security like firewalls only protect from external threats. The security switch aims to detect and block harmful internal traffic in real-time without impacting regular traffic. It uses proprietary technology to analyze network traffic on multiple dimensions and identify attacks like denial of service, spoofing, and advanced persistent threats. The document compares the security switch's features to regular switches and other vendor solutions.
A UDP flood attack is a denial of service attack where an attacker overwhelms a targeted host with UDP packets. UDP is a connectionless protocol that does not require handshaking, allowing it to be used to launch attacks. While firewalls can filter unwanted traffic, they too can be overwhelmed. There are several ways to mitigate UDP flood attacks, such as rate limiting ICMP responses, firewall filtering, and filtering UDP packets except for DNS at the network level. Advanced mitigation techniques involve load balancing attacks across scrubbing servers using anycast technology and deep packet inspection to filter out malicious packets.
The document discusses various reconnaissance and access attacks against Cisco networks, as well as countermeasures. It covers passive sniffing, port scans, ping sweeps, password attacks, trust exploitation, IP spoofing, DHCP/ARP attacks, and DoS/DDoS attacks. Defenses include switched networks, encryption, firewall rules, DHCP snooping, dynamic ARP inspection, rate limiting, and storm control.
The document provides information about different types of DDoS attacks including DoS, DDoS, DNS reflection, SYN reflection, SMURF, UDP flood, SNMP, NTP, HTTP GET, and HTTP POST attacks. It describes how each attack works and overloads the target system with traffic. Mitigation techniques are also outlined, such as firewalls, rate limiting, authentication, and modifying server configurations.
DDoS Threat Landscape - Ron Winward CHINOG16 (Radware)
- DDoS attacks continue to grow in complexity and now utilize multi-vector attacks across all layers of the infrastructure. The top failure points for networks are internet pipe saturation and stateful firewalls.
- Common attack types include UDP, ICMP, reflection attacks, TCP weaknesses like SYN floods, low and slow attacks like Slowloris, and encrypted attacks such as HTTPS floods. Anonymous hacking tools enable these attacks.
- Successful mitigation of DDoS attacks requires proactive preparation across the network, including a hybrid solution of on-premise and cloud-based detection and mitigation, emergency response planning, and a single point of contact during attacks.
This document discusses DDoS attacks and mitigation methods. It begins by defining DDoS attacks as using multiple sources to overwhelm a target's availability, unlike a DOS attack which uses a single source. Common DDoS attack types are then outlined, along with the costs and impacts of attacks for victims. The document also provides details on specific attack methods like SYN floods, reflection attacks using DNS and NTP, and recommended mitigation techniques including whitelisting, rate limiting, and fingerprinting. It concludes by emphasizing that DDoS attacks are easy to carry out and difficult to detect, while having significant negative effects on victims.
This document discusses challenges and solutions related to detecting and mitigating DDoS attacks in IPv6 environments. It provides an overview of common attack vectors in IPv6, such as protocol floods, fragmentation attacks, and spoofing. It also addresses issues with using existing monitoring tools in IPv6 networks and proposes protocols like Netflow v9, IPFIX, and sFlow v5 for exporting IPv6 traffic metadata. Specific challenges involving BGP, blackholing, traffic engineering and fastnetmon tool support for IPv6 are examined along with potential solutions.
This document discusses how to launch and defend against DDoS attacks. It explains that DDoS attacks are easy to conduct using tools that allow for spoofing of IP addresses. It also describes how protocols like UDP and DNS amplification attacks can be used to launch large attacks. The document then provides recommendations for how to defend against DDoS attacks, including using a global network with anycast, hiding your origin IP, separating protocols by IP, and working closely with your upstream provider.
DDosMon A Global DDoS Monitoring Project by Yiming Gong.
A presentation given at APNIC 42's FIRST TC Security Session (2) session on Wednesday, 5 October 2016.
This document discusses how to use tcpdump and Linux utilities like grep, awk and sed to analyze network traffic for incident response. It provides examples of basic tcpdump syntax and using BPF filters to profile traffic. Specific techniques covered include hunting for suspicious DNS queries, mapping related infrastructure, finding unusual outbound connections, and automating tasks with scripting. The overall message is that security analysts should go beyond automated tools and learn to manually analyze network data to identify compromised systems that tools may miss.
Similar to FastNetMon - ENOG9 speech about DDoS mitigation
Using MikroTik routers for BGP transit and IX points (Pavel Odintsov)
This document discusses using MikroTik routers for BGP transit and internet exchange (IX) points. It covers how to configure BGP to import routes from transit carriers and IXes, export routes to customers, and control outgoing traffic preferences. Communities are used to mark routes from different providers and for blackholing DDoS attacks. Recommended BGP attribute values are provided to control traffic flow. Acknowledgments are given to DE-CIX for information used in the presentation.
FlowSpec against DDoS attacks: the Danish experience (Pavel Odintsov)
SUMMARY
At DeiC, the Danish research network, we have developed a DDoS protection service based on distributing firewall rules to the border routers by means of BGP FlowSpec.
Compared with alternative solutions, this method has a very low cost, since it is built solely on open source components.
In this phase of the project, attack detection is done with FastNetMon, but thanks to the open interfaces, other IDS tools can be used.
We will present lessons learned from this service, which is currently being deployed at DeiC.
Detecting DDoS and intrusions with RouterOS (Pavel Odintsov)
Maximiliano Dobladez presented on how to detect DDoS attacks and intrusions with RouterOS. He explained the Suricata IDS/IPS tooling for analyzing traffic for known malicious events and FastNetMon for detecting DDoS within 2 seconds. He detailed how to install and configure these tools, integrate them with RouterOS, and take actions such as sending traffic to a blackhole when an attack is detected.
The survey found that the most commonly used NOC tools are for monitoring (e.g. CACTI, Nagios), problem management (e.g. Nagios, Request Tracker), and ticketing (e.g. Request Tracker, OTRS). Performance management tools like Iperf, Wireshark and MRTG were also widely used. Configuration management was commonly done using tools like Git, RANCID, Subversion and CVS. The survey provided insights into the software tools used by NOCs and helped identify trends in tools that have increased in importance since a previous survey in 2011.
Containers are becoming increasingly popular as the future of cloud computing. The document discusses and compares several open source container virtualization platforms - KVM, Xen, OpenVZ, and LXC. It provides details on each platform such as the main developer, status, hardware support, virtualization type, and supported operating systems. OpenVZ is highlighted as being production ready since 2006, having extremely low overhead compared to Xen and KVM, and being widely used in projects like Docker.
HijackLoader Evolution: Interactive Process Hollowing (Donato Onofri)
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum... (APNIC)
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Securing BGP: Operational Strategies and Best Practices for Network Defenders... (APNIC)
Md. Zobair Khan, Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
8. http://bit.ly/fastnetmon
What can we do?
• Save the NOC's sleep :)
• Detect any DoS/DDoS attack that overflows a channel or overloads equipment
• Partially or completely block traffic from/to our own host (the target of the attack)
• Save your network (routers, switches, servers)
• Save your SLA
9. FastNetMon supported packet capture engines
• sFlow v5 (sampled traffic collection from switches)
• NetFlow v5, v9, v10 (sampled traffic data from routers)
• IPFIX (sampled traffic data from routers)
• SPAN/mirror port (deep inspection mode for routers/switches)
10. How can we block an attack?
• BGP announce (community 666, blackhole, selective blackhole)
• BGP FlowSpec (RFC 5575; selective traffic blocking)
• ACL on switch
• Custom script
12. Hardware requirements
• 1 GE NIC (10GE recommended for mirror/SPAN mode, Intel NICs only)
• Intel Xeon CPU (E5 v3 recommended for high speed capture from mirror)
• 10GB hard disk drive
15. Attack detection logic
• By packets per second to/from a /32
• By megabits per second (mbps) from/to a /32
• By flows per second from/to a /32
• By fragmented packets per second from/to a /32
• By TCP SYN packets per second from/to a /32
• By UDP packets per second from/to a /32
17. Example attack report
IP: 10.10.10.221
Attack type: syn_flood
Initial attack power: 546475 packets per second
Peak attack power: 546475 packets per second
Attack direction: incoming
Attack protocol: tcp
Total incoming traffic: 245 mbps
Total outgoing traffic: 0 mbps
Total incoming pps: 99059 packets per second
Total outgoing pps: 0 packets per second
Total incoming flows: 98926 flows per second
Total outgoing flows: 0 flows per second
Average incoming traffic: 45 mbps
Average outgoing traffic: 0 mbps
Average incoming pps: 99059 packets per second
Average outgoing pps: 0 packets per second
Incoming ip fragmented traffic: 250 mbps
Outgoing ip fragmented traffic: 0 mbps
Incoming ip fragmented pps: 546475 packets per second
Outgoing ip fragmented pps: 0 packets per second
Incoming tcp traffic: 250 mbps
Outgoing tcp traffic: 0 mbps
Incoming tcp pps: 546475 packets per second
Outgoing tcp pps: 0 packets per second
Incoming syn tcp traffic: 250 mbps
Outgoing syn tcp traffic: 0 mbps
Incoming syn tcp pps: 546475 packets per second
Outgoing syn tcp pps: 0 packets per second
Incoming udp traffic: 0 mbps
Outgoing udp traffic: 0 mbps
Incoming udp pps: 0 packets per second
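To show how the per-/32 threshold logic of slide 15 produces a report like the one on slide 17, here is an added example written for this page; it is not FastNetMon's own code, and the sample rate, the protected prefix 10.10.10.0/24, the threshold values, the attack-type labels other than syn_flood, and the flow records themselves are all constructed assumptions. It folds sampled flow records (the kind NetFlow or sFlow would export) into per-host incoming and outgoing counters, scales them back up by the sampling rate, compares each per-second rate with its threshold and renders the alert in the slide's report layout.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumptions made for this example (not FastNetMon configuration keys):
SAMPLE_RATE = 100         # exporter samples 1 packet in 100; counts are scaled back up
WINDOW_SEC = 1            # every threshold on the slide is "per second"
OUR_PREFIX = "10.10.10."  # hosts we protect; "incoming" means destined to one of them
# Per-/32, per-second thresholds (constructed values), one per slide bullet.
THRESHOLDS = {"pps": 20_000, "mbps": 100, "flows": 3_500,
              "fragmented_pps": 3_500, "syn_pps": 3_500, "udp_pps": 3_500}

@dataclass
class Counters:
    """Scaled-up packet/byte counts for one host in one direction."""
    packets: int = 0
    bytes: int = 0
    flows: int = 0
    fragmented: int = 0
    syn: int = 0
    udp: int = 0

    def rates(self, window=WINDOW_SEC):
        """Per-second rates in the units the thresholds use."""
        return {"pps": self.packets // window,
                "mbps": self.bytes * 8 / 1_000_000 / window,
                "flows": self.flows // window,
                "fragmented_pps": self.fragmented // window,
                "syn_pps": self.syn // window,
                "udp_pps": self.udp // window}

def aggregate(records, sample_rate=SAMPLE_RATE):
    """Fold sampled flow records into per-host incoming/outgoing counters."""
    stats = defaultdict(lambda: {"incoming": Counters(), "outgoing": Counters()})
    for r in records:
        for ip, direction in ((r["dst"], "incoming"), (r["src"], "outgoing")):
            if not ip.startswith(OUR_PREFIX):
                continue  # only hosts inside our own prefix are tracked
            c = stats[ip][direction]
            pkts = r["packets"] * sample_rate
            c.packets += pkts
            c.bytes += r["bytes"] * sample_rate
            c.flows += 1  # one record = one flow; flow counts are not scaled (assumption)
            if r["proto"] == "tcp" and r.get("syn"):
                c.syn += pkts
            elif r["proto"] == "udp":
                c.udp += pkts
            if r.get("fragmented"):
                c.fragmented += pkts
    return stats

def classify(rates):
    """Name the attack after the dominant counter, 'unknown' when only the generic
    pps/mbps/flow thresholds trip (labels modelled on the slide's syn_flood)."""
    if rates["syn_pps"] > THRESHOLDS["syn_pps"] and rates["syn_pps"] * 2 > rates["pps"]:
        return "syn_flood", "tcp"
    if rates["udp_pps"] > THRESHOLDS["udp_pps"] and rates["udp_pps"] * 2 > rates["pps"]:
        return "udp_flood", "udp"
    if rates["fragmented_pps"] > THRESHOLDS["fragmented_pps"]:
        return "ip_fragmentation_flood", "ip"
    return "unknown", "ip"

def detect(records):
    """Return one alert per (host, direction) whose rates exceed any threshold."""
    alerts = []
    for ip, both in aggregate(records).items():
        for direction, counters in both.items():
            rates = counters.rates()
            if any(rates[k] > limit for k, limit in THRESHOLDS.items()):
                attack_type, proto = classify(rates)
                alerts.append({"ip": ip, "direction": direction, "attack_type": attack_type,
                               "protocol": proto, "incoming": both["incoming"].rates(),
                               "outgoing": both["outgoing"].rates()})
    return alerts

def format_report(a):
    """Render an alert in the layout of the slide's example report."""
    i, o = a["incoming"], a["outgoing"]
    return "\n".join([
        f"IP: {a['ip']}", f"Attack type: {a['attack_type']}",
        f"Attack direction: {a['direction']}", f"Attack protocol: {a['protocol']}",
        f"Total incoming traffic: {i['mbps']:.0f} mbps",
        f"Total outgoing traffic: {o['mbps']:.0f} mbps",
        f"Total incoming pps: {i['pps']} packets per second",
        f"Total outgoing pps: {o['pps']} packets per second",
        f"Total incoming flows: {i['flows']} flows per second",
        f"Incoming syn tcp pps: {i['syn_pps']} packets per second",
        f"Incoming udp pps: {i['udp_pps']} packets per second"])

# Constructed sampled records: a SYN flood at 10.10.10.221 from 600 sources, plus
# ordinary traffic to 10.10.10.5 that stays below every threshold.
SAMPLE_RECORDS = [{"src": f"198.51.100.{n % 250 + 1}", "dst": "10.10.10.221", "proto": "tcp",
                   "packets": 10, "bytes": 600, "syn": True} for n in range(600)]
SAMPLE_RECORDS += [{"src": "203.0.113.7", "dst": "10.10.10.5", "proto": "tcp",
                    "packets": 20, "bytes": 20_000, "syn": False} for _ in range(5)]

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(format_report(alert))
```

Two points of design matter in practice. The sampling rate must be applied before comparing with thresholds, otherwise a 1-in-100 sampled SYN flood of 600 000 pps would look like 6 000 pps and slip under the limit; and direction is decided relative to the protected prefix, so the same record can contribute to one host's incoming counters and another host's outgoing counters, which is what lets the tool catch outgoing attacks from compromised servers as well as incoming floods.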
20. How can I help?
• If you are an Internet carrier, please offer BGP blackhole to your customers
• If you are a home ISP or data center, please filter outgoing attacks with great care
• Contribute to FastNetMon on GitHub!
• Share knowledge about DDoS mitigation