
FlowSpec

Rule description

Match fields available for filtering (listed in the order the FlowSpec NLRI carries them):

  • Destination prefix
  • Source prefix
  • IP protocol
  • Source or destination port
  • Destination port
  • Source port
  • ICMP type
  • ICMP code
  • TCP flags
  • Packet length
  • DSCP
  • Fragment encoding

Actions that can be applied:

  • traffic-rate (0 means drop)
  • traffic-action (sampling)
  • redirect to VRF
  • traffic-marking (DSCP rewrite)

Configuration example on Juniper

FlowSpec rules are defined under routing-options flow and apply to the whole Junos device: a flow route is installed as a firewall filter on the box itself as well as being advertised (the local installation can be switched off, see below). This rule drops ICMP echo-request packets to a single host; term-order standard selects the RFC 5575 term ordering instead of the legacy Junos one.

set routing-options flow route block-10.131.1.1 match destination 10.131.1.1/32
set routing-options flow route block-10.131.1.1 match protocol icmp
set routing-options flow route block-10.131.1.1 match icmp-type echo-request
set routing-options flow route block-10.131.1.1 then discard
set routing-options flow term-order standard

If you do not want the flow routes to be installed as filters on your own device (for example on a route reflector that only redistributes them), add:

set routing-options flow firewall-install-disable

Create a policy-options statement that exports only the flow routes we want. Term a accepts routes from the flow RIB (inetflow.0) whose destination lies inside our own 10.13.0.0/16; term b rejects everything else, so a stray or mistyped rule for a prefix that is not ours is never announced to the peer:

set policy-options policy-statement p1 term a from rib inetflow.0
set policy-options policy-statement p1 term a from route-filter 10.13.0.0/16 orlonger
set policy-options policy-statement p1 term a then accept
set policy-options policy-statement p1 term b then reject

For the peer to which we want to announce FlowSpec, enable the flow address family on the BGP session and attach the export policy (111.222.333.444 is the page's placeholder for the neighbor address; the hierarchy is protocols bgp):

set protocols bgp group TestFlowBgp neighbor 111.222.333.444 family inet unicast
set protocols bgp group TestFlowBgp neighbor 111.222.333.444 family inet flow
set protocols bgp group TestFlowBgp neighbor 111.222.333.444 export p1

Check the list of rules we have added to FlowSpec (locally configured and received flow routes both live in this table):

show route table inetflow.0 detail

Check the load on the FPC cards (flow routes are programmed as filters on the line cards, so watch resource usage as the rule count grows):

show system resource-monitor fpc
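The match fields of the flow route block-10.131.1.1 configured above are carried to the peer as a FlowSpec NLRI (RFC 5575): a length byte followed by components in strictly ascending type order, each numeric component being a list of operator/value pairs. The following added example (not code from the original page) encodes that rule, decodes it back, and rejects NLRIs whose components are out of order, which is what a receiver does; the amplifier-port rule in the usage note is a constructed example.

```python
# Added example (not from the wiki page): encode and decode the BGP FlowSpec
# IPv4 NLRI (RFC 5575) so that the flow route block-10.131.1.1 above can be
# compared byte for byte with what the peer actually receives.
import ipaddress
import struct

# Component types, RFC 5575 section 4: the same order as the match list above.
DEST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
ICMP_TYPE, ICMP_CODE, TCP_FLAGS, PKT_LEN, DSCP, FRAGMENT = 7, 8, 9, 10, 11, 12

# Numeric operator bits (lt=4, gt=2, eq=1); bitmask operator bits (not=2,
# match=1) are used by the TCP flags and fragment components.
NUM_OPS = {"false": 0, "==": 1, ">": 2, ">=": 3, "<": 4, "<=": 5, "!=": 6, "true": 7}
BIT_OPS = {"any": 0, "all": 1, "not-any": 2, "not-all": 3}


def _ops_for(ctype):
    """Operator table and the bit mask selecting the operator within the byte."""
    return (BIT_OPS, 0x03) if ctype in (TCP_FLAGS, FRAGMENT) else (NUM_OPS, 0x07)


def _prefix_component(ctype, cidr):
    """Type, prefix length in bits, then only the significant prefix octets."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _op_component(ctype, terms):
    """terms: [(op, value, and_prev), ...]. Terms are OR'd unless and_prev is
    True, which ANDs a term with the previous one (how ranges are written).
    The last term carries the end-of-list bit (0x80)."""
    ops, _ = _ops_for(ctype)
    out = bytearray([ctype])
    for i, (op, value, and_prev) in enumerate(terms):
        if value < 0x100:
            lenbits, fmt = 0, ">B"
        elif value < 0x10000:
            lenbits, fmt = 1, ">H"
        else:
            lenbits, fmt = 2, ">I"
        opbyte = (0x80 if i == len(terms) - 1 else 0) | (0x40 if and_prev else 0)
        opbyte |= (lenbits << 4) | ops[op]
        out.append(opbyte)
        out += struct.pack(fmt, value)
    return bytes(out)


def encode_nlri(components):
    """components: {type: spec}; prefix types take a CIDR string, the others a
    list of (op, value, and_prev). Components are emitted in ascending type
    order and the NLRI is prefixed with its length (1 byte below 240,
    otherwise 2 bytes with the 0xF0 marker)."""
    body = b"".join(
        _prefix_component(t, components[t]) if t in (DEST_PREFIX, SRC_PREFIX)
        else _op_component(t, components[t])
        for t in sorted(components))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack(">H", 0xF000 | len(body)) + body


def decode_nlri(data):
    """Inverse of encode_nlri: returns ({type: spec}, bytes consumed) and
    rejects NLRIs whose components are out of order or repeated."""
    if data[0] < 0xF0:
        length, pos = data[0], 1
    else:
        length, pos = struct.unpack(">H", data[:2])[0] & 0x0FFF, 2
    end, comps, prev = pos + length, {}, 0
    while pos < end:
        ctype = data[pos]
        pos += 1
        if ctype <= prev:
            raise ValueError("component type %d out of order" % ctype)
        prev = ctype
        if ctype in (DEST_PREFIX, SRC_PREFIX):
            plen = data[pos]
            nbytes = (plen + 7) // 8
            addr = data[pos + 1:pos + 1 + nbytes].ljust(4, b"\0")
            comps[ctype] = "%s/%d" % (ipaddress.IPv4Address(addr), plen)
            pos += 1 + nbytes
        else:
            ops, mask = _ops_for(ctype)
            names = {v: k for k, v in ops.items()}
            terms = []
            while True:
                opbyte = data[pos]
                nbytes = 1 << ((opbyte >> 4) & 0x03)
                value = int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")
                terms.append((names[opbyte & mask], value, bool(opbyte & 0x40)))
                pos += 1 + nbytes
                if opbyte & 0x80:
                    break
            comps[ctype] = terms
    if pos != end:
        raise ValueError("NLRI length does not match its components")
    return comps, pos


def block_icmp_echo_rule():
    """The flow route block-10.131.1.1 from the Junos example as an NLRI."""
    return encode_nlri({
        DEST_PREFIX: "10.131.1.1/32",
        IP_PROTO: [("==", 1, False)],    # protocol icmp
        ICMP_TYPE: [("==", 8, False)],   # icmp-type echo-request
    })


if __name__ == "__main__":
    nlri = block_icmp_echo_rule()
    print(nlri.hex())          # 0c01200a830101038101078108
    print(decode_nlri(nlri))
```

The rule encodes to 13 bytes: 0c (length), 01 20 0a 83 01 01 (destination 10.131.1.1/32), 03 81 01 (protocol == 1), 07 81 08 (ICMP type == 8). A source-port rule for the well-known amplifier ports would be encode_nlri({6: [("==", 19, False), ("==", 53, False), ("==", 123, False), ("==", 161, False), ("==", 1900, False)]}) with the destination and protocol components added; note that 1900 needs a two-byte value, which the operator byte's length bits signal.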

Automation example with PyEZ

The script renders a Jinja2 template from a YAML file of variables, prints the result so it can be inspected, and then loads the same template into the route reflector over NETCONF and commits it.

set-flow-routes.py

# Simple Python script using YAML and Junos PyEZ
# to configure local flow routes as per template
from jnpr.junos import Device
from jnpr.junos.utils.config import Config
from jinja2 import Template
import yaml

# YAML file with the variables for one flow route.
with open('set-flow-route.yml') as fh:
    data = yaml.safe_load(fh)   # safe_load: never instantiate objects from a YAML file

# Jinja2 template file; render it once locally so the generated
# configuration can be checked before it is pushed to the device.
with open('set-flow-route.j2') as t_fh:
    t_format = t_fh.read()

routesnippet = Template(t_format)
print(routesnippet.render(data))

# Open a NETCONF connection with the route reflector.
# The credentials are the page's example values; in practice use SSH keys
# or fetch them from a secret store rather than hard-coding them.
dev = Device(host='r6', user='juniper', password='Clouds')
dev.open()

# Bind the Config utility, lock the candidate configuration and load the
# rendered template (text format, merged into the existing configuration).
dev.bind(cfg=Config)
dev.cfg.lock()
try:
    dev.cfg.load(template_path='set-flow-route.j2', template_vars=data,
                 format='text', merge=True)
    dev.cfg.commit()
finally:
    # Always release the lock and close the session, even if the commit fails.
    dev.cfg.unlock()
    dev.close()

set-flow-route.yml

---
# YAML file covering all possible variables.
# Keys left empty render as None and are skipped by the template.

# Name of flow route
flow_route_name: foo2
# Destination prefix and mask in format: A.B.C.D/Z
destination_address_and_mask: 198.51.100.1/32
# DSCP in decimal format
dscp:
# Destination port as alias or in decimal format
destination_port: 53
# Fragment match using the Junos OS keywords (e.g. is-fragment, first-fragment)
fragment:
# ICMP code as alias or in decimal format
icmp_code:
# ICMP type as alias or in decimal format
icmp_type:
# Full L3 length in bytes
packet_length:
# Source or destination port as alias or in decimal format
port:
# Protocol as alias or in decimal format
protocol: udp
# Source prefix and mask in format: A.B.C.D/Z
source_address_and_mask:
# Source port as alias or in decimal format
source_port:
# TCP flags using the Junos OS keywords
tcp_flags:
# Include the 'accept' action
accept:
# Name of an existing community to tag the flow route with
community_name:
# Include the 'discard' action
discard: discard
# Include the 'next-term' action
next_term:
# Rate limit in bits per second (Junos 'then rate-limit'), not a policer name
rate_limit:
# Name of an existing route-target community selecting the VRF to redirect into
redirect_RT:
# Include the 'sample' action
sample:

set-flow-route.j2

# Flow-route configured via vRR
# Every optional key is emitted only when it is defined and not None.

routing-options {
  flow {
    route {{flow_route_name}} {
      match {
        destination {{destination_address_and_mask}};
        {%- if destination_port is defined and destination_port != None %}
        destination-port {{destination_port}};
        {%- endif %}
        {%- if dscp is defined and dscp != None %}
        dscp {{dscp}};
        {%- endif %}
        {%- if fragment is defined and fragment != None %}
        fragment {{fragment}};
        {%- endif %}
        {%- if icmp_code is defined and icmp_code != None %}
        icmp-code {{icmp_code}};
        {%- endif %}
        {%- if icmp_type is defined and icmp_type != None %}
        icmp-type {{icmp_type}};
        {%- endif %}
        {%- if packet_length is defined and packet_length != None %}
        packet-length {{packet_length}};
        {%- endif %}
        {%- if port is defined and port != None %}
        port {{port}};
        {%- endif %}
        {%- if protocol is defined and protocol != None %}
        protocol {{protocol}};
        {%- endif %}
        {%- if source_address_and_mask is defined and source_address_and_mask != None %}
        source {{source_address_and_mask}};
        {%- endif %}
        {%- if source_port is defined and source_port != None %}
        source-port {{source_port}};
        {%- endif %}
        {%- if tcp_flags is defined and tcp_flags != None %}
        tcp-flags {{tcp_flags}};
        {%- endif %}
      }
      then {
        {%- if accept is defined and accept != None %}
        {{accept}};
        {%- endif %}
        {%- if community_name is defined and community_name != None %}
        community {{community_name}};
        {%- endif %}
        {%- if discard is defined and discard != None %}
        {{discard}};
        {%- endif %}
        {%- if next_term is defined and next_term != None %}
        {{next_term}};
        {%- endif %}
        {%- if rate_limit is defined and rate_limit != None %}
        rate-limit {{rate_limit}};
        {%- endif %}
        {%- if redirect_RT is defined and redirect_RT != None %}
        routing-instance {{redirect_RT}};
        {%- endif %}
        {%- if sample is defined and sample != None %}
        {{sample}};
        {%- endif %}
      }
    }
  }
}

Retn

Advanced communities

  9002:666 - the traditional blackhole for the prefix
  9002:667 - filter all UDP traffic to the prefix
  9002:668 - filter the well-known amplifiers (source port 19, 53, 123, 161, 1900)

Flowspec

Policy for accepting flowspec rules:
  • limit of 10 rules
  • destination is mandatory, traffic type is optional; used without a traffic type the rule works as a plain blackhole
  • the best path to this address/prefix must point toward the peer the rule was received from (the RFC 5575 validation check: it stops a customer from filtering traffic to prefixes it does not originate)
  • the only action allowed in the rules is discard

Fiord

Flowspec

Policy for accepting flowspec rules:
  • limit of 20 rules
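Both upstream policies above (Retn: 10 rules, destination mandatory, discard only, best path must point at the announcing peer; Fiord: 20 rules) are mechanical enough to check before a rule set is committed and announced, which avoids having rules silently dropped by the upstream during an attack. The following added example (not code from the page or from either provider) models the checks with the rule limit as a parameter; the RIB, peer names and rules are constructed sample data.

```python
# Added example (not from the wiki page): pre-flight check of a proposed set
# of flow routes against an upstream's acceptance policy, modelled on the
# Retn and Fiord policies quoted above. The limits are parameters (10 for
# Retn, 20 for Fiord); the RIB and the rules below are constructed samples.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FlowRule:
    name: str
    destination: Optional[str]          # CIDR; mandatory under both policies
    action: str                         # discard, rate-limit, routing-instance, ...
    match: dict = field(default_factory=dict)   # protocol, destination-port, ...


@dataclass
class Policy:
    max_rules: int
    allowed_actions: frozenset = frozenset({"discard"})


def best_path_peer(rib, destination):
    """Longest-prefix match in a unicast RIB given as {prefix: peer the best
    path was learned from}; returns that peer, or None if unrouted."""
    dst = ipaddress.IPv4Network(destination)
    matches = [(ipaddress.IPv4Network(p), peer) for p, peer in rib.items()]
    matches = [(n, peer) for n, peer in matches if dst.subnet_of(n)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def validate(rules, policy, rib, announced_by):
    """Return [(rule name, reason), ...] for everything the upstream would
    reject; an empty list means the whole set is acceptable. The best-path
    check is the RFC 5575 validation rule: a flow route is honoured only when
    its announcer is also the peer the unicast best path for the destination
    points at, so a customer cannot filter traffic to someone else's prefix."""
    problems = []
    if len(rules) > policy.max_rules:
        problems.append(("*", "%d rules exceed the limit of %d"
                         % (len(rules), policy.max_rules)))
    for r in rules:
        if not r.destination:
            problems.append((r.name, "destination prefix is mandatory"))
            continue
        if r.action not in policy.allowed_actions:
            problems.append((r.name, "action %r not accepted, only %s"
                             % (r.action, sorted(policy.allowed_actions))))
        if best_path_peer(rib, r.destination) != announced_by:
            problems.append((r.name, "best path to %s does not point at %s"
                             % (r.destination, announced_by)))
    return problems


# Constructed sample data: what the upstream's unicast RIB might look like.
SAMPLE_RIB = {
    "0.0.0.0/0": "transit-X",
    "10.131.0.0/16": "customer-A",     # our aggregate, best path via us
    "10.131.5.0/24": "customer-B",     # a more specific learned from someone else
}

# Constructed sample rules: one good one and three the upstream would drop.
SAMPLE_RULES = [
    FlowRule("block-icmp", "10.131.1.1/32", "discard", {"protocol": "icmp"}),
    FlowRule("amp-udp", "10.131.1.2/32", "rate-limit", {"protocol": "udp"}),
    FlowRule("not-ours", "10.131.5.7/32", "discard"),
    FlowRule("no-dst", None, "discard", {"protocol": "udp"}),
]

RETN = Policy(max_rules=10)
FIORD = Policy(max_rules=20)


def check_sample():
    """Run the Retn policy over the sample set; only block-icmp passes."""
    return validate(SAMPLE_RULES, RETN, SAMPLE_RIB, announced_by="customer-A")


if __name__ == "__main__":
    for name, reason in check_sample():
        print("%-12s %s" % (name, reason))
```

Running it reports amp-udp (action other than discard), not-ours (the upstream's best path for 10.131.5.7 comes from customer-B, so the rule fails validation) and no-dst (no destination); block-icmp is the only rule the upstream would install. The same validate() call with FIORD instead of RETN only changes the rule-count limit.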
ddos/flowspec.txt · Last modified: 2020/07/30 10:12 by rb