Differences

This shows you the differences between two versions of the page.

--- ddos:flowspec [2019/07/25 11:05]
rb
+++ ddos:flowspec [2020/07/30 10:12] (current)
rb ↷ Page moved and renamed from ddos-flowspec to ddos:flowspec
@@ Line 5: / Line 5: @@
 Правила для фильтрации:
-  * destination prefix (подсеть, хост который защищаем) - обязательное поле
+  * Destination prefix
-  * source prefix (подсеть с которой хотим фильтровать трафик)
+  * Source prefix
-  * IP protocols (список протоколов которые хотим фильтровать)
+  * IP protocols
-  * TCP/UDP ports (список исходящих портов или портов на которые защищать)
+  * Source or Destination port
+  * Destination port
+  * Source port
   * ICMP Type
   * ICMP Code
   * TCP Flags
   * Packet Length
-  * Diffserv Codepoint
+  * DSCP
-  * Fragmentation
+  * Fragment encoding
 Действия которые можем применять:
-  * Rate Limit
+  * traffic-rate (0 for drop)
-  * Traffic-Action - Sample, Accept, Drop
+  * Traffic-Action (sampling)
-  * Redirect - change route VRF or other
+  * Redirect to VRF
-  * Traffic-Marking - Modify DSCP Value
+  * Traffic-Marking
 ==== Пример настройки на Juniper ====
@@ Line 39: / Line 42: @@
 <code>
 firewall-install-disable
+</code>
+Создаем policy-option для принятия нужного правила
+<code>
+set policy-options policy-statement p1 term a from rib inetflow.0
+set policy-options policy-statement p1 term a from route-filter 10.13.0.0/16 orlonger
+set policy-options policy-statement p1 term a then accept
+set policy-options policy-statement p1 term b then reject
 </code>
@@ Line 46: / Line 58: @@
 set protocol bgp group TestFlowBgp neighbor 111.222.333.444 family inet unicast
 set protocol bgp group TestFlowBgp neighbor 111.222.333.444 family inet flow
+set protocol bgp group TestFlowBgp neighbor 111.222.333.444 export p1
+</code>
+Проверить список правил которые мы добавили в FlowSpec
+<code>
+show route table inetflow.0 detail
+</code>
+Посмотреть нагрузку на FPC картах
+<code>
+show system resource-monitor fpc
+</code>
+==== Пример автоматизации с PyEZ ====
+set-flow-routes.py
+<code>
+# $Id$
+# Simple Python script using YAML and Junos PyEz
+# to configure local flow routes as per template
+from jnpr.junos.utils.config import Configfrom
+jnpr.junos import Device
+from pprint import pprint
+from jnpr.junos.factory import loadyaml
+from jnpr.junos.op import *
+import yaml
+import sys
+from glob import glob
+from jinja2 import Template
+# YAML file.
+with open(glob('set-flow-route.yml')[0]) as fh:
+    data = yaml.load(fh.read())
+# Jinja2 template file.
+with open(glob('set-flow-route.j2')[0]) as t_fh:
+    t_format = t_fh.read()
+routesnippet = Template(t_format)
+print (routesnippet.render(data))
+</code>
+Set-flow-routes.py (contd)
+<code>
+# Open netconf connection with RR
+dev = Device(host='r6', user='juniper', password='Clouds')
+dev.open()
+# Bind and lock configuration and load it
+dev.bind(cfg=Config)
+dev.cfg.lock()
+dev.cfg.load(template_path='set-flow-route.j2', template_vars=data, format='text', merge=True)
+# Commit and unlock
+dev.cfg.commit()
+dev.cfg.unlock()
+# Close netconf connection
+dev.close()
+</code>
+Set-flow-route.yml
+<code>
+---
+# $Id$
+# YAML file covering all possible variables
+# Name of flow route
+flow_route_name: foo2
+# Destination prefix and mask in format: A.B.C.D/Z
+destination_address_and_mask: 198.51.100.1/32
+# DSCP in decimal format
+dscp:
+# Destination port as alias or in decimal format
+destination_port: 53
+# Fragment Junos OS knobs
+fragment:
+# ICMP code as alias or in decimal format
+icmp_code:
+# ICMP type as alias or in decimal format
+icmp_type:
+</code>
+Set-flow-route.yml (contd)
+<code>
+# Full L3 length in bytes
+packet_length:
+# Source or destination port as alias or in decimal format
+port:
+# Protocol as alias or in decimal format
+protocol: udp
+# Source prefix and mask in format: A.B.C.D/Z
+source_address_and_mask:
+# Source port as alias or in decimal format
+source_port:
+# TCP flags with Junos OS knobs
+tcp_flags:
+# Include 'accept' action
+accept:
+# Include existing community to be tagged action
+community_name:
+# Include 'discard' action
+discard: discard
+# Include 'next-term' action
+next_term:
+# Include policer name to be applied as action
+rate_limit:
+# Include existing RT community to select VRF for redirection
+redirect_RT:
+# Include 'sample' action
+sample:
+</code>
+set-flow-route.j2
+<code>
+# Flow-route configure via vRR
+routing-options {
+  flow {
+    route {{flow_route_name}} {
+      match {
+        destination {{destination_address_and_mask}};
+        {%-if destination_port is defined and destination_port !=None %}
+        destination-port {{ destination_port }};
+        {%-endif %}
+        {%-if dscp is defined and dscp !=None %}
+        dscp {{dscp}};
+        {%-endif %}
+        {%-if fragment is defined and fragment !=None %}
+        fragment {{fragment}};
+        {%-endif %}
+        {%-if icmp_code is defined and icmp_code !=None %}
+        icmp-code {{icmp_code}};
+        {%-endif %}
+        {%-if icmp_type is defined and icmp_type !=None %}
+        icmp-type {{icmp_type}};
+        {%-endif %}
+        {%-if packet_length is defined and packet_length !=None %}
+        packet-length {{packet_length}};
+        {%-endif %}
+        {%-if port is defined and port !=None %}
+        port {{port}};
+        {%-endif %}
+        {%-if protocol is defined and protocol !=None %}
+        protocol {{protocol}};
+        {%-endif %}
+        {%-if source_address_and_mask is defined and source_address_and_mask !=None %}
+        source {{source_address_and_mask}};
+        {%-endif %}
+        {%-if source_port is defined and source_port !=None %}
+        source-port {{source_port}};
+        {%-endif %}
+        {%-if tcp_flags is defined and tcp_flags !=None %}
+        tcp-flags {{tcp_flags}};
+        {%-endif %}
+      }
+    then {
+      {%-if accept is defined and accept !=None %}
+      {{accept}};
+      {%-endif %}
+      {%-if community_name is defined and community_name !=None %}
+      community {{community_name}};
+      {%-endif %}
+      {%-if discard is defined and discard !=None %}
+      {{discard}};
+      {%-endif %}
+      {%-if next_term is defined and next_term !=None %}
+      {{next_term}};
+      {%-endif %}
+      {%-if rate_limit is defined and rate_limit !=None %}
+      rate-limit {{rate_limit}};
+      {%-endif %}
+      {%-if redirect_RT is defined and redirect_RT !=None %}
+      routing-instance {{redirect_RT}};
+      {%-endif %}
+      {%-if sample is defined and sample !=None %}
+      {{sample}};
+      {%-endif %}
+    }
+  }
+}
+}
 </code>
@@ Line 54: / Line 259: @@
 === Advanced community ===
-:666 - традиционный blackhole для префикса, и \\ 9002:667 для фильтрации всего udp трафика \\ 9002:668 фильтрафия известных амплифаеров (source-port 19,53,123,161,1900)
+:666 - традиционный blackhole для префикса, и\\
+:667 для фильтрации всего udp трафика\\
+:668 фильтрафия известных амплифаеров (source-port 19,53,123,161,1900)
 === Flowspec ===
@@ Line 61: / Line 268: @@
   * лимит 10 правил
+  * destination обязательно, тип трафика опционально, как банальный \\ блэкхол оно тоже может работать
   * best path до этого адреса/префикса должен смотреть туда, откуда получено правило
   * в правилах может быть только discard
 ===== Fiord =====

R.B. wiki

User Tools

Site Tools

Differences

Page Tools