

FlowSpec

Rule description

Match criteria available for filtering:

  • destination prefix (the subnet or host being protected) - mandatory field
  • source prefix (the subnet whose traffic we want to filter)
  • IP protocols (list of protocols we want to filter)
  • TCP/UDP ports (list of source ports, or of the ports being protected)
  • ICMP Type
  • ICMP Code
  • TCP Flags
  • Packet Length
  • Diffserv Codepoint
  • Fragmentation

Actions that can be applied:

  • Rate Limit
  • Traffic-Action - Sample, Accept, Drop
  • Redirect - change the route to a VRF or other
  • Traffic-Marking - Modify DSCP Value

Example configuration on Juniper

FlowSpec rules are defined under routing-options flow and apply to the whole Juniper router.

set routing-options flow route block-10.131.1.1 match destination 10.131.1.1/32
set routing-options flow route block-10.131.1.1 match protocol icmp
set routing-options flow route block-10.131.1.1 match icmp-type echo-request
set routing-options flow route block-10.131.1.1 then discard
set routing-options flow term-order standard

If we want the filtering rules to be advertised only and not installed on our own equipment, add the following under routing-options flow:

firewall-install-disable

For the peer to which we want to advertise FlowSpec, add family inet flow to the BGP session:

set protocols bgp group TestFlowBgp neighbor 111.222.333.444 family inet unicast
set protocols bgp group TestFlowBgp neighbor 111.222.333.444 family inet flow

Check the list of rules we have added to FlowSpec:

show route table inetflow.0 detail

Check the load on the FPC cards:

show system resource-monitor fpc

Automation example with PyEZ

set-flow-routes.py

# $Id$
# Simple Python script using YAML and Junos PyEZ
# to configure local flow routes as per template

from glob import glob

import yaml
from jinja2 import Template
from jnpr.junos import Device
from jnpr.junos.utils.config import Config

# YAML file with the template variables.
with open(glob('set-flow-route.yml')[0]) as fh:
    # safe_load: the variables are plain scalars, so the full loader
    # (which can construct arbitrary Python objects) is not needed.
    data = yaml.safe_load(fh.read())

# Jinja2 template file; render it locally first so the result can be reviewed.
with open(glob('set-flow-route.j2')[0]) as t_fh:
    t_format = t_fh.read()

routesnippet = Template(t_format)
print(routesnippet.render(data))

# Open NETCONF connection with the route reflector
# (host and credentials are the example values from this page).
dev = Device(host='r6', user='juniper', password='Clouds')
dev.open()

# Bind and lock configuration and load the rendered template
dev.bind(cfg=Config)
dev.cfg.lock()
dev.cfg.load(template_path='set-flow-route.j2', template_vars=data, format='text', merge=True)

# Commit and unlock
dev.cfg.commit()
dev.cfg.unlock()

# Close NETCONF connection
dev.close()

set-flow-route.yml

---
# $Id$
# YAML file covering all possible variables
# (keys left empty are loaded as null/None and skipped by the template)

# Name of flow route
flow_route_name: foo2
# Destination prefix and mask in format: A.B.C.D/Z
destination_address_and_mask: 198.51.100.1/32
# DSCP in decimal format
dscp:
# Destination port as alias or in decimal format
destination_port: 53
# Fragment Junos OS knobs
fragment:
# ICMP code as alias or in decimal format
icmp_code:
# ICMP type as alias or in decimal format
icmp_type:
# Full L3 length in bytes
packet_length:
# Source or destination port as alias or in decimal format
port:
# Protocol as alias or in decimal format
protocol: udp
# Source prefix and mask in format: A.B.C.D/Z
source_address_and_mask:
# Source port as alias or in decimal format
source_port:
# TCP flags with Junos OS knobs
tcp_flags:
# Include 'accept' action
accept:
# Include existing community to be tagged action
community_name:
# Include 'discard' action
discard: discard
# Include 'next-term' action
next_term:
# Include policer name to be applied as action
rate_limit:
# Include existing RT community to select VRF for redirection
redirect_RT:
# Include 'sample' action
sample:

set-flow-route.j2

# Flow-route configure via vRR

routing-options {
  flow {
    route {{ flow_route_name }} {
      match {
        destination {{ destination_address_and_mask }};
        {%- if destination_port is defined and destination_port != None %}
        destination-port {{ destination_port }};
        {%- endif %}
        {%- if dscp is defined and dscp != None %}
        dscp {{ dscp }};
        {%- endif %}
        {%- if fragment is defined and fragment != None %}
        fragment {{ fragment }};
        {%- endif %}
        {%- if icmp_code is defined and icmp_code != None %}
        icmp-code {{ icmp_code }};
        {%- endif %}
        {%- if icmp_type is defined and icmp_type != None %}
        icmp-type {{ icmp_type }};
        {%- endif %}
        {%- if packet_length is defined and packet_length != None %}
        packet-length {{ packet_length }};
        {%- endif %}
        {%- if port is defined and port != None %}
        port {{ port }};
        {%- endif %}
        {%- if protocol is defined and protocol != None %}
        protocol {{ protocol }};
        {%- endif %}
        {%- if source_address_and_mask is defined and source_address_and_mask != None %}
        source {{ source_address_and_mask }};
        {%- endif %}
        {%- if source_port is defined and source_port != None %}
        source-port {{ source_port }};
        {%- endif %}
        {%- if tcp_flags is defined and tcp_flags != None %}
        tcp-flags {{ tcp_flags }};
        {%- endif %}
      }
      then {
        {%- if accept is defined and accept != None %}
        {{ accept }};
        {%- endif %}
        {%- if community_name is defined and community_name != None %}
        community {{ community_name }};
        {%- endif %}
        {%- if discard is defined and discard != None %}
        {{ discard }};
        {%- endif %}
        {%- if next_term is defined and next_term != None %}
        {{ next_term }};
        {%- endif %}
        {%- if rate_limit is defined and rate_limit != None %}
        rate-limit {{ rate_limit }};
        {%- endif %}
        {%- if redirect_RT is defined and redirect_RT != None %}
        routing-instance {{ redirect_RT }};
        {%- endif %}
        {%- if sample is defined and sample != None %}
        {{ sample }};
        {%- endif %}
      }
    }
  }
}
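The template above interpolates every YAML value verbatim into Junos configuration text, so a malformed or unexpected value only shows up as a syntax error (or an unintended statement) at load or commit time. The following is an added example, not code from this page or from the PyEZ project: it takes the same variable names as set-flow-route.yml and produces the equivalent set commands, checking each value first. It goes slightly beyond the template by accepting a list for port-style fields (rendered as a Junos bracketed list). The function and constant names are my own, and the sample inputs are constructed.

```python
import ipaddress
import string

# YAML variable name -> Junos "match" keyword (mirrors set-flow-route.j2; assumed mapping)
MATCH_KEYWORDS = {
    "destination_address_and_mask": "destination",
    "destination_port": "destination-port",
    "dscp": "dscp",
    "fragment": "fragment",
    "icmp_code": "icmp-code",
    "icmp_type": "icmp-type",
    "packet_length": "packet-length",
    "port": "port",
    "protocol": "protocol",
    "source_address_and_mask": "source",
    "source_port": "source-port",
    "tcp_flags": "tcp-flags",
}
# "then" variables whose value is itself the keyword (e.g. discard: discard) ...
THEN_FLAG_VARS = ("accept", "discard", "next_term", "sample")
# ... and "then" variables that take an argument
THEN_ARG_KEYWORDS = {
    "community_name": "community",
    "rate_limit": "rate-limit",
    "redirect_RT": "routing-instance",
}
PREFIX_KEYWORDS = ("destination", "source")
SAFE_CHARS = set(string.ascii_letters + string.digits + "-_.")


def _token(value):
    """Allow only plain identifiers/numbers: no whitespace, ';', braces or quotes,
    so a value cannot carry extra configuration statements into the commit."""
    s = str(value)
    if not s or not set(s) <= SAFE_CHARS:
        raise ValueError(f"unsafe value {value!r}")
    return s


def _prefix(value):
    # strict=True rejects prefixes with host bits set, e.g. 10.0.0.1/24
    return str(ipaddress.ip_network(str(value), strict=True))


def _match_value(keyword, value):
    if keyword in PREFIX_KEYWORDS:
        return _prefix(value)
    if isinstance(value, (list, tuple)):       # e.g. source_port: [19, 53, 123]
        return "[ " + " ".join(_token(v) for v in value) + " ]"
    return _token(value)


def flow_route_set_commands(variables):
    """Return the 'set routing-options flow route ...' commands for one rule."""
    if not variables.get("flow_route_name"):
        raise ValueError("flow_route_name is required")
    if not variables.get("destination_address_and_mask"):
        raise ValueError("destination prefix is mandatory")
    base = f"set routing-options flow route {_token(variables['flow_route_name'])}"
    cmds = []
    for var, keyword in MATCH_KEYWORDS.items():
        value = variables.get(var)
        if value is not None:
            cmds.append(f"{base} match {keyword} {_match_value(keyword, value)}")
    for var in THEN_FLAG_VARS:
        value = variables.get(var)
        if value is not None:
            cmds.append(f"{base} then {_token(value)}")
    for var, keyword in THEN_ARG_KEYWORDS.items():
        value = variables.get(var)
        if value is not None:
            cmds.append(f"{base} then {keyword} {_token(value)}")
    if not any(" then " in c for c in cmds):
        raise ValueError("flow route needs at least one action")
    return cmds


# Constructed input: the non-empty values from set-flow-route.yml on this page
PAGE_EXAMPLE = {
    "flow_route_name": "foo2",
    "destination_address_and_mask": "198.51.100.1/32",
    "destination_port": 53,
    "protocol": "udp",
    "discard": "discard",
}

if __name__ == "__main__":
    print("\n".join(flow_route_set_commands(PAGE_EXAMPLE)))
```

A value such as a name containing a space or a prefix like 10.0.0.1/24 raises ValueError before anything is sent to the router, which is the point: reject bad input locally rather than discover it at commit time on the route reflector.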

Retn

Advanced community

  • 9002:666 - the traditional blackhole for a prefix
  • 9002:667 - filtering of all UDP traffic
  • 9002:668 - filtering of known amplifiers (source-port 19,53,123,161,1900)

Flowspec

Policy for accepting flowspec rules:
  • limit of 10 rules
  • the best path to that address/prefix must point toward the peer the rule was received from
  • the rules may contain only discard

Fiord

Flowspec

Policy for accepting flowspec rules:
  • limit of 20 rules
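The second check in the policy above is the flowspec validation rule from RFC 5575: a rule is only usable if the best unicast route to its destination prefix was learned from the same peer that announced the rule, which stops a peer from filtering traffic to prefixes it does not own. The following is an added example, not part of this page or of any vendor implementation: it applies the three checks of the Retn policy (rule limit per peer, best path via the announcing peer, discard-only actions) to a constructed unicast RIB. Names such as validate_rule, accept_rules and best_unicast_peer are my own, and the peer and prefix values are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRule:
    """One received flowspec rule (simplified to what the policy checks)."""
    dest_prefix: str      # destination prefix of the rule
    action: str           # "discard", "rate-limit", "redirect", ...
    received_from: str    # BGP peer that announced the rule


@dataclass(frozen=True)
class AcceptPolicy:
    max_rules: int                                   # per announcing peer
    allowed_actions: frozenset = frozenset({"discard"})


def best_unicast_peer(unicast_rib, dest_prefix):
    """Longest-prefix match of dest_prefix in unicast_rib ({prefix: best-path peer}).
    Returns the peer the best path points to, or None if no route covers the prefix."""
    target = ipaddress.ip_network(dest_prefix)
    best = None
    for prefix, peer in unicast_rib.items():
        net = ipaddress.ip_network(prefix)
        if net.version == target.version and target.subnet_of(net):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, peer)
    return None if best is None else best[1]


def validate_rule(rule, unicast_rib, policy, accepted_so_far):
    """Apply the acceptance policy to one rule; returns (ok, reason)."""
    same_peer = [r for r in accepted_so_far if r.received_from == rule.received_from]
    if len(same_peer) >= policy.max_rules:
        return False, "rule limit reached for this peer"
    if rule.action not in policy.allowed_actions:
        return False, f"action {rule.action!r} not allowed"
    if best_unicast_peer(unicast_rib, rule.dest_prefix) != rule.received_from:
        return False, "best path to destination is not via the announcing peer"
    return True, "accepted"


def accept_rules(rules, unicast_rib, policy):
    """Process rules in arrival order; returns (accepted, [(rule, reason), ...])."""
    accepted, rejected = [], []
    for rule in rules:
        ok, reason = validate_rule(rule, unicast_rib, policy, accepted)
        if ok:
            accepted.append(rule)
        else:
            rejected.append((rule, reason))
    return accepted, rejected


# Constructed unicast RIB: prefix -> peer that is the best path for it
UNICAST_RIB = {
    "192.0.2.0/24": "peer-A",
    "198.51.100.0/24": "peer-B",
}
# The Retn policy from this page: 10 rules, discard only
RETN_POLICY = AcceptPolicy(max_rules=10)

if __name__ == "__main__":
    sample = [
        FlowRule("192.0.2.10/32", "discard", "peer-A"),      # own prefix: accepted
        FlowRule("198.51.100.5/32", "discard", "peer-A"),    # peer-B's prefix: rejected
        FlowRule("192.0.2.10/32", "rate-limit", "peer-A"),   # action not allowed: rejected
    ]
    accepted, rejected = accept_rules(sample, UNICAST_RIB, RETN_POLICY)
    for r in accepted:
        print("accepted", r)
    for r, why in rejected:
        print("rejected", r, "-", why)
```

The per-peer counter is evaluated against already accepted rules, so a peer that has hit its limit cannot displace earlier rules by sending more; a real implementation would also re-run the best-path check whenever the unicast route for the destination changes, since a rule that was valid at receipt can become invalid later.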
ddos/flowspec.1564044191.txt.gz · Last modified: 2020/07/08 18:20 (external edit)