HI all,

I have an nscrub setup on an LTS16. The config is routing/asymmetric mode. I have a few problems and questions:

- When I stop nscrub the nscrub-VM is left in a crippled state where it can't even ping IPs that are on connected interfaces (e.g. the gateway). Why is that? How can I avoid this?

- The white/black/gray dynamic lists are always empty when mitigating, even when nscrub drops attack packets. I'm reading with

attackers?target_id=pc\&action=list\&profile=black\&list=dynamic

- When pinging from the internet a host defined as a target in scrub, I can see many packets are delayed.
64 bytes from x.y.z.130: icmp_seq=1 ttl=125 time=2.42 ms
64 bytes from x.y.z.130: icmp_seq=2 ttl=125 time=3002 ms
64 bytes from x.y.z.130: icmp_seq=3 ttl=125 time=2002 ms
64 bytes from x.y.z.130: icmp_seq=4 ttl=125 time=1002 ms
64 bytes from x.y.z.130: icmp_seq=5 ttl=125 time=3.09 ms
This also happens when the target is in bypass enabled mode. Why does this happen and how can I avoid it?

- UDP packets are dropped even when I have default action "drop disable". Is this a bug? See the snippet below, where I try to disable udp/src/53/drop. It accepts the command but there is no result.

root@nscrub:~# nscrub-export all

target pc profile DEFAULT udp src 53 drop enable

root@nscrub:~# curl -u admin:admin http://127.0.0.1:8880/profile/udp/src/53/accept?target_id=pc\&profile=default\&action=disable { "envelope_ver": "1.0", "hostname": "katharistis", "epoch": 1512284852, "status": 200, "description": "OK", "data": { "function": "\/profile\/udp\/src\/53\/accept", "return": "success" } }root@nscrub:~#
root@nscrub:~# nscrub-export all
target pc profile DEFAULT udp src 53 drop enable

- What is the suggested config for mitigating DNS attacks? The victim still needs to be able to do DNS requests and get the answers. Keep in mind that nscrub does not see the DNS requests from the victim (asym mode).

- Are the mitigation capabilities of nscrub effective when I redirect an attacked IP through nscrub in real time, or does nscrub need time to profile a "first seen IP" before mitigating attacks?

- As far as I understand, nscrub tests IPs using some algorithms and classifies the IPs into the white/black/grey list. Is that right?

Sp
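The accept/drop exchange quoted in the post invites a check that compares the function the API envelope says it touched with the rule line nscrub-export prints afterwards. The code below is an added example, not nscrub's own tooling; it assumes the export line format seen in that session and works on constructed copies of its output.

```python
import json
import re

# Constructed sample data, modelled on the shell session quoted in the post.
# The envelope as curl printed it (the shell prompt that followed it is stripped).
API_RESPONSE = (
    r'{ "envelope_ver": "1.0", "hostname": "katharistis", "epoch": 1512284852, '
    r'"status": 200, "description": "OK", "data": { '
    r'"function": "\/profile\/udp\/src\/53\/accept", "return": "success" } }'
)
EXPORT_AFTER = "target pc profile DEFAULT udp src 53 drop enable\n"

# Assumed line format, generalised from the single export line in the post:
#   target <id> profile <name> <proto> <src|dst> <port> <rule> <enable|disable>
EXPORT_RE = re.compile(
    r"^target (\S+) profile (\S+) (\S+) (src|dst) (\d+) (\S+) (enable|disable)$"
)


def parse_export(text):
    """Map (target, profile, proto, dir, port, rule) -> 'enable'/'disable'."""
    rules = {}
    for line in text.splitlines():
        m = EXPORT_RE.match(line.strip())
        if m:
            target, profile, proto, direction, port, rule, state = m.groups()
            rules[(target, profile.lower(), proto, direction, int(port), rule)] = state
    return rules


def check_rule_change(response_text, target_id, profile, action, export_after):
    """Compare what the API says it did with what nscrub-export shows afterwards.

    Returns a list of findings; an empty list means the export matches the request.
    """
    env = json.loads(response_text)
    if env.get("status") != 200 or env.get("data", {}).get("return") != "success":
        return ["API call did not report success"]
    # "/profile/udp/src/53/accept" -> proto=udp, dir=src, port=53, rule=accept
    _, proto, direction, port, rule = env["data"]["function"].strip("/").split("/")
    key = (target_id, profile.lower(), proto, direction, int(port), rule)
    rules = parse_export(export_after)
    if key not in rules:
        # The rule the API reports touching is absent; show which rule(s) the
        # export does hold for the same proto/dir/port (e.g. 'drop' vs 'accept').
        siblings = [k[5] for k in rules if k[:5] == key[:5]]
        return [f"rule {rule!r} for {proto}/{direction}/{port} not in export; "
                f"export has {siblings}"]
    if rules[key] != action:
        return [f"export shows {rule} {rules[key]}, expected {action}"]
    return []
```

Run against the post's own session, the check reports that the call touched the `accept` rule while the export only holds a `drop` rule for udp/src/53, which is worth ruling out before filing it as a bug.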

_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
