Hi Spiros, please read my answers below.

> On 3 Dec 2017, at 08:15, Spiros Papageorgiou <[email protected]> wrote:
>
> Hi all,
>
> I have an nscrub setup on an LTS16. The config is routing/asymmetric mode. I
> have a few problems and questions:
>
> - When I stop nscrub the nscrub-VM is left in a crippled state where it
> can't even ping IPs that are on connected interfaces (e.g. the gateway). Why is
> that? How can I avoid this?

Please provide your nscrub configuration file (or cli), ifconfig, and cat /proc/net/pf_ring/dev/ethX/info for the interface you are using in nscrub. (Feel free to write to my email address directly if you don't want to share your data on the ml.)

> - The white/black/gray dynamic lists are always empty when mitigating, even
> when nscrub drops attack packets. I'm reading with
> attackers?target_id=pc\&action=list\&profile=black\&list=dynamic

Please send me your target configuration, you can dump it with nscrub-export.

> - When pinging from the internet a host defined as a target in nscrub, I can
> see many packets are delayed.
>
> 64 bytes from x.y.z.130: icmp_seq=1 ttl=125 time=2.42 ms
> 64 bytes from x.y.z.130: icmp_seq=2 ttl=125 time=3002 ms
> 64 bytes from x.y.z.130: icmp_seq=3 ttl=125 time=2002 ms
> 64 bytes from x.y.z.130: icmp_seq=4 ttl=125 time=1002 ms
> 64 bytes from x.y.z.130: icmp_seq=5 ttl=125 time=3.09 ms
>
> This also happens when the target is in bypass enabled mode. Why does this happen
> and how can I avoid this?

I need to see the nscrub configuration as above.

> - UDP packets are dropped even when I have default action "drop disable". Is
> this a bug? See the snippet below, where I try to disable udp/src/53/drop. It
> accepts the command but there is no result.
>
> root@nscrub:~# nscrub-export all
> target pc profile DEFAULT udp src 53 drop enable
> root@nscrub:~# curl -u admin:admin http://127.0.0.1:8880/profile/udp/src/53/accept?target_id=pc\&profile=default\&action=disable
> { "envelope_ver": "1.0", "hostname": "katharistis", "epoch": 1512284852, "status": 200, "description": "OK", "data": { "function": "\/profile\/udp\/src\/53\/accept", "return": "success" } }root@nscrub:~#
> root@nscrub:~# nscrub-export all
> target pc profile DEFAULT udp src 53 drop enable

Please note that you are using "accept" instead of "drop" in the URL. I recommend using nscrub-cli, which is clearer.

> - What is the suggested config for mitigating DNS attacks? The victim still
> needs to be able to do DNS requests and get the answers. Keep in mind that
> nscrub does not see the DNS requests from the victim (asym mode).

There are a few settings to mitigate DNS attacks that apply to requests:

  dns request check_method <method>
  dns request rate src [PPS]
  dns request rate transaction_id [PPS]
  dns request threshold [PPS]
  dns request type NUM drop [enable|disable]

As for answers, all you can do is to configure UDP rating:

  udp rate src [PPS]
  udp rate dst [PPS]

> - Are the mitigation capabilities of nscrub efficient when I redirect an
> attacked IP through nscrub in real time, or does nscrub need time to profile a
> "first seen IP" before mitigating attacks?

With the current algorithms, you can redirect the IP on demand.

> - As far as I understand, nscrub tests IPs using some algorithms and
> classifies the IPs into the white/black/grey list. Is that right?

Yes, some of the algorithms work this way.

Alfredo

> Sp
>
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
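The "accept" versus "drop" mix-up above is easy to make when the per-port action is part of the URL path rather than a query parameter. The following is an added example (not ntop's code, and not part of the thread) that parses an nscrub-export dump, checks whether a given per-port action is still in the state the operator wanted, and builds the REST URL that would flip it. The export line format ("target <id> profile <name> <proto> <src|dst> <port> <action> <enable|disable>") and the URL layout ("/profile/<proto>/<src|dst>/<port>/<action>?target_id=...&profile=...&action=...") are inferred from the single lines shown in the thread; the sample export is constructed, and the second rule in it is invented for contrast.

```python
"""Audit an nscrub-export dump and build the matching REST call.

Added example, not ntop's code. The export line format and the REST
path are inferred from the lines quoted in the thread; everything else
(the second sample rule, the function names) is an assumption.
"""
import re
from urllib.parse import urlencode

# Constructed sample: the line from the thread plus one extra rule for contrast.
SAMPLE_EXPORT = """\
target pc profile DEFAULT udp src 53 drop enable
target pc profile DEFAULT udp src 123 drop disable
"""

# One rule per line, as shown by "nscrub-export all" in the thread.
RULE_RE = re.compile(
    r"^target\s+(?P<target>\S+)\s+profile\s+(?P<profile>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<direction>src|dst)\s+(?P<port>\d+)\s+"
    r"(?P<action>\S+)\s+(?P<state>enable|disable)\s*$"
)


def parse_export(text):
    """Return one dict per per-port rule line; lines that do not match are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["port"] = int(rule["port"])
            rules.append(rule)
    return rules


def find_rule(rules, target, proto, direction, port):
    """Locate the rule for one (target, proto, direction, port) tuple, or None."""
    for rule in rules:
        if (rule["target"] == target and rule["proto"] == proto
                and rule["direction"] == direction and rule["port"] == port):
            return rule
    return None


def action_url(base, target_id, profile, proto, direction, port, action, enable):
    """Build the REST URL that toggles one per-port action.

    The action name ('drop', 'accept', ...) is a path element, which is
    exactly where the thread's curl call went wrong by sending 'accept'
    while trying to change the 'drop' rule.
    """
    query = urlencode({"target_id": target_id, "profile": profile,
                       "action": "enable" if enable else "disable"})
    return f"{base}/profile/{proto}/{direction}/{port}/{action}?{query}"


def fix_for(rules, base, target, proto, direction, port, wanted_state):
    """Return (mismatched, url).

    mismatched is True when the export still shows the rule in a state other
    than wanted_state; url is then the call that would flip that rule's own
    action (not some other action on the same port). The profile name is
    lower-cased because the thread's URL used 'default' for profile DEFAULT.
    """
    rule = find_rule(rules, target, proto, direction, port)
    if rule is None or rule["state"] == wanted_state:
        return False, None
    url = action_url(base, target, rule["profile"].lower(), proto, direction,
                     port, rule["action"], wanted_state == "enable")
    return True, url


if __name__ == "__main__":
    rules = parse_export(SAMPLE_EXPORT)
    mismatched, url = fix_for(rules, "http://127.0.0.1:8880", "pc", "udp", "src", 53, "disable")
    if mismatched:
        print("udp src 53 is still not 'disable'; the call to send is:")
        print(url)
```

Run the script after each nscrub-export to confirm the dump reflects the intended state rather than trusting the "return": "success" envelope, which the thread shows is returned even when the wrong action name was addressed.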
