RE: automatic rtbh trigger using flow data

2018-08-30 Thread Michel Py
> Aaron Gould wrote :
> I'm really surprised that you all are doing this based on source ip, simply 
> because I thought the distribution of botnet members around
> the world were so extensive that I never really thought it possible to 
> filter based on sources, if so I'd like to see the list too.

I emailed you. For years I ran it at home on a Cisco 1841, 100,000 BGP prefixes 
is nothing these days. I am not surprised that Joe pushes that to some CPEs.

> Even so, this would not stop the attacks from hitting my front door, my side 
> of my Internet uplink...when paying for a 30 gigs CIR
> and paying double for megabits per second over that, up to the ceiling of 100 
> gig every bit that hits my front door over 30 gig
> would cost me extra, remotely triggering based on my victim IP address inside 
> my network would be my solution to saving money.

I agree. If you want to get a real use of source blacklisting, to save 
bandwidth, you probably want to rent a U in a rack at your upstream(s) to block 
it there.
I never did it past 1GE, and I have never measured seriously the bandwidth it 
would save, would be curious to know.
I think the two approaches are complementary to each other though.

Michel.


On Aug 30, 2018, at 6:43 PM, Michel Py  wrote:

>> Joe Maimon wrote :
>> I use a bunch of scripts plus a supervisory sqlite3 database process all 
>> injecting into quagga
> 
> I have the sqlite part planned, today I'm using a flat file :-( I know :-(
> 
>> Also aimed at attacker sources. I feed it with honeypots and live servers, 
>> hooked into fail2ban and using independent host scripts. Not very 
>> sophisticated, the remotes use ssh executed commands to add/delete. I also 
>> setup a promiscuous ebgp RR so I can extend my umbrella to CPE with diverse 
>> connectivity.
> 
> I would like to have your feed. How many attacker prefixes do you currently 
> have ?
> 
>> Using flow data, that sounds like an interesting direction to take this 
>> into, so thank you!
> 
> The one thing we can share here is the attacker prefixes. The victim prefixes 
> are unique to each of us but I expect our attacker prefixes to be very close.
> 
> Michel.
> 
> TSI Disclaimer:  This message and any files or text attached to it are 
> intended only for the recipients named above and contain information that may 
> be confidential or privileged. If you are not the intended recipient, you 
> must not forward, copy, use or otherwise disclose this communication or the 
> information contained herein. In the event you have received this message in 
> error, please notify the sender immediately by replying to this message, and 
> then delete all copies of it from your system. Thank you!...



Re: automatic rtbh trigger using flow data

2018-08-30 Thread Roland Dobbins

On 31 Aug 2018, at 6:47, Aaron Gould wrote:

I'm really surprised that you all are doing this based on source ip, 
simply because I thought the distribution of botnet members around the 
world were so extensive that I never really thought it possible to 
filter based on sources, i


Using S/RTBH to drop attack sources has been a valid and useful 
mitigation tactic for close to 20 years.  Any kind of modern router 
scales up to large numbers of sources; and note that S/RTBH isn't 
limited to /32s.


It's discussed in this .pdf preso:



---
Roland Dobbins 


Re: automatic rtbh trigger using flow data

2018-08-30 Thread Aaron Gould
I'm really surprised that you all are doing this based on source ip, simply 
because I thought the distribution of botnet members around the world were so 
extensive that I never really thought it possible to filter based on sources, 
if so I'd like to see the list too

Even so, this would not stop the attacks from hitting my front door, my side of 
my Internet uplink...when paying for a 30 gigs CIR and paying double for 
megabits per second over that, up to the ceiling of 100 gig every bit that hits 
my front door over 30 gig would cost me extra, remotely triggering based on my 
victim IP address inside my network would be my solution to saving money

But stopping the attack even on my side of my Internet uplink would at least 
stop it from proliferating throughout my internal network which is also costing 
me when it affects cell towers, etc.

Aaron

On Aug 30, 2018, at 6:43 PM, Michel Py  wrote:

>> Joe Maimon wrote :
>> I use a bunch of scripts plus a supervisory sqlite3 database process all 
>> injecting into quagga
> 
> I have the sqlite part planned, today I'm using a flat file :-( I know :-(
> 
>> Also aimed at attacker sources. I feed it with honeypots and live servers, 
>> hooked into fail2ban and using independent host scripts. Not very 
>> sophisticated, the remotes use ssh executed commands to add/delete. I also 
>> setup a promiscuous ebgp RR so I can extend my umbrella to CPE with diverse 
>> connectivity.
> 
> I would like to have your feed. How many attacker prefixes do you currently 
> have ?
> 
>> Using flow data, that sounds like an interesting direction to take this 
>> into, so thank you!
> 
> The one thing we can share here is the attacker prefixes. The victim prefixes 
> are unique to each of us but I expect our attacker prefixes to be very close.
> 
> Michel.
> 



RE: automatic rtbh trigger using flow data

2018-08-30 Thread Michel Py
> Joe Maimon wrote :
> I use a bunch of scripts plus a supervisory sqlite3 database process all 
> injecting into quagga

I have the sqlite part planned, today I'm using a flat file :-( I know :-(

> Also aimed at attacker sources. I feed it with honeypots and live servers, 
> hooked into fail2ban and using independent host scripts. Not very 
> sophisticated, the remotes use ssh executed commands to add/delete. I also 
> setup a promiscuous ebgp RR so I can extend my umbrella to CPE with diverse 
> connectivity.

I would like to have your feed. How many attacker prefixes do you currently 
have ?

> Using flow data, that sounds like an interesting direction to take this into, 
> so thank you!

The one thing we can share here is the attacker prefixes. The victim prefixes 
are unique to each of us but I expect our attacker prefixes to be very close.

Michel.



Re: automatic rtbh trigger using flow data

2018-08-30 Thread Joe Maimon




Michel Py wrote:

>> Aaron Gould wrote :
>> Hi, does anyone know how to use flow data to trigger a rtbh (remotely triggered 
>> blackhole) route using bgp ?  ...I'm thinking we could use
>> quagga or a script of some sort to interact with a router to advertise to bgp 
>> the /32 host route of the victim under attack.
> 
> Look at Exabgp : https://github.com/Exa-Networks/exabgp
> That's what I use in here : https://arneill-py.sacramento.ca.us/cbbc/ to inject 
> the prefixes in BGP.
> I block the attacker's addresses, not the victim but if you are willing to 
> write your own scripts it does the job.
> 
> Michel.



I use a bunch of scripts plus a supervisory sqlite3 database process all 
injecting into quagga


Also aimed at attacker sources. I feed it with honeypots and live 
servers, hooked into fail2ban and using independent host scripts.


Not very sophisticated, the remotes use ssh executed commands to 
add/delete. I also setup a promiscuous ebgp RR so I can extend my 
umbrella to CPE with diverse connectivity.


Using flow data, that sounds like an interesting direction to take this 
into, so thank you!


Joe


RE: automatic rtbh trigger using flow data

2018-08-30 Thread Michel Py
> Aaron Gould wrote :
> Thanks, but what if the attacker is many... like thousands ?  ...isn't that 
> typically what we see, is tons and tons of sources (hence distributed dos) ?

At this very moment I blacklist ~ 56,000 individual /32s and historically it 
has been up to 135,000 at times. It's not a problem for most routers, unless 
you're on one of these old clunkers with un-upgradable TCAM and a full feed (if 
you are, you don't have much time left anyway).

> Ryan Hamel wrote :
> Exactly Aaron. No provider will allow a customer to null route a source IP 
> address.

Yes, unless you have your own router on their side of the link and pay for it, 
or have your own VRF on their router which is not going to be cheap either.

> I could only assume that a null route on Michel's network is tanking the 
> packets at their edge to 192.0.2.1 (discard/null0).

Correct, and I clearly understand its limitations, paragraph below taken from 
https://arneill-py.sacramento.ca.us/cbbc/
There indeed is a value in blacklisting the IP address of the host being 
attacked and feed that with the appropriate community to the upstream that will 
accept it as it is part of your own space. You sacrifice one host to save the 
bandwidth to the rest.
That being said, if the DDOS targets your entire IP range, none of these will 
help.

I have to withstand DDOS attacks all the time, can the CBBC feed help ?
It depends on the type of attack; the CBBC feed is not designed as DDOS 
mitigation tool. There is no such thing as a free lunch : your ISP will not 
take the full CBBC feed for free when they can make you pay big bucks for their 
own one. The CBBC does not prevent the DDOS attack to get to you, it may help 
with attacks that are based on PPS, not raw bandwidth. What the CBBC does is to 
block the offending traffic at the router level, so it is blocked before it 
even reaches your server / firewall. However, the CBBC does not prevent the 
DDOS traffic from coming to you, so if you have a slow connection to the 
Internet and the DDOS sends more bandwidth than you have, you still are down. 
However, if the DDOS is based not on bandwidth but on a higher-level protocol 
such as DNS or HTTPS, it helps by taking the load off the server.

Michel.

-Aaron

-Original Message-
From: Michel Py [mailto:michel...@tsisemi.com] 
Sent: Thursday, August 30, 2018 3:17 PM
To: Aaron Gould; Nanog@nanog.org
Subject: RE: automatic rtbh trigger using flow data 

> Aaron Gould wrote :
> Hi, does anyone know how to use flow data to trigger a rtbh (remotely
> triggered blackhole) route using bgp ?  ...I'm thinking we could use
> quagga or a script of some sort to interact with a router to advertise to
> bgp the /32 host route of the victim under attack.

Look at Exabgp : https://github.com/Exa-Networks/exabgp
That's what I use in here : https://arneill-py.sacramento.ca.us/cbbc/ to
inject the prefixes in BGP.
I block the attacker's addresses, not the victim but if you are willing to
write your own scripts it does the job.

Michel.




RE: automatic rtbh trigger using flow data

2018-08-30 Thread Ryan Hamel
Exactly Aaron. No provider will allow a customer to null route a source IP 
address. I could only assume that a null route on Michel's network is tanking 
the packets at their edge to 192.0.2.1 (discard/null0).

-- 
Ryan Hamel
Senior Support Engineer
ryan.ha...@quadranet.com | +1 (888) 578-2372
QuadraNet Enterprises, LLC. | Dedicated Servers, Colocation, Cloud

-Original Message-
From: NANOG  On Behalf Of Aaron Gould
Sent: Thursday, August 30, 2018 1:38 PM
To: 'Michel Py' ; Nanog@nanog.org
Subject: RE: automatic rtbh trigger using flow data

Thanks, but what if the attacker is many... like thousands ?  ...isn't that 
typically what we see, is tons and tons of sources (hence distributed dos) ?

-Aaron

-Original Message-
From: Michel Py [mailto:michel...@tsisemi.com]
Sent: Thursday, August 30, 2018 3:17 PM
To: Aaron Gould; Nanog@nanog.org
Subject: RE: automatic rtbh trigger using flow data 

> Aaron Gould wrote :
> Hi, does anyone know how to use flow data to trigger a rtbh (remotely
> triggered blackhole) route using bgp ?  ...I'm thinking we could use
> quagga or a script of some sort to interact with a router to advertise to
> bgp the /32 host route of the victim under attack.

Look at Exabgp : https://github.com/Exa-Networks/exabgp
That's what I use in here : https://arneill-py.sacramento.ca.us/cbbc/ to inject 
the prefixes in BGP.
I block the attacker's addresses, not the victim but if you are willing to 
write your own scripts it does the job.

Michel.




RE: automatic rtbh trigger using flow data

2018-08-30 Thread Aaron Gould
Thanks, but what if the attacker is many... like thousands ?  ...isn't that
typically what we see, is tons and tons of sources (hence distributed dos) ?

-Aaron

-Original Message-
From: Michel Py [mailto:michel...@tsisemi.com] 
Sent: Thursday, August 30, 2018 3:17 PM
To: Aaron Gould; Nanog@nanog.org
Subject: RE: automatic rtbh trigger using flow data 

> Aaron Gould wrote :
> Hi, does anyone know how to use flow data to trigger a rtbh (remotely
> triggered blackhole) route using bgp ?  ...I'm thinking we could use
> quagga or a script of some sort to interact with a router to advertise to
> bgp the /32 host route of the victim under attack.

Look at Exabgp : https://github.com/Exa-Networks/exabgp
That's what I use in here : https://arneill-py.sacramento.ca.us/cbbc/ to
inject the prefixes in BGP.
I block the attacker's addresses, not the victim but if you are willing to
write your own scripts it does the job.

Michel.




RE: automatic rtbh trigger using flow data

2018-08-30 Thread Michel Py
> Aaron Gould wrote :
> Hi, does anyone know how to use flow data to trigger a rtbh (remotely 
> triggered blackhole) route using bgp ?  ...I'm thinking we could use
> quagga or a script of some sort to interact with a router to advertise to bgp 
> the /32 host route of the victim under attack.

Look at Exabgp : https://github.com/Exa-Networks/exabgp
That's what I use in here : https://arneill-py.sacramento.ca.us/cbbc/ to inject 
the prefixes in BGP.
I block the attacker's addresses, not the victim but if you are willing to 
write your own scripts it does the job.

Michel.



RE: automatic rtbh trigger using flow data

2018-08-30 Thread Aaron Gould
Wow, 4 replies for fastnetmon, thanks Ryan, Vicente, Job and Kushal

I'll look into it

-Aaron

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Aaron Gould
Sent: Thursday, August 30, 2018 2:53 PM
To: Nanog@nanog.org
Subject: automatic rtbh trigger using flow data 

 

Hi, does anyone know how to use flow data to trigger a rtbh (remotely
triggered blackhole) route using bgp ?  ...I'm thinking we could use quagga or
a script of some sort to interact with a router to advertise to bgp the /32
host route of the victim under attack.

Btw, I already have nfsen running and we receive real-time alerts of various
types of attacks, high volume, high ports, etc... and then we telnet into a
cisco trigger router and drop a few lines of code into it and then bgp does
the rest within seconds, the upstream providers learn of this route via
communities and they rtbh it in their cloud, BUT, I would like my alerts to
do this automatically... that would be very nice.  Any guidance would be
appreciated.

-Aaron

 



RE: automatic rtbh trigger using flow data

2018-08-30 Thread Ryan Hamel
There are software packages that combine all of your needs. I'm sure there are 
others.

WANGuard from Andrisoft (https://www.andrisoft.com/software/wanguard)
Fastnetmon (https://fastnetmon.com/)

From: NANOG  On Behalf Of Aaron Gould
Sent: Thursday, August 30, 2018 12:53 PM
To: Nanog@nanog.org
Subject: automatic rtbh trigger using flow data

Hi, does anyone know how to use flow data to trigger a rtbh (remotely triggered 
blackhole) route using bgp ?  ...I'm thinking we could use quagga or a script 
of some sort to interact with a router to advertise to bgp the /32 host route 
of the victim under attack.

Btw, I already have nfsen running and we receive real-time alerts of various 
types of attacks, high volume, high ports, etc... and then we telnet into a 
cisco trigger router and drop a few lines of code into it and then bgp does the 
rest within seconds, the upstream providers learn of this route via communities 
and they rtbh it in their cloud, BUT, I would like my alerts to do this 
automatically... that would be very nice.  Any guidance would be appreciated.

-Aaron



Re: automatic rtbh trigger using flow data

2018-08-30 Thread Vicente De Luca
fastnetmon does exactly what you’re looking for. https://fastnetmon.com/ 

there is also an open source version 
https://github.com/pavel-odintsov/fastnetmon 


my best

—vicente

> On Aug 30, 2018, at 12:52 PM, Aaron Gould  wrote:
> 
> Hi, does anyone know how to use flow data to trigger a rtbh (remotely 
> triggered blackhole) route using bgp ?  …I’m thinking we could use quagga or 
> a script of some sort to interact with a router to advertise to bgp the /32 
> host route of the victim under attack.
>  
> Btw, I already have nfsen running and we receive real-time alerts of various 
> types of attacks, high volume, high ports, etc… and then we telnet into a 
> cisco trigger router and drop a few lines of code into it and then bgp does 
> the rest within seconds, the upstream providers learn of this route via 
> communities and they rtbh it in their cloud, BUT, I would like my alerts to 
> do this automatically… that would be very nice.  Any guidance would be 
> appreciated.
>  
> -Aaron



automatic rtbh trigger using flow data

2018-08-30 Thread Aaron Gould
Hi, does anyone know how to use flow data to trigger a rtbh (remotely
triggered blackhole) route using bgp ?  ...I'm thinking we could use quagga or
a script of some sort to interact with a router to advertise to bgp the /32
host route of the victim under attack.

Btw, I already have nfsen running and we receive real-time alerts of various
types of attacks, high volume, high ports, etc... and then we telnet into a
cisco trigger router and drop a few lines of code into it and then bgp does
the rest within seconds, the upstream providers learn of this route via
communities and they rtbh it in their cloud, BUT, I would like my alerts to
do this automatically... that would be very nice.  Any guidance would be
appreciated.

-Aaron

 



Re: What NMS do you use and why?

2018-08-30 Thread Jon Wolberg
There are many other threads on this topic as well.  I can say +1 for
check_mk though.

On Thu, Aug 30, 2018 at 7:24 AM Faisal Imtiaz 
wrote:

> Having done a full circle on the number of network monitoring packages,
> dealing with pros and cons, we ended up with using Check_mk, moreover
> OMD http://omdisto.org
>
> We found (OMD) this to be a very powerful combination of different
> packages, each can shine for its own strength and the others complement it
> for the weaknesses !
>
> Regards.
>
> Faisal Imtiaz
> Snappy Internet & Telecom
> http://www.snappytelecom.net
>
> Tel: 305 663 5518 x 232
>
> Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net
>
> --
>
> *From: *"Colton Conor" 
> *To: *"nanog list" 
> *Sent: *Wednesday, August 15, 2018 9:49:12 AM
> *Subject: *What NMS do you use and why?
>
> We are looking for a new network monitoring system. Since there are so
> many operators on this list, I would like to know which NMS do you use and
> why? Is there one that you really like, and others that you hate?
> For free options (open source), LibreNMS and NetXMS come highly recommended
> by many wireless ISPs on low budgets. However, I am not sure of the commercial
> options available nor their price points.
>
>


Re: What NMS do you use and why?

2018-08-30 Thread Andrew Latham
Additional mention:
* https://www.centreon.com/en/solutions/centreon/

Related Tooling:
* https://www.cyphon.io/

On Wed, Aug 15, 2018 at 8:51 AM Colton Conor  wrote:

> We are looking for a new network monitoring system. Since there are so
> many operators on this list, I would like to know which NMS do you use and
> why? Is there one that you really like, and others that you hate?
>
> For free options (open source), LibreNMS and NetXMS come highly recommended
> by many wireless ISPs on low budgets. However, I am not sure of the commercial
> options available nor their price points.
>
>
>

-- 
- Andrew "lathama" Latham -


Re: What NMS do you use and why?

2018-08-30 Thread Faisal Imtiaz
Having done a full circle on the number of network monitoring packages, dealing 
with pros and cons, we ended up with using Check_mk, moreover OMD 
http://omdisto.org 

We found (OMD) this to be a very powerful combination of different packages, 
each can shine for its own strength and the others complement it for the 
weaknesses ! 

Regards. 

Faisal Imtiaz 
Snappy Internet & Telecom 
http://www.snappytelecom.net 

Tel: 305 663 5518 x 232 

Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net 

> From: "Colton Conor" 
> To: "nanog list" 
> Sent: Wednesday, August 15, 2018 9:49:12 AM
> Subject: What NMS do you use and why?

> We are looking for a new network monitoring system. Since there are so many
> operators on this list, I would like to know which NMS do you use and why? Is
> there one that you really like, and others that you hate?
> For free options (open source), LibreNMS and NetXMS come highly recommended by
> many wireless ISPs on low budgets. However, I am not sure of the commercial
> options available nor their price points.


Re: TekSavvy (Canada) contact

2018-08-30 Thread Paul Stewart
Folks – please do *not* request “clueful neteng point of contact” on the list 
if you are really looking to place an order for residential service.  Thanks …

 

Paul

 

 

From: NANOG  on behalf of "p...@paulstewart.org" 

Date: Wednesday, August 29, 2018 at 6:09 PM
To: Mike Hammett 
Cc: "nanog@nanog.org list" 
Subject: Re: TekSavvy (Canada) contact

 

Thnx all - already reached out 

 

Paul 

 




On Wed, Aug 29, 2018 at 6:05 PM -0400, "Mike Hammett"  wrote:


He's on AFMUG too.



-
Mike Hammett
Intelligent Computing Solutions

Midwest Internet Exchange

The Brothers WISP
From: "Eric Kuhnke" 
To: "nanog@nanog.org list" 
Sent: Wednesday, August 29, 2018 4:48:48 PM
Subject: TekSavvy (Canada) contact

I'm looking for a clueful neteng point of contact at TekSavvy. Please contact 
me off-list. Thanks!