ddos-protect threshold in bps


channdy keo

Jul 28, 2023, 11:01:54 AM7/28/23
to sFlow-RT
I have used ddos-protect for a while in our network and I think the threshold in bps is missing, and I am interested in developing it for our own use. Can anyone give me some clues or a sample app to achieve this requirement?

Peter Phaal

Jul 28, 2023, 12:38:33 PM7/28/23
to sFlow-RT
Packets per second tends to be a more robust indicator of DDoS traffic so that you get fewer false positives. It’s also easier to set the thresholds since high packet rates shouldn’t normally appear. On the other hand bits per second thresholds are harder. A large file transfer will result in high bits per second and trigger the threshold. The packets per second threshold wouldn’t trigger since legitimate traffic will use maximum size packets.

If you want to simply ignore threshold events with a low bps rate, it would be a simple change to modify the eventHandler():

  var [target,group,protocol] = evt.flowKey.split(',');
  var [attackers,packetsize] = evt.values ? evt.values : [0,0];

  // bps_threshold is a minimum bits/second setting you would add; drop
  // events whose estimated rate (avg packet size * pps * 8) is below it
  if((packetsize * evt.value * 8) < bps_threshold) return;

Add an extra check to calculate bps for the event and ignore it if below the threshold (https://github.com/sflow-rt/ddos-protect/blob/master/scripts/ddos.js#L590-L591). This is similar to the option to ignore events if there is only one attacker (likely a large flow, not a DDoS attack), see https://github.com/sflow-rt/ddos-protect/blob/master/scripts/ddos.js#L593-L599

If you do want to change DDoS Protect to trigger on bits/second rather than packets/second thresholds, then the ddos.js script in the app would need to be modified.

// IPv4 attacks
var keys = 'ipdestination,group:ipdestination:ddos_detect';
var value = 'frames';
var values = 'count:ipsource,avg:ipbytes';


Changing the values settings in the original script (https://github.com/sflow-rt/ddos-protect/blob/master/scripts/ddos.js#L339-L340) from frames to bytes means that the metric will now be in bytes/second.

To work in bits/second, you need to take the bits/second threshold and divide by 8 before settings:

  setThreshold('ddos_protect_ip_flood',
    {metric:'ddos_protect_ip_flood', value:settings.ip_flood.threshold / 8, byFlow:true, timeout:threshold_t}
  );


For example, the above code modifies the ip_flood threshold (https://github.com/sflow-rt/ddos-protect/blob/master/scripts/ddos.js#L469-L471)

Finally you need to apply a scale factor of 8 when reporting metrics to get bits/second:

    topN[top[i].key] = top[i].value * 8;

For example, the above code modifies the calculateTopN() function (https://github.com/sflow-rt/ddos-protect/blob/master/scripts/ddos.js#L789)
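The following is an added example, not code from the ddos-protect app: a standalone model of the filtering discussed above, run over two constructed events (a single large file transfer and a small-packet flood) to show why a bps threshold alone flags the file transfer while a pps threshold does not. The event shape (evt.flowKey, evt.value as packets/second, evt.values as [attackers, average packet size]) and the option names are assumptions based on the snippets in this post.

```javascript
// Added example (not ddos-protect code). Assumed event shape from the thread:
// evt.flowKey = 'target,group,protocol', evt.value = packets/second,
// evt.values = [attackers, average packet size in bytes] (may be absent).

function eventBps(evt) {
  // Default to [0,0] when values are missing, as in the posted snippet
  var vals = evt.values ? evt.values : [0, 0];
  var packetsize = vals[1];
  return packetsize * evt.value * 8;  // bytes -> bits
}

// Which thresholds an event would cross: pps (the app's native metric)
// versus a bps figure derived from the average packet size.
function classify(evt, ppsThreshold, bpsThreshold) {
  var vals = evt.values ? evt.values : [0, 0];
  return {
    target: evt.flowKey.split(',')[0],
    attackers: vals[0],
    pps: evt.value >= ppsThreshold,
    bps: eventBps(evt) >= bpsThreshold
  };
}

// Filter mirroring the two "ignore" options: a bps floor and the existing
// single-attacker rule (one source is likely a big flow, not a DDoS).
// opts.bpsThreshold and opts.ignoreSingleAttacker are assumed setting names.
function shouldIgnore(evt, opts) {
  var c = classify(evt, Infinity, opts.bpsThreshold);
  if (opts.bpsThreshold && !c.bps) return true;
  if (opts.ignoreSingleAttacker && c.attackers <= 1) return true;
  return false;
}

// Constructed sample events (not real traffic)
var FILE_TRANSFER = { flowKey: '10.0.0.5,customerA,tcp', value: 80000, values: [1, 1500] };
var SMALL_PKT_FLOOD = { flowKey: '10.0.0.9,customerA,udp', value: 1200000, values: [4000, 64] };

var PPS_THRESHOLD = 1000000;   // 1 Mpps
var BPS_THRESHOLD = 500000000; // 500 Mbit/s

// File transfer: 80000 pps * 1500 B * 8 = 960 Mbit/s -> crosses bps only.
// Flood: 1.2 Mpps * 64 B * 8 = 614.4 Mbit/s -> crosses both.
```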

Peter Phaal

Jul 29, 2023, 1:10:55 PM7/29/23
to channdy keo, sFlow-RT
Please don't drop the group, I think the discussion will be of use to others.

Answers to your questions inline.

On Fri, Jul 28, 2023 at 7:21 PM channdy keo <keo.c...@gmail.com> wrote:
Thanks a lot for your prompt response; this is a good starting point for me. I also have a few more points in mind for your advice.
1/ I am also looking for a way to define the pps/bps threshold per group level, which is essential for an ISP that provides DDoS protection to downstream customers. Please kindly give me some help.

We developed the following script for another customer that you might find useful. It’s a pared down (removed BGP, user settings, etc) version of the DDoS Protect application (https://github.com/sflow-rt/ddos-protect).

The new application is ddos-detect, so settings use the ddos_detect prefix, but otherwise it’s basically a stripped down ddos-protect.

wget https://inmon.com/products/sFlow-RT/ddos-detect.tgz

unpack the tarball in the sFlow-RT/app/ directory.

Settings are no longer done through user interface, but instead are pushed via REST API.

Set address groups:

curl -d @groups.json -X PUT -H "Content-Type: application/json" http://localhost:8008/app/ddos-detect/scripts/ddos.js/groups/json

Get address groups:

curl -o groups.json http://localhost:8008/app/ddos-detect/scripts/ddos.js/groups/json

Set thresholds:

curl -d @settings.json -X PUT -H "Content-Type: application/json" http://localhost:8008/app/ddos-detect/scripts/ddos.js/settings/json

Get thresholds:

curl -o settings.json http://localhost:8008/app/ddos-detect/scripts/ddos.js/settings/json

There are three thresholds per attack, sm, md and lg, for small, medium and large attacks. The three thresholds are shown in the charts, and an attack will generate an event for each threshold it crosses.

Add code to the sendEvent() method to push events into your controller.
 
2/ I am also looking for a way to replace our current network analyzer with faster time analysis, and I think sFlow-RT can be used to achieve this. I am sending the flows via syslog to Logstash for processing and then parsing them into Elasticsearch. The flow data need to have some necessary fields such as src ip, dst ip, src asn, dst asn, etc., and also metric fields such as bps and pps. I did not see any pps or bps flowkeys for each flow record, so are those calculated flowkeys? Please kindly share some clues with me on how to get the pps and bps metrics. Here is my script to send flows to Logstash for your review.

var server = '172.16.60.39';
var port = 5514;
var facility = 16; // local0
var severity = 5;  // notice

// flow keys exported in each record; null:...:unknown keys substitute
// "unknown" when the field is not present in the sampled packet
var flowkeys = [
  'ipsource',
  'ipdestination',
  'country:ipsource',
  'country:ipdestination',
  'asn:ipsource',
  'asn:ipdestination',
  'bytes',
  'frames',
  'agent',
  'direction',
  'inputifindex',
  'outputifindex',
  'macsource',
  'macdestination',
  'null:vlansource:unknown',
  'null:vlandestination:unknown',
  'null:ethernetprotocol:unknown',
  'null:ipprotocol:unknown',
  'null:tcpsourceport:unknown',
  'null:tcpdestinationport:unknown',
  'null:udpsourceport:unknown',
  'null:udpdestinationport:unknown'];

// flow definition: value is the frame count, flowStart emits a record on
// the first packet of each flow
setFlow('uport', {
  keys: flowkeys,
  value:'frames',
  log:true,
  flowStart:true
});

// map each comma-separated key in the record back to its flowkey name
// and forward the record to Logstash over syslog
setFlowHandler(function(rec) {
  var keys = rec.flowKeys.split(',');
  var msg = {};
  for(var i = 0; i < flowkeys.length; i++) msg[flowkeys[i]] = keys[i];
  syslog(server,port,facility,severity,msg);
},['uport']);

You can add the flow value to the syslog message:

msg.value = rec.value;

The flowStart:true flag means that the flow will be generated with the first packet of the flow, so the value for frames reported in the flow will always be 1 * sampling_rate. Leave out the argument, or set to false for more traditional flows. Set the activeTimeout to specify how often you want to wait before a flow record is generated. You can set values:['bytes'] in your setFlow() definition so that you have both byte and packet counts in the flow records.

Logging flow records to Elasticsearch is going to delay metrics. You might want to try the Browse Flows app (https://github.com/sflow-rt/browse-flows) for real-time troubleshooting and then the Prometheus app (https://github.com/sflow-rt/prometheus) for near real-time dashboards. Browse Flows is a good way to experiment and find useful flow definitions before creating a Prometheus flow metric.