RTBH/Flowspec advertisements not working


gaston gutierrez

Nov 2, 2020, 2:52:16 PM
to sFlow-RT
Do I need to add additional tools to generate RTBH/Flowspec advertisements to routers? I'm generating events, but I don't see BGP advertisements on the other end.

ddos.conf:

ddos_protect.router=XXX.XXX.XXX.XXX,YYY.YYY.YYY.YYY
ddos_protect.as=ASN
ddos_protect.mode=automatic
ddos_protect.id=ZZZ.ZZZ.ZZZ.ZZZ
ddos_protect.router.0.agent=XXX.XXX.XXX.XXX
ddos_protect.router.1.agent=YYY.YYY.YYY.YYY
ddos_protect.nexthop=192.0.2.1
ddos_protect.community=ASN:666
ddos_protect.localpref=1000
ddos_protect.enable.flowspec=yes
ddos_protect.enable.flowspec6=yes

sudo docker run --rm -v sflow-rt:/sflow-rt/ --net=host --name=ddos-protect --sysctl net.ipv4.ip_unprivileged_port_start=0 sflow/ddos-protect -Dbgp.port=179 -Dsystem.propertyFiles=/sflow-rt/ddos.conf

Peter Phaal

Nov 2, 2020, 5:06:01 PM
to sFlow-RT
You are missing the ddos_protect.bgpgroup setting. This setting tells DDoS Protect to use prefixes learned via BGP to classify traffic:


Without the above setting, the default is to classify traffic based on the Groups defined under the Settings tab.

gg

Nov 3, 2020, 9:37:08 AM
to sFlow-RT
I understand, and I am running the test using the groups in the settings tab for now. But still, generating Drop events should advertise the /32 prefix to the router no matter how I am classifying them, right? I have a Juniper router on the other end.

Peter Phaal

Nov 3, 2020, 10:14:30 AM
to gg, sFlow-RT
Did you define a local group containing the address space you want to protect?

Does the DDoS Protect BGP chart indicate that the BGP connection has been established? The Juniper needs to be configured to establish the BGP connection and enable Flowspec.

When you simulate a DDoS attack, do you see an entry under the Control tab? You should also see an entry in the log showing that the attack has been detected.

--
You received this message because you are subscribed to the Google Groups "sFlow-RT" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sflow-rt+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sflow-rt/2770d662-a23b-402c-b62b-49e88e8bbf77n%40googlegroups.com.

Peter Phaal

Nov 3, 2020, 11:44:50 AM
to gaston gutierrez, sFlow-RT
Thanks for reporting the exception. It was a regression introduced by adding support for BGP discovered address space. I have checked in a fix to GitHub and updated the Docker Hub image.

Please reply all to keep messages on the sFlow-RT mailing list.

On Tue, Nov 3, 2020 at 7:43 AM gaston gutierrez <gastong...@gmail.com> wrote:
Regarding the GUI breaking, this is what I get:

2020-11-03T15:35:11Z WARNING: app/ddos-protect/scripts/ddos.js app/ddos-protect/scripts/ddos.js#315 java.lang.ClassCastException: class java.lang.String cannot be cast to class org.mozilla.javascript.NativeObject (java.lang.String is in module java.base of loader 'bootstrap'; org.mozilla.javascript.NativeObject is in unnamed module of loader 'app')
2020-11-03T15:35:11Z INFO: app/ddos-protect/scripts/ddos.js stopped

On Tue, Nov 3, 2020 at 10:38 AM gaston gutierrez <gastong...@gmail.com> wrote:
Hi Peter,

Yes to all of the above:

- Created group "test" with the /32 target
- Tried with both Flowspec enabled/disabled, always with BGP enabled of course.
- Tried RTBH and Flowspec actions.
- BGP is up with both Juniper routers; I am receiving one prefix from them, but I am not advertising anything to them when events are generated.
- Double checked inbound policies on the Juniper routers.
- I do see events generated on both the GUI and the api endpoint, as well as on the log output.
- I have run the docker container with ddos.conf file and cmd line -D properties.

Also, I am not able to create groups on the GUI, I was with the previous version. So I added it on the command line.

This is the last test (without flowspec):

docker run --rm --net=host --name=ddos-protect --sysctl net.ipv4.ip_unprivileged_port_start=0 sflow/ddos-protect -Dbgp.port=179 -Dddos_protect.router=XXX.XXX.XXX.XXX,YYY.YYY.YYY.YYY -Dddos_protect.as=ASN -Dddos_protect.mode=automatic -Dddos_protect.id=ZZZ.ZZZ.ZZZ.ZZZ -Dddos_protect.router.0.agent=XXX.XXX.XXX -Dddos_protect.router.1.agent=YYY.YYY.YYY.YYY -Dddos_protect.nexthop=192.0.2.1 -Dddos_protect.community=ASN:666 -Dddos_protect.localpref=1000 -Dddos_protect.group.test=<target ip>/32
2020-11-03T14:55:13Z INFO: Starting sFlow-RT 3.0-1529
2020-11-03T14:55:14Z INFO: Version check, running latest
2020-11-03T14:55:14Z INFO: Listening, BGP port 179
2020-11-03T14:55:15Z INFO: Listening, sFlow port 6343
2020-11-03T14:55:15Z INFO: Listening, HTTP port 8008
2020-11-03T14:55:15Z INFO: DNS server
2020-11-03T14:55:15Z INFO: DNS server
2020-11-03T14:55:16Z INFO: app/prometheus/scripts/export.js started
2020-11-03T14:55:16Z INFO: app/browse-flows/scripts/top.js started
2020-11-03T14:55:16Z INFO: app/ddos-protect/scripts/ddos.js started
2020-11-03T14:55:37Z INFO: BGP open XXX.XXX.XXX.XXX 51908
2020-11-03T14:55:38Z INFO: BGP open YYY.YYY.YYY.YYY 57628
2020-11-03T14:56:17Z INFO: DDoS drop icmp_flood <target ip> test 8
2020-11-03T15:01:18Z INFO: DDoS release icmp_flood <target ip> test 8

I'm reviewing the js script now.

gaston gutierrez

Nov 3, 2020, 12:28:01 PM
to Peter Phaal, sFlow-RT
Thanks Peter, the GUI works now. Do you think something else might be broken regarding BGP advertisements from sflow-rt to the routers?

Peter Phaal

Nov 3, 2020, 12:38:37 PM
to gaston gutierrez, sFlow-RT
What does the Controls chart show under the Charts page (bottom left)? If the controls are shown as active then they have been advertised to the routers and you should see if there is a filter preventing their installation. One thing to look for is BGP verification. You need to turn off verification of the Flowspec rules since sFlow-RT isn't the source of the prefixes it is filtering.
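As an added example (not code from this thread or from the sFlow-RT project), a small Python parser over log lines in the format quoted earlier in the thread: it derives the controls that should currently be active from the "DDoS drop" / "DDoS release" messages, turns them into the host routes the routers should have received, and diffs that against what a router reports, which is the cross-check described above. The sample log is constructed from documentation-range addresses, and keying a control by (attack, target) is an assumption.

```python
import re

# Constructed sample log, modelled on the sFlow-RT lines quoted in this thread.
# Addresses are documentation-range placeholders, not real peers or targets.
SAMPLE_LOG = """\
2020-11-03T14:55:37Z INFO: BGP open 192.0.2.10 51908
2020-11-03T14:55:38Z INFO: BGP open 192.0.2.11 57628
2020-11-03T14:56:17Z INFO: DDoS drop icmp_flood 203.0.113.5 test 8
2020-11-03T14:57:02Z INFO: DDoS drop udp_amplification 203.0.113.9 test 8
2020-11-03T14:57:40Z INFO: DDoS drop udp_amplification 2001:db8::9 test 8
2020-11-03T15:01:18Z INFO: DDoS release icmp_flood 203.0.113.5 test 8
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>[A-Z]+): (?P<msg>.*)$")
BGP_OPEN_RE = re.compile(r"^BGP open (?P<peer>\S+) (?P<port>\d+)$")
# The trailing field ("8" in the thread) is kept opaque; the page does not say what it means.
DDOS_RE = re.compile(
    r"^DDoS (?P<action>drop|release) (?P<attack>\S+) (?P<target>\S+) (?P<group>\S+)(?: (?P<rest>.*))?$"
)


def parse_log(text):
    """Return (peers that opened a BGP session, controls still active).
    Assumption: a control is identified by (attack, target), so a release
    for the same pair removes the matching drop."""
    peers, active = set(), {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if b := BGP_OPEN_RE.match(msg):
            peers.add(b.group("peer"))
        elif d := DDOS_RE.match(msg):
            key = (d.group("attack"), d.group("target"))
            if d.group("action") == "drop":
                active[key] = {"since": m.group("ts"), "group": d.group("group")}
            else:
                active.pop(key, None)
    return peers, active


def expected_prefixes(active):
    """Host routes that should be advertised: /32 for IPv4, /128 for IPv6."""
    return sorted({f"{t}/128" if ":" in t else f"{t}/32" for (_, t) in active})


def missing_on_router(expected, received):
    """Prefixes sFlow-RT believes are active that the router does not show."""
    return sorted(set(expected) - set(received))
```

Feed `received` from the router's own route table dump (for example the flow or inet.0 routes it lists for the RTBH next hop); a non-empty result points at a filter or validation step on the router rather than at the controller.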

gaston gutierrez

Nov 3, 2020, 1:36:00 PM
to Peter Phaal, sFlow-RT
Hi Peter,

Yes, on the Controls chart it is showing as active, and I can see the bgp advertisement in tcpdump. It is probably something not related to sflow-rt. Thank you for the help.

gaston gutierrez

Nov 3, 2020, 2:19:21 PM
to Peter Phaal, sFlow-RT
Peter,

For some reason it doesn't work on an iBGP session; it does work on eBGP. The advertisement does go out on iBGP and the Juniper router receives it, but it doesn't accept it, not even as hidden. Perhaps something non-standard in the iBGP session advertisement format?

gaston gutierrez

Nov 3, 2020, 2:36:02 PM
to Peter Phaal, sFlow-RT
I believe the problem might be that you cannot define "internal" BGP, so advertisements include its own AS, and Junos doesn't like it.

Peter Phaal

Nov 3, 2020, 3:19:57 PM
to sFlow-RT

gaston gutierrez

Nov 3, 2020, 3:54:49 PM
to Peter Phaal, sFlow-RT
Yes, for some reason it's only supported in the "inet flow" family for this box, but tried with a "filter" action, and still didn't work.


gaston gutierrez

Nov 3, 2020, 4:17:50 PM
to Peter Phaal, sFlow-RT
Peter,

The "no-validate" feature is required for "inet flow" address family to work in eBGP. But it doesn't solve iBGP not working with Junos.

Peter Phaal

Nov 3, 2020, 6:41:33 PM
to gaston gutierrez, sFlow-RT
Is there a reason you can't use an eBGP connection?

gaston gutierrez

Nov 4, 2020, 9:45:39 AM
to Peter Phaal, sFlow-RT
No, just noting that limitation as I started using it with iBGP.