Saturday, July 21, 2018

Protecting your Network from Attackers / Clients

Hey guys, I got the following situation:

Every month or two we get a volumetric DDoS attack that overwhelms our network edge (a 10Gbps link to Cogent). While it doesn't last long, it's pretty pesky to be knocked offline for an hour at a time and to manually contact our provider to null route the IP (we have a backup 1Gbps link for monitoring and finding the affected IP).

In addition, we have some clients (not the brightest) that leave their servers open to various attack methods, or have improperly configured services. (We had someone use the number 4 as a password for root SSH.) After their machine gets taken over, they start sending out DoSes themselves, or start brute-forcing other IPs over SSH.

To combat this, we plan to set up a BGP session designated for blackholing to our provider to speed up the blackholing process. So here's my question: what do you guys use to automate blackholing an IP via BGP?

I've done some research and looked into the following solutions:

  • https://www.andrisoft.com/software/wanguard
  • https://fastnetmon.com/

While we are a pretty small shop, I don't mind paying for a license if it's reasonable (FastNetMon for example is $115 a month, which is reasonable for our budget).

I'm looking for the following features:

  • Quick detection time (1-3 seconds)
  • Ability to monitor ingress / egress
  • IPv6 support (Finally got clients to start using it)
  • Blackhole an IP if it is transmitting a DoS attack (Would like support for as many attack types as possible)
  • Blackhole an IP based on PPS or Bps (egress / ingress)
  • Monitor total traffic of each individual IP (Or the top ten in total Bps / PPS)

Bonus Points If:

  • We can do traffic analysis (Monitor flows between ASs, see traffic information per IP, etc)
  • Can call a script on detection (Could use this to send alerts to us / the client)
  • Can see if the client's server is doing other bad things (brute-forcing, scanning, etc)

Basic Infrastructure Map: https://i.imgur.com/hWWRWRU.png
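As an added example (not part of the original post, and not code from WANGuard or FastNetMon), here is a minimal threshold-based blackhole trigger of the kind the feature list describes: it sums per-IP bytes and packets per direction over a one-second window, flags hosts over a Bps or PPS limit on ingress or egress, lists top talkers, and formats an ExaBGP-style announce line tagged with the RFC 7999 BLACKHOLE community. The thresholds, discard next-hops and the ExaBGP command format are assumptions, and the flow samples are constructed.

```python
"""Threshold-based blackhole trigger (illustrative; not the poster's setup)."""
import ipaddress
from collections import defaultdict

BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 well-known BLACKHOLE community
NEXT_HOP = {4: "192.0.2.1", 6: "2001:db8::1"}  # assumed discard next-hops

# Per-direction limits; the window is 1 s, so bytes ~ Bps and packets ~ PPS.
THRESHOLDS = {
    "ingress": {"bps": 500_000_000, "pps": 300_000},
    "egress": {"bps": 200_000_000, "pps": 100_000},
}

def aggregate(samples):
    """Sum bytes and packets per (direction, ip) for one window."""
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0})
    for direction, ip, nbytes, npkts in samples:
        key = (direction, str(ipaddress.ip_address(ip)))  # normalise v4/v6 text
        totals[key]["bytes"] += nbytes
        totals[key]["packets"] += npkts
    return totals

def offenders(totals, thresholds=THRESHOLDS):
    """Return {ip: reason} for hosts over the Bps or PPS limit in either direction."""
    hits = {}
    for (direction, ip), t in totals.items():
        limit = thresholds[direction]
        if t["bytes"] >= limit["bps"]:
            hits[ip] = f"{direction} {t['bytes']} Bps"
        elif t["packets"] >= limit["pps"]:
            hits[ip] = f"{direction} {t['packets']} pps"
    return hits

def top_talkers(totals, n=10):
    """Top-n (direction, ip) entries by bytes, for the per-IP traffic view."""
    return sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]

def blackhole_command(ip):
    """ExaBGP API line announcing a host route tagged BLACKHOLE (format assumed)."""
    addr = ipaddress.ip_address(ip)
    prefix = f"{addr}/{addr.max_prefixlen}"  # /32 for IPv4, /128 for IPv6
    return (f"announce route {prefix} next-hop {NEXT_HOP[addr.version]} "
            f"community [{BLACKHOLE_COMMUNITY}]")

if __name__ == "__main__":
    # Constructed 1 s window: a v4 host under a volumetric flood, a v6 client
    # pushing a packet flood outwards, and one host with normal traffic.
    SAMPLES = [("ingress", "203.0.113.10", 700_000_000, 50_000),
               ("egress", "2001:db8::f00d", 9_000_000, 150_000),
               ("ingress", "203.0.113.20", 4_000_000, 3_000)]
    for ip, why in offenders(aggregate(SAMPLES)).items():
        print(f"# {ip}: {why}\n{blackhole_command(ip)}")
```

In a real deployment the printed lines would be written to ExaBGP's stdin by a process configured under its `process` section, and a matching withdraw would be issued once the window falls back under threshold.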


