mirror of
https://github.com/pavel-odintsov/fastnetmon
synced 2024-05-23 04:56:12 +02:00
We've unified average calculation time between hosts and networks and removed configuration option average_calculation_time_for_subnets as we do not need it. Cleanup in unused Flow Spec code.
This commit is contained in:
Pavel Odintsov
parent
a3e5431b79
commit
bfde24946e
|
|
@ -65,33 +65,3 @@ void exabgp_ban_manage(std::string action, std::string ip_as_string, attack_deta
|
|||
}
|
||||
}
|
||||
|
||||
|
||||
bool exabgp_flow_spec_ban_manage(std::string action, std::string flow_spec_rule_as_text) {
|
||||
std::string announce_action;
|
||||
|
||||
if (action == "ban") {
|
||||
announce_action = "announce";
|
||||
} else {
|
||||
announce_action = "withdraw";
|
||||
}
|
||||
|
||||
// Trailing \n is very important!
|
||||
std::string bgp_message = announce_action + " " + flow_spec_rule_as_text + "\n";
|
||||
|
||||
int exabgp_pipe = open(exabgp_command_pipe.c_str(), O_WRONLY);
|
||||
|
||||
if (exabgp_pipe <= 0) {
|
||||
logger << log4cpp::Priority::ERROR << "Can't open ExaBGP pipe for flow spec announce " << exabgp_command_pipe;
|
||||
return false;
|
||||
}
|
||||
|
||||
int wrote_bytes = write(exabgp_pipe, bgp_message.c_str(), bgp_message.size());
|
||||
|
||||
if (wrote_bytes != bgp_message.size()) {
|
||||
logger << log4cpp::Priority::ERROR << "Can't write message to ExaBGP pipe";
|
||||
return false;
|
||||
}
|
||||
|
||||
close(exabgp_pipe);
|
||||
return true;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,4 +2,3 @@
|
|||
#include <string>
|
||||
|
||||
void exabgp_ban_manage(std::string action, std::string ip_as_string, attack_details_t current_attack);
|
||||
bool exabgp_flow_spec_ban_manage(std::string action, std::string flow_spec_rule_as_text);
|
||||
|
|
|
|||
|
|
@ -113,8 +113,10 @@ netmap_read_packet_length_from_ip_header = off
|
|||
|
||||
# Pcap mode, very slow and thus not suitable for production
|
||||
pcap = off
|
||||
|
||||
# Netflow capture method with v5, v9 and IPFIX support
|
||||
netflow = off
|
||||
|
||||
# sFLOW capture suitable for switches
|
||||
sflow = off
|
||||
|
||||
|
|
@ -126,9 +128,6 @@ interfaces = eth3,eth4
|
|||
# We use average values for traffic speed to certain IP and we calculate average over this time slice
|
||||
average_calculation_time = 5
|
||||
|
||||
# We use average values for traffic speed for subnet and we calculate average over this time slice
|
||||
average_calculation_time_for_subnets = 5
|
||||
|
||||
# Delay between traffic recalculation attempts
|
||||
speed_calculation_delay = 1
|
||||
|
||||
|
|
@ -144,7 +143,7 @@ netflow_host = 0.0.0.0
|
|||
|
||||
# Netflow v9 and IPFIX agents use different and very complex approaches for notifying about sample ratio
|
||||
# Here you could specify a sampling ratio for all this agents
|
||||
# For NetFLOW v5 we extract sampling ratio from packets directely and this option not used
|
||||
# For NetFlow v5 we extract sampling ratio from packets directely and this option not used
|
||||
netflow_sampling_ratio = 1
|
||||
|
||||
# sFlow configuration
|
||||
|
|
@ -218,7 +217,7 @@ exabgp_announce_whole_subnet = off
|
|||
# Please use ExaBGP v4 only (Git version), for more details: https://github.com/pavel-odintsov/fastnetmon/blob/master/docs/BGP_FLOW_SPEC.md
|
||||
exabgp_flow_spec_announces = off
|
||||
|
||||
# GoBGP intergation
|
||||
# GoBGP integration
|
||||
gobgp = off
|
||||
|
||||
# Configuration for IPv4 announces
|
||||
|
|
|
|||
|
|
@ -294,9 +294,6 @@ int global_ban_time = 1800;
|
|||
// We calc average pps/bps for this time
|
||||
double average_calculation_amount = 15;
|
||||
|
||||
// We calc average pps/bps for subnets with this time, we use longer value for calculation average network traffic
|
||||
double average_calculation_amount_for_subnets = 30;
|
||||
|
||||
// Key used for sorting clients in output. Allowed sort params: packets/bytes/flows
|
||||
std::string sort_parameter = "bytes";
|
||||
|
||||
|
|
@ -312,9 +309,6 @@ unsigned int number_of_packets_for_pcap_attack_dump = 500;
|
|||
// log file
|
||||
log4cpp::Category& logger = log4cpp::Category::getRoot();
|
||||
|
||||
// We store all active BGP Flow Spec announces here
|
||||
active_flow_spec_announces_t active_flow_spec_announces;
|
||||
|
||||
/* Configuration block ends */
|
||||
|
||||
// We count total number of incoming/outgoing/internal and other traffic type packets/bytes
|
||||
|
|
@ -445,7 +439,6 @@ bool process_outgoing_traffic = true;
|
|||
|
||||
logging_configuration_t read_logging_settings(configuration_map_t configuration_map);
|
||||
std::string get_amplification_attack_type(amplification_attack_type_t attack_type);
|
||||
std::string generate_flow_spec_for_amplification_attack(amplification_attack_type_t amplification_attack_type, std::string destination_ip);
|
||||
ban_settings_t read_ban_settings(configuration_map_t configuration_map, std::string host_group_name = "");
|
||||
bool load_configuration_file();
|
||||
void free_up_all_resources();
|
||||
|
|
@ -657,11 +650,6 @@ bool load_configuration_file() {
|
|||
average_calculation_amount = convert_string_to_integer(configuration_map["average_calculation_time"]);
|
||||
}
|
||||
|
||||
if (configuration_map.count("average_calculation_time_for_subnets") != 0) {
|
||||
average_calculation_amount_for_subnets =
|
||||
convert_string_to_integer(configuration_map["average_calculation_time_for_subnets"]);
|
||||
}
|
||||
|
||||
if (configuration_map.count("speed_calculation_delay") != 0) {
|
||||
recalculate_speed_timeout = convert_string_to_integer(configuration_map["speed_calculation_delay"]);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -62,7 +62,6 @@ extern blackhole_ban_list_t<subnet_ipv6_cidr_mask_t> ban_list_ipv6_ng;
|
|||
extern uint64_t total_ipv6_packets;
|
||||
extern map_of_vector_counters_t SubnetVectorMapSpeed;
|
||||
extern double average_calculation_amount;
|
||||
extern double average_calculation_amount_for_subnets;
|
||||
extern bool print_configuration_params_on_the_screen;
|
||||
extern uint64_t our_ipv6_packets;
|
||||
extern map_of_vector_counters_t SubnetVectorMap;
|
||||
|
|
@ -100,7 +99,6 @@ extern total_counter_element_t total_speed_average_counters_ipv6[4];
|
|||
extern host_group_ban_settings_map_t host_group_ban_settings_map;
|
||||
extern bool exabgp_announce_whole_subnet;
|
||||
extern subnet_to_host_group_map_t subnet_to_host_groups;
|
||||
extern active_flow_spec_announces_t active_flow_spec_announces;
|
||||
extern bool collect_attack_pcap_dumps;
|
||||
|
||||
extern std::mutex ban_list_details_mutex;
|
||||
|
|
@ -726,39 +724,6 @@ bool we_should_ban_this_entity(subnet_counter_t* average_speed_element,
|
|||
return false;
|
||||
}
|
||||
|
||||
std::string generate_flow_spec_for_amplification_attack(amplification_attack_type_t amplification_attack_type,
|
||||
std::string destination_ip) {
|
||||
exabgp_flow_spec_rule_t exabgp_rule;
|
||||
|
||||
bgp_flow_spec_action_t my_action;
|
||||
|
||||
// We drop all traffic by default
|
||||
my_action.set_type(FLOW_SPEC_ACTION_DISCARD);
|
||||
|
||||
// Assign action to the rule
|
||||
exabgp_rule.set_action(my_action);
|
||||
|
||||
// TODO: rewrite!
|
||||
exabgp_rule.set_destination_subnet(convert_subnet_from_string_to_binary_with_cidr_format(destination_ip + "/32"));
|
||||
|
||||
// We use only UDP here
|
||||
exabgp_rule.add_protocol(FLOW_SPEC_PROTOCOL_UDP);
|
||||
|
||||
if (amplification_attack_type == AMPLIFICATION_ATTACK_DNS) {
|
||||
exabgp_rule.add_source_port(53);
|
||||
} else if (amplification_attack_type == AMPLIFICATION_ATTACK_NTP) {
|
||||
exabgp_rule.add_source_port(123);
|
||||
} else if (amplification_attack_type == AMPLIFICATION_ATTACK_SSDP) {
|
||||
exabgp_rule.add_source_port(1900);
|
||||
} else if (amplification_attack_type == AMPLIFICATION_ATTACK_SNMP) {
|
||||
exabgp_rule.add_source_port(161);
|
||||
} else if (amplification_attack_type == AMPLIFICATION_ATTACK_CHARGEN) {
|
||||
exabgp_rule.add_source_port(19);
|
||||
}
|
||||
|
||||
return exabgp_rule.serialize_single_line_exabgp_v4_configuration();
|
||||
}
|
||||
|
||||
std::string get_amplification_attack_type(amplification_attack_type_t attack_type) {
|
||||
if (attack_type == AMPLIFICATION_ATTACK_UNKNOWN) {
|
||||
return "unknown";
|
||||
|
|
@ -1227,35 +1192,6 @@ void send_attack_details(uint32_t client_ip, attack_details_t current_attack_det
|
|||
}
|
||||
}
|
||||
|
||||
// Run flow spec mitigation rule
|
||||
void launch_bgp_flow_spec_rule(amplification_attack_type_t attack_type, std::string client_ip_as_string) {
|
||||
logger << log4cpp::Priority::INFO << "We detected this attack as: " << get_amplification_attack_type(attack_type);
|
||||
|
||||
std::string flow_spec_rule_text = generate_flow_spec_for_amplification_attack(attack_type, client_ip_as_string);
|
||||
|
||||
logger << log4cpp::Priority::INFO << "We have generated BGP Flow Spec rule for this attack: " << flow_spec_rule_text;
|
||||
|
||||
if (exabgp_flow_spec_announces) {
|
||||
active_flow_spec_announces_t::iterator itr = active_flow_spec_announces.find(flow_spec_rule_text);
|
||||
|
||||
if (itr == active_flow_spec_announces.end()) {
|
||||
// We havent this flow spec rule active yet
|
||||
|
||||
logger << log4cpp::Priority::INFO << "We will publish flow spec announce about this attack";
|
||||
bool exabgp_publish_result = exabgp_flow_spec_ban_manage("ban", flow_spec_rule_text);
|
||||
|
||||
if (exabgp_publish_result) {
|
||||
active_flow_spec_announces[flow_spec_rule_text] = 1;
|
||||
}
|
||||
} else {
|
||||
// We have already blocked this attack
|
||||
logger << log4cpp::Priority::INFO << "The same rule was already sent to ExaBGP previously";
|
||||
}
|
||||
} else {
|
||||
logger << log4cpp::Priority::INFO << "exabgp_flow_spec_announces disabled. We will not talk to ExaBGP";
|
||||
}
|
||||
}
|
||||
|
||||
void call_attack_details_handlers(uint32_t client_ip, attack_details_t& current_attack, std::string attack_fingerprint) {
|
||||
std::string client_ip_as_string = convert_ip_as_uint_to_string(client_ip);
|
||||
std::string attack_direction = get_direction_name(current_attack.attack_direction);
|
||||
|
|
@ -2269,7 +2205,7 @@ void recalculate_speed() {
|
|||
|
||||
if (enable_subnet_counters) {
|
||||
ipv4_network_counters.recalculate_speed(speed_calc_period,
|
||||
(double)average_calculation_amount_for_subnets, nullptr);
|
||||
(double)average_calculation_amount, nullptr);
|
||||
|
||||
}
|
||||
|
||||
|
|
@ -2365,7 +2301,7 @@ void recalculate_speed() {
|
|||
|
||||
// Calculate IPv6 per network traffic
|
||||
if (enable_subnet_counters) {
|
||||
ipv6_subnet_counters.recalculate_speed(speed_calc_period, (double)average_calculation_amount_for_subnets,
|
||||
ipv6_subnet_counters.recalculate_speed(speed_calc_period, (double)average_calculation_amount,
|
||||
speed_callback_subnet_ipv6);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -11,8 +11,6 @@
|
|||
#include "fastnetmon.grpc.pb.h"
|
||||
#include <grpc++/grpc++.h>
|
||||
|
||||
typedef std::map<std::string, uint32_t> active_flow_spec_announces_t;
|
||||
|
||||
void build_speed_counters_from_packet_counters(subnet_counter_t& new_speed_element, subnet_counter_t* vector_itr, double speed_calc_period);
|
||||
|
||||
void build_average_speed_counters_from_speed_counters(subnet_counter_t* current_average_speed_element,
|
||||
|
|
@ -61,7 +59,6 @@ std::string generate_simple_packets_dump(std::vector<simple_packet_t>& ban_list_
|
|||
|
||||
void send_attack_details(uint32_t client_ip, attack_details_t current_attack_details);
|
||||
|
||||
void launch_bgp_flow_spec_rule(amplification_attack_type_t attack_type, std::string client_ip_as_string);
|
||||
void call_attack_details_handlers(uint32_t client_ip, attack_details_t& current_attack, std::string attack_fingerprint);
|
||||
uint64_t convert_conntrack_hash_struct_to_integer(packed_conntrack_hash_t* struct_value);
|
||||
bool process_flow_tracking_table(conntrack_main_struct_t& conntrack_element, std::string client_ip);
|
||||
|
|
|
|||
Loading…
Reference in New Issue