Keywords: BGP, Fastnetmon, RTBH, DDoS, DRDOS
Hextet Systems Network, 2018
Screenshot: Theodore Baschak / All Rights Reserved
Hextet Systems (AS395089) is a hobby/research ASN that I operate. It currently operates out of a single datacenter in downtown Winnipeg. One of the users of the IP space that Hextet Systems advertises via BGP is Coldhak, which operates several Tor exit relays. These Tor exit relays attract the occasional retaliatory DDoS attack.
I also operate “IPv6 Tunnels for Nerds” from my routers and route various friends' IPv6 space over MikroTik EoIP tunnels. When a DDoS attack hits, those tunnels become unusable for everyone, which is why I installed Fastnetmon to automate the injection of BGP blackhole routes: the attacked address is dropped at the edge so the attack does as little damage as possible to the rest of my network (and to my upstream's network).
Fastnetmon describes itself as a “very fast DDoS analyzer with sflow/netflow/mirror support” (from the FastNetMon GitHub project page).
For my uses it has a number of advantages. Fastnetmon is able to look at traffic in numerous ways, including sFlow, NetFlow/IPFIX and port mirroring, and it is able to react in numerous ways, including announcing routes through an ExaBGP speaker and calling an arbitrary shell script when a host is banned or unbanned.
I’m using IPFIX and injecting /32 routes into my system using ExaBGP. These have the standard BLACKHOLE community, 65535:666 (RFC 7999), attached to them. Note that a /32 only gets dropped upstream if the upstream is configured to act on that community, so confirm that with each provider rather than assuming it.
Blackholing, and then reporting on that blackhole, happens automatically. The reporting side can involve anything that can be called from a shell script.
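As an added example (not the author's script and not FastNetMon's own code), here is a notify script of the kind Fastnetmon calls on ban and unban, which writes the matching ExaBGP API command carrying the 65535:666 BLACKHOLE community. FastNetMon invokes the script as `<ip> <incoming|outgoing> <pps> <ban|unban|attack_details>` and passes the attack details on stdin for ban and attack_details events. The FIFO path, the discard next-hop 192.0.2.1 and the log path are assumptions; the script refuses anything that is not a single IPv4 host, so a malformed event can never blackhole a wider prefix.

```bash
#!/usr/bin/env bash
# Added example: a FastNetMon notify script that turns ban/unban events into
# ExaBGP API commands carrying the RFC 7999 BLACKHOLE community (65535:666).
# Not the author's script. FastNetMon runs it as:
#   notify_script <ip> <incoming|outgoing> <pps> <ban|unban|attack_details>
# and, for ban/attack_details, writes the attack details to its stdin.
set -eu

# Assumptions: where ExaBGP reads API commands, which next-hop the upstream
# discards, and where to log. Adjust for the real deployment.
EXABGP_PIPE="${EXABGP_PIPE:-/run/exabgp/exabgp.in}"
BLACKHOLE_NEXT_HOP="${BLACKHOLE_NEXT_HOP:-192.0.2.1}"
LOG="${LOG:-/var/log/fastnetmon-blackhole.log}"

# True only for a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    local ip="$1" IFS=. o n=0
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    for o in $ip; do
        n=$((n + 1))
        [ "$o" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# Print the ExaBGP API line for one event: <ip> <ban|unban>.
# Only a single host (/32) is ever announced: a victim that arrives as a
# prefix, an IPv6 address or garbage is rejected rather than widened.
build_exabgp_command() {
    local ip="$1" action="$2" verb
    case "$action" in
        ban)   verb=announce ;;
        unban) verb=withdraw ;;
        *)     echo "unknown action: $action" >&2; return 1 ;;
    esac
    valid_ipv4 "$ip" || { echo "refusing non-IPv4-host target: $ip" >&2; return 1; }
    printf '%s route %s/32 next-hop %s community [65535:666]\n' \
        "$verb" "$ip" "$BLACKHOLE_NEXT_HOP"
}

main() {
    local ip="$1" direction="$2" pps="$3" action="$4" cmd
    case "$action" in
        ban|unban) ;;
        *) cat >/dev/null; return 0 ;;   # attack_details only: nothing to announce
    esac
    # A failed build aborts the script (set -e): nothing reaches the BGP speaker.
    cmd="$(build_exabgp_command "$ip" "$action")"
    printf '%s\n' "$cmd" > "$EXABGP_PIPE"
    printf '%s %s %s %s pps=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$action" "$ip" "$direction" "$pps" >> "$LOG"
    # On ban, FastNetMon's attack details arrive on stdin; keep them with the entry.
    [ "$action" = ban ] && cat >> "$LOG"
    return 0
}

# Run only when invoked by FastNetMon with its four arguments.
if [ "$#" -ge 4 ]; then
    main "$@"
fi
```

FastNetMon can also announce the /32 itself through its built-in ExaBGP integration (the exabgp, exabgp_command_pipe, exabgp_community and exabgp_next_hop settings in fastnetmon.conf); a script like this is the hook where the reporting, or any other integration, is bolted on. Keep in mind what the announcement does: the victim /32 is deliberately taken offline so the rest of the network and the tunnels stay up, which is the trade the page describes.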
Some easy integrations include: