Configuring Flowspec
FortiDDoS can create Flowspec configuration scripts based on FortiDDoS attack information. The Flowspec scripts can be entered into Cisco and Juniper routers to create Flowspec-based ACLs, which are more fine-grained than traditional Remotely-Triggered Black Hole (RTBH) IP address announcements. The standard scripts may also work with other routers that support Flowspec.
Depending on the type of attack seen, the script may include Destination IP, Destination Port, Protocol, Fragment and/or ICMP Type/Code. The full list of supported RFC 5575 components is detailed in the table below.
Before you begin:
- You must have Read-Write permission for Log & Report.
To create a Flowspec script:
- Go to Log & Report > Flowspec Settings.
- Select the FortiDDoS device from the top-right device selection button.
- Complete the configuration as described in the table below.
- Save the configuration. The Report Status field displays the date and time this or the last script was generated.
Note: You must save the current settings before you download the script. Downloading without saving will download the previous script, which remains in memory until it is replaced.
- Click Download under Report Status to save the generated script to the device.
To use the generated Flowspec script:
- The script can be cut and pasted directly into the CLI of the edge/peering router to create a Flowspec ACL.
- You choose whether the traffic filtering action is rate-limit, redirect, or another action supported by the router.
Flowspec configuration settings
Settings | Guidelines |
---|---|
Generate | Enable to allow script generation. |
Destination | Select the protected Destination IP address from the drop-down. |
Dropcount Threshold | Many large attacks are multi-vector. Since FortiDDoS sees even single-drop events, selecting a Destination IP address and creating a script for the last hour’s attacks could result in very long and confusing scripts. The Dropcount Threshold limits script creation to only those attacks that exceed the entered Threshold. This Threshold should be set to a reasonably high number so you are generating scripts that make sense to use on the edge router – generally attacks that are exceeding the rate limits of the Internet links where FortiDDoS is mitigating. A reasonable Dropcount Threshold is 1,000,000. The Dropcount Threshold value is in the range 1-1000000000. The default value is 10. |
Vendor | Select the router vendor the script is generated for: Cisco or Juniper. |
Report Status | Status of the Flowspec script. |
Flowspec components (RFC 5575) and their availability in generated scripts
RFC 5575 | Juniper | Available |
---|---|---|
Type 1 | Destination prefix | Yes |
 | Destination prefix-offset | No |
Type 2 | Source prefix | Yes |
 | Source prefix-offset | No |
Type 3 | Protocol number | Yes |
Type 5 | Destination-port | Yes |
Type 6 | Source-port | No |
Type 7 | ICMP-v4/v6-code | Yes |
Type 8 | ICMP-v4/v6-type | Yes |
Type 9 | TCP Flags | Yes |
Type 10 | Packet-length | Yes |
Type 11 | DSCP | No |
Type 12 | Fragment type: dont-fragment | No |
 | first-fragment | No |
 | is-fragment | Yes |
 | last-fragment | No |
 | not-a-fragment | Not Explicit |
Sample exported scripts (one class-map or flow route per blocked source, all for the protected destination 28.0.1.200):

Cisco:

```
configure
class-map type traffic match-all block-28.0.1.200-1
 match source-address 28.0.0.6/32
 match destination-address 28.0.1.200/32
 end-class-map
configure
class-map type traffic match-all block-28.0.1.200-2
 match source-address 28.0.0.7/32
 match destination-address 28.0.1.200/32
 end-class-map
configure
class-map type traffic match-all block-28.0.1.200-3
 match source-address 28.0.0.9/32
 match destination-address 28.0.1.200/32
 end-class-map
```

Juniper:

```
flow {
    term-order standard;
    route block-28.0.1.200-1 {
        match {
            match source-address 28.0.0.6/32;
            match destination-address 28.0.1.200/32;
        }
        then discard;
    }
}
flow {
    term-order standard;
    route block-28.0.1.200-2 {
        match {
            match source-address 28.0.0.7/32;
            match destination-address 28.0.1.200/32;
        }
        then discard;
    }
}
flow {
    term-order standard;
    route block-28.0.1.200-3 {
        match {
            match source-address 28.0.0.9/32;
            match destination-address 28.0.1.200/32;
        }
        then discard;
    }
}
```
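The following Python script is an added example, not FortiDDoS code, that puts the two ideas on this page together: it applies a Dropcount Threshold to per-attack drop counters for one protected destination, and then renders the surviving attacks as Cisco- or Juniper-style Flowspec blocks in the shape of the samples above, emitting only the RFC 5575 components marked "Yes" in the availability table and reporting the ones it had to leave out. The `DropRecord` fields, the constructed sample records, and every match keyword other than `source-address`/`destination-address` (which come from the samples) are assumptions made for the illustration; check them against your router's syntax before use.

```python
"""Threshold-filter attack records and render Flowspec-style scripts.

Added example, not FortiDDoS code. Record format, sample data and the
match keywords beyond source-address/destination-address are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Components the script can carry, per the availability table on the page:
# field name -> (RFC 5575 type, Cisco keyword, Junos keyword).
# Insertion order is the order lines are emitted (source before destination,
# as in the sample scripts). Keywords other than *-address are assumptions.
COMPONENTS = {
    "source":           (2,  "source-address",      "source-address"),
    "destination":      (1,  "destination-address", "destination-address"),
    "protocol":         (3,  "protocol",            "protocol"),
    "destination_port": (5,  "destination-port",    "destination-port"),
    "icmp_code":        (7,  "icmp-code",           "icmp-code"),
    "icmp_type":        (8,  "icmp-type",           "icmp-type"),
    "packet_length":    (10, "packet-length",       "packet-length"),
}
# Components marked "No" in the table: present in the data, never exported.
NOT_EXPORTED = {"source_port": 6, "dscp": 11}


@dataclass(frozen=True)
class DropRecord:
    """One attack vector seen by the mitigator (assumed shape)."""
    destination: str                 # protected destination prefix
    drops: int                       # packets dropped for this vector
    source: Optional[str] = None
    protocol: Optional[int] = None
    destination_port: Optional[int] = None
    source_port: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    packet_length: Optional[int] = None
    dscp: Optional[int] = None
    is_fragment: bool = False        # only type 12 value marked "Yes"


def select_attacks(records: List[DropRecord], destination: str,
                   threshold: int) -> List[DropRecord]:
    """Keep records for `destination` whose drop count exceeds `threshold`.

    The threshold range mirrors the Dropcount Threshold field (1-1000000000).
    """
    if not 1 <= threshold <= 1_000_000_000:
        raise ValueError("threshold must be in 1..1000000000")
    return [r for r in records
            if r.destination == destination and r.drops > threshold]


def _match_lines(rec: DropRecord, vendor: str) -> List[str]:
    """Build 'match <keyword> <value>' lines for exportable components only."""
    lines = []
    for field_name, (_, cisco_kw, junos_kw) in COMPONENTS.items():
        value = getattr(rec, field_name)
        if value is None:
            continue
        lines.append(f"match {cisco_kw if vendor == 'cisco' else junos_kw} {value}")
    if rec.is_fragment:
        lines.append("match fragment-type is-fragment")  # keyword is an assumption
    return lines


def render_script(attacks: List[DropRecord], destination: str, vendor: str) -> str:
    """Render one block per attack, named block-<dest>-<n> like the page's samples."""
    base = f"block-{destination.split('/')[0]}"
    blocks = []
    for i, rec in enumerate(attacks, 1):
        name, matches = f"{base}-{i}", _match_lines(rec, vendor)
        if vendor == "cisco":
            blocks.append("\n".join(
                ["configure", f"class-map type traffic match-all {name}"]
                + [" " + m for m in matches] + [" end-class-map"]))
        elif vendor == "juniper":
            blocks.append("\n".join(
                ["flow {", "    term-order standard;", f"    route {name} {{", "        match {"]
                + ["            " + m + ";" for m in matches]
                + ["        }", "        then discard;", "    }", "}"]))
        else:
            raise ValueError(f"unsupported vendor: {vendor}")
    return "\n".join(blocks)


def dropped_components(attacks: List[DropRecord]) -> List[Tuple[str, int]]:
    """List (field, RFC type) pairs present in the data that the script cannot express."""
    found = {(name, rfc_type) for rec in attacks
             for name, rfc_type in NOT_EXPORTED.items()
             if getattr(rec, name) is not None}
    return sorted(found)


# Constructed sample data: three real attack vectors, one noise event below the
# threshold, one attack against a different protected destination.
SAMPLE_RECORDS = [
    DropRecord("28.0.1.200/32", drops=5_400_000, source="28.0.0.6/32"),
    DropRecord("28.0.1.200/32", drops=3_100_000, source="28.0.0.7/32",
               protocol=17, destination_port=53),
    DropRecord("28.0.1.200/32", drops=250, source="28.0.0.8/32"),
    DropRecord("28.0.1.200/32", drops=2_000_000, source="28.0.0.9/32", source_port=123),
    DropRecord("28.0.1.201/32", drops=9_000_000, source="28.0.0.10/32"),
]

if __name__ == "__main__":
    chosen = select_attacks(SAMPLE_RECORDS, "28.0.1.200/32", 1_000_000)
    print(render_script(chosen, "28.0.1.200/32", "cisco"))
    print(render_script(chosen, "28.0.1.200/32", "juniper"))
    print("not exportable:", dropped_components(chosen))
```

With the 1,000,000 threshold the page recommends, the 250-drop event and the attack on the other destination are left out, so the script stays short enough to be reviewed before it is pasted into the router; the source-port condition on the third attack is silently absent from the output, which is exactly the kind of gap `dropped_components` is there to surface.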