Traffic Enforcement Configuration
=================================

Once the application is up and running, it is time to configure it to enable traffic mitigation. This means creating virtual scrubbers (objects containing protection policies based on target); each virtual scrubber inspects the traffic matching one or more destination subnets. Each virtual scrubber, identified by a target ID, has its own traffic enforcement profiles that can be configured, changed and inspected at runtime using the API.

This section provides some basic knowledge for configuring the engine using the REST API. Please refer to the API documentation for the full API specifications.

Note that although this section covers the configuration using the REST API, a few command line tools (see Appendix A) are also available to ease the configuration, including:

- *nscrub-cli*, implementing a console with autocompletion that exposes all the functionalities implemented by the REST API.
- *nscrub-add*, a wizard tool for creating new victims with a basic configuration (further customisations are usually needed using nscrub-cli or the API).
- *nscrub-export*, a tool for dumping the current configuration for a specific victim.

Default credentials for configuring nscrub:

+-----------------+-----------+
| Username        | admin     |
+-----------------+-----------+
| Password        | admin     |
+-----------------+-----------+
| HTTP port       | 8880      |
+-----------------+-----------+
| HTTPs port      | 4443      |
+-----------------+-----------+
| Socket binding  | localhost |
+-----------------+-----------+

.. note:: nScrub listens on localhost by default; configure a different address (-G option) to use the REST API from a remote machine.

If you lost the admin password, you can reset it following the instructions below:

1. shutdown nscrub
2. run "redis-cli del nscrub.user.admin.password"
3. restart nscrub

Victims definition
------------------

Victims can be dynamically added, removed and configured at runtime.

This section shows some examples of the most common runtime settings, focusing on the REST API. The sections below describe all the available API calls to configure the engine using both the CLI and the REST API.

Read active victims:

.. code-block:: console

   curl -u : "http://:/targets?action=list"

or do the same using the command line tool:

.. code-block:: console

   nscrub-cli localhost:8880> list targets

Add a new victim:

.. code-block:: console

   curl -u : "http://:/targets?action=add&target_id=&subnet="

Each victim is bound to a few profiles: default, black, white, gray. The default profile applies to all unknown sources, while the other profiles apply to the corresponding lists of source IPs (attackers). In essence black, white and gray are just placeholders for defining different traffic enforcement policies based on the source IP "colour". The white profile is special: source IPs recognised as real and legitimate are automatically added to this list.

.. note:: This section provides only a few examples of victim configuration; for the full settings please refer to the API documentation.

It is common practice to set the "drop all" policy on the black profile:

.. code-block:: console

   curl -u : "http://:/profile/all/drop?target_id=&profile=black&action=enable"

It is also common practice to set the "accept all" policy on the white profile:

.. code-block:: console

   curl -u : "http://:/profile/all/accept?target_id=&profile=white&action=enable"

The gray profile is usually used for applying special policies to "special" IPs. For instance, it is common practice to set the "default" policy to "drop" and then add more specific policies to let specific traffic types through.

.. code-block:: console

   curl -u : "http://:/profile/default?target_id=&profile=gray&action=update&value=drop"

The default profile is where the real traffic enforcement policies go, for checking unknown traffic.
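The victim baseline walked through in this section (target creation, the black, white and gray placeholders, and the default-profile policies that follow), as an added example that is not part of the nScrub documentation or tooling. It assumes the endpoints and parameters shown here, the default admin:admin credentials on localhost:8880, and that each endpoint answers HTTP 200 on success; the response body format is not documented on this page, so it is returned raw.

```python
"""Apply and verify a baseline victim configuration via the nScrub REST API.

Added example, not nScrub code. Endpoints and parameters are the ones shown
in this section; the response body format is not documented here, so the
raw text is handed back for the operator to inspect.
"""
import base64
import urllib.parse
import urllib.request
from typing import Dict, List, Tuple

Call = Tuple[str, Dict[str, str]]  # (API path, query parameters)

PROFILES = ("black", "white", "gray", "default")


def victim_baseline(target_id: str, subnet: str) -> List[Call]:
    """Ordered API calls reproducing the baseline described in this section.

    The target is created first, then the black/white placeholders, then the
    gray and default profiles get a drop default with per-protocol exceptions.
    """
    def prof(profile: str, **kw: str) -> Dict[str, str]:
        return {"target_id": target_id, "profile": profile, **kw}

    return [
        # create the victim (virtual scrubber) for the destination subnet
        ("/targets", {"action": "add", "target_id": target_id, "subnet": subnet}),
        # black list: drop everything; white list: accept everything
        ("/profile/all/drop", prof("black", action="enable")),
        ("/profile/all/accept", prof("white", action="enable")),
        # gray and default: drop by default, then let specific traffic through
        ("/profile/default", prof("gray", action="update", value="drop")),
        ("/profile/default", prof("default", action="update", value="drop")),
        ("/profile/icmp/accept", prof("default", action="enable")),
        ("/profile/udp/drop", prof("default", action="enable")),
        ("/profile/udp/src/53/accept", prof("default", action="enable")),  # DNS
        ("/profile/tcp/syn/check_method", prof("default", action="update", value="rfc")),
    ]


def build_url(base: str, path: str, params: Dict[str, str]) -> str:
    """Build the request URL.

    urlencode does the escaping that the shell '\\&' in the curl examples does
    by hand; '/' is kept literal so CIDR subnets stay as written (10.10.11.1/32).
    """
    query = urllib.parse.urlencode(params, safe="/")
    return f"{base.rstrip('/')}{path}?{query}"


def readback_params(params: Dict[str, str]) -> Dict[str, str]:
    """Same call without action/value reads the current setting back."""
    return {k: v for k, v in params.items() if k not in ("action", "value")}


class NscrubClient:
    """Minimal HTTP Basic-auth client for the endpoints used above."""

    def __init__(self, base: str = "http://localhost:8880", user: str = "admin",
                 password: str = "admin", timeout: float = 5.0):
        self.base = base
        self.timeout = timeout
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}"}

    def get(self, path: str, params: Dict[str, str]) -> Tuple[int, str]:
        # urlopen raises urllib.error.HTTPError itself on 4xx/5xx answers
        req = urllib.request.Request(build_url(self.base, path, params),
                                     headers=self.headers)
        with urllib.request.urlopen(req, timeout=self.timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")

    def apply(self, calls: List[Call]) -> List[Tuple[str, str]]:
        """Issue every call in order, stop at the first failure, and read each
        profile setting back so the operator can confirm it actually took."""
        verified: List[Tuple[str, str]] = []
        for path, params in calls:
            status, body = self.get(path, params)
            if status != 200:
                raise RuntimeError(f"{path} failed with HTTP {status}: {body!r}")
            if path.startswith("/profile/"):
                _, current = self.get(path, readback_params(params))
                verified.append((path, current))
        return verified


if __name__ == "__main__":
    # constructed values: the target id and subnet used in the examples below
    calls = victim_baseline("SCRBR1", "10.10.11.1/32")
    for path, current in NscrubClient().apply(calls):
        print(f"{path}: {current.strip()}")
```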
For instance, it is also common practice to set the default policy to drop:

.. code-block:: console

   curl -u : "http://:/profile/default?target_id=&profile=default&action=update&value=drop"

Accept ICMP:

.. code-block:: console

   curl -u : "http://:/profile/icmp/accept?target_id=&profile=default&action=enable"

Drop UDP:

.. code-block:: console

   curl -u : "http://:/profile/udp/drop?target_id=&profile=default&action=enable"

Accept UDP port 53 (DNS):

.. code-block:: console

   curl -u : "http://:/profile/udp/src/53/accept?target_id=&profile=default&action=enable"

Check TCP traffic:

.. code-block:: console

   curl -u : "http://:/profile/tcp/syn/check_method?target_id=&profile=default&action=update&value=rfc"

It is also possible to set a rate limiter (in this example per source) to put a threshold on the traffic rate:

.. code-block:: console

   curl -u : "http://:/profile/rate?target_id=&profile={black, white, gray, default}[&action=update&value=]"

Many more policies are available; please refer to the full API documentation.

Note that all the settings can also be read back by omitting the action (and value) parameter.

In order to temporarily disable traffic checks, it is possible to put the system in bypass state, either globally:

.. code-block:: console

   curl -u : "http://:/bypass?[action={enable, disable}]"

or per victim:

.. code-block:: console

   curl -u : "http://:/profile/bypass?target_id=&profile=default[&action={enable, disable}]"

Global Settings
---------------

Application version, configuration and status
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*CLI*

.. code-block:: console

   > status

*REST*

.. code-block:: console

   curl -u : http://:/status

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/

Stats
~~~~~

*CLI*

.. code-block:: console

   > stats

*REST*

.. code-block:: console

   curl -u : http://:/stats

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/stats

Configure system name
~~~~~~~~~~~~~~~~~~~~~

*CLI*

.. code-block:: console

   > hostname [NAME]

*REST*

.. code-block:: console

   curl -u : http://:/hostname?[action=update\&value=]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/hostname

Configure system description
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*CLI*

.. code-block:: console

   > desc [DESCRIPTION]

*REST*

.. code-block:: console

   curl -u : http://:/desc?[action=update\&value=]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/desc

Configure global bypass
~~~~~~~~~~~~~~~~~~~~~~~

Hardware bypass is used when available. Note: this is a full bypass; it does not handle routing (when enabled).

*CLI*

.. code-block:: console

   > bypass [enable|disable]

*REST*

.. code-block:: console

   curl -u : http://:/bypass?[action={enable, disable}]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/bypass

.. code-block:: console

   curl -u admin:admin http://localhost:8880/bypass?action=enable

.. code-block:: console

   curl -u admin:admin http://localhost:8880/bypass?action=disable

Read the neighbor table
~~~~~~~~~~~~~~~~~~~~~~~

Read the ARP table. Note that nScrub automatically learns neighbors by reading the system ARP table, thus you can manage neighbors using the standard arp commands.

Example of manually adding an entry:

.. code-block:: console

   $ arp -i eth1 -s 192.168.1.85 00:b1:ac:50:17:00

Example of manually deleting an entry:

.. code-block:: console

   $ arp -d 192.168.1.85

*CLI*

.. code-block:: console

   > neigh

*REST*

.. code-block:: console

   curl -u : http://:/neigh?action=list

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/neigh?action=list

Set WAN/LAN IP
~~~~~~~~~~~~~~

Set the IP address for the WAN or LAN interfaces (changes are applied on nscrub restart).

*CLI*

.. code-block:: console

   > ip
   > ip WAN|LAN set IP

*REST*

.. code-block:: console

   curl -u : http://:/ip?action=update&interface={WAN, LAN}&value=

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/ip

.. code-block:: console

   curl -u admin:admin http://localhost:8880/ip?action=update\&interface=WAN\&value=10.10.10.1

Read the routing table
~~~~~~~~~~~~~~~~~~~~~~

Routing mode only.

*CLI*

.. code-block:: console

   > route

*REST*

.. code-block:: console

   curl -u : http://:/route?action=list

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/route?action=list

Update the routing table
~~~~~~~~~~~~~~~~~~~~~~~~

Routing mode only.

*CLI*

.. code-block:: console

   > route add SUBNET gw IP
   > route del SUBNET

*REST*

.. code-block:: console

   curl -u : http://:/route?[action={add, del}\&destination=[\&gw=]]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/route

.. code-block:: console

   curl -u admin:admin http://localhost:8880/route?action=add\&destination=default\&gw=192.168.1.1

.. code-block:: console

   curl -u admin:admin http://localhost:8880/route?action=add\&destination=10.10.10.0/24\&gw=10.10.10.1

.. code-block:: console

   curl -u admin:admin http://localhost:8880/route?action=del\&destination=10.10.10.0/24

Configure VLAN reforging
~~~~~~~~~~~~~~~~~~~~~~~~

This is used to map an ingress VLAN to an egress VLAN. Note: to remove a mapping set Src-ID = Dest-ID.

*CLI*

.. code-block:: console

   > vlan id SRC-VLAN-ID reforge [DST-VLAN-ID]

*REST*

.. code-block:: console

   curl -u : http://:/vlan/id//reforge?[action=update\&value=]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/vlan/id/2/reforge

.. code-block:: console

   curl -u admin:admin http://localhost:8880/vlan/id/2/reforge?action=update\&value=3

Read the VLAN reforging list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*CLI*

.. code-block:: console

   > vlan

*REST*

.. code-block:: console

   curl -u : http://:/vlan/id?action=list

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/vlan/id?action=list

Configure traffic mirroring
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Define how traffic is sent to the auxiliary queues.

*CLI*

.. code-block:: console

   > mirror ID
   > mirror ID type [forwarded|discarded|all]
   > mirror ID sampling [RATE]

*REST*

.. code-block:: console

   curl -u : http://:/mirror//type[?action=update\&value={forwarded, discarded, all}]

.. code-block:: console

   curl -u : http://:/mirror//sampling[?action=update\&value=]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/mirror/0/type?action=update\&value=all

.. code-block:: console

   curl -u admin:admin http://localhost:8880/mirror/0/sampling?action=update\&value=1

Configure the runtime debug level
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*CLI*

.. code-block:: console

   > debug [LEVEL]

*REST*

.. code-block:: console

   curl -u : http://:/debug[?action=update\&value=]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/debug

.. code-block:: console

   curl -u admin:admin http://localhost:8880/debug?action=update\&value=2

Configure peer (MAC) policy
~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is usually not needed unless you want to blacklist a peer.

*CLI*

.. code-block:: console

   > peer
   > peer add MAC policy pass|drop
   > peer del MAC

*REST*

.. code-block:: console

   curl -u : http://:/peers?action={add,del,list}[\&address=[\&value={pass, drop}]]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/peers?action=list

.. code-block:: console

   curl -u admin:admin http://localhost:8880/peers?action=add\&address=00:11:22:33:44:55\&policy=drop

.. code-block:: console

   curl -u admin:admin http://localhost:8880/peers?action=del\&address=00:11:22:33:44:55

Targets Management
------------------

Read targets list
~~~~~~~~~~~~~~~~~

*CLI*

.. code-block:: console

   > list targets

*REST*

.. code-block:: console

   curl -u : http://:/targets?action=list

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/targets?action=list

Add/del subnets from targets
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If the target does not exist, it creates a new target.

*CLI*

.. code-block:: console

   > add target ID SUBNET
   > del target ID SUBNET

*REST*

.. code-block:: console

   curl -u : http://:/targets?action={add, del}\&target_id=\&subnet=

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/targets?action=add\&target_id=SCRBR1\&subnet=10.10.11.1/32

.. code-block:: console

   curl -u admin:admin http://localhost:8880/targets?action=del\&target_id=SCRBR1\&subnet=10.10.11.1/32

Delete a target by name
~~~~~~~~~~~~~~~~~~~~~~~

Delete a target and its configuration. Use * for all targets.

*CLI*

.. code-block:: console

   > purge target ID|*

*REST*

.. code-block:: console

   curl -u : http://:/targets?action=target_del\&target_id={,*}

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/targets?action=target_del\&target_id=SCRBR1

Set a description for the target
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*CLI*

.. code-block:: console

   > target ID desc [DESCRIPTION]

*REST*

.. code-block:: console

   curl -u : http://:/targets/desc?target_id=[\&action=update\&value=]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/targets/desc?target_id=SCRBR1

Configure VLAN reforging for traffic towards the target
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This can be used as an alternative to the global mapping /vlan/id/{Src-ID}/reforge. Note: to disable reforging set Dest-ID = 0.

*CLI*

.. code-block:: console

   > target ID vlan reforge [DST-VLAN-ID]

*REST*

.. code-block:: console

   curl -u : http://:/targets/vlan/reforge?target_id=[\&action=update\&value=]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/targets/vlan/reforge?target_id=SCRBR1

.. code-block:: console

   curl -u admin:admin http://localhost:8880/targets/vlan/reforge?target_id=SCRBR1\&action=update\&value=16

Configure target type
~~~~~~~~~~~~~~~~~~~~~

Target types (Web server, Game server, DNS server, ISP clients, etc.) are used to give hints to the engine and optimise the protection algorithms.

*CLI*

.. code-block:: console

   > target ID type [web|dns|game|isp]

*REST*

.. code-block:: console

   curl -u : http://:/targets/type?target_id=[\&action=update\&value={web,dns,game,isp}]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/targets/type?target_id=SCRBR1

.. code-block:: console

   curl -u admin:admin http://localhost:8880/targets/type?target_id=SCRBR1\&action=update\&value=web

Read target stats
~~~~~~~~~~~~~~~~~

Read (inbound traffic only) stats for a target. Note: this accepts a regexp (e.g. 'webserver_[0-9]*') as target id.

*CLI*

.. code-block:: console

   > target ID stats

*REST*

.. code-block:: console

   curl -u : http://:/targets/stats?target_id=

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/targets/stats?target_id=SCRBR1

Attackers Management
--------------------

Read attackers
~~~~~~~~~~~~~~

Read the attackers for a specific target, specifying the list name and filtering by profile.

Note:

- profile=* means all the attackers; profile=white/black/gray selects the IPs matching a profile
- list=* means all the lists
- up to 100 items are returned by default, or limit if provided; the offset parameter can be used to handle pagination

*CLI*

.. code-block:: console

   > target ID attackers show LISTNAME|* white|gray|black|*

*REST*

.. code-block:: console

   curl -u : http://:/attackers?target_id=\&action=list\&profile={black, white, gray, *}\&list={, *}[\&offset=][\&limit=]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/attackers?target_id=SCRBR1\&action=list\&profile=*\&list=Test

.. code-block:: console

   curl -u admin:admin http://localhost:8880/attackers?target_id=SCRBR1\&action=list\&profile=*\&list=*\&offset=0\&limit=500

Add/Delete attackers
~~~~~~~~~~~~~~~~~~~~

Add/del items from an attacker list (optionally you can specify a lifetime when adding attackers to the dynamic list; in this case attackers are not persistent across application restarts).

*CLI*

.. code-block:: console

   > target ID attackers add LISTNAME SUBNET white|gray|black [SEC]
   > target ID attackers del LISTNAME SUBNET

*REST*

.. code-block:: console

   curl -u : http://:/attackers?target_id=\&action={add, del}\&list=\&subnet=[\&profile={black, white, gray}][\&lifetime=]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/attackers?target_id=SCRBR1\&action=add\&list=Test\&subnet=10.10.11.1/32\&profile=black

.. code-block:: console

   curl -u admin:admin http://localhost:8880/attackers?target_id=SCRBR1\&action=del\&list=Test\&subnet=10.10.11.1/32

Delete an attacker list
~~~~~~~~~~~~~~~~~~~~~~~

*CLI*

.. code-block:: console

   >

*REST*

.. code-block:: console

   curl -u : http://:/attackers?target_id=\&action=list_del\&list=

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/attackers?target_id=SCRBR1\&action=list_del\&list=Test

Purge all attackers
~~~~~~~~~~~~~~~~~~~

This also deletes all lists.

*CLI*

.. code-block:: console

   > target ID attackers purge all

*REST*

.. code-block:: console

   curl -u : http://:/attackers?target_id=\&action=purge

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/attackers?target_id=SCRBR1\&action=purge

List all attackers list
~~~~~~~~~~~~~~~~~~~~~~~

List all attackers lists for a target (this also returns the number of entries in each list).

*CLI*

.. code-block:: console

   > target ID attackers showlists

*REST*

.. code-block:: console

   curl -u : http://:/attackers?target_id=\&action=list_ls

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/attackers?target_id=SCRBR1\&action=list_ls

Search attackers
~~~~~~~~~~~~~~~~

Search for an attacker in a specific list (by name), all lists (using '*'), all configured lists (using 'static') or all dynamically whitelisted/blacklisted IPs (using 'dynamic'). Returns the list names where the subnet is defined.

*CLI*

.. code-block:: console

   > target ID attackers search LISTNAME|dynamic|* white|gray|black|* SUBNET

*REST*

.. code-block:: console

   curl -u : http://:/attackers?target_id=\&action=search\&list={, dynamic, static, *}\&profile={black, white, gray, *}\&subnet=

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/attackers?target_id=SCRBR1\&action=search\&list=*\&profile=*\&subnet=10.10.11.1/32

.. code-block:: console

   curl -u admin:admin http://localhost:8880/attackers?target_id=SCRBR1\&action=search\&list=dynamic\&profile=*\&subnet=10.10.11.1/32

Read dynamic list
~~~~~~~~~~~~~~~~~

This will also include subnets in static lists.

*CLI*

.. code-block:: console

   > target ID attackers show dynamic white|gray|black|*

*REST*

.. code-block:: console

   curl -u : http://:/attackers?target_id=\&action=list\&profile={black, white, gray}\&list=dynamic

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/attackers?target_id=SCRBR1\&action=list\&profile=white\&list=dynamic

Purge dynamic list
~~~~~~~~~~~~~~~~~~

*CLI*

.. code-block:: console

   > target ID attackers purge dynamic

*REST*

.. code-block:: console

   curl -u : http://:/attackers/dynamic?target_id=\&action=purge

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/attackers/dynamic?target_id=SCRBR1\&action=purge

Configure dynamic list autopurging
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Automatically remove dynamically whitelisted IPs on idle timeout.

*CLI*

.. code-block:: console

   > target ID attackers dynamic autopurging [enable|disable]

*REST*

.. code-block:: console

   curl -u : http://:/attackers/dynamic/autopurging?target_id=[\&action={enable, disable}]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/attackers/dynamic/autopurging?target_id=SCRBR1

.. code-block:: console

   curl -u admin:admin http://localhost:8880/attackers/dynamic/autopurging?target_id=SCRBR1\&action=enable

Configure dynamic list expiration for autopurging
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is the idle timeout for IPs which are automatically whitelisted or blacklisted by the engine.

*CLI*

.. code-block:: console

   > target ID attackers dynamic expiration [SEC]

*REST*

.. code-block:: console

   curl -u : http://:/attackers/dynamic/expiration?target_id=[\&action=update\&value=]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/attackers/dynamic/expiration?target_id=SCRBR1

.. code-block:: console

   curl -u admin:admin http://localhost:8880/attackers/dynamic/expiration?target_id=SCRBR1\&action=update\&value=3600

Batch add/delete attackers
~~~~~~~~~~~~~~~~~~~~~~~~~~

Add/del multiple items to/from an attacker list in a single call (JSON array via POST).

Note: the add-fast action updates the datapath faster (less impact on traffic), however it flushes all dynamically-added IPs and does not handle duplicate items across lists.

*CLI*

.. code-block:: console

   > target ID attackers load LISTNAME FILEPATH white|gray|black [SEC]

*REST*

Example:

.. code-block:: console

   curl -u admin:admin -X POST http://localhost:8880/attackers?target_id=SCRBR1\&action={add, add-fast}\&list=Test\&profile=black -d '["1.1.1.1/32","2.2.2.2/32"]'

.. code-block:: console

   curl -u admin:admin -X POST http://localhost:8880/attackers?target_id=SCRBR1\&action=del\&list=Test -d '["1.1.1.1/32","2.2.2.2/32"]'

Targets Profiles Configuration
------------------------------

Configure bypass
~~~~~~~~~~~~~~~~

This can be set on the 'default' profile only and overrides all more specific profiles.

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default bypass [enable|disable]

*REST*

.. code-block:: console

   curl -u : http://:/profile/bypass?target_id=\&profile=default[\&action={enable, disable}]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/bypass?target_id=SCRBR1\&profile=default

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/bypass?target_id=SCRBR1\&profile=default\&action=disable

Configure default action
~~~~~~~~~~~~~~~~~~~~~~~~

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default default [drop|pass]

*REST*

.. code-block:: console

   curl -u : http://:/profile/default?target_id=\&profile={black, white, gray, default}[\&action=update\&value={pass, drop}]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/default?target_id=SCRBR1\&profile=default

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/default?target_id=SCRBR1\&profile=default\&action=update\&value=drop

Rate limiting per source/dest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Configure per-source (attacker) or per-dest (victim) rate limiting (pkts/s).

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default rate src [PPS]
   > target ID profile white|gray|black|default rate dst [PPS]

*REST*

.. code-block:: console

   curl -u : http://:/profile/rate/{src, dst}?target_id=\&profile={black, white, gray, default}[\&action=update\&value=]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/rate/src?target_id=SCRBR1\&profile=default

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/rate/src?target_id=SCRBR1\&profile=default\&action=update\&value=100

Configure all traffic drop/accept
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default all drop [enable|disable]
   > target ID profile white|gray|black|default all accept [enable|disable]

*REST*

.. code-block:: console

   curl -u : http://:/profile/all/{accept, drop}?target_id=\&profile={black, white, gray, default}[\&action={enable, disable}]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/all/drop?target_id=SCRBR1\&profile=black

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/all/drop?target_id=SCRBR1\&profile=black\&action=enable

Read UDP/TCP/ICMP policies
~~~~~~~~~~~~~~~~~~~~~~~~~~

Read a summary of the configured policies for each protocol.

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default [ip|udp|tcp|icmp|dns]

*REST*

.. code-block:: console

   curl -u : http://:/profile/{udp, tcp, icmp}?target_id=\&profile={black, white, gray, default}

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/udp?target_id=SCRBR1\&profile=default

Configure UDP/TCP/ICMP drop/accept
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This applies to all ports/types.

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default [udp|tcp|icmp]
   > target ID profile white|gray|black|default [udp|tcp|icmp] drop [enable|disable]
   > target ID profile white|gray|black|default [udp|tcp|icmp] accept [enable|disable]

*REST*

.. code-block:: console

   curl -u : http://:/profile/{udp, tcp, icmp}/{accept, drop}?target_id=\&profile={black, white, gray, default}[\&action={enable, disable}]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/udp/drop?target_id=SCRBR1\&profile=default\&action=enable

Configure GRE Signaling drop/accept
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This works only when decapsulation is enabled.

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default gre
   > target ID profile white|gray|black|default gre drop [enable|disable]
   > target ID profile white|gray|black|default gre accept [enable|disable]

*REST*

.. code-block:: console

   curl -u : http://:/profile/gre/{accept, drop}?target_id=\&profile={black, white, gray, default}[\&action={enable, disable}]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/gre/accept?target_id=SCRBR1\&profile=default\&action=enable

Configure SYN check engage mode
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

enable forces the check always on; disable turns the TCP check off in any condition; threshold enables the TCP check when the traffic threshold is exceeded; auto enables the TCP check when an attack is automatically detected or the threshold is exceeded.

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default tcp syn check [disable|threshold|auto|enable]

*REST*

.. code-block:: console

   curl -u : http://:/profile/tcp/syn/check?target_id=\&profile={black, white, gray, default}[\&action=update\&value={disable, threshold, auto, enable}]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/tcp/syn/check?target_id=SCRBR1\&profile=default

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/tcp/syn/check?target_id=SCRBR1\&profile=default\&action=update\&value=auto

Configure TCP traffic threshold
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Set the maximum expected TCP traffic rate to feed the detection algorithm (Mbit/s).

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default tcp threshold [MBITPS]

*REST*

.. code-block:: console

   curl -u : http://:/profile/tcp/threshold?target_id=\&profile={black, white, gray, default}[\&action=update\&value=]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/tcp/threshold?target_id=SCRBR1\&profile=default\&action=update\&value=1000

Configure SYN check method
~~~~~~~~~~~~~~~~~~~~~~~~~~

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default tcp syn check_method [rfc|proxy|disable]

*REST*

.. code-block:: console

   curl -u : http://:/profile/tcp/syn/check_method?target_id=\&profile={black, white, gray, default}[\&action=update\&value={rfc, proxy, bypass}]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/tcp/syn/check_method?target_id=SCRBR1\&profile=default

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/tcp/syn/check_method?target_id=SCRBR1\&profile=default\&action=update\&value=rfc

Configure SYN RFC check method threshold
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Maximum expected new TCP connections per second to feed the mitigation algorithm (syn/s).

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default tcp syn rfc threshold [PPS]

*REST*

.. code-block:: console

   curl -u : http://:/profile/tcp/syn/rfc/threshold?target_id=\&profile={black, white, gray, default}[\&action=update\&value=]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/tcp/syn/rfc/threshold?target_id=SCRBR1\&profile=default

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/tcp/syn/rfc/threshold?target_id=SCRBR1\&profile=default\&action=update\&value=100

Enable whitelisting of sessions only
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Enable session whitelisting instead of IP whitelisting on traffic verified by the TCP check.

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default tcp syn wl_session_only [enable|disable]

*REST*

.. code-block:: console

   curl -u : http://:/profile/tcp/syn/wl_session_only?target_id=\&profile={black, white, gray, default}[\&action={enable, disable}]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/tcp/syn/wl_session_only?target_id=SCRBR1\&profile=default\&action=enable

Auto-engage whitelisting of sessions only
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Configure whitelisting of sessions only (instead of IPs) on traffic verified by the TCP check to automatically engage on a threshold. The maximum number of whitelisted IPs that triggers it must be specified. The /tcp/syn/wl_session_only option is ignored when using this.

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default tcp syn wl_threshold [NUM]

*REST*

.. code-block:: console

   curl -u : http://:/profile/tcp/syn/wl_threshold?target_id=\&profile={black, white, gray, default}[\&action=update\&value=]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/tcp/syn/wl_threshold?target_id=SCRBR1\&profile=default\&action=update\&value=10000

Configure SYN rate limiting
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Limit per source or dest (pkts/s).

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default tcp syn rate src [PPS]
   > target ID profile white|gray|black|default tcp syn rate dst [PPS]

*REST*

.. code-block:: console

   curl -u : http://:/profile/tcp/syn/rate/{src, dst}?target_id=\&profile={black, white, gray, default}[\&action=update\&value=]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/tcp/syn/rate/src?target_id=SCRBR1\&profile=default

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/tcp/syn/rate/src?target_id=SCRBR1\&profile=default\&action=update\&value=20

Configure Auto-Blacklist
~~~~~~~~~~~~~~~~~~~~~~~~

Blacklist, for some time, sources exceeding the SYN rate or not passing the TCP check. It is recommended to also enable /attackers/autopurging.

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default tcp syn auto_blacklist [enable|disable]

*REST*

.. code-block:: console

   curl -u : http://:/profile/tcp/syn/auto_blacklist?target_id=\&profile={black, white, gray, default}[\&action={enable, disable}]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/tcp/syn/auto_blacklist?target_id=SCRBR1\&profile=default\&action=enable

Configure SYN-ACK rate limiting
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Limit per source or dest (pkts/s).

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default tcp synack rate src [PPS]
   > target ID profile white|gray|black|default tcp synack rate dst [PPS]

*REST*

.. code-block:: console

   curl -u : http://:/profile/tcp/synack/rate/{src, dst}?target_id=\&profile={black, white, gray, default}[\&action=update\&value=]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/tcp/synack/rate/src?target_id=SCRBR1\&profile=default

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/tcp/synack/rate/src?target_id=SCRBR1\&profile=default\&action=update\&value=20

Configure SYN-ACK session whitelisting
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default tcp synack wl_session [enable|disable]

*REST*

.. code-block:: console

   curl -u : http://:/profile/tcp/synack/wl_session?target_id=\&profile={black, white, gray, default}[\&action={enable, disable}]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/tcp/synack/wl_session?target_id=SCRBR1\&profile=default\&action=enable

Configure SYN-ACK TCP-Amplification protection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default tcp synack tcp_amp_protection [enable|disable]

*REST*

.. code-block:: console

   curl -u : http://:/profile/tcp/synack/tcp_amp_protection?target_id=\&profile={black, white, gray, default}[\&action={enable, disable}]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/tcp/synack/tcp_amp_protection?target_id=SCRBR1\&profile=default\&action=enable

Drop TCP SYN with seq num 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~

*CLI*

.. code-block:: console

   >

*REST*

.. code-block:: console

   curl -u : http://:/profile/tcp/syn/noseqnum/drop?target_id=\&profile={black, white, gray, default}[\&action={enable, disable}]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/tcp/syn/noseqnum/drop?target_id=SCRBR1\&profile=default

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/tcp/syn/noseqnum/drop?target_id=SCRBR1\&profile=default\&action=enable

Drop TCP SYN with no options
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default tcp syn nooption drop [enable|disable]

*REST*

.. code-block:: console

   curl -u : http://:/profile/tcp/syn/nooption/drop?target_id=\&profile={black, white, gray, default}[\&action={enable, disable}]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/tcp/syn/nooption/drop?target_id=SCRBR1\&profile=default

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/tcp/syn/nooption/drop?target_id=SCRBR1\&profile=default\&action=enable

Drop TCP SYN packets with payload
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default tcp syn payload drop [enable|disable]

*REST*

.. code-block:: console

   curl -u : http://:/profile/tcp/syn/payload/drop?target_id=\&profile={black, white, gray, default}[\&action={enable, disable}]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/tcp/syn/payload/drop?target_id=SCRBR1\&profile=default

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/tcp/syn/payload/drop?target_id=SCRBR1\&profile=default\&action=enable

Set drop/accept policy per UDP/TCP src/dst port
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Note: in order to block UDP-based amplification attacks, set drop policies on the source ports for dns, ntp, snmp, nb, ssdp, cg, qotd, bt, kad, qnp, sp.

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default [udp|tcp] [src|dst] PORT [drop|accept] [enable|disable]

*REST*

.. code-block:: console

   curl -u : http://:/profile/{udp, tcp}/{src, dst}/{port}/{accept, drop}?target_id=\&profile={black, white, gray, default}[\&action={enable, disable}]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/udp/src/53/drop?target_id=SCRBR1\&profile=default

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/udp/src/53/drop?target_id=SCRBR1\&profile=default\&action=enable

Set min/max UDP payload length
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default udp payload min_len [BYTES]
   > target ID profile white|gray|black|default udp payload max_len [BYTES]

*REST*

.. code-block:: console

   curl -u : http://:/profile/udp/payload/{min, max}_len?target_id=\&profile={black, white, gray, default}[\&action=update\&value=]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/udp/payload/min_len?target_id=SCRBR1\&profile=default

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/udp/payload/min_len?target_id=SCRBR1\&profile=default\&action=update\&value=2

Drop UDP fragments
~~~~~~~~~~~~~~~~~~

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default udp fragment drop [enable|disable]

*REST*

.. code-block:: console

   curl -u : http://:/profile/udp/fragment/drop?target_id=\&profile={black, white, gray, default}[\&action={enable, disable}]

Example:

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/udp/fragment/drop?target_id=SCRBR1\&profile=default

.. code-block:: console

   curl -u admin:admin http://localhost:8880/profile/udp/fragment/drop?target_id=SCRBR1\&profile=default\&action=enable

Set min/max UDP fragments payload length
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*CLI*

.. code-block:: console

   > target ID profile white|gray|black|default udp fragment payload min_len [BYTES]
   > target ID profile white|gray|black|default udp fragment payload max_len [BYTES]

*REST*
code-block:: console curl -u : http://:/profile/udp/fragment/payload/{min, max}_len?target_id=\&profile={black, white, gray, default}[\&action=update\&value=] Example: .. code-block:: console curl -u admin:admin http://localhost:8880/profile/udp/fragment/payload/min_len?target_id=SCRBR1\&profile=default .. code-block:: console curl -u admin:admin http://localhost:8880/profile/udp/fragment/payload/min_len?target_id=SCRBR1\&profile=default\&action=update\&value=64 Drop UDP with checksum0 ~~~~~~~~~~~~~~~~~~~~~~~ *CLI* .. code-block:: console > target ID profile white|gray|black|default udp checksum0 drop [enable|disable] *REST* .. code-block:: console curl -u : http://:/profile/udp/checksum0/drop?target_id=\&profile={black, white, gray, default}[\&action={enable, disable}] Example: .. code-block:: console curl -u admin:admin http://localhost:8880/profile/udp/checksum0/drop?target_id=SCRBR1\&profile=default .. code-block:: console curl -u admin:admin http://localhost:8880/profile/udp/checksum0/drop?target_id=SCRBR1\&profile=default\&action=enable Configure UDP rate limiting ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Limit all UDP traffic (pkts/s) per source or destination *CLI* .. code-block:: console > target ID profile white|gray|black|default udp rate src [PPS] > target ID profile white|gray|black|default udp rate dst [PPS] *REST* .. code-block:: console curl -u : http://:/profile/udp/rate/{src, dst}?target_id=\&profile={black, white, gray, default}[\&action=update\&value=] Example: .. code-block:: console curl -u admin:admin http://localhost:8880/profile/udp/rate/src?target_id=SCRBR1\&profile=default .. code-block:: console curl -u admin:admin http://localhost:8880/profile/udp/rate/src?target_id=SCRBR1\&profile=default\&action=update\&value=100 Set drop policy per ICMP type ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ *CLI* .. 
code-block:: console > target ID profile white|gray|black|default icmp type TYPE drop [enable|disable] > target ID profile white|gray|black|default icmp type TYPE accept [enable|disable] *REST* .. code-block:: console curl -u : http://:/profile/icmp/type//{accept, drop}?target_id=\&profile={black, white, gray, default}[\&action={enable, disable}] Example: .. code-block:: console curl -u admin:admin http://localhost:8880/profile/icmp/type/0/drop?target_id=SCRBR1\&profile=default .. code-block:: console curl -u admin:admin http://localhost:8880/profile/icmp/type/0/drop?target_id=SCRBR1\&profile=default\&action=disable Set drop policy per TTL values ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ *CLI* .. code-block:: console > target ID profile white|gray|black|default ip > target ID profile white|gray|black|default ip ttl TTL drop [enable|disable] > target ID profile white|gray|black|default ip ttl TTL accept [enable|disable] *REST* .. code-block:: console curl -u : http://:/profile/ip/ttl//{accept, drop}?target_id=\&profile={black, white, gray, default}[\&action={enable, disable}] Example: .. code-block:: console curl -u admin:admin http://localhost:8880/profile/ip/ttl?target_id=SCRBR1\&profile=default .. code-block:: console curl -u admin:admin http://localhost:8880/profile/ip/ttl/24/drop?target_id=SCRBR1\&profile=default\&action=enable Configure DNS check method ~~~~~~~~~~~~~~~~~~~~~~~~~~ *CLI* .. code-block:: console > target ID profile white|gray|black|default dns request check_method [forcetcp|disable] *REST* .. code-block:: console curl -u : http://:/profile/dns/request/check_method?target_id=\&profile={black, white, gray, default}[\&action=update\&value={forcetcp, default}] Example: .. code-block:: console curl -u admin:admin http://localhost:8880/profile/dns?target_id=SCRBR1\&profile=default .. 
code-block:: console curl -u admin:admin http://localhost:8880/profile/dns/request/check_method?target_id=SCRBR1\&profile=default\&action=update\&value=forcetcp Configure DNS rate limiting ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Limit DNS requests per source or transaction ID (pkts/s) *CLI* .. code-block:: console > target ID profile white|gray|black|default dns request rate src [PPS] > target ID profile white|gray|black|default dns request rate transaction_id [PPS] *REST* .. code-block:: console curl -u : http://:/profile/dns/request/rate/src?target_id=\&profile={black, white, gray, default}[\&action=update\&value=] Example: .. code-block:: console curl -u admin:admin http://localhost:8880/profile/dns/request/rate/src?target_id=SCRBR1\&profile=default .. code-block:: console curl -u admin:admin http://localhost:8880/profile/dns/request/rate/src?target_id=SCRBR1\&profile=default\&action=update\&value=20 Configure DNS traffic threshold ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This is the maximum expected number of queries per second. This is used to feed the detection algorithm. (packets/s) *CLI* .. code-block:: console > target ID profile white|gray|black|default dns request threshold [PPS] *REST* .. code-block:: console curl -u : http://:/profile/dns/request/threshold?target_id=\&profile={black, white, gray, default}[\&action=update\&value=] Example: .. code-block:: console curl -u admin:admin http://localhost:8880/profile/dns/request/threshold?target_id=SCRBR1\&profile=default\&action=update\&value=1000 Set drop policy per DNS request type ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ *CLI* .. code-block:: console > target ID profile white|gray|black|default dns request type TYPE drop [enable|disable] *REST* .. code-block:: console curl -u : http://:/profile/dns/request/type//drop?target_id=\&profile={black, white, gray, default}[\&action={enable, disable}] Example: .. 
code-block:: console curl -u admin:admin http://localhost:8880/profile/dns/request/type/255/drop?target_id=SCRBR1\&profile=default .. code-block:: console curl -u admin:admin http://localhost:8880/profile/dns/request/type/255/drop?target_id=SCRBR1\&profile=default\&action=enable Set max DNS subdomain length ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ *CLI* .. code-block:: console > target ID profile white|gray|black|default dns request subdomain_max_len [CHARACTERS] *REST* .. code-block:: console curl -u : http://:/profile/dns/request/subdomain_max_len?target_id=\&profile={black, white, gray, default}[\&action=update\&value=] Example: .. code-block:: console curl -u admin:admin http://localhost:8880/profile/dns/request/subdomain_max_len?target_id=SCRBR1\&profile=default .. code-block:: console curl -u admin:admin http://localhost:8880/profile/dns/request/subdomain_max_len?target_id=SCRBR1\&profile=default\&action=update\&value=10 Hex/string pattern match ~~~~~~~~~~~~~~~~~~~~~~~~ Add pattern to match (drop). Set "" as value to delete a pattern. Note: - 'payload+' represents beginning of L7 payload (end of L4 headers), it applies to tcp/udp packets only. - when 'payload+' is not specified, 'offset' is considered from the beginning of the ethernet frame. - 'string' is case sensitive *CLI* .. code-block:: console > target ID profile white|gray|black|default pattern PATTERN drop [{hex, string},[payload+]{OFFSET, any},VALUE|-] *REST* .. code-block:: console curl -u : http://:/profile/pattern//drop?target_id=\&profile={black, white, gray, default}\&action=update\&value={hex, string},[payload+]{, any}, Example: .. code-block:: console curl -u admin:admin http://localhost:8880/profile/pattern/1/drop?target_id=SCRBR1\&profile=default\&action=update\&value=hex,56,0954A03AC3320F .. 
code-block:: console curl -u admin:admin http://localhost:8880/profile/pattern/2/drop?target_id=SCRBR1\&profile=default\&action=update\&value=string,payload+8,Hello Read active patterns ~~~~~~~~~~~~~~~~~~~~ *CLI* .. code-block:: console > target ID profile white|gray|black|default pattern *REST* .. code-block:: console curl -u : http://:/profile/pattern?target_id=\&profile={black, white, gray, default} Example: .. code-block:: console curl -u admin:admin http://localhost:8880/profile/pattern?target_id=SCRBR1\&profile=default HTTP request field match ~~~~~~~~~~~~~~~~~~~~~~~~ Add HTTP request field to match (drop). Set "" as value to delete a field. Note: 'label' is case sensitive, instead 'value' is compared ignoring the case. *CLI* .. code-block:: console > target ID profile white|gray|black|default http request field FIELD drop [LABEL,VALUE|-] *REST* .. code-block:: console curl -u : http://:/profile/http/request/field//drop?target_id=\&profile={black, white, gray, default}\&action=update\&value=
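The offset semantics of the rules in the "Hex/string pattern match" section above, worked through in an added Python example (this is illustrative code, not nScrub's own matching engine): it parses the documented value format "{hex, string},[payload+]{OFFSET, any},VALUE", locates the L7 payload in a constructed Ethernet/IPv4/UDP frame, and evaluates the two example rules from that section against it. The frame layout, function names and sample payload are assumptions of this example.

```python
import struct

ETH_LEN, ETHERTYPE_IPV4, PROTO_TCP, PROTO_UDP = 14, 0x0800, 6, 17


def l7_offset(frame: bytes):
    """Offset where the L7 payload starts (end of the L4 header), or None when the
    frame is not IPv4 over Ethernet carrying TCP/UDP: 'payload+' applies to tcp/udp only."""
    if len(frame) < ETH_LEN + 20 or int.from_bytes(frame[12:14], "big") != ETHERTYPE_IPV4:
        return None
    l4 = ETH_LEN + (frame[ETH_LEN] & 0x0F) * 4      # IHL gives the IPv4 header length
    proto = frame[ETH_LEN + 9]
    if proto == PROTO_UDP:
        return l4 + 8                                # fixed 8-byte UDP header
    if proto == PROTO_TCP and len(frame) >= l4 + 13:
        return l4 + (frame[l4 + 12] >> 4) * 4        # TCP data offset, in 32-bit words
    return None


def parse_rule(rule: str):
    """Split "{hex,string},[payload+]{OFFSET,any},VALUE" into (needle, relative, offset)."""
    kind, where, value = rule.split(",", 2)
    needle = bytes.fromhex(value) if kind == "hex" else value.encode()  # 'string' is case sensitive
    relative = where.startswith("payload+")
    where = where[len("payload+"):] if relative else where
    return needle, relative, (None if where == "any" else int(where))


def pattern_matches(frame: bytes, rule: str) -> bool:
    """True when the rule would match (and therefore drop) this frame."""
    needle, relative, offset = parse_rule(rule)
    base = l7_offset(frame) if relative else 0       # absolute offsets count from the Ethernet frame start
    if base is None:                                 # 'payload+' on a non-TCP/UDP frame never matches
        return False
    if offset is None:                               # 'any': search from base to the end of the frame
        return needle in frame[base:]
    return frame[base + offset: base + offset + len(needle)] == needle


def build_udp_frame(payload: bytes) -> bytes:
    """Constructed sample: Ethernet(14) + IPv4(20, no options) + UDP(8) + payload, so L7 starts at 42."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = (bytes([0x45, 0]) + struct.pack("!H", 28 + len(payload)) + b"\x00" * 4
          + bytes([64, PROTO_UDP]) + b"\x00" * 2 + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 1234, 53, 8 + len(payload), 0)
    return eth + ip + udp + payload


# Constructed payload: "Hello" at payload offset 8 and the hex sequence at payload offset 14
# (frame offset 42 + 14 = 56), so both rules from the examples above match this frame.
SAMPLE_FRAME = build_udp_frame(b"\x00" * 8 + b"Hello\x00" + bytes.fromhex("0954A03AC3320F"))
```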