Skip to content

Arbor|Netscout DDoS Defence Verification Tool (DDV). Conduct regular fire-drills and system tests to ensure your Arbor|Netscout Sightline and Threat Management System is operating correctly.

License

Notifications You must be signed in to change notification settings

arbor/ddos-defence-verifier

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

DDoS Defence Verifier Tool for Arbor Sightline/TMS and MSSPs

(aka DDV)

Benefits to using DDV:

  1. A consolidated testing platform for individual or multiple Sightline Deployments
  2. Routine fire-drills conducted at the click of a button
    • Verify that the Entity under Test (Webserver, DNS server, etc) is responding as expected
    • Simulate a small DDoS “attack” (from your own ‘botnets’)
      • too small to do damage, large enough for DoS Host Detection
    • Check if Sightline raises and alert, starts a TMS mitigation, and uses correct Counter Measures (CMs)
  3. Early detection of SL+TMS deployment issues that could jeopardise mitigation of real attacks
    • Routers:
      • Incorrect flow export timers, too large sampling rates or no flows at all
    • Sightline:
      • Misconfigured network boundaries or external interfaces
    • TMS:
      • Diversion/ReInjection issues

DDV Method of Operation:

  • The tool basically lets you create frequent and automated “fire drills” 
  • You define:
    • Organisation (company) under test (OuT)
    • Entities (targets) under test (EuT)
    • Traffic Generators (TG) (aka bots)
      • Any VM/VPS running Linux
        • Attacker (DDV-TG-A)
        • Verifier (DDV-TG-V)
      • Each TG sends small pps of ‘attack’ and/or legit (verification) data to the EuT
  • The DDV-Console checks if Sightline (via the Rest API) has:
    • Raised a DoS alert for the simulated ‘attack’ traffic, with expected DoS misuse types
    • if a TMS auto-mitigation was triggered or not
      • how effective said mitigation is on the malicious traffic (blocked rate)
      • while legitimate traffic is allowed to pass as expected (success rate)

Sightline Configuration using REST API:

  • DDV-C creates the following “test infrastructure” on the Sightline Leader:
    • DDV Managed Objects (MOs) – to match the EuT IPs
    • Shared Host Detection Settings (SHDS) for DDV MOs, so they will predictably trigger DoS alerts with small amount of attack pps rates from Traffic Generator (TG)
    • DDV Mitigation Template with CMs that will be enabled automatically based on DoS alerts
      • TCP SYN, UDP R/A
    • Only manual steps required on SL CLI:
      • Generate REST API key
    • Only manual steps required on SL GUI:
      • link DDV Mitigation Template to “TMS Group”, enable “Announce Route”

DDV-Console Setup Steps:

  1. Clone the git repository to your desired location, which will be the main GUI, or Console (DDV-C):
git clone https://github.com/arbor/ddos-defence-verifier.git
  1. Change to the directory containing the main python script, ddv-c.py, and run it:
python3 ddv-c.py 
  • You should see an output similar to the following:
    * Serving Flask app "ddv-c" (lazy loading)
    * Environment: production
       WARNING: This is a development server. Do not use it in a production deployment.
       Use a production WSGI server instead.
    * Debug mode: on
    * Running on https://0.0.0.0:2020/ (Press CTRL+C to quit)
    * Restarting with stat
    * Debugger is active!
    * Debugger PIN: 272-128-100
  • If you are getting a whole lot of errors for required python packages, ensure you have these installed:
sudo pip3 install -r requirements.txt
  1. Login to the DDV-C GUI:
https://127.0.0.1:2020

default username/password: admin/ddv

  1. Configuration Steps on the DDV-C GUI:
  • Define Traffic Generator Agents (TG Attacker or Verifier)
    • Automated TG-Agents using VULTR VPS and API:
      • TG-Agents > VPS
    • Manual TG-Agents using your own Linux servers:
      • TG-Agents > New
      • TG-Agents > Status
  • Define your Organisation under Test (OuT)
    • Could be a single organisation or multiple organisations
    • OuT > New
    • OuT > Status
  • Define your Entity under Test (EuT)
    • EuT > New
    • EuT > Status
  • Define your Attack and/or Verifier Tasks
    • A-Tasks > New
    • A-Tasks > Status
    • V-Tasks > New
    • V-Tasks > Status
  • Verify that the OuT Sightline has MOs, SHDS, Mitigation Templates defined
    • OuT > SL-Config
  • Verify DDV Settings
    • OuT > Status
  • Run complete set of tests to verify your Sightline+TMS DDoS deployment
    • OuT > Run

Non-VPS DDV Traffic Generator (DDV-TG-x) Setup Steps:

  1. Copy the following files to any appropriate directory on your DDV-TG (linux VPS host)
  • ddv-tg-x/ddv_tg_cfg.py

  • ddv-tg-x/ddv-tg-x.py

  • ddv-tg-x/ddv_tg_x_scapy.py

  • ddv-tg-x/requirements.txt

  • To run the DDV-TG as an Attacker, select the A role

sudo python ddv-tg-x.py -r A
  • To run the DDV-TG as a Verifier, select the V role
sudo python ddv-tg-x.py -r V
  • ddv-tg-x.py must be run as root, this is to allow the generation of packets
  • To ensure these scripts keep running in the background, even when you disconnect from the terminal:
sudo nohup python ddv-tg-x.py -r A &
sudo nohup python ddv-tg-x.py -r V &
  • If you are getting a whole lot of errors for required python packages, ensure you have these installed:
sudo pip install flask (or apt-get install python-flask)
sudo pip install pandas (or apt-get install python-pandas)
sudo pip install requests (or apt-get install python-requests)
sudo pip install pyopenssl
sudo pip install --pre scapy[basic]

or simply run:

sudo pip3 install -r requirements.txt

About

Arbor|Netscout DDoS Defence Verification Tool (DDV). Conduct regular fire-drills and system tests to ensure your Arbor|Netscout Sightline and Threat Management System is operating correctly.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published