Netgraph/Netflow Export to Andrisoft Wanguard

Hello,

I am setting up a FreeBSD server to act as a router/firewall for an ISP that is experiencing a DDoS attack.

All services are up and running smoothly, but now I need to configure a flow packet exporter for an attack detector to monitor link turnovers and take real-time protection actions.

So far, I have managed to enable netflow, configure it, and perform the export. However, there seems to be a delay in the packet transmission/reception between FreeBSD and Wanguard, and I haven't been able to identify the cause of this delay.
I am using netgraph/netflow based on some articles I found here on the forum, and it worked very well.

However, there is now a delay of almost 5 minutes. I have opened a support ticket with Wanguard, but they have confirmed that everything is fine on their end and there are no parameters to be modified.

The issue with this delay lies in the time it takes for the attack to start, for Wanguard to detect it, and for it to execute the protection actions. The time it takes for Wanguard to detect the attack is high, as by the time it tries to execute the protection actions, the attack has already stopped.

Here is my configuration:

Code:
mkpeer lagg0_615: netflow lower iface615
name lagg0_615:lower netflow615
connect lagg0_615: netflow615: upper out615

mkpeer netflow615: ksocket export9 inet/dgram/udp
msg netflow615: setconfig {iface=615 conf=1}
msg netflow615: settimeouts { inactive=15 active=1 }
msg netflow615: settemplate { time=10 packets=1000 }

name netflow615:export9 nfsock615
msg nfsock615: connect inet/172.17.11.6:6255

If anyone can provide me with a tip or has experienced something similar, I would greatly appreciate it.

Thank you in advance for your attention.
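
One way to see where a delay like the one described above is introduced is to compare each flow's LAST_SWITCHED value with the sysUptime in the header of the NetFlow v9 datagram that carries it, using datagrams captured in front of the collector. This is an added example, not part of the original post and not FreeBSD or Wanguard code; it follows the RFC 3954 layout, assumes the exporter's template includes LAST_SWITCHED (field type 21), and the sample datagram (addresses, uptime values, source id 615) is constructed.

```python
import struct

LAST_SWITCHED = 21  # RFC 3954 field: sysUptime (ms) when the flow's last packet was seen

def export_lags(packet, templates):
    """Seconds between each flow's last packet and the export of this datagram.
    templates maps (source_id, template_id) -> [(type, length), ...]; reuse one dict."""
    version, _, uptime_ms, _, _, source_id = struct.unpack_from("!HHIIII", packet, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 datagram")
    lags, pos = [], 20
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, pos)
        if fs_len < 4 or pos + fs_len > len(packet):
            break  # malformed or truncated flowset
        body, pos = packet[pos + 4:pos + fs_len], pos + fs_len
        if fs_id == 0:  # template flowset: remember each record layout
            off = 0
            while off + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, off)
                if tid < 256 or off + 4 + 4 * n > len(body):
                    break  # padding or truncated template
                templates[(source_id, tid)] = [
                    struct.unpack_from("!HH", body, off + 4 + 4 * i) for i in range(n)]
                off += 4 + 4 * n
        fields = templates.get((source_id, fs_id), [])
        rec_len = sum(length for _, length in fields)
        if fs_id < 256 or rec_len == 0:
            continue  # template flowsets, or data whose template is not known yet
        for start in range(0, len(body) - rec_len + 1, rec_len):
            off = start
            for ftype, length in fields:
                if ftype == LAST_SWITCHED and length == 4:
                    last_ms = struct.unpack_from("!I", body, off)[0]
                    lags.append(((uptime_ms - last_ms) & 0xFFFFFFFF) / 1000)
                off += length
    return lags

def sample_packet():
    """Constructed datagram: template 256 plus one record exported 2.5 s after its last packet."""
    fields = [(8, 4), (12, 4), (22, 4), (21, 4)]  # src, dst, FIRST_SWITCHED, LAST_SWITCHED
    tmpl = struct.pack("!HH", 256, 4) + b"".join(struct.pack("!HH", *f) for f in fields)
    rec = bytes([192, 0, 2, 1, 198, 51, 100, 7]) + struct.pack("!II", 580_000, 597_500)
    return (struct.pack("!HHIIII", 9, 2, 600_000, 1_700_000_000, 1, 615)
            + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(rec)) + rec)

if __name__ == "__main__":
    print(export_lags(sample_packet(), {}))
```

Lags that stay within the configured active/inactive timeouts indicate the records leave the exporter on time, so the remaining delay would be on the path or in the collector's processing.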
 