Hello,
I am seeing some "false positive" DDoS alerts, apparently caused by clients that use Google's QUIC protocol (UDP traffic on ports 80/443 from Chrome users to Google servers).
I would appreciate any ideas to get around this "issue".
Thank you.
Here is an example of the alerts:
IP: XXX.XXX.200.66
Attack type: udp_flood
Initial attack power: 216090 packets per second
Peak attack power: 216090 packets per second
Attack direction: incoming
Attack protocol: udp
Total incoming traffic: 2278 mbps
Total outgoing traffic: 0 mbps
Total incoming pps: 216090 packets per second
Total outgoing pps: 0 packets per second
Total incoming flows: 0 flows per second
Total outgoing flows: 0 flows per second
Average incoming traffic: 2278 mbps
Average outgoing traffic: 0 mbps
Average incoming pps: 216090 packets per second
Average outgoing pps: 0 packets per second
Average incoming flows: 0 flows per second
Average outgoing flows: 0 flows per second
Incoming ip fragmented traffic: 0 mbps
Outgoing ip fragmented traffic: 0 mbps
Incoming ip fragmented pps: 0 packets per second
Outgoing ip fragmented pps: 0 packets per second
Incoming tcp traffic: 0 mbps
Outgoing tcp traffic: 0 mbps
Incoming tcp pps: 68 packets per second
Outgoing tcp pps: 0 packets per second
Incoming syn tcp traffic: 0 mbps
Outgoing syn tcp traffic: 0 mbps
Incoming syn tcp pps: 0 packets per second
Outgoing syn tcp pps: 0 packets per second
Incoming udp traffic: 2278 mbps
Outgoing udp traffic: 0 mbps
Incoming udp pps: 216019 packets per second
Outgoing udp pps: 0 packets per second
Incoming icmp traffic: 0 mbps
Outgoing icmp traffic: 0 mbps
Incoming icmp pps: 0 packets per second
Outgoing icmp pps: 0 packets per second
Average packet size for incoming traffic: 1382.2 bytes
Average packet size for outgoing traffic: 0.0 bytes
Incoming
UDP flows: 1
XXX.XXX.200.66:26392 < 216.58.222.33:443 3138494000 bytes 2270000 packets
My fastnetmon threshold settings are:
enable_connection_tracking = on
# Different approaches to attack detection
ban_for_pps = off
ban_for_bandwidth = on
ban_for_flows = on
# Limits for Dos/DDoS attacks
threshold_pps = 100000
threshold_mbps = 3000
threshold_flows = 3500
# Per protocol attack thresholds
# We don't implement per protocol flow limits, sorry :(
# These limits should be smaller than global pps/mbps limits
threshold_tcp_mbps = 1000
threshold_udp_mbps = 600
threshold_icmp_mbps = 300
threshold_tcp_pps = 100000
threshold_udp_pps = 70000
threshold_icmp_pps = 50000
ban_for_tcp_bandwidth = off
ban_for_udp_bandwidth = on
ban_for_icmp_bandwidth = on
ban_for_tcp_pps = off
ban_for_udp_pps = off
ban_for_icmp_pps = off
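As an added example (not code from the issue or from FastNetMon itself), a small Python triage script that replays the alert and threshold settings quoted above: it reports which configured switch is actually able to ban the host (here threshold_udp_mbps = 600 with ban_for_udp_bandwidth = on, while the global 3000 mbps limit is not exceeded and the pps switches are off), and flags the single-flow, remote-port-443, near-MTU packet shape that a QUIC download shares. The alert and config excerpts are constructed from the post, and the heuristic's cut-offs (ports 443/80, 1200-byte average) are assumptions for triage, not an allowlist.

```python
import re

# Constructed from the alert and config quoted above (assumes the real files keep the same layout).
ALERT = """\
Total incoming traffic: 2278 mbps
Incoming udp traffic: 2278 mbps
Incoming udp pps: 216019 packets per second
UDP flows: 1
XXX.XXX.200.66:26392 < 216.58.222.33:443 3138494000 bytes 2270000 packets
"""
CONFIG = """\
ban_for_bandwidth = on
threshold_mbps = 3000
threshold_udp_mbps = 600
threshold_udp_pps = 70000
ban_for_udp_bandwidth = on
ban_for_udp_pps = off
"""
# (alert metric, threshold key, switch that must be "on" for that threshold to ban)
CHECKS = [
    ("Total incoming traffic", "threshold_mbps", "ban_for_bandwidth"),
    ("Incoming udp traffic", "threshold_udp_mbps", "ban_for_udp_bandwidth"),
    ("Incoming udp pps", "threshold_udp_pps", "ban_for_udp_pps"),
]
FLOW_RE = re.compile(r"^\S+:(\d+) < \S+:(\d+) (\d+) bytes (\d+) packets$")

def parse_kv(text, sep):
    """'key<sep>value' lines -> dict; values keep their unit suffix."""
    return {k.strip(): v.strip() for k, v in
            (line.split(sep, 1) for line in text.splitlines() if sep in line)}

def num(s):
    return float(s.split()[0])  # "2278 mbps" -> 2278.0

def triggered_thresholds(alert, config):
    """(threshold key, observed, limit) for each threshold whose switch is on and is exceeded."""
    a, c = parse_kv(alert, ":"), parse_kv(config, "=")
    return [(t, num(a[m]), float(c[t])) for m, t, s in CHECKS
            if c.get(s) == "on" and num(a[m]) > float(c[t])]

def looks_like_quic_download(alert, min_avg_bytes=1200):
    """Triage heuristic, not proof: one UDP flow from remote port 443/80
    carrying near-MTU packets has the shape of a QUIC download, not a flood."""
    a = parse_kv(alert, ":")
    flows = [m for m in map(FLOW_RE.match, alert.splitlines()) if m]
    if len(flows) != 1 or a.get("UDP flows") != "1":
        return False
    remote_port, nbytes, npkts = (int(flows[0].group(i)) for i in (2, 3, 4))
    return remote_port in (443, 80) and nbytes / npkts >= min_avg_bytes
```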