| Next revision | Previous revision |
| en:dpi:dpi_options:opt_ddos:qoe_ddos [2026/02/17 14:31] – created elena.krasnobryzh | en:dpi:dpi_options:opt_ddos:qoe_ddos [2026/04/03 13:02] (current) – [7. Attack Analysis] elena.krasnobryzh |
|---|
| {{indexmenu_n>3}} | {{indexmenu_n>3}} |
| ====== DDoS and BotNet Detector Configuration Based on QoE ====== | ======Configuring DDoS and BotNet Detector Based on QoE====== |
| | The detector allows automatic monitoring of incoming traffic, identifying DDoS attacks, and quickly taking measures to protect the network. When a threat is detected, the system can fully isolate the malicious stream or clean the traffic while maintaining service availability for users.\\ |
| | The solution requires SSG version BASE, COMPLETE, or BNG with additional options and is deployed on an existing server with QoE. |
| | <note> |
| | [[en:dpi:dpi_options:opt_ddos:ddos_description|More about tools for DDoS protection and BotNet detection]] |
| | </note> |
| |
| ===== 1. QoE Update ===== | =====1. Updating QoE===== |
| **On the QoE server.** | **On the QoE server.** |
| |
| Update QoE to the latest version, stopping the receivers beforehand. | [[en:dpi:qoe_analytics:implementation_administration:installation_update:update|Update QoE]] to the latest version, stopping the receivers beforehand. Before starting receivers, patch ClickHouse: |
| Before starting the receivers, patch ClickHouse: | <code>dnf --refresh install clickhouse-patched</code> |
| | |
| <code> | |
| dnf --refresh install clickhouse-patched | |
| </code> | |
| Start the receivers. | Start the receivers. |
| |
| ===== 2. GUI Update ===== | =====2. Updating GUI===== |
| **On the GUI server.** | **On the GUI server.** |
| |
| Update GUI to the latest version. Connect GUI to VAS Cloud if it is not already connected. | [[en:dpi:dpi_components:dpiui:install_and_update:update|Update GUI]] to the latest version. Connect GUI to VAS Cloud if not already connected. Enable the aniddos license option. |
| Grant the **antiddos** license option. | |
| |
| In the file ''/var/www/html/dpiui2/frontend/env.js'', add the following option: | In the file ''/var/www/html/dpiui2/frontend/env.js'' set the option ''AppEnv.DDoSAttack_isVisible = 1;'' |
| |
| <code> | =====3. Installing the Detector===== |
| AppEnv.DDoSAttack_isVisible = 1; | **On the QoE server.** |
| </code> | |
| |
| ===== 3. Detector Installation ===== | Install the mitigator package ''fastm_qoe'' on all nodes: <code>dnf install fastm_qoe</code> |
| **On the QoE server.** | |
| |
| Install the mitigator package ''fastm_qoe'' on all nodes: | Switch Python version: <code>dnf install -y python39 python39-devel -y |
| | |
| <code> | |
| dnf install fastm_qoe | |
| </code> | |
| | |
| Switch the Python version: | |
| | |
| <code> | |
| dnf install -y python39 python39-devel -y | |
| sudo update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.6 60 | sudo update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.6 60 |
| sudo update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 70 | sudo update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 70 |
| sudo update-alternatives --config python3 | sudo update-alternatives --config python3</code> |
| </code> | |
| |
| Select version 3.9 and verify: | Select version 3.9: <code>python3 --version</code> |
| |
| <code> | =====4. Configuring the Detector===== |
| python3 --version | **On the QoE server.** |
| </code> | |
| | |
| ===== 4. Detector Configuration ===== | |
| **On the QoE server.** | |
| |
| On all nodes, or on selected ones: | On all nodes, or on selected ones: |
| FM_ATTACKS_METRICS_BY_SUBS_LIMIT=1 | FM_ATTACKS_METRICS_BY_SUBS_LIMIT=1 |
| FM_ATTACKS_METRICS_BY_SUBS_COLLAPSE=1 | FM_ATTACKS_METRICS_BY_SUBS_COLLAPSE=1 |
| FM_ATTACKS_METRICS_BY_SUBS_DAY='day_' | FM_ATTACKS_METRICS_BY_SUBS_DAY='day_'</code> |
| </code> | - Update schema: <code>fastm-db-scheme</code> |
| - Update the database schema:<code>fastm-db-scheme</code> | - Enable metrics collection\\ Add to file ''/var/qoestor/backend/.env'' the following: <code>FM_FULLFLOW_HOOK_ENABLE=1 |
| - Enable metrics collection.\\ In the file ''/var/qoestor/backend/.env'', add:<code>FM_FULLFLOW_HOOK_ENABLE=1</code>Collect metrics for several hours (preferably 24 hours).\\ Then edit ''/var/fastm_qoe/etc/.env'' again and change two parameters: <code>IDLE_MODE=0 | GEO_IP_DIC_AUTOLOAD_ENABLED=1</code> Execute the daily cron: <code>sh /var/qoestor/backend/app_bash/cron_daily.sh</code> Collect metrics for several hours, ideally 24 hours. Then edit ''/var/fastm_qoe/etc/.env'' again and change 2 parameters:<code>IDLE_MODE=0 |
| DB_DROP_TABLES=0</code>This activates the detector. | DB_DROP_TABLES=0</code> This activates the detector. |
| | |
| ===== 5. Trigger Thresholds ===== | |
| In the file ''/var/fastm_qoe/lib/rules/config.json'', edit the ''avg-based-z-score-any'' section as follows: | |
| |
| | =====5. Trigger Thresholds===== |
| | In the file ''/var/fastm_qoe/lib/rules/config.json'', edit the section ''avg-based-z-score-any'' as follows: |
| <code> | <code> |
| "avg-based-z-score-any": { | "avg-based-z-score-any": { |
| </code> | </code> |
| |
| ===== 6. Metrics Storage (DDoS Attack Logs) ===== | =====6. Metrics Storage (DDoS Attack Logs)===== |
| In the GUI web interface, configure storage for raw and aggregated metrics, as well as raw and aggregated attack logs. | In the GUI web interface, configure storage of raw and aggregated metrics, as well as raw and aggregated attack logs. |
| | |
| In **Administrator → GUI Configuration → QoE Stor: Database Lifetime Settings**, set the following parameters: | |
| |
| | In Admin → GUI Configuration → QoE Stor: set DB retention time values as follows: |
| * ''QOESTOR_FM_ATTACKS_MAIN_LOG_PARTITIONS_LIFE_TIME_HOUR'' = ''720'' | * ''QOESTOR_FM_ATTACKS_MAIN_LOG_PARTITIONS_LIFE_TIME_HOUR'' = ''720'' |
| * ''QOESTOR_FM_ATTACKS_AGG_LOG_PARTITIONS_LIFE_TIME_DAYS'' = ''30'' | * ''QOESTOR_FM_ATTACKS_AGG_LOG_PARTITIONS_LIFE_TIME_DAYS'' = ''30'' |
| * ''QOESTOR_FM_METRICS_AGG_LOG_PARTITIONS_LIFE_TIME_DAYS'' = ''7'' | * ''QOESTOR_FM_METRICS_AGG_LOG_PARTITIONS_LIFE_TIME_DAYS'' = ''7'' |
| |
| {{:dpi:dpi_options:opt_ddos:qoe_ddos_1.png?direct&1100|}} | {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_1.png?direct&1100|}} |
| |
| ===== 7. Attack Analysis ===== | =====7. Attack Analysis===== |
| Detected attacks can be analyzed in the **DDoS Attacks** section of QoE Analytics. | Detected attacks can be examined in the DDoS attack sections in QoE Analytics. |
| |
| - Start with the **“TOP Attacks”** section for the last 24 hours.\\ Sort attacks by number of sessions and note several IPs with the highest session count.\\ {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_3.png?direct&700|}} | - Start with the "TOP Attacks" section for the last 24 hours.\\ Sort attacks by number of sessions and note a few IPs with the highest session count.\\ {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_3.png?direct&700|}} |
| - Review the **“TOP Attacks by Protocols”** section.\\ Also sort by number of sessions and note the relevant protocols. | - Check the "TOP Attacks by Protocols" section\\ Also sort by session count. Note these protocols. |
| - Review the **“TOP Attacking IP Addresses”** section and record several IPs with the highest number of sessions. \\ {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_2.png?direct&700|}} | - Check the "TOP Attacking IP Addresses" section, note a few IPs with the highest session count\\ {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_2.png?direct&700|}} |
| - Check the **Attack Log** section.\\ Apply filters for the previously selected subscribers and protocols.\\ This section provides detailed attack information to support decision-making.\\ For example, in the screenshot below, it is clearly visible that UDP port scanning is being performed against the same address. In this case, it is sufficient to place the attacking IP into a separate AS and apply a drop action. | - Analyze the Attack Log with a filter by previously selected subscribers and protocol.\\ You can extract attack details and make additional conclusions to take appropriate actions.\\ For example, in the screenshot below it is clearly visible that there is port scanning on the same address using the UDP protocol. In this case, it is sufficient to assign a ''drop'' policy for the application protocol ''udp unknown'' to the attacking subscriber profile using session policing (service 18).\\ \\ This means that for the selected subscriber, all traffic matching this protocol will be completely blocked, i.e., both UDP flood and legitimate UDP traffic identified by DPI as udp unknown. |
| |
| <note tip>AS blocking is described in detail in the scenario [[en:dpi:qoe_analytics:cases:network_health:flood#blocking_ip_with_placement_into_autonomous_system|Blocking IP by placing it into an Autonomous System]]</note> | <note tip>More details about session policing configuration: [[en:dpi:dpi_options:opt_shaping:shaping_session]]</note> |
| |
| {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_4.png?direct&1100|}} | {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_4.png?direct&1100|}}\\ |
| |
