Files related to AnsibleFest 2018 Session
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

AnsibleFest 2018 - Ansible for Network Distributed Denial of Service Mitigation

Files related to AnsibleFest 2018 Session

If you find the topic of DDoS of interest to you, you can download the related O'Reilly book in the following links:

This repository contains the files for the demonstration of the AnsibleFest 2018 session titled Ansible for Network Distributed Denial of Service Mitigation. Please let us know your thoughts in the comments below!!

If you are the impatient kind, skip to the bottom of the page for the combined video for the demonstration. However, since there is no narratives involved in the video, I personally feel it is better to watch the videos one-by-one in the order listed below.

For the DDoS detector in the topology, we use the community version of FastNetMon. It receives NetFlow v5 from the edge router on the customer site. FastNetMon is a high performance DDoS detector built by Pavel Odintsov ( They offer both a commercial and community version, you can find more information about it

You can find the VIRL topology file as well as the device configuration in this repository.

The lab topology involved with video 1 to 6 are listed here:

alt text

The lab topology involved with video 7 for on-premise mitigation is here:

alt text

1. Lab Topology

In the video, the web server uses the Python simple http module to host a web server. The client will generate traffic that traverse thru Transit-3 to Provider-Upstream and Customer-Edge to arrive at the web server. There is a flowspec-server (IOS-XR) that is BGP peered with the Provider-Upstream router as well as the Customer-Edge router.

The management station and FastNetMon host are both located on the management network not shown in the VIRL design panel.

1. Lab Topology

2. FastNetMon Banned Action

In this video, you will see the FastNetMon process along with the FastNetMon froent-end client started. Note that FastNetMon can be started as a daemon, but in this case it is started in standard out for demonstration. The FastNetMon configuration under /etc/fastnetmon.conf is modified so that a low PPS count will trigger the banned action.

I find the client script sometimes do not show the ban or unban, the log under /var/log/fastnetmon.log is a better indication of action.

2. FastNetMon Banned

3. Ansible Playbook Integration

When the banned action is triggered, a script is triggered. By default, this is a shell script. We can place our Playbook inside of this shell script.

3. First Playbook Example

4. Banned and Unbanned actions

Once the device is banned, you can configure the duration of banned time. Once the timer is up, FastNetMon will continue to check if the violation traffic is still active and determine if it will trigger unban or continue to ban.

This is where the Ansible idempotent characteristic is really handy.

4. Ban and Unban Actions

5. Banned and Unbanned Python Script

You can also use a Python script as the banned / unbanned trigger. Ansible's Python API can be a really powerful tool in this scenario.

5. Ban and Unban Python Script

6. Making Flowspec Changes

FastNetMon has built-in ExaBGP support for Flowspec announcement (and RTBH capability), but in this case, we will use the IOS-XR flowspec speaker to trigger the announcement. Note:

  • The banned host is stored as an environmental variable that is read by Ansible Playbook during run time.
  • In the virtual environment, the device cannot program flows into hardware, therefore you will receive and error for the client both in IOS-XR and IOS. However, the control plane works as expected.
  • I found what I suspect is a bug with iosxr-v where if the destination host is the same as existing, the commit action will error out.

6. Making Flowspec Changes

7. On-Premise DDoS Scrubbing

In the second scenario, we will program a DDoS scrubbing device on-premise. The device is sitting off to the side without being involved in the normal traffic flow. When attack happens, the scrubbing device will announce the prefix via BGP to redirect the particular traffic toward itself and pass back the clean traffic. Note:

  • The scrubbing devices is an A10 TPS device with AxAPI v3.
  • I am using a custom module that you can find in this repository. We are using the cli.deploy capability that executes any CLI commands on the device. You can find the module under the library directory.
  • The playbook is bgp_on_ram.yml.
  • We are assuming the mitigation configuration was already configured, we only need to advertise the BGP host route in order to on-ramp the traffic.

7. On-Premise DDoS Scrubbing

(Extra) Bonus: more detailed A10 Integration

  1. Someone at AnsibleFest asked about a more detail description on the A10 integration. Here is a more detailed screencast for an on-premise A10 TPS scrubbing (a bit dated):

Bonus 1. On-Premise DDoS Scrubbing

  1. FastNetMon with Ubuntu 18.04 installation is straight forward with APT. However, for installation on other platforms or with previous Ubuntu releases, here is a video showing the installation steps:

Bonus 2. FastNetMon Installation (non-Ubuntu 18.04)

Combined Videos

This is a video that combines the previous 7 videos.

Combined Demonstration

Thanks for watching, let us know what you think in the comments below!