TCP Protection with ISN Synchronization

MITIGATOR has a TCP protection mode with ISN synchronization. In this mode the connection is not interrupted after the client has been checked, so filtering stays transparent to the client. To use it, install two components on the protected server: a kernel module that provides the necessary information, and a synchronization agent that the MITIGATOR system polls.

Protection mode with ISN synchronization is supported in the TCP, MINE, ATLS, DNS and BPF countermeasures.

System requirements

  • MITIGATOR v23.08.0 or higher.

  • On the protected server:

    • Linux kernel 4.13 or higher.
    • FreeBSD 12 or 13.
  • The clocks of the protected server and of MITIGATOR must be synchronized.
    In practice this means that NTP must be configured on both servers.

Installation

  1. Download the archive with the kernel module and the synchronization agent for your OS.
  2. Unpack the archive and switch to the extracted directory.

  3. Install the synchronization agent with the script. It must be run as root. An existing synchronization agent is uninstalled automatically.

    ./install
  4. If a firewall is used, allow inbound TCP connections to port 7100 from the MITIGATOR system (restrict the rule to the addresses that poll the agent rather than opening the port to any source).

  5. The administrator of the MITIGATOR system will provide a public key of the following form:

    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDO7P4aiE3fgdsVieFiFaUKjU54yFpU9FdiimsFHd6eZ mitigator1

    Append the provided key to the /opt/mitigator_agent/keys file. The command below reads one line from standard input and appends it; paste the key as that line and press Enter:

    head -1 >> /opt/mitigator_agent/keys
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDO7P4aiE3fgdsVieFiFaUKjU54yFpU9FdiimsFHd6eZ mitigator1

    Here mitigator1 is the name of the MITIGATOR instance in the cluster. It identifies in the agent logs which instance polls the agent.
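The steps above, scripted, as an added example that is not part of the MITIGATOR agent package. It wraps the key-appending step in a format check and a duplicate check, so that a truncated or wrapped paste is rejected instead of silently landing in the keys file and the step can be rerun safely, and it limits TCP/7100 to the address range that polls the agent. The script name, the use of iptables and the 192.0.2.0/24 source range are assumptions; the key file path, the port and the key format are taken from the steps above.

```shell
#!/bin/sh
# Added example, not part of the MITIGATOR agent package: helper functions for
# the installation steps above. validate_key_line and add_agent_key make the
# "append the key" step safe to repeat (format check, no duplicate entries);
# allow_agent_port_from restricts TCP/7100 to the MITIGATOR address(es) that
# poll the agent. The script name, iptables usage and the 192.0.2.0/24 example
# source range are assumptions; the path, port and key format are from the docs.
set -eu

AGENT_KEYS=/opt/mitigator_agent/keys   # key file from the MITIGATOR docs
AGENT_PORT=7100                        # agent port from the MITIGATOR docs

# Succeed only if LINE is a single well-formed OpenSSH ed25519 public key:
# "ssh-ed25519 <68 base64 chars> <instance name>". Every ed25519 key blob
# begins with AAAAC3NzaC1lZDI1NTE5AAAAI (encoded key type + 32-byte length),
# so a truncated or wrapped paste fails here instead of landing in the file.
validate_key_line() {
    line=$1
    set -f                      # no globbing while splitting the line
    set -- $line
    set +f
    [ $# -eq 3 ] || return 1
    [ "$1" = "ssh-ed25519" ] || return 1
    printf '%s\n' "$2" | grep -Eq '^AAAAC3NzaC1lZDI1NTE5AAAAI[A-Za-z0-9+/]{43}$' || return 1
    printf '%s\n' "$3" | grep -Eq '^[A-Za-z0-9._@-]+$' || return 1
}

# Append KEYLINE to KEYFILE unless the same key (type and blob) is already there.
# Returns 0 when appended, 2 when already present, 1 when malformed.
add_agent_key() {
    keyfile=$1
    keyline=$2
    validate_key_line "$keyline" || { echo "rejected malformed key line" >&2; return 1; }
    blob=$(printf '%s\n' "$keyline" | awk '{ print $1 " " $2 }')
    if [ -f "$keyfile" ] && awk '{ print $1 " " $2 }' "$keyfile" | grep -Fxq "$blob"; then
        return 2
    fi
    ( umask 077; printf '%s\n' "$keyline" >> "$keyfile" )   # new file is created 0600
}

# Print the instance names (third field) of the keys in KEYFILE; this is the
# name that identifies the polling MITIGATOR instance in the agent logs.
list_agent_instances() {
    awk 'NF == 3 && $1 == "ssh-ed25519" { print $3 }' "$1"
}

# Illustrative firewall step (iptables): accept TCP/7100 only from SRC, the
# MITIGATOR system's address or range, and do not add the rule twice.
allow_agent_port_from() {
    src=$1
    iptables -C INPUT -p tcp -s "$src" --dport "$AGENT_PORT" -j ACCEPT 2>/dev/null ||
        iptables -I INPUT -p tcp -s "$src" --dport "$AGENT_PORT" -j ACCEPT
}

# Usage as root, from the directory the agent archive was unpacked into:
#   ./agent_setup.sh install 192.0.2.0/24 'ssh-ed25519 AAAAC3Nz... mitigator1'
case "${1:-}" in
    install)
        [ $# -eq 3 ] || { echo "usage: $0 install SRC_CIDR KEYLINE" >&2; exit 64; }
        ./install                                  # installs (or reinstalls) the agent
        allow_agent_port_from "$2"
        add_agent_key "$AGENT_KEYS" "$3" || [ $? -eq 2 ]   # already present is fine
        ;;
esac
```

Because add_agent_key is idempotent, the same command can be used later to register a second MITIGATOR instance from the cluster: validation accepts the line, the duplicate check passes, and the new key is appended with a different instance name.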

Configuration via Web UI

Parameter synchronization allows MITIGATOR countermeasures to verify a client without additional packet exchange or session interruption, because the TCP handshake parameters are generated from the data acquired from the synchronization agent.

The management IP address used to reach the synchronization agent may differ from the IP address of the protected service that is accessed through MITIGATOR. In that case, specify the relation between the service IP addresses and the synchronization agents installed on the hosts of those services. One synchronization agent can be related to several service IP addresses, or, conversely, several synchronization agents installed on different hosts can relate to a single service IP address. An IP address specified only for a synchronization agent is treated as the IP address of the service as well.

Then set the corresponding protection mode in every policy countermeasure that supports ISN synchronization.

Upgrading the synchronization agent

Run the installation script again; all configured keys are kept.

./install

Uninstalling the synchronization agent

Run the installation script with the -u option.

./install -u