Version v24.04

v24.04 redesigned the host protection detector and the “Flow Analysis” page, added support for IP address ranges in routing rules, supplemented incident reports, added separate sFlow sending parameters, and made multiple UX improvements.
It also enhanced the functionality of the TBL, MSSB, ATLS, RTS, DNS, DNS6, SLOB and RETR countermeasures, as well as Collector, Logan and Web challenger.

Info

v24.04 removed the docker-compose.hostmode.yml file with a separate base configuration for Mellanox network cards. The docker-compose.yml file is now suitable for any configuration.

Warning

Before updating a MITIGATOR instance, make sure that the correct IP address is specified in the MITIGATOR_HOST_ADDRESS variable in the .env file.

Changes in v24.04.9

Core. Added settings for LACP operation parameters in passive mode.

Now in dataplane.conf you can set parameters for LACP operation in passive mode.

# LACP system ID.
# Set to local MAC address if not specified.
lacp_system_id: <auto-detect>

# LACP port operational key.
# [0, 65535]
lacp_oper_key: 1000

Changes in v24.04

HPD. Host Protection Detector redesigned.

Now the host protection detector counts the network packets arriving at each IP address over a period, according to the specified rules. Packets are checked against the rules in the order in which the rules are listed. A rule may contain a threshold and a filter consisting of an ACL and a REX. Traffic is first checked against the filter, and only then is the traffic that matches it counted by the rule.

In addition to a threshold in packets or bits per second, you can set thresholds on the number of TCP flags or on the amount of UDP traffic per period, and several thresholds can be set at the same time.

After checking against the rules, another set of counters can be activated that count all traffic that does not comply with the rules.

The ability to mark traffic coming from untrusted prefixes has been retained.

Routing Rules. Added support for IP address ranges.

IP address ranges can now be specified in the source or destination prefixes in routing rules for protection policies. For example, the entry 178.163.234.0-178.163.236.89 is equivalent to the following set of subnets in CIDR notation:

178.163.234.0/23
178.163.236.0/26
178.163.236.64/28
178.163.236.80/29
178.163.236.88/31
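
The split above is what a greedy decomposition produces: at each step take the largest block that is both aligned on the current address and still fits inside the range. The following Python is an added example, not MITIGATOR code; the function name range_to_cidrs is hypothetical, and its IPv6 handling goes beyond the IPv4 case shown here. It is useful when a range-based routing rule has to be mirrored exactly on a device that accepts only CIDR prefixes.

```python
import ipaddress


def range_to_cidrs(entry):
    """Split a 'first-last' range into the minimal ordered list of CIDR blocks."""
    first_s, sep, last_s = entry.partition("-")
    if not sep:
        raise ValueError("expected 'first-last', got %r" % entry)
    first = ipaddress.ip_address(first_s.strip())
    last = ipaddress.ip_address(last_s.strip())
    if first.version != last.version:
        raise ValueError("range mixes IPv4 and IPv6")
    if first > last:
        raise ValueError("range start is above range end")

    # Pick the network class explicitly: ip_network() would read a small
    # IPv6 integer as an IPv4 address.
    net_cls = ipaddress.IPv4Network if first.version == 4 else ipaddress.IPv6Network
    bits = first.max_prefixlen
    cur, end = int(first), int(last)
    nets = []
    while cur <= end:
        # Alignment limit: number of trailing zero bits in the current address.
        align = (cur & -cur).bit_length() - 1 if cur else bits
        # Size limit: largest power of two not exceeding the addresses left.
        fit = (end - cur + 1).bit_length() - 1
        host_bits = min(align, fit)
        nets.append(net_cls((cur, bits - host_bits)))
        cur += 1 << host_bits
    return nets


if __name__ == "__main__":
    # The range quoted in the release notes.
    for net in range_to_cidrs("178.163.234.0-178.163.236.89"):
        print(net)
```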

MSSB. Added the ability to set different thresholds for TCP and UDP traffic.
ATLS. Added calculation of ClientHello metrics when countermeasure is disabled.

Added a ClientHello metric collection switch to the countermeasure. This allows the autodetection mechanism to enable other countermeasures based on ATLS metrics, even if the ATLS countermeasure itself is disabled.

RTS. Added viewing of generated rules list.

Now you can view all generated rules, even if they were not applied for filtering.

DNS. Added selection of the transport protocol to which the limit on the number of requests by DNS record type is applied.

Now the specified limitations can be applied only for TCP requests, only for UDP requests, or for both in total.

DNS6. DNS countermeasure added to IPv6 protection policy.

The countermeasure is similar to DNS from IPv4 protection policies, but does not yet support the mode in which ISN parameters are synchronized with the agent on the protected server.

SLOB. Added use of the "Connection Monitoring" function.
RETR. Added use of the "Connection Monitoring" function.
TBL. Added logging of IP addresses put into TBL by a REST API request.

An optional parameter items=true has been added to the request to add IP addresses to the TBL, which allows you to log the list of added IP addresses in the event log “custom” field and send it via syslog.

Incidents. Added protection policy comment.

The expanded incident information now includes the protection policy comment as it was at the time of the incident. The policy comment has also been added to the incident syslog message.

Detect. Added test drop thresholds.

Added auto-detection thresholds *.TestDrop.Policy.{Pps,Bps}.{On,Off} that monitor traffic marked for drop by countermeasures in test mode.

Detect. Added protection policy status thresholds based on Collector data.

Added autodetection thresholds Policy.Status.Flow.Input{Bps, Pps} and Policy.Status.Flow.Drop{Bps, Pps}, which control the protection policy status.

Reports. Added ATLS and DTLS blocking reasons to the incident report.

Information about IP address block reasons from the ATLS and DTLS countermeasures block logs can now be added to the exported incident report.

Reports. The number of event log entries when uploading a report is limited.

The report now displays only the first 50 and last 50 event log entries for the incident duration.

Reports. Added information on data from the collector to exported incident reports.

Added information on data from the collector on incoming and dropped traffic in a table view for Top 10 pps and bps by:

  • source IP;
  • destination IP;
  • protocol-source port;
  • protocol-destination port;
  • source country;
  • source AS;
  • packet length;
  • TCP flags.

There are 32 different tops in total.

Reports. Added graphs of incoming and dropped traffic from the “Collector” tab in the protection policy to exported incident reports.
LOGAN. Added the ability to exclude requests from certain IP addresses from processing.

The allowed-src action has been added to the rules, allowing you to specify prefixes from which requests will not be taken into account by Logan rules.

LOGAN. Added the ability to specify the number of repetitions for rules with request, user-agent and referrer.

Now for rules with request, user-agent and referrer you can specify the number of repetitions for the rule to trigger.

For example:

block 300 request ^POST\s/\s.{8} - will block the source IP the first time it encounters a request matching the regular expression.

block 300 request ^POST\s/\s.{8} limit 3 period 1 - will block the source IP if it detects three requests matching the regular expression in a second.

LOGAN. Added domain resolve management option.

LOGAN DNS RESOLVE available values:

  • none - disables resolving;
  • all - resolving works in all protection policies;
  • crawlers - resolving only works in protection policies with allowed-crawlers.

Default is crawlers.

Web challenger. Added HTTP support.

Web challenger can now process HTTP requests.

sFlow. Added the ability to specify the destination MAC in the sFlow sending parameters.
sFlow. Added separate settings for sending sFlow for traffic from external and internal networks.

You can now configure sFlow to be sent for incoming and dropped traffic coming from the external and internal networks independently and with different sampling parameters.

Collector. "Flow Analysis" redesigned.

The “Traffic” and “Speeds” tabs have been combined into one new “Dashboard” tab.

Users can now create their own dashboard presets, each defining a custom set and layout of widgets.

Widgets can be traffic graphs or tables with statistics in various sections. The user can filter the Flow on which statistics are built in the section widgets.

It is possible not only to choose from pre-installed widgets, but also to create your own.

Also added download of statistics on source IP addresses for a selected interval, taking the entered filters into account.

Collector. "Flow Analysis" tab in the protection policy redesigned.

The display of information from the collector is the same as on the “Flow Analysis” page.

Collector. Added polling of exporter interfaces by the collector via SNMP.

Now the collector can poll the Flow exporter interfaces and display their names, numbers and statuses in the Web interface.

Collector. Added a single loading point for GeoIP databases.

Now the same GeoIP databases by country and ASN are simultaneously loaded onto packet processors and connected collectors. Uploading to collectors occurs automatically and only if both the country database and the ASN database are loaded into MITIGATOR.

Core. Added manual re-initialization of the packet processor.

A button has been added to the instance settings that reloads all settings from the “Primary” database to the packet processor. It should be used to synchronize packet processor settings when a cluster is restored after a collapse.

Core. The operating mode of the dataplane container changed.

Now the dataplane container starts in host network mode by default.

The docker-compose.hostmode.yml file with the basic configuration for Mellanox network cards has been removed; its settings have been moved to docker-compose.yml.

UX. Updated time period filter.

  • The interval selected in the calendar is applied only by clicking the “OK” button.
  • Added the ability to set the display period on charts by specifying a custom number of minutes, hours or days from the current moment.
  • Added the ability to save the selected display period to the clipboard and apply it from the clipboard.

UX. Added test drop graphs to top policies.

Test drop graphs have been added to the “Top Policies” tab of the “Dashboard” page.

UX. Added indication of running packet capture on the policy list page.

Now on the list of protection policies, protection policies that have packet capture running display a PCAP icon.

UX. Added filtering on the incident list page.

Filters by countermeasures, attack type, tags and comments are available.

UX. Added display of traffic rates in the system.

The top panel of the Web interface now displays the rate of incoming, passed, and dropped traffic for the entire cluster. Clicking on the counters opens advanced statistics.

UX. Added visual separation of auto-detection thresholds.

Now blocks of auto-detection thresholds for different countermeasures and mechanisms are separated from each other by an empty line.

UX. Added option to display graphs with gradient fill.

UX. Added traffic rate display according to Collector data on the protection policies list.

The policy list page now displays incoming and dropped traffic rates as measured by Collector.

If the thresholds are exceeded, a dot is displayed next to the rate value.

Added filtering by status, which makes it possible to display only protection policies that exceed the thresholds for incoming or dropped traffic, according to MITIGATOR or Collector data.

Sorting by speed values is also available.

UX. Added current traffic rates display based on Collector data to the protection policy page.

Now the upper left corner of the top panel displays the rates of incoming, passed and dropped traffic according to the packet processor, and of incoming and dropped traffic according to Collector.

UX. BGP page changed.

Now the BGP sections are placed in a separate submenu.