Version v24.08

v24.08 adds VRRP support for L3 router mode, the ability to switch traffic with the TAP interface in the OS, interaction via SNMP, support for JA4 fingerprints, and password policy management; it also improves graph rendering accuracy and data acquisition robustness and includes multiple UX improvements.
The functionality of the VAL, TBL, FRAG, SLOB, ATLS, DNS, SPLI and HCA countermeasures, as well as Collector, Logan and Web Challenger, has been enhanced.

Info

Follow the special instructions to update MITIGATOR to v24.08.

Changes in v24.08.1

Core. Added settings for LACP operation parameters in passive mode.

Parameters for LACP operation in passive mode can now be set in dataplane.conf:

# LACP system ID.
# Set to local MAC address if not specified.
lacp_system_id: <auto-detect>

# LACP port operational key.
# [0, 65535]
lacp_oper_key: 1000

Incidents. Added values for average and maximum traffic dropped by countermeasures.

A table of average and maximum traffic dropped during the incident by each countermeasure has been added to the incident report.

UX. Added export and import of widget presets.

Now, on the “Dashboard” tab of the “Flow Analysis” page and on the “Flow Analysis” tab in the protection policy, you can copy the set and placement of widgets to the clipboard and add a preset from the clipboard. This allows you to share your dashboard configuration with other users.

Changes in v24.08

Deploy. Added VRRP support for Layer 3 router mode.

In L3 router mode, VRRP support is implemented for all connection modes at the physical level:

  • Inline;
  • On a stick;
  • Common LAN.

Deploy. Added the ability to switch traffic with the TAP interface.

The operating system now has a TAP interface available, which receives traffic from dataplane interfaces when switching is enabled. This makes it possible, among other things, to establish a BGP session over a dataplane interface.

VAL. The operation of the countermeasure during checksum validation has been optimized and accelerated.
VAL. Added optional drop for UDP without checksum.
SLOB. Added a graph of connections that passed the initial check.
FRAG. Added processing rules for fragmented packets in IPv4.

Reassembly can now be applied not to all incoming packets, but only to those that match the specified rules; all other fragmented packets are dropped. This allows processing only legitimate fragmented traffic, if it is present in the protected network. The rule syntax is similar to that of the ACL countermeasure, but contains no action on traffic. Because the L4 header is present only in the first fragment, rules must be written with this in mind.

FRAG. Optimized and accelerated packet reassembly.
ATLS. Added a limiter for segmented ClientHellos.
ATLS. Added support for JA4 fingerprints.

ATLS. Added use of the "Connection Monitoring" function.
DNS. The sizes of the whitelist and the allowed list have been increased.
DNS. Added processing of UDP traffic from port 53.
SPLI. Added mode selection for connections with a zero window size.

SPLI. The operation of the countermeasure in "Check only first request" mode has changed.

Expired connections established from an IP address in the first request check mode are now closed by sending RST+ACK. The sending of such packets can be limited.

HCA. Added support for active synchronization.

Now, when active synchronization is configured between packet processors, data from the HCA countermeasure forward and reverse broadcast session tables is synchronized. This allows multiple packet processors to work with a single Web Challenger, for example when traffic to and from the Web Challenger passes through different MITIGATOR instances.

HCA. Added protected domains.

The countermeasure now requires specifying the protected domains configured for the group of challenge servers.

TBL. Added support for adding IP addresses to a named list with the "Temporary" source type.

NamedLists. Added a new source type.

For named lists of IP addresses filled from TBL, you can now select the “Temporary” source type. An IP address stays on this list only for as long as it is in the TBL; when it leaves the TBL, it is removed from the named list. If an IP address is blocked by several TBLs at the same time, for example in different protection policies, it is removed from the named list only when it has left all of them. The algorithm for filling lists with the “Input” source type from TBL is unchanged.
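The membership rule described above, modelled as an added example that is not MITIGATOR's own code: a “Temporary” list keeps a reference count of the TBLs currently holding each address, while an “Input” list only ever accumulates. Class and method names are assumptions for illustration.

```python
from collections import defaultdict


class TemporaryNamedList:
    """'Temporary' source type: an IP is listed only while at least one TBL holds it."""

    def __init__(self):
        # ip -> set of TBL identifiers (e.g. policy names) that currently block it
        self._holders = defaultdict(set)

    def tbl_block(self, tbl_id, ip):
        """A TBL (in some protection policy) has blocked ip."""
        self._holders[ip].add(tbl_id)

    def tbl_release(self, tbl_id, ip):
        """ip has left the given TBL; drop it from the list once no TBL holds it."""
        holders = self._holders.get(ip)
        if holders is None:
            return
        holders.discard(tbl_id)
        if not holders:
            del self._holders[ip]

    def contains(self, ip):
        return ip in self._holders

    def members(self):
        return sorted(self._holders)


class InputNamedList:
    """'Input' source type: addresses are added when blocked and never removed by TBL."""

    def __init__(self):
        self._ips = set()

    def tbl_block(self, tbl_id, ip):
        self._ips.add(ip)

    def tbl_release(self, tbl_id, ip):
        pass  # leaving the TBL does not touch an 'Input' list

    def contains(self, ip):
        return ip in self._ips


def scenario():
    """Constructed sample: one IP blocked by TBLs in two policies, released one at a time."""
    temp, inp = TemporaryNamedList(), InputNamedList()
    ip = "192.0.2.10"  # documentation address, constructed for the example
    for lst in (temp, inp):
        lst.tbl_block("policy-A", ip)
        lst.tbl_block("policy-B", ip)
    temp.tbl_release("policy-A", ip); inp.tbl_release("policy-A", ip)
    after_first = (temp.contains(ip), inp.contains(ip))   # (True, True)
    temp.tbl_release("policy-B", ip); inp.tbl_release("policy-B", ip)
    after_all = (temp.contains(ip), inp.contains(ip))     # (False, True)
    return after_first, after_all
```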

NamedLists. Added support for JA4 fingerprints.

Both JA3 and JA4 are now supported in named TLS fingerprint lists.

NamedLists. Changed the User-Agent used to connect to a named list source via HTTP.
LOGAN. Statistics calculation has been optimized and accelerated.
LOGAN. Added the ability to exclude requests from specific IP addresses from processing for alert rules.

The allowed-src action now also applies to rules with the alert action.

Web challenger. Scenarios with Web-challenger working behind NAT, a firewall and a load balancer are supported.

Web-challenger can now notify all MITIGATOR instances about IP addresses that have passed the challenge via VPN over the mgmt network. Notification over the dataplane network remains available.

BGP. Changed names of some amplification lists.

Some amplification list names have been changed to bring them in line with a single template:

Before                                                      Now
system.policy.flowspec.blackhole.rules.hpd.ips              system.policy.flowspec.blackhole.hpd.ips.rules
system.policy.flowspec.blackhole.rules.ips                  system.policy.flowspec.blackhole.ips.rules
system.policy.flowspec.signaling.rules.hpd.ips              system.policy.flowspec.signaling.hpd.ips.rules
system.policy.flowspec.signaling.rules.ips                  system.policy.flowspec.signaling.ips.rules
system.policy.flowspec.amplification.ip_fragment.prefixes   system.policy.flowspec.amplification.ipfragment.ips
system.policy.flowspec.amplification.ip_fragment.ips        system.policy.flowspec.amplification.ipfragment.prefixes
system.policy.flowspec.amplification.mssql_rs.prefixes      system.policy.flowspec.amplification.mssqlrs.ips
system.policy.flowspec.amplification.mssql_rs.ips           system.policy.flowspec.amplification.mssqlrs.prefixes

Syslog. The mechanism for sending syslog messages about dropped packets has been optimized and accelerated.
Active Sync. Added the ability to specify a destination MAC.

You can now specify the MAC address of the instance that receives synchronization messages, for the case where the source and destination instances are on the same L2 network segment.

Collector. Added separation of exporter IP addresses for Flow and SNMP reception.

When configuring an exporter, you can now specify different IP addresses for receiving Flow from it and for receiving SNMP.

Collector. The settings for traffic collectors are placed in a separate item in the main menu.

Collector. Added flow graphs on connected collectors and performance graphs.

Collector. Expanded statistics on exporter interfaces.

Complex speeds have been added on the “Dashboard” tab of the “Flow Analysis” page and on the “Flow Analysis” tab in the protection policy:

  • Flow exporter IP + Ingress interface
  • Flow exporter IP + Egress interface

Also, the “Exporter” field has been added to the “Ingress interface” and “Egress interface” widgets.

Incidents. Added statistics on drops from Flow.

Incidents now display statistics on drops received from Collector. Also, statistics in packets and bits are now displayed simultaneously.

SNMP. Added receiving metrics via SNMP.

MITIGATOR can now send metrics via SNMP. For the mechanism to work, enable sending in the “Common Settings” panel of the “Settings” page.

Setting up receiving statistics from SNMP agent.

Graph. Changed graph storage scheme.

Info

A migration is required. See the special instructions.

Precomputed speed (change per second) is now stored instead of cumulative counters. This increases the accuracy of graph values rendered for time ranges in the past and reduces the risk of data point loss caused by network issues between cluster nodes.

Docker. Docker Compose v2 is now supported.
Users. Added password policy management.

System administrators can now configure password policies for user accounts.

UX. "Settings" and "Instances" pages changed.

Now the sections of the “Settings” and “Instances” pages are placed in a submenu.

UX. Added display of autodetection thresholds in countermeasure.

Now, when you click the gear next to the autodetection switch in the protection policy countermeasures, you can see which autodetection thresholds are set for it. In the same window you can change the set of thresholds and their values. To apply the changes, click the button with a checkmark.

UX. "sFlow Generation" panel changed.

sFlow sending settings for IPv4 and IPv6 are now displayed on the same tab. It is also possible to apply uniform sFlow sending settings regardless of the IP protocol version, similar to sending information about drops via syslog.

UX. Added tooltips for widget control icons in Flow Analysis.

Now, on the “Dashboard” tab of the “Flow Analysis” page and on the “Flow Analysis” tab in the protection policy, hovering over the widget control icons shows tooltips describing each icon's purpose.

UX. Added a set of default widgets.

The “Dashboard” tab of the “Flow Analysis” page and the “Flow Analysis” tab in the protection policy now display a basic set of widgets.

UX. Added graphs of traffic received from challenge servers.

Graphs of traffic from Web Challenger, generated when it works through the management interface, have been added to the “Active Sync” tab of the “System State” page.

UX. Added the ability to reduce the countermeasure list area in the protection policy.

This makes graphs easier to view on small screens.