Version v25.06
Follow the special instructions to update MITIGATOR to v25.06.
Version v25.06 adds: monitoring objects, flow accounting rules in protection policies, service analyzer, new TCP6 and LCON6 countermeasures, thresholds auto-tuning in countermeasures, forced leadership change button.
Enhanced functionality of countermeasures TBL, TBL6, TWL, TWL6, CRB, CRB6, LCON, RETR, TCP, MINE, SLOB, ATLS, HTTP, DNS, FRB, SERB, SORB, SORB6, BPF, USF, NCL, NCL6, HCA, and also BGP, incidents, named lists, Logan, Collector, WebC and Active Sync.
Multiple UX improvements made.
Changes in v25.06
MO. Monitoring objects added.
In addition to the principle of flow association with protection policies by routing rules, a new principle of traffic association with monitoring objects is introduced.
Within the monitoring object, traffic statistics are calculated for detection and visualization purposes.
The fundamental differences between associating a flow with a monitoring object and with a protection policy are that:
- a flow can be associated with only one protection policy, but with several monitoring objects. For example, if different monitoring objects describe an AS, a prefix in it, a host and a service, then the traffic of a connection to the service can be accounted for in all four monitoring objects;
- the order in which association rules (routing rules) are specified matters for policies, but not for monitoring objects;
- for monitoring objects, there are the concepts of network boundaries and the flow deduplication procedure.
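The two association principles above, as an added illustrative model (not MITIGATOR code): ordered routing rules where the first match selects exactly one policy, versus an unordered set of monitoring objects where every matching object counts the flow. The object names, prefixes and the flow are constructed for the example.

```python
# Illustrative model of the two association principles (added example, not MITIGATOR code).
# Protection policy: ordered routing rules, first match wins, at most one policy per flow.
# Monitoring objects: unordered descriptors, a flow is counted in every object it matches.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class RoutingRule:
    """Ordered rule: the first rule whose destination prefix matches picks the policy."""
    dst_prefix: str
    policy: str


@dataclass
class MonitoringObject:
    """Unordered descriptor: prefix plus optional protocol/port (constructed attributes)."""
    name: str
    dst_prefix: str
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        if ip_address(flow.dst) not in ip_network(self.dst_prefix):
            return False
        if self.proto is not None and self.proto != flow.proto:
            return False
        if self.dport is not None and self.dport != flow.dport:
            return False
        return True


def select_policy(rules: List[RoutingRule], flow: Flow) -> Optional[str]:
    """First-match lookup: rule order matters, one (or no) policy results."""
    for rule in rules:
        if ip_address(flow.dst) in ip_network(rule.dst_prefix):
            return rule.policy
    return None


def select_monitoring_objects(objects: List[MonitoringObject], flow: Flow) -> Set[str]:
    """All-match lookup: order is irrelevant, every matching object counts the flow."""
    return {obj.name for obj in objects if obj.matches(flow)}


# Constructed sample rules: overlapping prefixes, so the listed order decides the policy.
RULES = [
    RoutingRule("192.0.2.0/25", "web-policy"),      # more specific, listed first
    RoutingRule("192.0.2.0/24", "default-policy"),
]

# Constructed sample objects: an AS, a prefix in it, a host and a service, as in the text.
OBJECTS = [
    MonitoringObject("AS64496", "192.0.2.0/24"),
    MonitoringObject("prefix-25", "192.0.2.0/25"),
    MonitoringObject("host-10", "192.0.2.10/32"),
    MonitoringObject("https-on-host-10", "192.0.2.10/32", proto="tcp", dport=443),
]


def classify(flow: Flow):
    """Return (the single policy, the set of all monitoring objects) for a flow."""
    return select_policy(RULES, flow), select_monitoring_objects(OBJECTS, flow)


if __name__ == "__main__":
    f = Flow("198.51.100.7", "192.0.2.10", "tcp", 443)
    policy, objs = classify(f)
    print("policy:", policy)                          # exactly one policy
    print("monitoring objects:", sorted(objs))        # all four objects
    # Reversing the routing rules changes the policy; reversing the objects changes nothing.
    print("reversed rules:", select_policy(RULES[::-1], f))
    print("reversed objects:", sorted(select_monitoring_objects(OBJECTS[::-1], f)))
```

Reversing `RULES` makes the less specific `/24` rule win, which is why rule order is a configuration concern for policies; reversing `OBJECTS` leaves the result unchanged.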
Added mechanisms for automatic classification of interfaces and network boundaries definition.
Policy. Added threshold auto-tuning in protection policy countermeasures.
To solve the problem of setting thresholds that do not affect the passage of legitimate traffic, a mechanism for threshold auto-tuning in protection policy countermeasures has been added.
When auto-tuning is launched, the countermeasure is enabled in test mode, and the function of adding IP addresses to the temporary blocking list of the TBL countermeasure is disabled.
Then the mechanism tunes the threshold values.
After the auto-tuning is complete, the threshold values can be applied manually or automatically.
The mechanism is supported in CRB, CRB6, LCON, LCON6, FRB, SERB, SORB, SORB6, NCL, NCL6 countermeasures.
Policy. Added flow accounting rules in protection policies.
Now in the protection policy, using FlowDesc rules, you can describe which flows should be processed (accept) and which ones should be ignored (ignore) in counters and detection.
For example, in this way the operator can describe from which interface and in which direction a flow must arrive to be taken into account in policies.
TBL. Added filtering by prefix when downloading the TBL log.
It is now possible to export the contents of the TBL block log with a prefix filter.
TBL6. Added filtering by prefix when downloading the TBL6 log.
TCP6. Added TCP countermeasure to IPv6 protection policies.
LCON6. Added LCON countermeasure to IPv6 protection policies.
ATLS. Added optional filter by TLS record version.
Now in the countermeasure you can specify a list of allowed versions separately for TLS Handshake and other TLS records.
HTTP. Added mode of operation with redirection to HTTPS.
Added mode for redirecting HTTP request to HTTPS. Redirection can be performed either after completing any challenge or without it.
DNS. Added nxdomain response mode for requests to domains not on the allowed lists.
An option has been added that, when activated, will send nxdomain in response to requests for domain names that are not in the allowed list or the learning list.
Multi. Added a button to change the leader.
Added a button to force a change of Backend leadership. The button works similarly to the existing API request.
Active Sync. Added periodic GARP sending.
For correct operation of sending MDP traffic in L2 modes of network integration, periodic sending of Gratuitous ARP packets to the internal or external network has been added.
Incidents. Added filtering of incidents list by maximum drop rate.
Now in the list of incidents you can apply filtering by the maximum drop rate in packets and bits per second.
EventLog. Added logging of changes to routing rules.
Now when you create, delete, change the contents of a routing rule, or change the order of rules, the changes made are displayed in the Details field of the event log.
Journals. Added data retention setting for routing rules change log.
BGP. Added default IPv6 next-hop.
Now in the neighbor settings you can specify the default next-hop for the IPv6 protocol.
BGP. Added environment variable to disable IPv6 listening in BGP.
Added environment variable BACKEND_BGP_DISABLE_IPV6, which can be used to disable IPv6 listening in BGP.
services:
  backend:
    ...
    environment:
      BACKEND_BGP_DISABLE_IPV6: "true"
NamedACL. Added the ability to create and manage named sets of filtering rules in a group.
Now on the Group page, in the Named ACL Rule Sets submenu item, group users can create lists of rules and independently manage their contents.
The maximum number of lists in a group can be limited in the group settings.
Rights. Added separate rights to BGP.
Added independent read and write permissions for different pages of the BGP section. By default, the system user does not have BGP permissions set.
Rights. Added the ability to view the named list usage table for a group user.
Now a group user can see which of their policies and countermeasures use system IP address and TLS fingerprint lists, as well as named rule sets.
Core. Updated DPDK to v25.03.
Core. Changed the count of system internal router drops.
To simplify debugging, the Router Discard counter has been split into two: Input Router Discard and Output Router Discard.
The Input Router Discard graph now displays L3 routing discards of incoming packets and invalid LACP packets.
The Output Router Discard graph now displays L3 routing discards of outgoing packets.
Docker. Container deployment parameters have been changed to meet CIS Benchmarks requirements.
Web challenger. Added disabling of Web challenger availability check by mgmt.
In v25.02, a periodic poll of challengers was added to check mgmt availability. In case of failure, the HCA countermeasure did not forward traffic to challengers from which no response was received. Now this check can be disabled for cases when the redirection in the HCA countermeasure is performed not on the Web challenger, but on third-party L7 protection systems.
Collector. Added service analyzer to Flow Analysis.
Now on the “Flow Analysis” page and on the “Flow Analysis” tab in the protection policy, it is possible to download reports on the traffic of the protected network, which helps in setting up protection by identifying services in the protected network. The mechanism of operation and types of reports are similar to Service Analyzer on psg.mitigator.ru, but the data for building statistics is taken from Collector.
Export of reports analyzing protected services by various criteria is performed in the same place where data on sessions, source IP addresses, Flow volume from exporters and other previously existing reports are downloaded. For ease of use, the downloaded report is now selected in a modal window instead of a drop-down list.
Collector. Added widgets for rate graphs by monitoring object accounting domains.
Added graphs of inbound and outbound traffic rates by accounting domains. A flow crossing the network boundary can be accounted for in one of two domains: a and b. The domain is determined by the flow fields and by the location of the monitoring object (OM) relative to the boundary of its network.
The network boundary and attributes of the monitoring object must be configured so that for inbound OM traffic the flow pickup point is the last one before the traffic crosses the network boundary, and for outbound traffic it is the first one.
Thus, flow deduplication is not required in domain a.
Domain b takes into account all other flow crossings of the network boundary of the monitoring object, so flow can be duplicated in domain b.
There are 4 widgets available:
- inbound traffic in domain a,
- inbound traffic in domain b,
- outbound traffic in domain a,
- outbound traffic in domain b.
You can also select any of these fields in the complex rates widgets.
Collector. Added support for monitoring object accounting domains in Flow Analysis filters.
Now in the filter of the Flow Analysis page and on the Flow Analysis tab in the protection policy, you can specify a filter on monitoring object accounting domains.
Collector. Added support for protocol names in Flow Analysis filters.
Now in the filter of the Flow Analysis page and on the Flow Analysis tab in the protection policy, you can specify protocol names: icmp, icmp6, udp, tcp.
Collector. The Policy ID graph widget has been modified.
The Policy ID graph widget in Flow Analysis has been renamed to Protection Policy. The graph legend now displays the policy name instead of the ID.
Collector. Added filter by flow accounting mark.
If flow accounting rules are set for protection policies, you can filter statistics on the Flow Analysis page by accounting mark.
Collector. Added the flow accounting mark to the policy widget.
LOGAN. Logan has been optimized and accelerated.
UX. The interface appearance settings tab in the profile has been changed.
Now the interface theme, graph fill and content alignment settings are applied immediately when you select the corresponding radio button and do not require confirmation.
UX. The filter selection window for flow on drops has been changed.
On the Flow Analysis page and on the Flow Analysis tab in the protection policy, the window for selecting filters for flow on drops has been changed. Now the setting is performed directly in the filter field without an additional modal window.
UX. The Signaling page has been changed.
Now the sections of the Signaling page are moved to a submenu.
UX. Added 95th percentile to graph legend.
Now the legend of all graphs has an additional column that displays the 95th percentile value for the curve.
UX. Added total traffic for the interval.
Now, the legend of all graphs has an additional column that displays the amount of traffic for the selected period.
UX. Added the ability to display only one curve on the graph by click.
Now if you click on the name of a curve while holding down the Ctrl key, all other curves on the graph will be hidden.
UX. Added collapsing of long prefix lists displayed in routing rules.
Now the Source Prefix and Destination Prefix fields in the routing rule display only prefixes that fit in 200 characters. To expand the full list, click on the spoiler in a specific rule or on the expand icon for all rules in the rules table header. Searching the page via Ctrl+F works even for hidden prefixes.
UX. Changed the pop-up message that appears when checking for inclusion in the list.
Some countermeasures have the functionality of checking whether an IP address is included in a list or table. Now, the pop-up message that appears when you click the Check button displays not only information about the presence of an IP address in the list, but also an indication of cluster instances.
The changes affected the countermeasures TWL, TBL, MCR, RETR, TCP, MINE, SLOB, HTTP, DNS, BPF, USF, HCA.
UX. Modal windows for selecting protection policies from the list have been changed.
Now the list controls are always visible, even if there are many protection policies.
UX. Added named lists viewing when specified in a countermeasure.
When specifying a named list in WL and BL countermeasures, an additional tooltip now appears with information about the number of records, source type, and update time. Pressing the right arrow key on the keyboard expands the full information on the named list.
Config. Added the ability to set different addresses for containers and clients to access the host.
Previously, the MITIGATOR_HOST_ADDRESS variable in the .env file was used both to communicate between containers and the host, and as the instance address to which API and UI clients were redirected.
Now the address for API and UI clients is specified in the MITIGATOR_PUBLIC_ADDRESS variable.
It is recommended to set MITIGATOR_HOST_ADDRESS to an IP address, so that DNS issues do not affect container communication.
MITIGATOR_PUBLIC_ADDRESS can be set to an IP address or a domain name.
If MITIGATOR_PUBLIC_ADDRESS is the same as MITIGATOR_HOST_ADDRESS, the old behavior remains.
The procedure for adding the MITIGATOR_PUBLIC_ADDRESS variable is described in the special instructions.
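A small pre-upgrade check of the two address variables, as an added example that is not part of MITIGATOR or its special instructions. It parses .env-style text, flags a MITIGATOR_HOST_ADDRESS that is not an IP literal (the recommendation above), checks that MITIGATOR_PUBLIC_ADDRESS is an IP address or a domain name, and notes when the two are equal (old behavior). The .env contents and the hostname pattern are constructed for the example.

```python
# Added example (not MITIGATOR code): sanity check of MITIGATOR_HOST_ADDRESS and
# MITIGATOR_PUBLIC_ADDRESS in a .env file before applying the v25.06 update.
import ipaddress
import re
from typing import Dict, List

# Constructed hostname pattern: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)

# Constructed sample .env contents.
SAMPLE_ENV = """
# MITIGATOR instance addresses
MITIGATOR_HOST_ADDRESS=10.0.0.5
MITIGATOR_PUBLIC_ADDRESS="mitigator.example.net"
"""


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; skip blanks and comments; strip surrounding quotes."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env


def is_ip_literal(value: str) -> bool:
    """True for a valid IPv4 or IPv6 address literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def review_addresses(env: Dict[str, str]) -> List[str]:
    """Return findings about the two variables; an empty list means nothing to fix."""
    findings: List[str] = []
    host = env.get("MITIGATOR_HOST_ADDRESS")
    public = env.get("MITIGATOR_PUBLIC_ADDRESS")
    if not host:
        findings.append("MITIGATOR_HOST_ADDRESS is missing")
        return findings
    if not is_ip_literal(host):
        # Recommendation from the release notes: use an IP so DNS cannot break container traffic.
        findings.append("MITIGATOR_HOST_ADDRESS should be an IP address, not a name: %s" % host)
    if public is None:
        findings.append("MITIGATOR_PUBLIC_ADDRESS is not set; add it per the special instructions")
    elif not (is_ip_literal(public) or HOSTNAME_RE.match(public)):
        findings.append("MITIGATOR_PUBLIC_ADDRESS is neither an IP address nor a domain name: %s" % public)
    elif public == host:
        findings.append("MITIGATOR_PUBLIC_ADDRESS equals MITIGATOR_HOST_ADDRESS: old single-address behavior remains")
    return findings


if __name__ == "__main__":
    for finding in review_addresses(parse_env(SAMPLE_ENV)) or ["addresses look fine"]:
        print(finding)
```

Run it against a copy of the real .env before the update; the "equals" finding is informational, the other findings point at values worth changing.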