MITIGATOR Installation

All files are supposed to be placed in the /srv/mitigator working directory:

mkdir -p /srv/mitigator
cd /srv/mitigator

1. Docker Compose

  1. Place base Docker Compose configuration in the working directory:


    For Mellanox network cards you need to use other base configuration:

    wget -O docker-compose.yml
  2. Download base variable file and save it as .env:

    wget -O /srv/mitigator/.env
  3. In the .env file, specify:

    • System version (VERSION).
    • The microarchitecture of the processor from the list specified in the (ARCH) example file.
    • The maximum number of IPv4 protection policies (DATA_PLANE_NR_POLICIES).
    • The maximum number of IPv6 protection policies (DATA_PLANE_NR_POLICIES_IPV6).
    • Instance name in the cluster (MITIGATOR_OWN_NAME, required).
    • External address of MITIGATOR (MITIGATOR_HOST_ADDRESS, required).
    • Proxy for the license server (, mail notifications and the Vestochka service.
    • Time zone (TZ).
    • Token for interaction between the backend and the detection subsystem (TOKEN). The .env file is set to TOKEN by default. It is required to change it.

These settings are described in detail inside the example file.

2. Packet processor

Processor architecture

For maximum performance of MITIGATOR, you need to use a build that is optimized for the architecture and instruction set of the target machine’s CPU.

The .env file must contain a line like this:


Available options:

  • nehalem - CPUs with SSE4.2 support,
  • haswell - modern CPUs with AVX2 support.

You can find your CPU in the Intel catalog, the microarchitecture is indicated in the line Code Name.

Processing parameters

You need to create a data-plane.conf file that describes the launch options for the packet processor:

touch data-plane.conf

The configuration file is empty by default. You only need to edit it if you need to specify settings other than those automatically selected. Settings description.

Port selection

Ports in an application are called ext0, int0, ext1, int1, and so on. ext - ports of the external network, int - ports of the internal (protected) network. Combined into ext-int pairs by index in the name. ext-int port pairs are used to route traffic in an «inline» connection scheme. In the «on-a-stick» scheme, ext-int pairs are not used and can be anything.

If no ports are specified in the settings, all ports on the system available to DPDK are used. In this case, the ports are listed according to the ascending order of their PCI addresses. ext-int port pairs are formed only for ports from a shared NUMA node.

If the default port listing order does not match the physical connection of the links, or if you want to limit the list of ports used, you can explicitly configure the ports:

ext0: 04:00.1
int0: 04:00.0
ext1: 84:00.1
int1: 84:00.0

3. Binding drivers to network ports

Before starting MITIGATOR, the network ports assigned to it must be controlled by the driver chosen during system preparation.

For systems running systemd, bind before starting the MITIGATOR service (see next section).

  • Download the binding script and make it executable:

    wget -O /usr/local/bin/dpdk-devbind
    chmod +x /usr/local/bin/dpdk-devbind
  • Create /etc/systemd/system/mitigator.service.d directory:

    mkdir -p /etc/systemd/system/mitigator.service.d

    In it, place a nics.conf file of the following form:

    ExecStartPre=/usr/local/bin/dpdk-devbind -b vfio-pci 04:00.0 04:00.1 84:00.0 84:00.1

    Change the driver and PCI addresses to the required ones.

4. Downloading images and launching

MITIGATOR is started with the docker-compose up -d command.

For systems running systemd, you need to configure a ready service:

  • Place Mitigator service file:

    wget \
        -O /etc/systemd/system/mitigator.service
  • Configure MITIGATOR autorun:

    systemctl enable mitigator
  • When you first start or update, you need to log in to the image store with your credentials::

    docker login
  • Launch MITIGATOR:

    systemctl start mitigator

    It will take some time for the images to load on the first run. The process can be observed in the output of docker-compose logs -f or, for systemd:

    journalctl -u mitigator -f

    After some time, the MITIGATOR web-interface will be available at the address of the control interface.

After installation and launch, configure the system for stable and secure operation.