Attack detection using Collector

Collector is currently in beta testing and active development.

For all comments and suggestions, please write to support.

Scenario Overview

Collector lets you detect attacks without first directing traffic through MITIGATOR, and then enable protection for individual policies (protected resources).

Autodetection provides two main features:

  • Enable and disable countermeasures depending on the policy's traffic as reported by the flow sources.
  • Assign and withdraw BGP announcements that direct the policy's traffic through MITIGATOR.

Global MITIGATOR countermeasures can be enabled and disabled by thresholds tied to counters on device interfaces, and by combinations of such thresholds.

This is advanced functionality and is currently not available from the web interface.

Interaction settings

For integration, you need a working MITIGATOR and a Collector that receives flow from network devices. Scheme of interaction with default parameters:

Collector Setup

All settings are made through environment variables, which are set in the .env file. The picture and listing show the same default values:

COLLECTOR_NETFLOW_V5_PORT=9555
COLLECTOR_NETFLOW_V9_PORT=9995
COLLECTOR_IPFIX_UDP_PORT=4739
COLLECTOR_IPFIX_TCP_PORT=4739
COLLECTOR_SFLOW_PORT=6343

COLLECTOR_CLICKHOUSE_ADDRESS=clickhouse.mitigator:9000

COLLECTOR_METRICS_PORT=50054
COLLECTOR_API_PORT=50055

The port for IPv6 traffic is set automatically to the IPv4 port plus one; for example, NetFlow v5 uses port 9556 for IPv6 by default.

MITIGATOR Setup

On the MITIGATOR side, the list of Collector instances is configured via the web interface or the API. For example, to match the parameters shown in the picture, specify the address collector-backend.mitigator and port 8853.