TCP Protection with ISN Synchronization
MITIGATOR has a TCP protection mode with ISN synchronization in which the connection is not interrupted once the client has been verified, so filtering is transparent to the client and convenient to operate. To use it, install on the protected server a kernel module that provides the necessary information, and a synchronization agent that the MITIGATOR system polls.
Module code: https://github.com/ddos-mitigator/tcpsecrets.
System requirements:
- MITIGATOR v20.12.0 or higher.
- On the protected server: Linux kernel 4.13 or higher (shown by the uname -r command).
- The time on the protected server and MITIGATOR must be synchronized. In practice this means that NTP must be configured on both servers.
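The two server-side prerequisites above (kernel version and clock synchronization) can be checked before installing anything. The following script is an added example, not part of the MITIGATOR documentation or the tcpsecrets project: it parses the output of uname -r and compares it as integers against the documented minimum of 4.13 (a plain string comparison would wrongly accept 4.9, since "9" sorts after "1"), and on systemd hosts reads the NTPSynchronized property of timedatectl show, which is assumed to be available (systemd 239 and later); on other NTP setups replace that check with your daemon's status command.

```python
"""Preflight check for the ISN-synchronization prerequisites.

Added example, not MITIGATOR's own code. Assumes `uname -r` and, for the
clock check, `timedatectl show` (systemd) are available on the server.
"""
import re
import subprocess

MIN_KERNEL = (4, 13)  # documented minimum for the kernel module


def parse_kernel_version(uname_r: str) -> tuple:
    """Extract (major, minor) from a `uname -r` string such as
    '5.15.0-91-generic' or '4.13.0-rc1'. Comparing integer tuples avoids
    the string-comparison trap where '4.9' would sort after '4.13'."""
    m = re.match(r"(\d+)\.(\d+)", uname_r.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {uname_r!r}")
    return int(m.group(1)), int(m.group(2))


def kernel_supported(uname_r: str, minimum=MIN_KERNEL) -> bool:
    """True if the running kernel meets the documented minimum."""
    return parse_kernel_version(uname_r) >= minimum


def ntp_synchronized(timedatectl_output: str) -> bool:
    """Interpret `timedatectl show` output (key=value lines) and report
    whether systemd considers the clock NTP-synchronized."""
    props = dict(
        line.split("=", 1)
        for line in timedatectl_output.splitlines()
        if "=" in line
    )
    return props.get("NTPSynchronized", "").strip().lower() == "yes"


def main() -> int:
    """Run both checks on the local host; exit status 1 if any fails."""
    ok = True
    uname_r = subprocess.run(
        ["uname", "-r"], capture_output=True, text=True, check=True
    ).stdout.strip()
    if kernel_supported(uname_r):
        print(f"kernel {uname_r}: OK")
    else:
        print(f"kernel {uname_r}: too old, need >= {MIN_KERNEL[0]}.{MIN_KERNEL[1]}")
        ok = False
    try:
        out = subprocess.run(
            ["timedatectl", "show"], capture_output=True, text=True, check=True
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("timedatectl unavailable: verify NTP synchronization manually")
    else:
        if ntp_synchronized(out):
            print("NTP: synchronized")
        else:
            print("NTP: not synchronized; configure NTP before enabling ISN sync")
            ok = False
    return 0 if ok else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it as an unprivileged user on the protected server; a non-zero exit status means one of the documented prerequisites is not met and the agent should not be installed yet.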
Installation of the kernel module and service (sync agent)
On the protected server running Debian or Ubuntu:
wget -O- https://docs.mitigator.ru/v23.08/dist/mitigator-agent | sh
The script downloads the source code of the module from GitHub and installs the module into the system.
If a firewall is used, TCP connections to port 7100 must be allowed.
The administrator of the MITIGATOR system will provide a public key of the following form:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDO7P4aiE3fgdsVieFiFaUKjU54yFpU9FdiimsFHd6eZ mitigator1
Here mitigator1 is the name of the MITIGATOR instance in the cluster.
The key must be added to the file /opt/mitigator_agent/keys:
head -1 >> /opt/mitigator_agent/keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDO7P4aiE3fgdsVieFiFaUKjU54yFpU9FdiimsFHd6eZ mitigator1
The head -1 command reads one line from standard input, so paste the key on the following line and press Enter; it is then appended to the file.
The mitigator1 tag is optional, but it helps to identify in the logs which instance was polling the agent.
The installation script on this page is completely safe. In general, it is dangerous to run wget -O- https://… | sh as root. Feel free to download the file and study it before running it.
Configuration via Web UI
The mechanism requires a list of servers running synchronization agents. Server IP addresses are listed one per line. When a client connects via MITIGATOR to an IP address from the list, the session parameters are generated from the data acquired from the agent at that IP address.
Sometimes the management interface IP address used to access the agent differs from the IP addresses of the protected services accessed via MITIGATOR. In this case, service IP addresses can be specified on the same line. For example, 192.0.2.1(192.0.2.3,192.0.2.4) means that session parameters for 192.0.2.1, 192.0.2.3, and 192.0.2.4 will be generated based on the data acquired from the agent at 192.0.2.1. Whitespace, empty lines, and comments starting with the # character are ignored in the settings text box.
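The rules for the agent-list text box (one agent address per line, optional service addresses in parentheses, whitespace and empty lines ignored, # starting a comment) are small enough to validate before pasting them into the Web UI. The parser below is an added example and is not MITIGATOR's own code: it builds the mapping from each service IP to the agent whose data its session parameters are derived from, rejects anything that is not a valid IP address, and refuses a service IP that two lines assign to different agents, since that is the kind of typo that would otherwise silently change which agent's data is used. The sample text box content is constructed for the example.

```python
"""Parser for the ISN-synchronization agent list.

Added example, not MITIGATOR's own code. Applies the documented rules:
one agent IP per line, optional service IPs in parentheses, '#' comments,
whitespace and empty lines ignored. Result: {service_ip: agent_ip}.
"""
import ipaddress
import re

# agent address, then optionally "(svc, svc, ...)"; whitespace inside is tolerated
_LINE_RE = re.compile(r"^(?P<agent>[^\s(]+)\s*(?:\((?P<services>[^)]*)\))?$")


def _ip(text: str, lineno: int) -> str:
    """Normalise an IPv4/IPv6 literal or raise with the offending line number."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        raise ValueError(f"line {lineno}: {text.strip()!r} is not an IP address") from None


def parse_agent_list(text: str) -> dict:
    """Return {service_ip: agent_ip}. An agent always covers its own address."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comment and surrounding whitespace
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        agent = _ip(m.group("agent"), lineno)
        services = [agent]
        if m.group("services") is not None:
            services += [_ip(s, lineno) for s in m.group("services").split(",") if s.strip()]
        for svc in services:
            if svc in mapping and mapping[svc] != agent:
                raise ValueError(
                    f"line {lineno}: {svc} is already assigned to agent {mapping[svc]}"
                )
            mapping[svc] = agent
    return mapping


# Constructed sample of what an operator might paste into the text box.
SAMPLE = """
# web frontends: agent reachable only on the management address
192.0.2.1(192.0.2.3, 192.0.2.4)

198.51.100.7           # single host, service and agent share the address
"""

if __name__ == "__main__":
    for svc, agent in sorted(parse_agent_list(SAMPLE).items()):
        print(f"{svc:<16} -> session parameters from agent {agent}")
```

Running the script prints the resolved mapping for the constructed sample; feeding it the real text box content before saving the setting catches malformed or conflicting lines up front.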
Every policy countermeasure that can use synchronized ISN has a relevant option in its settings.
Synchronization agent update
Run the install command again. The configured keys are preserved.
Uninstalling the sync agent
Run sh mitigator-agent -d.