TCP Protection with ISN Synchronization

MITIGATOR has a TCP protection mode with ISN synchronization, in which after checking the client, the connection is not interrupted, filtering is transparent and convenient. To do this, you need to install a kernel module on the protected server, that will provide the necessary information, and a synchronization agent that will be polled by the MITIGATOR system.

Module code: https://github.com/ddos-mitigator/tcpsecrets.

System requirements:

  • MITIGATOR v20.12.0 or higher.

  • On the protected server: Linux kernel 4.13 and higher (Shown by uname -r command).

  • The time on the protected server and MITIGATOR should be synchronized. Practically this means that NTP must be configured on both servers.

Installation of the kernel module and service (sync agent)

On the protected server running Debian or Ubuntu:

wget -O- https://docs.mitigator.ru/v23.12/dist/mitigator-agent | sh

The script downloads the source code of the module from GitHub and installs the module into the system.

If a firewall is used, TCP connections to port 7100 must be allowed.

The administrator of the MITIGATOR system will provide a public key of the following form:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDO7P4aiE3fgdsVieFiFaUKjU54yFpU9FdiimsFHd6eZ mitigator1

Here mitigator1 is the name of the MITIGATOR instance in the cluster.

The key must be added to the file /opt/mitigator_agent/keys:

head -1 >> /opt/mitigator_agent/keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDO7P4aiE3fgdsVieFiFaUKjU54yFpU9FdiimsFHd6eZ mitigator1

The mitigator1 tag is optional, but it helps to identify in the logs which instance was polling the agent.

Info

The installation script on this page is completely safe. In general, it is dangerous to run wget -O- https://… | sh as root. Feel free to download the file and study it before running.

Configuration via Web UI

The mechanism requires a list of servers running synchronization agents. Server IP addresses are listed one per line. When a client connects via MITIGATOR to an IP address from the list, the session parameters are generated based on the data acquired for the agent at that IP address.

Sometimes the management interface IP address used to access the agent differs from IP addresses of the protected services accessed via MITIGATOR. In this case, service IP addresses can be specified on the same line. For example, 192.0.2.1(192.0.2.3,192.0.2.4) means that session parameters for 192.0.2.1, 192.0.2.3, and 192.0.2.4 will be generated based on the data acquired from the agent at 192.0.2.1.

Whitespace, empty lines, and comments starting with # character are ignored in the settings text box.

ISN synchronization settings ISN synchronization settings

Every policy countermeasure that can use synchronized ISN has a relevant option in its settings.

Synchronization agent update

Run the install command again. The configured keys will be saved.

Uninstalling the sync agent

Run sh mitigator-agent -d.