Hi all,
I have an nscrub setup on an LTS16. The config is routing/asymmetric
mode. I have a few problems and questions:
- When I stop nscrub the nscrub-VM is left in a crippled state where it
can't even ping IPs that are on connected interfaces (e.g. the gateway).
Why is that? How can I avoid this?
- The white/black/gray dynamic lists are always empty when mitigating
even when nscrub drops attack packets. I'm reading with
attackers?target_id=pc\&action=list\&profile=black\&list=dynamic
- When pinging from the internet a host defined as a target in nscrub, I
can see many packets are delayed.
64 bytes from x.y.z.130: icmp_seq=1 ttl=125 time=2.42 ms
64 bytes from x.y.z.130: icmp_seq=2 ttl=125 time=3002 ms
64 bytes from x.y.z.130: icmp_seq=3 ttl=125 time=2002 ms
64 bytes from x.y.z.130: icmp_seq=4 ttl=125 time=1002 ms
64 bytes from x.y.z.130: icmp_seq=5 ttl=125 time=3.09 ms
This also happens when the target is in bypass enabled mode. Why does this
happen and how can I avoid it?
- UDP packets are dropped even when I have default action "drop
disable". Is this a bug? See the snippet below, where I try to disable
udp/src/53/drop. It accepts the command but there is no result.
root@nscrub:~# nscrub-export all
target pc profile DEFAULT udp src 53 drop enable
root@nscrub:~# curl -u admin:admin
http://127.0.0.1:8880/profile/udp/src/53/accept?target_id=pc\&profile=default\&action=disable
{ "envelope_ver": "1.0", "hostname": "katharistis", "epoch": 1512284852,
"status": 200, "description": "OK", "data": { "function":
"\/profile\/udp\/src\/53\/accept", "return": "success" } }root@nscrub:~#
root@nscrub:~# nscrub-export all
target pc profile DEFAULT udp src 53 drop enable
- What is the suggested config for mitigating DNS attacks? The victim
still needs to be able to do DNS requests and get the answers. Keep in
mind that nscrub does not see the DNS requests from the victim (asymmetric mode).
- Are the mitigation capabilities of nscrub efficient when I redirect an
attacked IP through nscrub in real time, or does nscrub need time to profile
a "first seen IP" before mitigating attacks?
- As far as I understand, nscrub tests IPs using some algorithms and
classifies the IPs into the white/black/grey list. Is that right?
Sp
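For the UDP case above, an added check (not part of the post or of nscrub) that compares what an API call asked for against what nscrub-export reports afterwards, so a "success" reply with no effect is caught. It assumes the export line layout and the /profile/<proto>/<direction>/<port>/<action> path layout from the one line and one URL shown in the post, and uses constructed copies of that data.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample data mirroring the post: the export is identical
# before and after the API call, and the response reports success.
EXPORT_BEFORE = "target pc profile DEFAULT udp src 53 drop enable\n"
EXPORT_AFTER = "target pc profile DEFAULT udp src 53 drop enable\n"
API_URL = ("http://127.0.0.1:8880/profile/udp/src/53/accept"
           "?target_id=pc&profile=default&action=disable")
API_RESPONSE = r'''{ "envelope_ver": "1.0", "hostname": "katharistis", "epoch": 1512284852,
"status": 200, "description": "OK", "data": { "function":
"\/profile\/udp\/src\/53\/accept", "return": "success" } }'''

# Export line layout is assumed from the single line shown in the post.
EXPORT_RE = re.compile(r"^target (\S+) profile (\S+) (\S+) (\S+) (\S+) (\S+) (enable|disable)$")


def parse_export(text):
    """Map (target, profile, proto, direction, port, action) -> enable/disable."""
    rules = {}
    for line in text.splitlines():
        m = EXPORT_RE.match(line.strip())
        if m:
            target, profile, proto, direction, port, action, state = m.groups()
            rules[(target, profile.lower(), proto, direction, port, action)] = state
    return rules


def parse_request(url):
    """Rule key addressed by the URL (path assumed: /profile/<proto>/<dir>/<port>/<action>) and the requested state."""
    u = urlparse(url)
    q = parse_qs(u.query)
    _, proto, direction, port, action = u.path.strip("/").split("/")
    return (q["target_id"][0], q["profile"][0].lower(), proto, direction, port, action), q["action"][0]


def check_change(url, response_json, export_before, export_after):
    """Return findings explaining why the API call did not have the intended effect."""
    findings = []
    resp = json.loads(response_json)
    if resp.get("status") != 200 or resp.get("data", {}).get("return") != "success":
        findings.append("API call not accepted")
    key, wanted = parse_request(url)
    before, after = parse_export(export_before), parse_export(export_after)
    if key not in after:
        # Same target/profile/proto/direction/port may exist under another action keyword.
        siblings = sorted(k[5] for k in after if k[:5] == key[:5])
        findings.append(f"rule {'/'.join(key[2:])} not in export; same tuple exists with actions {siblings}")
    elif after[key] != wanted:
        findings.append(f"rule {'/'.join(key[2:])} is {after[key]}, wanted {wanted}")
    if before == after:
        findings.append("export unchanged after the call")
    return findings
```

Run with the constructed data it reports that the rule named in the URL (udp/src/53/accept) is not the one the export lists (udp/src/53/drop) and that the export did not change; with a URL and export that agree it returns no findings.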