sflow/ddos-blackhole

By sflow

Updated almost 2 years ago

Real-time detection and blocking of DDoS flood attacks using BGP RTBH.


What is ddos-blackhole?

DDoS Blackhole is a real-time distributed denial of service (DDoS) detection and mitigation tool. The software receives a continuous stream of telemetry from standard sFlow agents embedded in network devices, detects distributed denial of service (DDoS) attacks, and pushes BGP remote triggered blackhole (RTBH) messages to block the attack upstream.

How to use this image

docker run --net=host sflow/ddos-blackhole -Dddos_blackhole.router=<ip> -Dddos_blackhole.as=<ASN>

Access the web user interface on port 8008. Configure routers/switches to send sFlow to UDP port 6343. Configure the router BGP session to connect on port 1179 (host network privileges are needed to establish the BGP connection).

docker run -p 6343:6343/udp -p 8008:8008 sflow/ddos-blackhole

Monitor without BGP and automated mitigation.

The software can be fully configured using -D startup parameters. A configuration file makes it easier to manage a large number of startup settings.

ddos_blackhole.router=<ip>
ddos_blackhole.as=<ASN>
ddos_blackhole.threshold=500000
ddos_blackhole.blockminutes=180
ddos_blackhole.actions=automatic
ddos_blackhole.group.exclude=<CIDR>,<CIDR>
ddos_blackhole.group.servers=<CIDR>
ddos_blackhole.syslog.host=<ip>

The above ddos.conf file provides an example.

docker run --net=host \
-v $PWD/ddos.conf:/sflow-rt/ddos.conf \
sflow/ddos-blackhole -Dsystem.propertyFiles=ddos.conf

Run the image using the configuration file. Application settings are documented in the help table in the web user interface.
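Because an RTBH controller that starts with a mistyped prefix or threshold can blackhole the wrong traffic, it is worth checking ddos.conf before handing it to the container. The following pre-flight check is an added example and not part of the sflow/ddos-blackhole image: it parses the key=value format shown above and flags unparseable IPs, non-positive integers, malformed CIDRs, and a servers prefix that lies inside an exclude prefix (the assumption that the two groups are meant to be disjoint is mine; the sample values are constructed).

```python
import ipaddress

# Constructed sample in the page's ddos.conf format (RFC 5737 addresses, private ASN).
SAMPLE_CONF = """\
ddos_blackhole.router=192.0.2.1
ddos_blackhole.as=64512
ddos_blackhole.threshold=500000
ddos_blackhole.blockminutes=180
ddos_blackhole.actions=automatic
ddos_blackhole.group.exclude=10.0.0.0/8,172.16.0.0/12
ddos_blackhole.group.servers=198.51.100.0/24
ddos_blackhole.syslog.host=192.0.2.50
"""

def parse_conf(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def validate_conf(conf):
    """Return a list of problems; an empty list means the file is usable."""
    problems = []
    for key in ("ddos_blackhole.router", "ddos_blackhole.syslog.host"):
        if key in conf:
            try:
                ipaddress.ip_address(conf[key])
            except ValueError:
                problems.append(f"{key}: {conf[key]!r} is not an IP address")
    for key in ("ddos_blackhole.as", "ddos_blackhole.threshold", "ddos_blackhole.blockminutes"):
        if key in conf and not (conf[key].isdigit() and int(conf[key]) > 0):
            problems.append(f"{key}: expected a positive integer, got {conf[key]!r}")
    nets = {}
    for key in ("ddos_blackhole.group.exclude", "ddos_blackhole.group.servers"):
        nets[key] = []
        for cidr in filter(None, conf.get(key, "").split(",")):
            try:
                nets[key].append(ipaddress.ip_network(cidr.strip()))
            except ValueError:
                problems.append(f"{key}: {cidr.strip()!r} is not a valid CIDR")
    # Assumption: the groups are disjoint, so a servers prefix inside an exclude prefix is a likely typo.
    for srv in nets["ddos_blackhole.group.servers"]:
        for ex in nets["ddos_blackhole.group.exclude"]:
            if srv.version == ex.version and srv.subnet_of(ex):
                problems.append(f"servers prefix {srv} lies inside exclude {ex}")
    return problems
```

Run it against the real file with `validate_conf(parse_conf(open("ddos.conf").read()))` and only start the container when the returned list is empty.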

See sflow/sflow-rt for additional settings available in the base image.

License

Please read and accept the License Agreement before downloading this software.

Docker Pull Command

docker pull sflow/ddos-blackhole