Ziti Hardening IDS/IPS

Hey guys,

The topic is: Hardening of the Ziti Controller / Public Router.

The goal is to reach maximum service availability, even under attack.

I had to use port 443 for the Ziti-Router-Port and the Ziti-Ctrl-Edge-Advertised-Port because the other ports (8440, 8441 and 8442) are blocked from some customer networks.

My Ziti Console is not publicly available and stays in the shadows.

@qrkourier, I linked you because it was interesting for you.

Maybe someone from the developers can say something on that? What types of attacks are you testing?

I'll give crowdsec a try and let you know.


Cross-link to a related thread post: Howto Install Router - #14 by qrkourier

@rcsoleng, what are your thoughts on Ziti Firewall, GitHub - netfoundry/zfw: An ebpf based firewall for openziti edge-routers/tunnelers, and using dynamic eBPF rules to limit attacks on the controller/router?

I'm happy to be corrected, but I thought zfw's function was to add INPUT rules for a host firewall where a Ziti router is configured as a LAN gateway, i.e., layer 2 peers have an IP route to the Ziti router because it's providing an infrastructure interceptor as an alternative to installing Ziti software on other member hosts in the same LAN.

I understood that zfw is being worked on for an enhancement to provide an eBPF-based DDoS protection mechanism for our controllers (which I figure could be used for routers too)... I do not know the status of it.

Hi @PhilipGriffiths yes you are correct as an extension to zfw I have added a DDOS protection mechanism currently only for controllers. The attacks that we are testing/mitigating right now are HTTPS flood and SYN flood attacks. A DDOS monitoring service scans specific controller logs for previously authenticated identities and routers IP addresses and updates an ebpf hash map which acts as a white list. ZFW records SYN packet counts for externally exposed controller listening ports and the counts are stored in a ebpf MAP which the monitoring service checks and if the SYS count is over a certain configurable threshold during the monitoring period it determines that the controller is under an active attack and informs zfw that it should operate in restricted mode and only allow TLS connections from the whitelisted IPs stored in the ebpf MAP by the monitoring service. Once the SYN counts return to normal for a configurable period the monitoring service informs zfw it can return to open operation for the controller listen ports. Note I am still waiting on some additional logging from the controller before this functionality can be productionalized. This could be extended to routers however it might need some additional logging to be added.