Blocked DDoS Metrics

Thanks to CrowdSec, we were able to block an apparent DDoS against a school district’s sites. After reviewing logs, etc I was wondering if there’s a way with CrowdSec or another way to see how much traffic has been blocked. With the WAF we use, we can see all blocked traffic, but with CrowdSec firewalling the traffic, we don’t have a good metric of its impact.


The only way I see is to make your bouncer verbose about blocked traffic (deny-log here).
Then render the logs, using something like Iptables Monitoring Dashboard dashboard for Grafana | Grafana Labs.

Late to the party, but for future reference:

imho it is easier to only use crowdsec-bouncer to manage the firewall set and use custom rules with a “counter” at the drop rule.

bouncer yaml file:

[...]
## nftables
nftables:
  ipv4:
    enabled: true
    set-only: true
    table: crowdsec
    chain: crowdsec-chain
  ipv6:
    enabled: true
    set-only: true
    table: crowdsec6
    chain: crowdsec6-chain

and in the nftables example from Firewall Bouncer | CrowdSec

- ip6 saddr @crowdsec6-blacklists drop
+ ip6 saddr @crowdsec6-blacklists counter drop
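Review bot: the `counter` keyword must stay before `drop`, as written here, because `drop` is a terminal verdict and nothing after it in the rule is evaluated; also note that this anonymous counter lives in the rule itself and resets to zero whenever the rule is re-created (a `nft -f` reload or a reboot), so scrape it regularly rather than treating the values as lifetime totals.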

(This of course also has to be done for the ipv4 drop rule.)

Then you can see the counters with “sudo nft list ruleset” and scrape the metrics with e.g. GitHub - metal-stack/nftables-exporter: prometheus exporter for nftables metrics

Imho this is easier than log counting.
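To turn those counters into the per-set numbers the original poster was after, here is an added example (not from this thread, CrowdSec or nftables-exporter) that parses the text output of `nft list ruleset` and sums packets and bytes for every `@set ... counter ... drop` rule; the sample ruleset embedded in it is constructed, not captured from a real host.

```shell
# Sum packet/byte counters of "... @<set> counter ... drop" rules in
# `nft list ruleset` text, keyed by set name (e.g. crowdsec6-blacklists).
# Usage on a real host:  sudo nft list ruleset | crowdsec_drop_counters
crowdsec_drop_counters() {
    awk '
        # Only rules that match a set (@name), carry a counter and drop.
        /@[A-Za-z0-9_-]+/ && /counter packets/ && /drop/ {
            set = ""; pkts = 0; bytes = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^@/)       set   = substr($i, 2)
                if ($i == "packets") pkts  = $(i + 1)
                if ($i == "bytes")   bytes = $(i + 1)
            }
            if (set != "") { p[set] += pkts; b[set] += bytes }
        }
        END {
            for (s in p) printf "%s packets=%d bytes=%d\n", s, p[s], b[s]
        }
    ' | LC_ALL=C sort
}

# Constructed sample in the shape `nft list ruleset` prints once
# `counter` has been added before `drop` (values are made up).
SAMPLE_RULESET='table ip crowdsec {
  set crowdsec-blacklists {
    type ipv4_addr
    flags timeout
  }
  chain crowdsec-chain {
    type filter hook input priority filter; policy accept;
    ip saddr @crowdsec-blacklists counter packets 1234 bytes 98760 drop
  }
}
table ip6 crowdsec6 {
  set crowdsec6-blacklists {
    type ipv6_addr
    flags timeout
  }
  chain crowdsec6-chain {
    type filter hook input priority filter; policy accept;
    ip6 saddr @crowdsec6-blacklists counter packets 56 bytes 4480 drop
  }
}'

# Runs the parser over the constructed sample (one line per set).
report_sample() {
    printf '%s\n' "$SAMPLE_RULESET" | crowdsec_drop_counters
}
report_sample
```

Because the anonymous counters reset whenever the rule is re-created, feed the output to a scraper at a fixed interval and compute rates rather than relying on the raw totals.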