   

 

Alert Mitigation

The management of mitigation in Kentik Detect is covered in the following topics:

Notes:
- For general information on policy alerting, see Policy Alert Overview.
- For information on settings for alert policies, see Alert Policies.
- For information on active or historical alerts, see Alert Dashboards.
- For information on alert-related notifications, see Alert Notifications.

 

 

About Mitigation

The Platforms and Methods pages are used to define mitigations that can be assigned to a threshold in an alert policy (see Threshold Mitigations) and triggered when conditions match those specified in the threshold.

Note: Mitigations can also be applied manually (not associated with an alert). See Manual Mitigation.

Each mitigation involves two main components:

  • Mitigation Platform: The platform on which a mitigation will run, which could be Remotely Triggered Black-Hole routing (RTBH) or a third-party system like Radware DefensePro or A10 Thunder TPS.
  • Mitigation Method: An individual mitigation configuration to be run on a mitigation platform.

Deploying mitigation involves:

  • Creating a mitigation platform.
  • Creating a mitigation method.
  • Linking the two together, after which the combination is available to assign to a threshold.

To better understand how configuration of the mitigation method differs from configuration of the mitigation platform, consider a scenario where RTBH policies are differentiated based on transit providers, interface capacities, or available peers. Being able to create multiple methods for the same platform enables you to tailor your use of the RTBH platform for each different deployment scenario.

Note: For a walk-through of how to create and assign a mitigation, see Configuring RTBH Mitigation.

 

 

Platforms Page UI

The platforms page includes the following UI elements:

  • Filter field: Filters the Mitigation Platforms List to show only rows containing the entered text in one of the following fields: ID, Name, Platform Type.
  • Add Mitigation Platform: A button that opens the Add Mitigation Platform dialog (see Mitigation Platform Dialogs).
  • Mitigation Platforms List: A list of your organization’s existing mitigation platforms (see Mitigation Platforms List).

 

 

Mitigation Platforms List

The Mitigation Platforms List is a table that lists all of the mitigation platforms that have been created by users in your organization. The table includes the following columns:

  • ID: System-assigned unique ID (numeric) for the mitigation platform.
  • Name: User-assigned name for the mitigation platform.
  • Platform Type: The type of mitigation platform (e.g. RTBH, A10, or Radware).
  • Methods: The mitigation methods (from the Mitigation Methods List) that have been associated with this platform.
  • Status: Opens the Platform Status Dialog.

 

 

Platform Status Dialog

The Platform Status dialog contains information, presented as JSON, about the current status of the mitigation platform.

More information coming soon.

 

 

Mitigation Platform Dialogs

Adding or editing a mitigation platform via the Kentik portal involves specifying information in the fields of the mitigation platform dialogs, which are covered in the following topics.

 

 

About Mitigation Platform Dialogs

The Kentik portal uses the mitigation platform dialogs to enable management of mitigation platform settings. The settings are entered into the fields of either of the following dialogs:

  • Add Mitigation Platform when registering a new platform with Kentik Detect.
  • Edit Mitigation Platform when editing an already registered platform.

 

 

Mitigation Platform Dialogs UI

The Add Mitigation Platform and Edit Mitigation Platform dialogs share the same layout and the following common UI elements:

  • Close button: Click the X in the upper right corner to close the dialog. All elements will be restored to their values at the time the dialog was opened.
  • Remove button (Edit Mitigation Platform dialog only): Remove the user from your organization’s collection of Kentik-registered users. This button is only present if the user being edited was manually added.
  • Cancel button: Cancel the add or edit operation and exit the dialog. All elements will be restored to their values at the time the dialog was opened.
  • Add Mitigation Platform button (Add Mitigation Platform dialog only): Save settings for the new platform and exit the dialog.
  • Save button (Edit Mitigation Platform dialog only): Save changes to platform settings and exit the dialog.

 

 

Mitigation Platform Settings

Mitigation platform dialogs (Add Mitigation Platform and Edit Mitigation Platform) contain the settings and controls shown below.

 

Common Platform Settings

The following settings are common to all mitigation platform types:

  • Name: User-specified name for the mitigation platform.
  • Description: Optional user-provided description text.
  • Platform: A drop-down menu for choosing the type of the mitigation platform from the various platform types supported by Kentik Detect (e.g. RTBH, A10, or Radware).
    Note: This list includes all supported types, which may include types to which your organization does not actually have access (i.e. if you do not have an A10 or Radware mitigation system). Kentik Detect does not automatically verify your choice of mitigation type.
  • Mitigation Methods: Click to add methods that have already been created on the Methods page (see Adding a Mitigation Method).
    Note: If the method you want to use with this platform doesn’t already exist you can come back to this setting after the method is created.

 

RTBH Platform Settings

If the mitigation platform is set to RTBH, the following additional field will be shown in the modal:

  • Devices: A drop-down list of routers in your organization on which you can choose to implement RTBH mitigation. Click in the selection box multiple times to choose multiple devices. These must be routers whose BGP setting (see Device BGP Settings) is Peer with Device, which will be indicated in the list with a checkmark icon in the BGP Enabled column.

 

Third-party Platform Settings

If the mitigation type is set to a third-party mitigation system (e.g. A10 or Radware), the following additional fields will be shown in the modal:

  • IP Address: The IP address or URL (https://ip or ip or https://name or name) of the management interface of the third-party mitigation device.
  • API login: User name for the third-party mitigation system.
  • API password: Password for the third-party mitigation system.
  • Delete: A checkbox that specifies whether information related to the setup of this mitigation platform that has been transmitted to a third-party mitigation system will be retained on that system even if the mitigation platform itself is deleted from Kentik Detect.

Note: Kentik Detect does not automatically verify the provided login username or password. Providing incorrect login information for your third-party mitigation system will cause mitigations based on this mitigation platform to fail.

 

 

Add or Edit Mitigation Platform

Mitigation platforms are added and edited via the Platforms page of the Kentik Detect portal (choose Alerting from the Kentik navbar, then Platforms from the sidebar at left). Adding and editing platforms is covered in the following sections:

 

 

Adding a Mitigation Platform

To add a new mitigation platform:

  1. Open the Platforms page (choose Alerting from the Kentik navbar, then Platforms from the sidebar at left).
  2. Click the Add Mitigation Platform button to open the Add Mitigation Platform dialog.
  3. Specify the values of the fields in the dialog (see Mitigation Platform Settings).
  4. Save the new platform by clicking the Add Mitigation Platform button (lower right).

 

 

Editing a Mitigation Platform

To edit the settings for an existing mitigation platform:

  1. In the Mitigation Platforms List, click in the row of the platform that you’d like to edit. The Edit Mitigation Platform dialog will open.
  2. Edit the platform’s settings by changing any fields that you’d like to modify (see Mitigation Platform Settings).
  3. To save changes, click the Save button (lower right).

To remove the platform from your organization’s collection of mitigation platforms, click Remove (lower left).

 

 

Methods Page UI

The methods page includes the following UI elements:

  • Filter field: Filters the Mitigation Methods List to show only rows containing the entered text (case insensitive) in one of the following fields: ID, Name, Method Type.
  • Add Mitigation Method: A button that opens the Add Mitigation Method dialog (see Mitigation Method Dialogs).
  • Mitigation Methods List: A list of your organization’s existing mitigation methods (see Mitigation Methods List).

 

 

Mitigation Methods List

The Mitigation Methods List is a table that lists all of the mitigation methods that have been created by users in your organization. The table includes the following columns:

  • ID: System-assigned unique ID (numeric) for the mitigation method.
  • Name: User-assigned name for the mitigation method.
  • Method Type: The type of mitigation method (e.g. RTBH, A10, or Radware).
  • Remove (trash icon): Removes the method from your organization’s available methods.

 

 

Mitigation Method Dialogs

Adding or editing a mitigation method via the Kentik portal involves specifying information in the fields of the mitigation method dialogs, which are covered in the following topics.

 

 

About Mitigation Method Dialogs

The Kentik portal uses the mitigation method dialogs to enable management of mitigation method settings. The settings are entered into the fields of either of the following dialogs:

  • Add Mitigation Method when registering a new method with Kentik Detect.
  • Edit Mitigation Method when editing an already registered method.

 

 

Mitigation Method Dialogs UI

The Add Mitigation Method and Edit Mitigation Method dialogs share the same layout and the following common UI elements:

  • Close button: Click the X in the upper right corner to close the dialog. All elements will be restored to their values at the time the dialog was opened.
  • Remove button (Edit Mitigation Method dialog only): Remove the user from your organization’s collection of Kentik-registered users. This button is only present if the user being edited was manually added.
  • Cancel button: Cancel the add or edit operation and exit the dialog. All elements will be restored to their values at the time the dialog was opened.
  • Add Mitigation Method button (Add Mitigation Method dialog only): Save settings for the new method and exit the dialog.
  • Save button (Edit Mitigation Method dialog only): Save changes to method settings and exit the dialog.

 

 

Mitigation Method Settings

Mitigation method dialogs (Add Mitigation Method and Edit Mitigation Method) contain the settings and controls shown below.

 

Common Method Settings

The following settings are common to all mitigation method types:

  • Name: User-specified name for the mitigation method.
  • Description: Optional user-provided description text.
  • Notification Channels: A drop-down list from which to choose one or more notification channels for the mitigation method. Notification channels are created on the Channels page; see Alert Notifications.
  • Acknowledgement Required: If this switch is on, a mitigation alarm from this method must be manually (rather than automatically) cleared from the Alarms List on the Alarms Dashboard (Active page) after the mitigation itself is complete.
  • IPs/CIDRs Excluded From Mitigation: IP addresses that should be excluded from being mitigated with this method, for example infrastructure addresses, point-to-point networks, or other addresses critical to the normal functioning of your network. Enter as a comma-separated list.
  • Grace period: The grace period that Kentik should honor prior to ending mitigation (e.g. withdrawing a blackhole route). Default is 30 minutes.
  • Platform: The type of the mitigation platform on which this method will be run (e.g. Radware, RTBH, A10 TPS).

 

RTBH Method Settings

If the mitigation platform is set to RTBH, the following additional fields will be shown in the modal:

  • Pre-defined Community Reference: A list of communities commonly used in RTBH; provided as a helpful reminder (you are not required to use these communities).
  • Community to Advertise: The community that has been programmed on the customer’s router to induce a black hole next hop for the IPv4 address attached to the community.
  • Next Hop: A next-hop IP address. In some environments this will be the destination IP to blackhole. This number has traditionally been selected from the 192.0.2.0/24 CIDR block, but may be any IP address.
  • Local Preference: Set the priority for the RTBH route. A high setting helps ensure that when there is more than one route the RTBH route will be preferred by the BGP best path selection process.
  • Convert IP to a /24: A switch that tells Kentik Detect to convert the provided next-hop IP address to CIDR notation. Use if you plan to withdraw blocks from certain routers and re-advertise in other locations (otherwise, leave unchecked).

 

Third-party Method Settings

If the mitigation type is set to a third-party mitigation system (e.g. A10 or Radware), the additional (non-common) fields shown in the dialog will vary depending on the third-party system. These settings should be made in consultation with Kentik support (support@kentik.com) or a support representative of the third-party vendor.

 

 

Add or Edit Mitigation Method

Mitigation methods are added and edited via the Methods page of the Kentik Detect portal (choose Alerting from the Kentik navbar, then Methods from the sidebar at left). Adding and editing methods is covered in the following sections:

 

 

Adding a Mitigation Method

To add a new mitigation method:

  1. Open the Methods page (choose Alerting from the Kentik navbar, then Methods from the sidebar at left).
  2. Click the Add Mitigation Method button to open the Add Mitigation Method dialog.
  3. Specify the values of the fields in the dialog (see Mitigation Method Settings).
  4. Save the new method by clicking the Add Mitigation Method button (lower right).

 

 

Editing a Mitigation Method

To edit the settings for an existing mitigation method:

  1. In the Mitigation Methods List, click in the row of the method that you’d like to edit. The Edit Mitigation Method dialog will open.
  2. Edit the method’s settings by changing any fields that you’d like to modify (see Mitigation Method Settings).
  3. To save changes, click the Save button (lower right).

To remove the method from your organization’s collection of mitigation methods, click Remove (lower left).

 

 

Configuring RTBH Mitigation

The following steps outline the general process of creating, configuring, and deploying an RTBH mitigation. If this is your first time working through the process, we recommend that you contact support@kentik.com before starting so that we can assist you.

  1. Identify your routers: In the Kentik Detect portal, go to Admin » Devices. From the Device List on this page, make a note of the names of the routers on which you wish to implement RTBH mitigation. These must be routers whose BGP Type setting (see Device BGP Settings) is Peer with Device, which will be indicated in the list with a link icon (for V4 and/or V6) in the BGP Status column (see screenshot above).
  2. Create a mitigation platform:
    - Go to the Platforms page (Alerting » Platforms).
    - Click the Add Mitigation Platform button.
    - In the resulting dialog, fill in the common settings for your new platform (see Mitigation Platform Settings).
    - From the drop-down Platform menu choose RTBH.
    - Click in the Devices field to open the Selected Devices dialog, then choose the routers that you identified in the previous step.
    - Click the Add Mitigation Platform button to close the modal.
  3. Create a mitigation method:
    - Go to the Methods page (Alerting » Methods).
    - Click the Add Mitigation Method button.
    - In the resulting dialog, give your method an informative name and description.
    - From the drop-down Notification Channels menu, assign a notification channel so that you can be notified when your alert triggers a mitigation.
    Note: If you’re not already part of a notification channel, go to the Channels page to add yourself to an existing channel or create a new channel for this mitigation method.
    - Turn on the Acknowledgement Required switch, which means that after a mitigation from this method is complete the corresponding alarm must be cleared manually (rather than automatically) from the Active Alerts List on the Active Alerts page.
    - Next, use the IP/CIDRs Excluded field to enter any IP address that you’d like to exclude from being blackholed with this method. Good candidates might be infrastructure addresses, point-to-point networks, or other addresses critical to the normal functioning of your network.
    - Now select the grace period that Kentik should honor prior to withdrawing the blackhole route. Many operators are happy with the 30-minute default because it provides enough cushion to discourage repeat attacks while not being excessively punitive to the IP that was the attack destination.
  4. Select RTBH as the platform:
    - Still in the dialog, choose RTBH from the drop-down Platform menu.
    - In the Community to Advertise field, enter the community that has been programmed on the customer’s router to induce a black hole next hop for the IPv4 address attached to the community.
    - For the Next Hop field, enter a next-hop IP address. In some environments this will be the destination IP to blackhole. This number has traditionally been selected from the 192.0.2.0/24 CIDR block, but may be any IP address.
    - If you plan to withdraw blocks from certain routers and re-advertise in other locations, you may want to turn on the Convert IP to a /24 checkbox. Otherwise, leave it off.
    - When you’re finished, click the Add Mitigation Method button to close the dialog.
  5. Link the mitigation method to a platform:
    - Go back to the Platforms page (Alerting » Platforms).
    - In the Platforms List, click the platform created in step 2 above.
    - In the resulting Edit Mitigation Platform dialog, click in the Mitigation Methods field to add the method created in step 3 above.
    - Click the Save button to close the dialog.
  6. Assign mitigation to an individual alert threshold:
    - Go to the Policies page (Alerting » Policies).
    - In the Alert Policies List, click the policy to which you’d like to assign an RTBH mitigation.
    - In the resulting Edit Alert Policy dialog, go to the Alert Thresholds tab. In the sidebar, click on the threshold (Critical, Major, etc.) to which you’d like to assign mitigation.
    - In the Mitigations pane at bottom, choose your newly-created mitigation platform, then click the Add Mitigation button.
    - Next, use the Apply Mitigation menu to choose when you’d like to have the mitigation take effect: immediately when Kentik raises the alarm, after a user manually acknowledges the alarm, or after a timer expires where no user has acknowledged the alarm.
    - Finally, use the Clear Mitigation menu to choose when the alarm about the mitigation should be cleared from the Alarms List.
    - Click the Save button (right top or bottom).
    Note: The creation and settings of policies to which you can assign mitigations is covered in Alert Policies.

 

 

Configuring Third-Party Mitigation

Kentik Detect enables integration with third-party mitigation systems such as Radware DefensePro or A10 Thunder TPS. The third-party system is added as a new mitigation platform and configured as a mitigation method, after which it can be added to a threshold in an alert policy. Please contact support@kentik.com for help with configuring Kentik Detect to work with a third-party mitigation system.

 

 

Manual Mitigation

Note: A mitigation that’s been started manually must be stopped manually.

Kentik Detect includes the ability to trigger a mitigation manually, even without an active alert.

 

Start a Manual Mitigation

To trigger a manual mitigation:

  1. Click Alerting on the main portal navbar.
  2. Do one of the following to open the Add Manual Mitigation dialog:
    - Click the plus sign in the Mitigations tile of the Scoreboard Summary.
    - Choose Manual Mitigation from the sidebar at left.
  3. In the dialog, specify the following settings:
    - Mitigation Platform and Method: You must choose from one of the existing combinations in the drop-down menu (to add a platform or method, see Add or Edit Mitigation Platform and Add or Edit Mitigation Method).
    - IP/CIDR to Mitigate: The IP range to which you want the mitigation applied.
    - Comment: Optional comment string.
  4. Click the Add Manual Mitigation button. The manual mitigation starts immediately and appears in the Active Alerts List.
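
An operator-side pre-flight check for the IP/CIDR to Mitigate value, as an added example (not Kentik code and not part of the original documentation): it compares a proposed target against a comma-separated list in the format of the IPs/CIDRs Excluded From Mitigation field and reports overlaps in either direction. The function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
"""Pre-flight check of a mitigation target against an exclusion list (added example)."""
import ipaddress

# Constructed sample in the comma-separated format of the exclusion field:
# one infrastructure host, one point-to-point /30, one IPv6 /64.
SAMPLE_EXCLUDED = "203.0.113.1, 198.51.100.0/30, 2001:db8:0:1::/64,"


def parse_exclusions(field):
    """Parse a comma-separated list of IPs/CIDRs into network objects.

    Bare addresses become host networks (/32 or /128). Entries with host
    bits set (e.g. 10.0.0.1/24) raise ValueError instead of being silently
    truncated, so a typo cannot quietly change what is protected.
    """
    nets = []
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate trailing commas and blank entries
        nets.append(ipaddress.ip_network(entry, strict=True))
    return nets


def check_target(target, exclusions):
    """Return (excluded_network, relation) pairs that conflict with target.

    relation is 'target-inside-exclusion' when the whole target is protected,
    or 'target-covers-exclusion' when the target is a wider block that would
    also blackhole a protected address or range.
    """
    tgt = ipaddress.ip_network(target.strip(), strict=True)
    conflicts = []
    for ex in exclusions:
        if ex.version != tgt.version:
            continue  # IPv4 and IPv6 networks cannot overlap
        if tgt.subnet_of(ex):
            conflicts.append((str(ex), "target-inside-exclusion"))
        elif ex.subnet_of(tgt):
            conflicts.append((str(ex), "target-covers-exclusion"))
    return conflicts


if __name__ == "__main__":
    excluded = parse_exclusions(SAMPLE_EXCLUDED)
    # Constructed targets: a clean host, a /24 that swallows an excluded host,
    # a host inside the excluded /30, and an IPv6 host inside the excluded /64.
    for candidate in ("203.0.113.77", "203.0.113.0/24",
                      "198.51.100.2", "2001:db8:0:1::53"):
        result = check_target(candidate, excluded)
        print(candidate, "->", result if result else "no conflict")
```

The second relation is the one that is easy to miss: a single host target can be clean while the /24 that contains it is not.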

 

Stop a Manual Mitigation

Because manual mitigation is intended for use on a one-off basis, the settings in the dialog are not saved for later reuse. Instead the mitigation exists only until it is manually ended.

To stop a manual mitigation:

  1. Click Alerting on the main portal navbar.
  2. Choose Active from the sidebar at left.
  3. Find the row for the manual mitigation in the Active Alerts List.
  4. At the right of the row, click the gray square Stop button in the Actions column. The mitigation will stop.