This family of protocols can be called PSAMP, and it is well described in this RFC. It works by delivering truncated raw packet headers, encoded in Netflow v9 or IPFIX format, to the collector. These protocols perform no aggregation at all: the hardware randomly samples a packet, wraps its leading bytes in an IPFIX / Netflow packet and sends it to the collector.
Please make sure you run at least version 2.0.361 before following this guide, as we made multiple significant changes to the support for these protocols.
This family of protocols includes:
- IPFIX inline monitoring services, available in Juniper MX and PTX
- IPFIX 315 by Cisco, available in ASR 9000, NCS 5500
- Netflow v9 lite from Cisco, mostly available in switches
Instead of adding separate fields for port numbers, IP addresses, protocol IDs and other information from the packet, these telemetry protocols carry the first X bytes (typically 60-100) of the packet header and deliver them to the collector. In this way they behave like sFlow, but they use Netflow v9 and IPFIX as the transport, which is far more flexible.
Such an approach has great benefits: we have access to all information present in the packet and are not limited to the set of fields the vendor chose to export. In addition, these protocols have no export delay and no flow aggregation, so DDoS detection time can be in the range of a few seconds. In most cases the export is implemented in hardware, which makes this one of the most attractive protocol families for network monitoring.
These protocols use the standard Netflow v9 / IPFIX sampling-rate encoding, which FastNetMon fully supports.
To enable support for any of these protocols, enable the Netflow / IPFIX plugin first.
To confirm that these parsers work as intended, check the following system counters. The `*_headers` counters should increase as sampled packets arrive, while a non-zero `*_parser_error` counter indicates headers FastNetMon could not decode:

```
sudo fcli show system_counters|egrep 'lite|inline'
netflow_v9_lite_headers 0
netflow_v9_lite_header_parser_error 0
ipfix_inline_headers 0
ipfix_inline_header_parser_error 0
```
As these protocols do not use aggregation, you can set a very short average calculation time to detect a DDoS attack in a matter of seconds. Keep in mind that a shorter window is based on fewer sampled packets, so the estimate gets noisier as the sampling rate grows:

```
sudo fcli set main average_calculation_time 3
```
For Juniper MX, we can offer the following configuration example, which enables IPFIX inline monitoring services on the router:

```
set services inline-monitoring template FastNetMonInlineTemplate template-refresh-rate 30
set services inline-monitoring template FastNetMonInlineTemplate option-template-refresh-rate 100
set services inline-monitoring template FastNetMonInlineTemplate observation-domain-id 1
set services inline-monitoring instance FastNetMon-instance template-name FastNetMonInlineTemplate
set services inline-monitoring instance FastNetMon-instance maximum-clip-length 126
set services inline-monitoring instance FastNetMon-instance collector FastNetMon-collector source-address 10.20.30.40
set services inline-monitoring instance FastNetMon-instance collector FastNetMon-collector destination-address 10.10.10.10
set services inline-monitoring instance FastNetMon-instance collector FastNetMon-collector destination-port 2055
set services inline-monitoring instance FastNetMon-instance collector FastNetMon-collector sampling-rate 1000
set interfaces xe-1/0/7 unit 0 family inet filter input FastNetMon-filter
set interfaces xe-1/0/7 unit 0 family inet filter output FastNetMon-filter
set firewall family inet filter FastNetMon-filter term 1 then inline-monitoring-instance FastNetMon-instance
set firewall family inet filter FastNetMon-filter term 1 then accept
```
To enable telemetry export for IPv6, you need to add the following section:

```
set interfaces xe-1/0/7 unit 0 family inet6 filter input FastNetMon-filter-v6
set interfaces xe-1/0/7 unit 0 family inet6 filter output FastNetMon-filter-v6
set firewall family inet6 filter FastNetMon-filter-v6 term 1 then inline-monitoring-instance FastNetMon-instance
set firewall family inet6 filter FastNetMon-filter-v6 term 1 then accept
```
For Cisco ASR 9000, it can be enabled this way, and for NCS 5500 you need to follow this guide.
FastNetMon has logic to strip outer GRE headers for this family of protocols, so that the encapsulated packet rather than the tunnel endpoints is analysed. It can be enabled on a per-protocol basis this way:

```
sudo fcli set main netflow_v9_extract_tunnel_traffic true
sudo fcli set main ipfix_extract_tunnel_traffic true
sudo fcli commit
```
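The following is an added example, not FastNetMon's own code, that shows what a collector has to do with this kind of export: it decodes an IPFIX message whose records carry a truncated raw header (the mechanism described at the top of this page) and then pulls the 5-tuple out of that header, stripping an outer GRE header the way the `*_extract_tunnel_traffic` options above do. It assumes a single Data Template with ingressInterface (IE 10), dataLinkFrameSize (IE 312) and a variable-length dataLinkFrameSection (IE 315); the Options Template that carries the sampling rate is not handled. The sample message is constructed inline.

```python
"""Decode IPFIX records carrying raw packet headers (PSAMP style).

Added example, not FastNetMon code. Assumes one Data Template with
ingressInterface (IE 10), dataLinkFrameSize (IE 312) and a variable-length
dataLinkFrameSection (IE 315). Options Templates (sampling rate) are ignored.
"""
import ipaddress
import struct

IE_INGRESS_IF, IE_FRAME_SIZE, IE_FRAME_SECTION = 10, 312, 315
VARIABLE_LEN = 0xFFFF  # RFC 7011 sec. 7: field length 65535 means variable-length
GRE = 47


def parse_ipfix(msg, templates=None):
    """Return the data records of one IPFIX message (RFC 7011). `templates`
    caches Data Templates across messages, keyed by (observation domain, id)."""
    templates = {} if templates is None else templates
    version, length, _time, _seq, domain = struct.unpack("!HHIII", msg[:16])
    if version != 10 or length > len(msg):
        raise ValueError("not an IPFIX message")
    records, off = [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        if set_len < 4:
            raise ValueError("bad set length")
        body, off = msg[off + 4:off + set_len], off + set_len
        if set_id == 2:                                   # Template Set
            p = 0
            while p + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[p:p + 4]); p += 4
                fields = []
                for _ in range(count):
                    ie, flen = struct.unpack("!HH", body[p:p + 4]); p += 4
                    if ie & 0x8000:                       # enterprise IE: skip the PEN
                        p += 4
                    fields.append((ie & 0x7FFF, flen))
                templates[(domain, tid)] = fields
        elif set_id >= 256 and (domain, set_id) in templates:  # Data Set
            fields = templates[(domain, set_id)]
            min_len = sum(1 if l == VARIABLE_LEN else l for _, l in fields)
            p = 0
            while p + min_len <= len(body):
                rec = {}
                for ie, flen in fields:
                    if flen == VARIABLE_LEN:  # 1-byte length, or 255 followed by 2 bytes
                        flen = body[p]; p += 1
                        if flen == 255:
                            flen = struct.unpack("!H", body[p:p + 2])[0]; p += 2
                    val, p = body[p:p + flen], p + flen
                    rec[ie] = val if ie == IE_FRAME_SECTION else int.from_bytes(val, "big")
                records.append(rec)
    return records


def parse_frame(frame, extract_tunnel=True):
    """Pull a 5-tuple out of a truncated Ethernet frame. With extract_tunnel the
    outer IP/GRE header is stripped and the encapsulated packet is reported."""
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == 0x8100:                               # 802.1Q tag
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype not in (0x0800, 0x86DD):
        return None
    return _parse_ip(frame[off:], extract_tunnel, tunneled=False)


def _parse_ip(buf, extract_tunnel, tunneled):
    ver = buf[0] >> 4
    if ver == 4:
        l4_off, proto, src, dst = (buf[0] & 0x0F) * 4, buf[9], buf[12:16], buf[16:20]
    elif ver == 6:                                        # no extension-header walking
        l4_off, proto, src, dst = 40, buf[6], buf[8:24], buf[24:40]
    else:
        return None
    l4 = buf[l4_off:]
    if proto == GRE and extract_tunnel and not tunneled and len(l4) >= 4:
        flags, inner_type = l4[0], struct.unpack("!H", l4[2:4])[0]
        # RFC 2784/2890: 4-byte base header plus 4 bytes each for the C, K and S options
        hdr = 4 + 4 * bool(flags & 0x80) + 4 * bool(flags & 0x20) + 4 * bool(flags & 0x10)
        if inner_type in (0x0800, 0x86DD) and len(l4) > hdr:
            inner = _parse_ip(l4[hdr:], extract_tunnel, tunneled=True)
            if inner:
                return inner
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:                 # TCP/UDP ports lead the L4 header
        sport, dport = struct.unpack("!HH", l4[:4])
    return {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "proto": proto, "sport": sport, "dport": dport, "tunneled": tunneled}


def decode(msg, extract_tunnel=True):
    """5-tuples of every raw header in one IPFIX message."""
    return [parse_frame(r[IE_FRAME_SECTION], extract_tunnel)
            for r in parse_ipfix(msg) if IE_FRAME_SECTION in r]


def build_sample_message(clip_len=64):
    """Constructed sample (not a real capture): an IPv4/GRE-encapsulated TCP packet,
    clipped to `clip_len` bytes and exported as one IPFIX record plus its template."""
    inner = (bytes([0x45, 0, 0, 40, 0, 1, 0x40, 0, 64, 6, 0, 0]) + bytes([10, 0, 0, 5])
             + bytes([10, 0, 0, 9]) + struct.pack("!HHIIBBHHH", 443, 51000, 1, 0, 0x50, 0x18, 65535, 0, 0))
    gre = struct.pack("!HH", 0, 0x0800)
    outer = (bytes([0x45, 0]) + struct.pack("!H", 20 + len(gre) + len(inner))
             + bytes([0, 2, 0x40, 0, 64, GRE, 0, 0]) + bytes([192, 0, 2, 1]) + bytes([198, 51, 100, 1]))
    full = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", 0x0800) + outer + gre + inner
    frame = full[:clip_len]
    template = (struct.pack("!HHHHHHHH", 2, 20, 256, 3, IE_INGRESS_IF, 4, IE_FRAME_SIZE, 2)
                + struct.pack("!HH", IE_FRAME_SECTION, VARIABLE_LEN))
    record = struct.pack("!IH", 7, len(full)) + bytes([len(frame)]) + frame
    data = struct.pack("!HH", 256, 4 + len(record)) + record
    return struct.pack("!HHIII", 10, 16 + len(template) + len(data), 1700000000, 1, 1) + template + data


if __name__ == "__main__":
    for t in (True, False):
        print("extract_tunnel=%s -> %s" % (t, decode(build_sample_message(), t)))
```

Running it shows the difference the tunnel option makes: with extraction on, the record resolves to the inner 10.0.0.5:443 -> 10.0.0.9:51000 TCP flow; with it off, the same bytes resolve to the GRE tunnel endpoints 192.0.2.1 -> 198.51.100.1 with no ports, which is what a detection rule keyed on hosts would otherwise see.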

