FastNetMon has an experimental ability to detect remote attackers (/32 hosts) and announce them using BGP unicast announces. It is not recommended for production use; the only production environments where it can be considered are those fed by sFlow or sampled Netflow / IPFIX, because tracking every remote /32 on unsampled traffic is too expensive.
Known restrictions:
- No automatic unblock option
- Lack of automatic counter cleanup unless the cleanup logic described later on this page is enabled. Without it, speed calculation is delayed on loaded networks; in some cases this can be worked around by restarting FastNetMon frequently.
To use this option, please enable this mode in FastNetMon:
sudo fcli set main remote_host_tracking enable
You can also get top remote talkers this way:
sudo fcli show remote_host_counters
You can enable actions separately for incoming and outgoing directions of traffic:
sudo fcli set main enable_ban_remote_outgoing enable
sudo fcli set main enable_ban_remote_incoming enable
Create a single hostgroup with the name "remote_host" in the following way:
sudo fcli set hostgroup remote_host
sudo fcli set hostgroup remote_host enable_ban enable
Then enable detection for incoming traffic:
sudo fcli set hostgroup remote_host enable_ban_incoming enable
sudo fcli set hostgroup remote_host ban_for_bandwidth enable
sudo fcli set hostgroup remote_host threshold_mbps 200
And outgoing (if needed):
sudo fcli set hostgroup remote_host enable_ban_outgoing enable
sudo fcli set hostgroup remote_host ban_for_bandwidth_outgoing enable
sudo fcli set hostgroup remote_host threshold_mbps_outgoing 200
After these configuration steps, FastNetMon will block every remote host whose traffic exceeds 200 Mbit/s in any direction for which you enabled detection.
You can list blocked hosts this way:
sudo fcli show remote_blackhole
In addition to this, FastNetMon can generate BGP announces for blocked hosts, and you can block them using your routers:
sudo fcli set main gobgp_announce_remote_host enable
You can also configure the community and next hop for these announces:
sudo fcli set main gobgp_next_hop_remote_host 1.0.0.0
sudo fcli set main gobgp_community_remote_host 65001:669
You can manually block hosts using fcli interface:
sudo fcli set remote_blackhole 10.11.12.13
To unblock a host, use the uuid of its entry as shown by the list command (the IP address alone is not accepted):
sudo fcli delete remote_blackhole 9a67b518-df3f-465c-a281-f62a5abf575f
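Because the delete command takes a uuid rather than an IP address, an operator has to find the right entry in the listing first. The following POSIX shell helper does that lookup and guards the value before handing it to fcli. It is an added example, not part of the FastNetMon documentation or of the fcli tool, and it assumes (without verification) that "fcli show remote_blackhole" prints one blank-line separated block of "key: value" lines per blocked host with "uuid:" and "ip:" fields; the sample listing embedded below is constructed. Adjust uuid_for_ip if your fcli output differs.

```shell
#!/bin/sh
# Helper around "fcli delete remote_blackhole <uuid>": resolve the uuid of a
# blocked remote host from its IP address instead of copying it by hand.
#
# ASSUMPTION (not verified against FastNetMon): "fcli show remote_blackhole"
# prints one record per blocked host, records separated by a blank line, each
# record being "key: value" lines that include "uuid:" and "ip:".
# SAMPLE_LISTING below is constructed sample data in that assumed shape.
SAMPLE_LISTING='uuid: 9a67b518-df3f-465c-a281-f62a5abf575f
ip: 10.11.12.13

uuid: 3f1c2b7a-8d4e-4a6b-9c0d-1e2f3a4b5c6d
ip: 10.11.12.14
'

# uuid_for_ip LISTING IP
# Prints the uuid of the record whose "ip:" field equals IP exactly
# (10.11.12.1 must not match 10.11.12.13). Returns 1 and prints nothing
# when IP is not present in the listing.
uuid_for_ip() {
    uuid=$(printf '%s\n' "$1" | awk -v ip="$2" '
        BEGIN { RS = ""; FS = "\n" }              # paragraph mode: one record per block
        {
            found = 0; u = ""
            for (i = 1; i <= NF; i++) {
                v = $i
                sub(/[ \t\r]+$/, "", v)           # drop trailing whitespace / CR
                if (sub(/^ip:[ \t]*/, "", v) && v == ip) found = 1
                else if (sub(/^uuid:[ \t]*/, "", v)) u = v
            }
            if (found && u != "") { print u; exit }
        }')
    [ -n "$uuid" ] || return 1
    printf '%s\n' "$uuid"
}

# is_uuid STRING
# Returns 0 when STRING has the 8-4-4-4-12 hex shape, 1 otherwise, so that an
# empty or garbled lookup result is never passed to "fcli delete".
is_uuid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# unblock_remote_host IP
# The only function that touches fcli: fetch the live listing, resolve the
# uuid, validate it, then delete the entry.
unblock_remote_host() {
    uuid=$(uuid_for_ip "$(sudo fcli show remote_blackhole)" "$1") || {
        echo "no remote_blackhole entry for $1" >&2
        return 1
    }
    is_uuid "$uuid" || {
        echo "unexpected uuid format in listing: $uuid" >&2
        return 1
    }
    sudo fcli delete remote_blackhole "$uuid"
}

# Offline demonstration on the constructed listing (no fcli call):
uuid_for_ip "$SAMPLE_LISTING" 10.11.12.14
```

Running the file as-is only exercises the parser on the constructed listing; call unblock_remote_host 10.11.12.13 (or wire it into your own tooling) to perform the real lookup and delete against fcli.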
Please be careful on really heavily loaded networks: unless the automatic cleanup described below is enabled, FastNetMon does not free up tracking entries for remote hosts and can consume a significant amount of memory.
To check the current traffic for a specific remote host, use this command:
sudo fcli show single_remote_host_counters 1.2.3.4
To maintain a high level of performance in environments with a very large number of monitored hosts, we have cleanup logic which removes tracking entries for remote hosts that have not generated or received any traffic for a rather long period of time. This logic is enabled by default for all new installations.
On an existing installation, you can enable it manually this way:
sudo fcli set main ipv4_remote_automatic_data_cleanup enable
sudo fcli set main ipv4_remote_automatic_data_cleanup_threshold 300
sudo fcli set main ipv4_remote_automatic_data_cleanup_delay 300
sudo fcli commit
Deprecation announcement for old style remote hostgroups
In the 2.0.380 release we removed the old way of defining per-direction remote hostgroups using the specially named hostgroups remote_host_incoming and remote_host_outgoing. Please switch to the new unified bidirectional detection logic implemented in the "remote_host" hostgroup. Starting from 2.0.380 the per_direction_hostgroup_thresholds flag is no longer needed for remote detection logic, as it is enabled by default.
