To achieve better DDoS detection, FastNetMon offers a number of predefined threshold types. For each entity (host or group of hosts) in your network, FastNetMon maintains a set of counters for different traffic types. FastNetMon calculates all counter types for incoming and outgoing traffic.
Global counters:
- Packets per second
- Mbits per second
- Flows per second (not available for sampled NetFlow/IPFIX and sFlow)
Per protocol packet counters:
- TCP packets per second
- UDP packets per second
- ICMP packets per second
- TCP SYN packets per second
Per protocol bandwidth counters:
- TCP Mbits per second
- TCP SYN Mbits per second
- UDP Mbits per second
- ICMP Mbits per second
You may set thresholds for incoming and outgoing traffic independently. Learn more about it in this guide.
Please note that TCP SYN counters count all packets/flows with the SYN flag set, i.e. the counter is incremented even when other flags are set as well (like SYN+ACK or SYN+ACK+PSH).
Please note that versions before 2.0.342 did not count ICMPv6 traffic for the ICMP threshold.
You can use any of these counters to trigger a DDoS alert. The table below lists, for each threshold, the option that enables it and the field name that sets the threshold value.
| Option to enable | Threshold value name |
| --- | --- |
| ban_for_pps | threshold_pps |
| ban_for_bandwidth | threshold_mbps |
| ban_for_flows | threshold_flows |
| ban_for_tcp_pps | threshold_tcp_pps |
| ban_for_udp_pps | threshold_udp_pps |
| ban_for_icmp_pps | threshold_icmp_pps |
| ban_for_tcp_bandwidth | threshold_tcp_mbps |
| ban_for_udp_bandwidth | threshold_udp_mbps |
| ban_for_icmp_bandwidth | threshold_icmp_mbps |
| ban_for_tcp_syn_pps | threshold_tcp_syn_pps |
| ban_for_tcp_syn_bandwidth | threshold_tcp_syn_mbps |
In addition to thresholds for incoming traffic, FastNetMon offers the option to set independent thresholds for outgoing traffic:
| Option to enable | Threshold value name |
| --- | --- |
| ban_for_pps_outgoing | threshold_pps_outgoing |
| ban_for_bandwidth_outgoing | threshold_mbps_outgoing |
| ban_for_flows_outgoing | threshold_flows_outgoing |
| ban_for_tcp_pps_outgoing | threshold_tcp_pps_outgoing |
| ban_for_udp_pps_outgoing | threshold_udp_pps_outgoing |
| ban_for_icmp_pps_outgoing | threshold_icmp_pps_outgoing |
| ban_for_tcp_bandwidth_outgoing | threshold_tcp_mbps_outgoing |
| ban_for_udp_bandwidth_outgoing | threshold_udp_mbps_outgoing |
| ban_for_icmp_bandwidth_outgoing | threshold_icmp_mbps_outgoing |
| ban_for_tcp_syn_pps_outgoing | threshold_tcp_syn_pps_outgoing |
| ban_for_tcp_syn_bandwidth_outgoing | threshold_tcp_syn_mbps_outgoing |
FastNetMon evaluates all enabled thresholds using the logical operator OR. If any enabled threshold is met, FastNetMon declares an attack.
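The OR evaluation described above, together with the SYN-flag counting rule noted earlier, modelled in Python as an added example (not FastNetMon's own code). The counter key names, the strict greater-than comparison and the sample values are assumptions made for the illustration.

```python
TCP_SYN = 0x02  # SYN bit in the TCP flags byte

# (option to enable, threshold value name) pairs from the incoming table on this page.
INCOMING = [
    ("ban_for_pps", "threshold_pps"),
    ("ban_for_bandwidth", "threshold_mbps"),
    ("ban_for_flows", "threshold_flows"),
    ("ban_for_tcp_pps", "threshold_tcp_pps"),
    ("ban_for_udp_pps", "threshold_udp_pps"),
    ("ban_for_icmp_pps", "threshold_icmp_pps"),
    ("ban_for_tcp_bandwidth", "threshold_tcp_mbps"),
    ("ban_for_udp_bandwidth", "threshold_udp_mbps"),
    ("ban_for_icmp_bandwidth", "threshold_icmp_mbps"),
    ("ban_for_tcp_syn_pps", "threshold_tcp_syn_pps"),
    ("ban_for_tcp_syn_bandwidth", "threshold_tcp_syn_mbps"),
]
# The outgoing table uses the same names with an "_outgoing" suffix.
PAIRS = INCOMING + [(o + "_outgoing", t + "_outgoing") for o, t in INCOMING]

def counts_as_syn(tcp_flags):
    """SYN counters include any packet with SYN set (SYN, SYN+ACK, SYN+ACK+PSH)."""
    return bool(tcp_flags & TCP_SYN)

def exceeded_thresholds(hostgroup, counters):
    """Names of enabled thresholds that the counters exceed.
    Counters are keyed by the threshold name without "threshold_" (assumption)."""
    hits = []
    for option, threshold in PAIRS:
        limit = hostgroup.get(threshold)
        if not hostgroup.get(option, False) or limit is None:
            continue  # disabled or unset thresholds never trigger
        if counters.get(threshold[len("threshold_"):], 0) > limit:  # ">" is an assumption
            hits.append(threshold)
    return hits

def is_attack(hostgroup, counters):
    return bool(exceeded_thresholds(hostgroup, counters))  # logical OR over enabled thresholds

# Constructed sample: a busy server whose outgoing replies are mostly SYN+ACK and ACK.
SAMPLE_HOSTGROUP = {
    "ban_for_pps": False, "threshold_pps": 10,  # set but disabled
    "ban_for_udp_pps": True, "threshold_udp_pps": 1000,
    "ban_for_tcp_syn_pps_outgoing": True, "threshold_tcp_syn_pps_outgoing": 5000,
}
SAMPLE_FLAGS_OUT = [0x12] * 6000 + [0x10] * 20000  # one second of SYN+ACK, then ACK
SAMPLE_COUNTERS = {"pps": 50000, "udp_pps": 300,
                   "tcp_syn_pps_outgoing": sum(counts_as_syn(f) for f in SAMPLE_FLAGS_OUT)}
print(exceeded_thresholds(SAMPLE_HOSTGROUP, SAMPLE_COUNTERS))
```

In this model the SYN+ACK replies alone push the outgoing SYN counter over its limit, which is worth keeping in mind when sizing `threshold_tcp_syn_pps_outgoing` for hosts that accept many connections.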
To set a threshold for a hostgroup, you can use the following syntax:
```
sudo fcli set hostgroup [hostgroup name] [option name] true
sudo fcli set hostgroup [hostgroup name] [threshold name] 1000
```
For example, to enable a limit by UDP packets per second, you can use:
```
sudo fcli set hostgroup global ban_for_udp_pps true
sudo fcli set hostgroup global threshold_udp_pps 1000
sudo fcli commit
```
If you’re looking for more flexible thresholds, please refer to this guide.

