04.12.2017

FastNetMon Advanced quick start

Brief

This document walks you through setting up FastNetMon Advanced in sFlow, NetFlow / IPFIX or port mirror mode. Before you start, you should already have FastNetMon installed.

Introduction

First of all, start the fcli configuration toolkit:

Common steps

These steps are required for every capture method (sFlow, NetFlow, IPFIX, port mirror).

Please enumerate all your networks in CIDR form:

fcli> set main networks_list 11.22.33.0/22

FastNetMon needs this list to determine the direction of traffic correctly.

If you need DDoS detection for IPv6 protocol, please check this guide.

sFlow v5

Enable the sFlow plugin:

Specify the port for sFlow capture (6343 is the default):

Specify the interface to listen on (0.0.0.0 is the default):

Apply the changes and restart FastNetMon:

After these steps, configure sFlow on the agent side (switch, router or server) to export to the host and port configured above.

NetFlow v5, v9, v10 (IPFIX)

Enable the NetFlow plugin:

Specify the port for NetFlow capture (2055 is the default):

Then specify the interface to listen on (0.0.0.0 is the default):

An important note on NetFlow sampling: FastNetMon can extract the sampling rate automatically from NetFlow v5, v9 and IPFIX, but in some rare cases you have to specify it explicitly:

Also, carefully review the active and inactive flow timeouts on the NetFlow agent side and set them to the smallest values that do not overload your hardware. Then take the larger of the two and use it (in seconds) for the average_calculation_time option. Without these changes FastNetMon will calculate traffic bandwidth incorrectly:
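To make the sampling and averaging remarks concrete, here is a small NetFlow v5 parser. It is an added example written for this guide, not FastNetMon's own code. The header and record layout follow the NetFlow v5 export format (the sampling field carries the mode in its top two bits and the packet interval in the low 14 bits). The datagram, the explicitly configured rate of 512 and the 30-second averaging window are constructed for the example. A header whose interval is 0 gives no usable rate, so the code falls back to 1:1 unless a rate is configured explicitly; that is the situation in which setting the rate by hand, as mentioned above, matters.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 export format: 24-byte header followed by 48-byte flow records.
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(datagram):
    """Split a NetFlow v5 datagram into a header dict and a list of record dicts."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, _unix_nsecs, flow_sequence,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field is {version})")
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < needed:
        raise ValueError(f"header announces {count} records but datagram is truncated")
    header = {
        "count": count,
        "sys_uptime": sys_uptime,
        "unix_secs": unix_secs,
        "flow_sequence": flow_sequence,
        "engine": (engine_type, engine_id),
        # sampling field: top 2 bits are the sampling mode, low 14 bits the
        # packet interval, i.e. 1 packet out of every N was sampled
        "sampling_mode": sampling >> 14,
        "sampling_interval": sampling & 0x3FFF,
    }
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(IPv4Address(f[0])),
            "dst": str(IPv4Address(f[1])),
            "packets": f[5],
            "octets": f[6],
            "src_port": f[9],
            "dst_port": f[10],
            "proto": f[13],
        })
    return header, records


def effective_sampling_rate(header, configured_rate=None):
    """Multiplier for record counters.

    An explicitly configured rate always wins. Otherwise the header interval
    is used; an interval of 0 carries no information, so it is treated as
    unsampled (1:1), which is why some exporters need the rate set by hand.
    """
    if configured_rate:
        return configured_rate
    return header["sampling_interval"] or 1


def bits_per_second(records, rate, average_calculation_time):
    """Bandwidth implied by the records once sampling is undone."""
    octets = sum(r["octets"] for r in records) * rate
    return octets * 8 / average_calculation_time


def build_sample_datagram():
    """Constructed datagram: one TCP flow, sampling mode 1, interval 1:1000."""
    sampling_field = (1 << 14) | 1000
    header = V5_HEADER.pack(5, 1, 123456, 1512345600, 0, 42, 0, 0, sampling_field)
    record = V5_RECORD.pack(
        IPv4Address("203.0.113.5").packed,   # src
        IPv4Address("11.22.33.10").packed,   # dst, inside the page's example network
        IPv4Address("0.0.0.0").packed,       # next hop
        1, 2,                                # input / output ifindex
        1, 1500,                             # packets, octets
        123000, 123100,                      # first / last sysuptime
        40000, 80,                           # src / dst port
        0, 0x02, 6, 0,                       # pad, TCP flags (SYN), proto, ToS
        64500, 64501, 24, 22, 0)             # src AS, dst AS, masks, pad
    return header + record


if __name__ == "__main__":
    hdr, recs = parse_netflow_v5(build_sample_datagram())
    rate = effective_sampling_rate(hdr)
    print(f"sampling 1:{rate}, records {len(recs)}")
    # 1500 octets * 1000 * 8 bits over a 30 s window (window value is constructed)
    print(f"{bits_per_second(recs, rate, 30):.0f} bit/s")
```

Run it against a real exporter by feeding the UDP payload received on your NetFlow port to parse_netflow_v5; if sampling_interval comes back 0 while the device is known to sample, that is the case where the rate must be configured explicitly.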

Apply the changes and restart the daemon:

After these steps, configure NetFlow / IPFIX export on the agent side (switch, router or server) to the configured port.

We have detailed guides for the following vendors: Huawei, Juniper, Mikrotik

Port mirror / SPAN / TAP capture

In this mode you need to configure a port mirror / SPAN / TAP on your switch or router.

List all available interfaces on your system:

For reliability, we suggest using a separate interface for the management connection to FastNetMon.

Enable the port mirror plugin:

Enable it for a specific port:

Then enable port mirroring on the router or switch side.

How to check that it’s working?

First of all, check the traffic counters:

Under normal conditions you should see non-zero counters for incoming and outgoing traffic.

Total traffic counter types:

  • Other traffic – neither the source nor the destination belongs to your list of networks.
  • Internal traffic – both the source and the destination belong to your list of networks.

You can also check the load per subnet:

Or the top 10 hosts in your network:
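The following added example (not FastNetMon's code) shows how the networks list drives the direction classification behind these counters, and how the per-subnet and top-host views follow from it. Incoming and outgoing are the two counters mentioned above alongside "other" and "internal". The networks list reuses the page's 11.22.33.0/22 plus a constructed 192.0.2.0/24; the flows and the 10-second averaging window are constructed as well. Note that 11.22.33.0/22 does not sit on a /22 boundary, so the code normalises it to 11.22.32.0/22 rather than rejecting it.

```python
import ipaddress
from collections import Counter

# Constructed: the networks_list an operator would give fcli (`set main networks_list ...`).
# 11.22.33.0/22 is the page's example; it has host bits set, so it is
# normalised to 11.22.32.0/22 below (strict=False). 192.0.2.0/24 is added here.
NETWORKS_LIST = ["11.22.33.0/22", "192.0.2.0/24"]

# Constructed sample flows seen in one averaging window: (src, dst, bytes).
SAMPLE_FLOWS = [
    ("203.0.113.5", "11.22.33.10", 900_000),    # outside -> ours: incoming
    ("11.22.33.10", "203.0.113.5", 120_000),    # ours -> outside: outgoing
    ("11.22.33.10", "11.22.34.7", 50_000),      # ours -> ours: internal
    ("198.51.100.9", "198.51.100.77", 70_000),  # neither side ours: other
    ("198.51.100.9", "11.22.33.10", 600_000),   # incoming
    ("203.0.113.5", "192.0.2.4", 40_000),       # incoming, second subnet
]

WINDOW_SECONDS = 10  # constructed; stands in for average_calculation_time


def build_networks(cidrs):
    """Parse CIDRs once; strict=False tolerates host bits set in the prefix."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def owning_network(ip, networks):
    """Return the configured network containing ip, or None if it is foreign."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return net
    return None


def classify(src, dst, networks):
    """Direction of a flow relative to the networks list."""
    src_ours = owning_network(src, networks) is not None
    dst_ours = owning_network(dst, networks) is not None
    if src_ours and dst_ours:
        return "internal"
    if dst_ours:
        return "incoming"
    if src_ours:
        return "outgoing"
    return "other"


def total_traffic_counters(flows, networks, window_seconds):
    """Bits per second per direction, like the total traffic counters."""
    octets = Counter()
    for src, dst, nbytes in flows:
        octets[classify(src, dst, networks)] += nbytes
    return {d: octets[d] * 8 / window_seconds
            for d in ("incoming", "outgoing", "internal", "other")}


def _our_host(src, dst, networks, direction):
    """The local endpoint of a flow in the given direction, or None."""
    if classify(src, dst, networks) != direction:
        return None
    return dst if direction == "incoming" else src


def load_per_subnet(flows, networks, window_seconds, direction="incoming"):
    """Bits per second per configured network for one direction."""
    octets = Counter()
    for src, dst, nbytes in flows:
        host = _our_host(src, dst, networks, direction)
        if host is not None:
            octets[str(owning_network(host, networks))] += nbytes
    return {net: b * 8 / window_seconds for net, b in octets.items()}


def top_hosts(flows, networks, window_seconds, direction="incoming", limit=10):
    """Busiest local hosts for one direction, highest bandwidth first."""
    octets = Counter()
    for src, dst, nbytes in flows:
        host = _our_host(src, dst, networks, direction)
        if host is not None:
            octets[host] += nbytes
    ranked = sorted(octets.items(), key=lambda kv: kv[1], reverse=True)
    return [(host, b * 8 / window_seconds) for host, b in ranked[:limit]]


if __name__ == "__main__":
    nets = build_networks(NETWORKS_LIST)
    print(total_traffic_counters(SAMPLE_FLOWS, nets, WINDOW_SECONDS))
    print(load_per_subnet(SAMPLE_FLOWS, nets, WINDOW_SECONDS))
    print(top_hosts(SAMPLE_FLOWS, nets, WINDOW_SECONDS))
```

If the "other" counter dominates on a real deployment, the networks list is almost certainly incomplete: traffic to your own hosts is being counted as foreign, and no per-host threshold will ever trigger for it.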

And that’s all. You can move on to the next step!

Email notifications

You can specify one or more email addresses to receive notifications about detected DDoS attacks.

I recommend using a local SMTP server in your network. In some cases you can also use Gmail or another public mail service, but keep in mind that during a DDoS your connectivity may be reduced and an external mail service may fail to deliver the notification.

Then you can use this command to send a test email to the configured notification addresses:

You will then receive notifications about all block and automatic unblock actions (if enabled).

You can also call a custom script when an attack is detected.

Attack threshold configuration

As an example, we will block hosts that exceed 100 Mbps of bandwidth.

Enable ban actions for the global host group:

Enable ban actions globally:

I also recommend enabling pcap dump collection for attacks:

And finally commit the changes:

Then you can check for blocked hosts that exceed this threshold:

That’s all.

BGP unicast configuration

FastNetMon has bundled BGP support: it can announce an attacked host via BGP unicast and use BGP flow spec for fine-grained DDoS filtering. Please check this article to understand the differences between these modes.

In this part we describe the configuration for BGP unicast.

For this part you need to configure the BGP peering session on your router side, and you need to know all of the following:

  • Peering IP for FastNetMon
  • ASN for FastNetMon
  • Router’s IP
  • Router’s ASN
  • Community number used for Blackhole at router side

As a first step, enable BGP support:

Enable host announcements:

Then specify the blackhole community used in your network (I personally encourage you to use 666, the number recommended by RFC 7999). Only 16-bit ASNs (< 65535) can be used in communities here:

Then we need to create a new BGP peering session:

And configure it (if you use an IP other than the management IP for peering, you need to configure that address manually on your Ubuntu instance):

If your FastNetMon server is connected to the peer through intermediate hops, we suggest enabling the BGP multi-hop feature:

Then explicitly enable IPv4 unicast support for this peer:

Finally, enable this peering connection:

Then commit the changes to the FastNetMon and BGP daemon configuration:

After this, it is worth checking that we can announce IPs correctly. We can ban a test IP for this:

And check the BGP daemon’s list of active announcements:

You can also check neighbor status this way:

BGP flow spec configuration

For this step you need a working BGP unicast configuration. Enable the flow spec AFI on the router side, and then we can start!

Enable flow spec for your peering connection:

Enable flow spec globally:

We can also specify the action type for FastNetMon’s announcements (accept, discard or rate-limit):

For rate-limit you can specify the actual rate (the meaning of “rate” depends on the vendor):

Commit the changes:

Then we can prepare a custom announcement (please replace our example addresses with real addresses from your networks list):

And check the BGP daemon output: