04.12.2017

FastNetMon Advanced quick start

Brief

This document walks you through setting up FastNetMon Advanced in sFlow, NetFlow / IPFIX or mirror mode. Before starting, FastNetMon must already be installed.

Introduction

First of all, start the fcli configuration toolkit.

Common steps

These steps are required for every capture method (sFlow, NetFlow, IPFIX, mirror).

Please enumerate all your networks in CIDR form.

FastNetMon needs this list to determine traffic direction: traffic destined to one of your networks is incoming, traffic sourced from them is outgoing. A prefix missing from the list will have its traffic misclassified, so keep the list complete.

If you need DDoS detection for IPv6, please check this guide.

If you have a large number of networks that change frequently, FastNetMon can read the network list directly from a BGP peering session; please see this guide.

For networks with more than 1 million hosts we suggest an alternative traffic calculation approach.

Enable traffic capture

How to check that it’s working?

First, check the traffic counters.

Normally you should see non-zero counters for both incoming traffic (destined to your networks) and outgoing traffic (sourced from your networks). All-zero counters mean no traffic is reaching FastNetMon from your capture method.

Total traffic counter types:

  • Other traffic – neither source nor destination is part of your list of networks. A large “Other” counter usually means a prefix is missing from the networks list.
  • Internal traffic – traffic where source and destination both belong to your list of networks.
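To make the four direction classes concrete, here is an added example (not FastNetMon's own code) that classifies constructed flow samples against a hypothetical networks list the way the counters above are derived. The prefixes, the sample flows and the function names are this example's assumptions; the second call shows how dropping a prefix from the list moves that prefix's traffic into the wrong counter.

```python
"""Traffic direction accounting from a networks list (added example).

Reproduces the incoming / outgoing / internal / other classes for a
constructed set of flow samples so you can see why an incomplete
networks list shows up as misclassified traffic in the counters.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical prefix list (the page's own list is not shown here).
OUR_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed flow samples: (src, dst, bytes). Real input would be
# sFlow / NetFlow / IPFIX records or mirrored packets.
SAMPLE_FLOWS = [
    ("192.0.2.10", "203.0.113.5", 1500),    # internet -> us: incoming
    ("203.0.113.5", "192.0.2.10", 600),     # us -> internet: outgoing
    ("203.0.113.7", "198.51.100.9", 900),   # us -> us: internal
    ("192.0.2.1", "192.0.2.2", 400),        # neither side ours: other
]


def is_ours(ip: str, networks=OUR_NETWORKS) -> bool:
    """True if ip falls inside any configured prefix."""
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def direction(src: str, dst: str, networks=OUR_NETWORKS) -> str:
    """Classify one flow exactly as the counter definitions above do."""
    src_ours, dst_ours = is_ours(src, networks), is_ours(dst, networks)
    if src_ours and dst_ours:
        return "internal"
    if dst_ours:
        return "incoming"
    if src_ours:
        return "outgoing"
    return "other"


def total_traffic_counters(flows, networks=OUR_NETWORKS) -> dict:
    """Sum bytes per direction class."""
    counters = Counter({"incoming": 0, "outgoing": 0, "internal": 0, "other": 0})
    for src, dst, nbytes in flows:
        counters[direction(src, dst, networks)] += nbytes
    return dict(counters)


if __name__ == "__main__":
    print(total_traffic_counters(SAMPLE_FLOWS))
    # With 198.51.100.0/24 forgotten, the internal flow is counted as outgoing.
    print(total_traffic_counters(SAMPLE_FLOWS, [ip_network("203.0.113.0/24")]))
```

The second run is the check to keep in mind when the counters look wrong: a prefix missing from the list does not make its traffic disappear, it lands in another class (here, internal becomes outgoing; a flow between two of your own hosts where neither prefix is listed would become "other").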

You can also check the load per subnet,

or the top 10 hosts in your network.

That's all; you can move on to the next step.

Attack threshold configuration

As an example, we will block hosts that receive more than 100 Mbps.

FastNetMon can also calculate total traffic for all hosts in a specified hostgroup.

Enable ban actions for global host group

Enable ban actions globally

I also recommend enabling pcap dump collection for attacks, so you have packet-level evidence of what was detected.

Finally, commit the changes.

Then you can check which hosts have been blocked for exceeding this threshold.

FastNetMon offers many threshold types; please check this guide for details.

By default, FastNetMon checks only incoming traffic, but you can easily enable attack detection for outgoing traffic too (useful for catching compromised hosts in your network that participate in attacks).
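The threshold steps above (a global 100 Mbps bandwidth threshold, ban actions enabled, incoming-only by default) are illustrated here with an added example that is not FastNetMon's own code: it computes per-host bandwidth from a constructed one-second window of flow samples and returns the hosts that would be banned. The prefix, the samples and the keyword names (`threshold_mbps`, `ban_for_bandwidth`, `enable_ban`, `process_outgoing_traffic`) are this example's assumptions mirroring the knobs discussed above, not a claim about FastNetMon's internals.

```python
"""Per-host bandwidth threshold check (added example, not FastNetMon code).

Shows the arithmetic behind 'block hosts receiving more than 100 Mbps'
and the difference between the incoming-only default and outgoing
detection.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

OUR_NETWORKS = [ip_network("203.0.113.0/24")]  # hypothetical prefix

# Constructed one-second window of flow samples: (src, dst, bytes).
WINDOW_SECONDS = 1
SAMPLES = [
    ("192.0.2.10", "203.0.113.5", 9_000_000),   # 72 Mbit toward .5
    ("192.0.2.11", "203.0.113.5", 6_000_000),   # +48 Mbit toward .5 -> 120 Mbps
    ("192.0.2.12", "203.0.113.6", 2_000_000),   # 16 Mbps toward .6
    ("203.0.113.7", "192.0.2.20", 20_000_000),  # 160 Mbps leaving .7 (outgoing)
]


def is_ours(ip: str) -> bool:
    """True if ip falls inside any configured prefix."""
    addr = ip_address(ip)
    return any(addr in net for net in OUR_NETWORKS)


def per_host_mbps(samples, window_seconds=WINDOW_SECONDS) -> dict:
    """Return {(host, direction): mbps} for hosts inside our networks.

    A host's incoming rate is the bytes addressed to it; its outgoing rate
    is the bytes it sent. An internal flow counts once on each side.
    """
    byte_totals = defaultdict(int)
    for src, dst, nbytes in samples:
        if is_ours(dst):
            byte_totals[(dst, "incoming")] += nbytes
        if is_ours(src):
            byte_totals[(src, "outgoing")] += nbytes
    return {key: total * 8 / 1_000_000 / window_seconds
            for key, total in byte_totals.items()}


def detect_attacks(samples, threshold_mbps=100, ban_for_bandwidth=True,
                   enable_ban=True, process_outgoing_traffic=False):
    """Return sorted (host, direction, mbps) for hosts that would be banned.

    Both the hostgroup-level and the global ban switch must be on, as in
    the steps above; outgoing hosts are only considered when outgoing
    detection is enabled.
    """
    if not (ban_for_bandwidth and enable_ban):
        return []
    hits = []
    for (host, direction), mbps in per_host_mbps(samples).items():
        if direction == "outgoing" and not process_outgoing_traffic:
            continue
        if mbps > threshold_mbps:
            hits.append((host, direction, mbps))
    return sorted(hits)


if __name__ == "__main__":
    print("incoming only:", detect_attacks(SAMPLES))
    print("with outgoing:", detect_attacks(SAMPLES, process_outgoing_traffic=True))
```

Note the two gates in `detect_attacks`: with the hostgroup switch on but the global switch off (or vice versa) nothing is banned, which is the usual reason a freshly configured threshold appears to do nothing. The 160 Mbps host only shows up once outgoing detection is turned on.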

Detection mode

FastNetMon can work in two modes:

  • Blackhole mode: FastNetMon announces a BGP blackhole route for the attacked host, so your routers drop all traffic to it, legitimate traffic included.
  • BGP Flow Spec mode: FastNetMon isolates only the malicious traffic and filters it out on your routers using BGP Flow Spec rules.

Please check this article to understand the differences between these modes.

Actions

FastNetMon can perform a variety of actions when it detects an attack.

BGP configuration