04.12.2017

FastNetMon Advanced quick start

Brief

This document walks you through setting up FastNetMon in sFlow, NetFlow / IPFIX or mirror mode. Before you start, FastNetMon must already be installed.

Introduction

First of all, you need to start the fcli configuration toolkit:

Common steps

You need to finish these steps for all available capture methods (sFlow, NetFlow, IPFIX, Mirror).

Please enumerate all your networks in CIDR form:

fcli> set main networks_list 11.22.33.0/22

This information is required because FastNetMon cannot extract your network list from the traffic automatically.

sFlow v5

Please enable sflow plugin:

Then please specify the port for sFlow capture (6343 is the default port):

Then specify the interface for listening (0.0.0.0 is the default):

Apply changes and restart daemon:

After these steps, you need to configure sFlow on the sFlow agent’s side (switch, router, server) to export to the configured port. Please be careful with iptables rules!

Netflow v5, v9, v10 (IPFIX)

Please enable netflow plugin:

Then please specify the port for Netflow capture (2055 is the default port):

Then specify the interface for listening (0.0.0.0 is the default):

Important remark about Netflow sampling. FastNetMon can automatically extract the sampling rate from Netflow v5, v9 and IPFIX, but in some rare cases you need to specify it explicitly:

Also, you should carefully review the active and inactive timeouts on the Netflow agent side and set them to the smallest possible values. Then take the larger of the two and use it, in seconds, for the average_calculation_time option. Without these changes FastNetMon will work incorrectly, because correct bandwidth calculation is essential for it.

Apply changes and restart daemon:

After these steps you need to configure Netflow / IPFIX on the agent’s side (switch, router, server) to export to the configured port. Please be careful with iptables rules!

Port mirror / SPAN / TAP capture

In this mode you need to configure port mirror / SPAN / TAP from your switch or router device.

As a first step, please list all available interfaces on your system:

We suggest using a separate interface for the management connection to FastNetMon, for reliability reasons.

Enable port mirror plugin:

Enable it for the specific port:

Then enable port mirroring on the router or switch side.

How to check that it’s working?

First of all, you can check the traffic counters:

In the normal case you should see non-zero counters for incoming and outgoing traffic. Other traffic means “neither the source nor the destination is known to be part of our list of networks”. Internal traffic is traffic where the source and destination both belong to your list of networks.

You can also check the load per subnet:

Or the top 10 hosts in your network:

And that’s all! Then you can move to the next step.

Email notifications

You can specify one or multiple email addresses to receive notifications about detected DDoS attacks.

I recommend using a local SMTP server in your network. In some cases you can also use Gmail or another public mail service, but keep in mind that during a DDoS you may have reduced connectivity and an external mail service may fail to deliver the notification.

Then you can use this command to send a test email to the configured notification addresses:

From then on you will receive notifications about all block and automatic unblock actions (if enabled).

Ban action configuration

FastNetMon can also call a notify script when a DDoS attack is detected. You can use it for integration with third-party applications or monitoring systems.

Then please install the mail tool if it is not installed:

Then open the example notify script /etc/fastnetmon/scripts/notify_about_attack.sh with your favorite editor and specify your email in the field “email_notify”.

Then try to run it manually for the ban action:

And try to run it manually for unban (we do not have attack details in this case):

Enable this action in FastNetMon:

Attack threshold configuration

As an example, we will block hosts that exceed 100 Mbps of bandwidth consumption.

Enable ban actions for the global host group:

Enable ban actions globally:

I also recommend enabling pcap dump collection for attacks:

And finally commit changes:

Then you can check the blocks for hosts that exceed this threshold:

That’s all.

BGP unicast configuration

FastNetMon has bundled support for BGP announcements: it can announce an attacked host via BGP and use BGP flow spec for fine-grained DDoS filtering. This part describes the configuration for BGP unicast.

For this manual, you need to configure the BGP peering session on your router’s side, and you need to know all of the following:

  • Peering IP for FastNetMon
  • ASN for FastNetMon
  • Router’s IP
  • Router’s ASN
  • Community number used for Blackhole at router side

As a first step, please enable BGP support:

Enable announcements of attacked hosts:

Then specify the blackhole community used in your network (I personally encourage you to use the number recommended by RFC 7999, 666). Please use only 16-bit ASN numbers (< 65535) for communities here:

Then we need to create a new BGP peering session:

And configure it (if you use an IP different from the management IP for peering, you need to configure that IP manually on your Ubuntu instance):

Then explicitly enable IPv4 unicast support for this peer:

Finally, enable this peering connection:

Then commit the changes to the FastNetMon and BGP daemon configuration:

After this it’s a good idea to verify that IPs are announced correctly. We can ban a test IP for that:

And check the BGP daemon’s list of active announcements:

You can also check the neighbor status this way:

BGP flow spec configuration

For this step, you need a working BGP unicast configuration. Please enable the flow spec AFI on the router’s side, and then we can start!

Enable flow spec for your peering connection:

Enable flow spec globally:

We can also specify the action type for FastNetMon’s announcements (accept, discard or rate-limit):

For rate-limit you can specify the actual rate (the meaning of “rate” depends on the vendor):

Commit changes:

Then we can prepare a custom announcement (please replace our example addresses with your real addresses from the networks list):

And check the BGP daemon output: