FastNetMon has an experimental (not recommend for production use) ability to detect remote attacker’s (/32 hosts) and announce them using BGP Unicast announces. You can use it for production environment only if you run sFlow or sampled Netflow / IPFIX.
Known restrictions:
- No automatic unblock option
- Lack of automatic counter cleanup. Leads to speed calculation delays for loaded networks. In some cases can be fixed by frequent FastNetMon restarts
To use this option, please enable this mode in FastNetMon:
sudo fcli set main remote_host_tracking enable
You also can get top remote talkers this way:
sudo fcli show remote_host_counters
You can enable actions separately for incoming and outgoing directions of traffic:
sudo fcli set main enable_ban_remote_outgoing enable sudo fcli set main enable_ban_remote_incoming enable
To use this capability for new installations of FastNetMon which have per_direction_hostgroup_thresholds flag set to true you need will to follow next steps.
sudo fcli show main per_direction_hostgroup_thresholds
You need to create single hostgroup with name “remote_host” this way:
sudo fcli set hostgroup remote_host sudo fcli set hostgroup remote_host enable_ban enable
Then enable detection for incoming traffic:
sudo fcli set hostgroup remote_host enable_ban_incoming enable sudo fcli set hostgroup remote_host ban_for_bandwidth enable sudo fcli set hostgroup remote_host threshold_mbps 200
And outgoing (if needed):
sudo fcli set hostgroup remote_host enable_ban_outgoing enable sudo fcli set hostgroup remote_host ban_for_bandwidth_outgoing enable sudo fcli set hostgroup remote_host threshold_mbps_outgoing 200
If you do not use per_direction_hostgroup_thresholds then you need to use different approach explained below.
To specify threshold values for remote hosts we use host groups with special names:
- remote_host_incoming
- remote_host_outgoing
You can create example host groups this way:
sudo fcli set hostgroup remote_host_incoming sudo fcli set hostgroup remote_host_incoming ban_for_bandwidth enable sudo fcli set hostgroup remote_host_incoming threshold_mbps 10 sudo fcli set hostgroup remote_host_incoming enable_ban enable sudo fcli set hostgroup remote_host_outgoing sudo fcli set hostgroup remote_host_outgoing ban_for_bandwidth enable sudo fcli set hostgroup remote_host_outgoing threshold_mbps 10 sudo fcli set hostgroup remote_host_outgoing enable_ban enable
After these configuration steps FastNetMon will block all remote hosts which exceed 10Mbits of traffic in any direction.
You can list blocked hosts this way:
sudo fcli show remote_blackhole
In addition to this, FastNetMon can generate BGP announces for blocked hosts and you can block them using your routers:
sudo fcli set main gobgp_announce_remote_host enable
You also can configure community and next hop for these announces:
sudo fcli set main gobgp_next_hop_remote_host 1.0.0.0 sudo fcli set main gobgp_community_remote_host 65001:669
You can manually block some host using fcli interface:
sudo fcli set remote_blackhole 10.11.12.13
To unblock some host, please use uuid from list command:
sudo fcli delete remote_blackhole 9a67b518-df3f-465c-a281-f62a5abf575f
Please be careful with really heavily loaded networks because FastNetMon does not free up tracking entries and can consume significant amount of memory.
To check current traffic for specific remote host you can use this command:
sudo fcli show single_remote_host_counters 1.2.3.4
To maintain high level of performance in environments with very large number of monitored hosts we have cleanup logic which removes tracking entries for remote hosts which do not generate or receive any traffic for quite long period of time. This logic is enabled by default for all new installations.
On existing installation you can enable it manually this way:
sudo fcli set main ipv4_remote_automatic_data_cleanup enable sudo fcli set main ipv4_remote_automatic_data_cleanup_threshold 300 sudo fcli set main ipv4_remote_automatic_data_cleanup_delay 300 sudo fcli commit