Brief
This document walks you through setting up FastNetMon in sFlow, NetFlow / IPFIX or mirror mode. Before you start, FastNetMon must already be installed.
Introduction
First of all, start the fcli configuration toolkit:
sudo fcli
Common steps
You need to complete these steps for all available capture methods (sFlow, NetFlow, IPFIX, Mirror).
Please enumerate all your networks in CIDR form:
sudo fcli set main networks_list 11.22.33.0/22
FastNetMon needs this information to determine traffic direction correctly, that is, whether traffic is incoming to or outgoing from your networks.
If you need DDoS detection for IPv6, please check this guide.
If you have a large number of networks that change frequently, FastNetMon can read the network list directly from a BGP peering session; please see this guide.
For networks with more than 1 million hosts we suggest using the alternative traffic calculation approach.
Enable traffic capture
- Netflow v5, v9, v10 (IPFIX)
- sFlow
- Port mirror
- Tera flow
- Amazon AWS VPC Flow logs
- Google GCE VPC Flow logs
How to check that it’s working?
First of all, check the traffic counters:
fcli> show total_traffic_counters
In the normal case you should see non-zero counters for incoming and outgoing traffic.
Total traffic counter types:
- Other traffic – neither the source nor the destination is known to be part of your list of networks. It may also be non-IP traffic (for example, ARP)
- Internal traffic – traffic where both source and destination belong to your list of networks. FastNetMon does not trigger DDoS alerts for such traffic at all
You can check the load per subnet:
fcli> show network_counters
To see the top 10 hosts in your network, use this command:
fcli> show host_counters bytes outgoing
To get traffic for a specific host, use this command:
fcli> show single_host_counters 10.1.2.3
Attack threshold configuration
As an example, we will block hosts that receive more than 100 Mbps:
fcli> set hostgroup global threshold_mbps 100
fcli> set hostgroup global ban_for_bandwidth enable
FastNetMon can also calculate the total traffic for all hosts in a specified hostgroup.
Enable ban actions for the global host group:
fcli> set hostgroup global enable_ban enable
Enable ban actions globally:
fcli> set main enable_ban enable
Also, I recommend enabling pcap dump collection for attacks:
fcli> set main collect_attack_pcap_dumps enable
And finally, commit the changes:
fcli> commit
Then you can check the blocks for hosts that exceed this threshold:
fcli> show blackhole
To unblock a host, take the UUID from the output of the previous command and issue the following command:
fcli> delete blackhole d9b1885f-6d9b-4167-9e3e-0a3198bacee9
FastNetMon offers many threshold types; please check this guide for more details.
By default, FastNetMon checks only incoming traffic, but you can easily enable attack detection for outgoing traffic too:
sudo fcli set main do_not_ban_outgoing disable
Custom thresholds for different networks
By default, FastNetMon uses the same “global” thresholds for all hosts in your networks. But you can create any number of hostgroups (literally, groups of networks) with custom thresholds, and FastNetMon will apply each group's thresholds to the part of your network it covers.
To create a new group:
sudo fcli set hostgroup my_new_group
sudo fcli set hostgroup my_new_group threshold_mbps 200
sudo fcli set hostgroup my_new_group ban_for_bandwidth enable
sudo fcli set hostgroup my_new_group enable_ban enable
sudo fcli set hostgroup my_new_group networks 11.22.33.44/24
sudo fcli set hostgroup my_new_group networks 22.33.44.55/24
sudo fcli commit
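Scripting these steps, as an added example that is not part of the FastNetMon documentation: the POSIX shell functions below create one hostgroup with a bandwidth threshold for any number of prefixes, reject malformed CIDRs before anything reaches fcli, and commit once at the end. They assume fcli accepts the non-interactive `sudo fcli set ...` form shown above; the group name and prefixes are placeholders, and FCLI can be set to `echo` to preview the commands.

```sh
#!/bin/sh
# Added example, not FastNetMon's own tooling. FCLI defaults to "sudo fcli";
# set FCLI=echo to print the fcli commands instead of running them.
FCLI="${FCLI:-sudo fcli}"

# is_cidr NET -> 0 if NET looks like a valid IPv4 prefix (a.b.c.d/len), else 1
is_cidr() {
    ip="${1%/*}"; len="${1#*/}"
    [ "$ip" != "$1" ] || return 1                   # no "/" at all
    case "$len" in ''|*[!0-9]*) return 1;; esac      # prefix length not numeric
    [ "$len" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs" # split address into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# create_hostgroup GROUP THRESHOLD_MBPS NET... -> runs the fcli steps shown above
# (create group, threshold, ban flags, one "networks" line per prefix) and commits
# once. Returns 1 without touching fcli if any prefix is malformed.
create_hostgroup() {
    group="$1"; mbps="$2"; shift 2
    [ $# -gt 0 ] || { echo "no networks given" >&2; return 1; }
    for net in "$@"; do
        is_cidr "$net" || { echo "bad CIDR: $net" >&2; return 1; }
    done
    $FCLI set hostgroup "$group" || return 1
    $FCLI set hostgroup "$group" threshold_mbps "$mbps" || return 1
    $FCLI set hostgroup "$group" ban_for_bandwidth enable || return 1
    $FCLI set hostgroup "$group" enable_ban enable || return 1
    for net in "$@"; do
        $FCLI set hostgroup "$group" networks "$net" || return 1
    done
    $FCLI commit
}

# Usage (placeholder group and prefixes):
#   FCLI=echo create_hostgroup my_new_group 200 11.22.33.44/24 22.33.44.55/24
```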
Detection mode
FastNetMon can work in two modes:
- Blackhole mode: FastNetMon blocks the attacked host entirely using a BGP blackhole announcement
- BGP Flow Spec mode: FastNetMon isolates only the malicious traffic and filters it out on your routers
Please check this article to understand the differences between these modes.
Actions
FastNetMon can perform a variety of actions when it detects an attack.