04.12.2017

FastNetMon Advanced quick start

Brief

This document walks you through configuring FastNetMon Advanced for traffic capture in sFlow, NetFlow / IPFIX or mirror (port mirroring) mode. It assumes FastNetMon is already installed.

Introduction

First, start the fcli configuration tool. The commands below are shown either at its interactive fcli> prompt or as one-shot sudo fcli ... invocations; both forms take the same arguments and are interchangeable.

sudo fcli

Common steps

These steps are required for every capture method (sFlow, NetFlow, IPFIX, mirror).

List every network you own, in CIDR form. Each entry must be a network address with the host bits zeroed: a prefix such as 11.22.33.0/22 is not aligned to a /22 boundary, the correct network address for that range is 11.22.32.0/22.

sudo fcli set main networks_list 11.22.32.0/22

FastNetMon uses this list to classify every flow as incoming, outgoing, internal or other. Traffic whose source and destination are both outside the list is counted as "other" and is not tracked per host, so a missing or wrong prefix means attacks against that range go undetected.

If you need DDoS detection for IPv6, see this guide.

If you have a large number of networks that change frequently, FastNetMon can read the network list directly from a BGP peering session; see this guide.

For networks with more than one million hosts we suggest using the alternative traffic calculation approach.

Enable traffic capture

How to check that it’s working?

First, check the total traffic counters:

fcli> show total_traffic_counters

Normally you should see non-zero counters for both incoming and outgoing traffic. All-zero counters usually mean that the collector is not receiving flows or mirrored packets at all; counters that grow only for "other" traffic mean that networks_list does not cover the traffic you are receiving.

Total traffic counter types:

  • Other traffic – neither the source nor the destination belongs to your list of networks. Non-IP traffic (for example ARP) is counted here too
  • Internal traffic – both source and destination belong to your list of networks. FastNetMon never triggers DDoS alerts for such traffic, so an attack launched from one of your own hosts against another is not detected by this mechanism

You can check the load per subnet:

fcli> show network_counters

For the top 10 hosts in your network by outgoing bytes, use this command:

fcli> show host_counters bytes outgoing

To get the traffic for a specific host, use this command:

fcli> show single_host_counters 10.1.2.3

Attack threshold configuration

As an example, we will block hosts that receive more than 100 Mbps:

fcli> set hostgroup global threshold_mbps 100
fcli> set hostgroup global ban_for_bandwidth enable

FastNetMon can also calculate the total traffic for all hosts in a specified hostgroup.

Enable ban actions for the global host group:

fcli> set hostgroup global enable_ban enable

Enable ban actions globally:

fcli> set main enable_ban enable

We also recommend enabling pcap dump collection for attacks, so that a sample of the attack traffic is kept for later analysis:

fcli> set main collect_attack_pcap_dumps enable

And finally, commit the changes. None of the set commands above take effect until you do:

fcli> commit

Then you can check which hosts have been blocked for exceeding the threshold:

fcli> show blackhole

To unblock a host, take its UUID from the output of the previous command and run:

fcli> delete blackhole d9b1885f-6d9b-4167-9e3e-0a3198bacee9

FastNetMon offers many threshold types; see this guide for details.

By default, FastNetMon only acts on incoming attacks: the do_not_ban_outgoing option is enabled, so a host in your network that is the source of an attack is not banned. To ban for outgoing attacks too, disable that option (note the double negative) and commit as before:

sudo fcli set main do_not_ban_outgoing disable

Custom thresholds for different networks

By default, FastNetMon applies the same "global" thresholds to every host in your networks. You can create any number of hostgroups (literally, groups of networks) with their own thresholds, and FastNetMon will apply those thresholds to the hosts in those networks; hosts not covered by any custom hostgroup keep the global thresholds.

To create a new group with a 200 Mbps threshold and attach two /24 networks to it (as with networks_list, use the network address, not a host address inside the range):

sudo fcli set hostgroup my_new_group
sudo fcli set hostgroup my_new_group threshold_mbps 200
sudo fcli set hostgroup my_new_group ban_for_bandwidth enable
sudo fcli set hostgroup my_new_group enable_ban enable
sudo fcli set hostgroup my_new_group networks 11.22.33.0/24
sudo fcli set hostgroup my_new_group networks 22.33.44.0/24
sudo fcli commit
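The two inputs on this page that are easiest to get wrong are the prefix lists (main networks_list and the per-hostgroup networks) and the question of which hostgroup's thresholds a given host ends up with. The POSIX shell script below is an added example, not part of FastNetMon or fcli: it validates and realigns CIDR prefixes before you paste them into fcli, and resolves the hostgroup and threshold_mbps that would apply to a host. It assumes IPv4 prefixes only, 64-bit shell arithmetic (dash or bash on a 64-bit system), and a simplified hostgroup model in which a host takes the first hostgroup whose networks contain it and otherwise falls back to global; the HOSTGROUPS table is constructed from the values used on this page.

```shell
#!/bin/sh
# Added example, not part of FastNetMon/fcli: sanity-check CIDR prefixes before
# handing them to "fcli set main networks_list" or "set hostgroup ... networks",
# and resolve which hostgroup threshold applies to a host.
# Assumptions: IPv4 only; 64-bit shell arithmetic; first matching hostgroup
# wins; a hostgroup without networks (global) is the fallback for everyone else.

# Dotted quad -> 32-bit integer on stdout; exit status 1 on malformed input.
# Runs in a subshell so the IFS change does not leak out.
ip4_to_int() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Split "a.b.c.d/len" into validated parts: sets cidr_ip (integer) and cidr_len.
# Exit status 1 for anything that is not a syntactically valid IPv4 prefix.
parse_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    cidr_len=${1#*/}
    case $cidr_len in ''|*[!0-9]*) return 1 ;; esac
    [ "$cidr_len" -le 32 ] || return 1
    cidr_ip=$(ip4_to_int "${1%/*}") || return 1
}

# Network mask for a prefix length, as an integer (len 0 -> 0, len 32 -> all ones).
mask_for_len() {
    echo $(( ((1 << $1) - 1) << (32 - $1) ))
}

# Print the prefix with its host bits cleared (11.22.33.0/22 -> 11.22.32.0/22).
# Exit status: 0 already aligned, 2 realigned (you probably typed a host
# address), 1 invalid. fcli wants the network address, not a host inside it.
normalize_cidr() {
    parse_cidr "$1" || return 1
    mask=$(mask_for_len "$cidr_len")
    base=$(( cidr_ip & mask ))
    echo "$(int_to_ip4 "$base")/$cidr_len"
    [ "$base" -eq "$cidr_ip" ] || return 2
}

# in_subnet HOST CIDR -> exit status 0 if HOST lies inside CIDR.
in_subnet() {
    host_int=$(ip4_to_int "$1") || return 1
    parse_cidr "$2" || return 1
    mask=$(mask_for_len "$cidr_len")
    [ $(( host_int & mask )) -eq $(( cidr_ip & mask )) ]
}

# Constructed hostgroup table mirroring this page's configuration:
# name|threshold_mbps|space-separated networks. The group with no networks
# (global) is the fallback for every host no other group covers.
HOSTGROUPS='global|100|
my_new_group|200|11.22.33.0/24 22.33.44.0/24'

# threshold_for_host HOST -> prints "<hostgroup> <threshold_mbps>".
threshold_for_host() {
    host=$1
    fallback=
    while IFS='|' read -r grp thr nets; do
        [ -n "$grp" ] || continue
        if [ -z "$nets" ]; then
            fallback="$grp $thr"
            continue
        fi
        for cidr in $nets; do
            if in_subnet "$host" "$cidr"; then
                echo "$grp $thr"
                return 0
            fi
        done
    done <<EOF
$HOSTGROUPS
EOF
    echo "$fallback"
}

# Demo on constructed inputs. 11.22.33.44/24 is a host address written with a
# /24; the network address fcli wants is 11.22.33.0/24.
for p in 11.22.32.0/22 11.22.33.0/22 300.1.1.0/24 11.22.33.44/24; do
    rc=0
    fixed=$(normalize_cidr "$p") || rc=$?
    case $rc in
        0) echo "ok        $p" ;;
        2) echo "realigned $p -> $fixed (host bits were set)" ;;
        *) echo "invalid   $p" ;;
    esac
done
for hst in 11.22.33.44 22.33.44.55 10.1.2.3; do
    echo "$hst -> $(threshold_for_host "$hst")"
done
```

Run it with sh before committing a hostgroup change: any "realigned" line is a prefix fcli would not interpret the way you meant, and the threshold lookup tells you whether a host you care about is really covered by the custom group or silently left on the global 100 Mbps threshold.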

Detection mode

FastNetMon can mitigate attacks in two modes:

  • Blackhole mode: FastNetMon announces the attacked host via BGP blackhole, so all traffic to that host is dropped upstream and the host itself is unreachable for the duration of the ban
  • BGP FlowSpec mode: FastNetMon isolates only the malicious traffic and filters it out on your routers, so the host stays reachable for legitimate traffic

See this article for the differences between these modes.

Actions

FastNetMon can perform a variety of actions when it detects an attack.

BGP configuration