This guide requires a fully working setup for total hostgroups.
When a hostgroup reaches a specified total traffic value, FastNetMon can call different actions.
To enable this feature, enable ban actions this way:
sudo fcli set main enable_ban enable
sudo fcli set main enable_ban_hostgroup enable
Before enabling automatic blocking, you can block a hostgroup manually using the following command:
sudo fcli set hostgroup_block global_total
You can list all active blocks this way:
sudo fcli show hostgroup_block
Unblock example:
sudo fcli delete hostgroup_block 9905ee8f-b5fa-4d46-b232-75f508f13fd5
To automate attack detection, please set thresholds:
sudo fcli set hostgroup global_total enable_ban enable
sudo fcli set hostgroup global_total enable_ban_incoming enable
sudo fcli set hostgroup global_total ban_for_bandwidth enable
sudo fcli set hostgroup global_total threshold_mbps 10
After that, please apply the configuration using the commit command, and FastNetMon will start automatic attack detection.
When an attack is detected, FastNetMon can run different actions:
- BGP announcement of all networks and hosts in the hostgroup
- Script callback
You can download an example callback script from GitHub, which just prints information about a hostgroup under attack to /tmp/fastnetmon_notify_script.log:
wget https://raw.githubusercontent.com/FastNetMon/fastnetmon_notify_python/main/notify_json.py
Then copy it to /usr/local/bin:
sudo cp notify_json.py /usr/local/bin/notify_json.py
And set the executable bit for it:
sudo chmod +x /usr/local/bin/notify_json.py
The callback script in JSON mode uses the “per hostgroup” schema from the formats documentation. It can be enabled this way:
sudo fcli set main notify_script_hostgroup_enabled enable
sudo fcli set main notify_script_hostgroup_path /usr/local/bin/notify_json.py
sudo fcli commit
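A callback in the same role as the downloaded script, written here as an added example (not FastNetMon's own code): instead of a file in /tmp it appends each event to a log created with mode 0600 and refuses to write through a symlink. It assumes the JSON event arrives on standard input; the log path and the sample field names are placeholders, not taken from the formats documentation.

```python
#!/usr/bin/env python3
"""Hostgroup callback: append each FastNetMon JSON event to a private log."""
import json
import os
import sys
import time

# Assumed location (not from the FastNetMon docs): a root-owned file outside /tmp.
LOG_PATH = "/var/log/fastnetmon_hostgroup_events.log"
MAX_INPUT = 1 << 20  # refuse payloads over 1 MiB

# Constructed sample; field names are placeholders, not the real schema.
SAMPLE = '{"hostgroup": "global_total", "action": "ban"}'

def record_event(raw, log_path=LOG_PATH):
    """Validate one JSON event and append it as a single log line."""
    if len(raw) > MAX_INPUT:
        raise ValueError("payload too large")
    event = json.loads(raw)  # raises ValueError on malformed JSON
    if not isinstance(event, dict):
        raise ValueError("expected a JSON object")
    # json.dumps escapes control characters, so one event is always one line.
    line = json.dumps({"received": int(time.time()), "event": event},
                      sort_keys=True) + "\n"
    # O_NOFOLLOW refuses a symlink planted at log_path; 0600 applies on creation.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(log_path, flags, 0o600)
    try:
        os.write(fd, line.encode("utf-8"))
    finally:
        os.close(fd)
    return event

def main():
    # Assumption: FastNetMon passes the JSON document on standard input.
    raw = "" if sys.stdin.isatty() else sys.stdin.read(MAX_INPUT + 1)
    if not raw.strip():
        return 0  # nothing to record
    try:
        record_event(raw)
    except (ValueError, OSError) as exc:
        print(f"callback error: {exc}", file=sys.stderr)
        return 1
    return 0

if __name__ == "__main__":
    sys.exit(main())
```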

