This guide requires a completely working setup for total hostgroups.
When a hostgroup reaches the specified total traffic value, FastNetMon can trigger different actions.
To use this feature, you have to enable ban actions this way:
sudo fcli set main enable_ban enable
sudo fcli set main enable_ban_hostgroup enable
Before enabling automatic blocking, you can block a hostgroup manually using the following command:
sudo fcli set hostgroup_block global_total
You can list all active blocks this way:
sudo fcli show hostgroup_block
Unblock example:
sudo fcli delete hostgroup_block 9905ee8f-b5fa-4d46-b232-75f508f13fd5
To automate attack detection, please set thresholds:
sudo fcli set hostgroup global_total enable_ban enable
sudo fcli set hostgroup global_total enable_ban_incoming enable
sudo fcli set hostgroup global_total ban_for_bandwidth enable
sudo fcli set hostgroup global_total threshold_mbps 10
After that, apply the configuration using the commit command, and FastNetMon will start automatic attack detection.
When an attack is detected, FastNetMon can run different actions:
- BGP announce of all networks and hosts in hostgroup
- Script callback
You can download an example callback script from GitHub, which just prints information about the hostgroup under attack to /tmp/fastnetmon_notify_script.log:
wget https://raw.githubusercontent.com/FastNetMon/fastnetmon_notify_python/main/notify_json.py
Then copy it into place:
sudo cp notify_json.py /usr/local/bin/notify_json.py
And set executable bit for it:
sudo chmod +x /usr/local/bin/notify_json.py
The callback script in JSON mode uses the “per hostgroup” schema from the formats documentation. It can be enabled this way:
sudo fcli set main notify_script_hostgroup_enabled enable
sudo fcli set main notify_script_hostgroup_path /usr/local/bin/notify_json.py
sudo fcli commit
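A hardened variant of a hostgroup callback, as an added example (not the FastNetMon script linked above): it validates its input and appends one log line per event without following symlinks. It assumes that FastNetMon passes the JSON document on standard input, makes no assumption about field names in the "per hostgroup" schema, and uses a hypothetical log path in a root-owned directory instead of /tmp.

```python
#!/usr/bin/env python3
"""Hostgroup callback sketch: read one JSON document from stdin, log it safely."""
import json
import os
import sys
import time

# Hypothetical path (assumption): a root-owned directory, not world-writable /tmp.
LOG_PATH = "/var/log/fastnetmon_hostgroup_callback.log"
MAX_INPUT_BYTES = 1 << 20  # refuse unexpectedly large input


def parse_event(raw: bytes) -> dict:
    """Validate callback input; raise ValueError on anything but a JSON object."""
    if len(raw) > MAX_INPUT_BYTES:
        raise ValueError("input too large")
    try:
        event = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"not valid JSON: {exc}") from exc
    if not isinstance(event, dict):
        raise ValueError("expected a JSON object")
    return event


def format_record(event: dict, now: float) -> str:
    """One line per event; json.dumps escapes newlines, so values cannot forge lines."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    return f"{stamp} {json.dumps(event, sort_keys=True)}\n"


def append_record(path: str, line: str) -> None:
    """Append without following symlinks; create the file as 0600 if missing."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, line.encode("utf-8"))
    finally:
        os.close(fd)


if __name__ == "__main__":
    try:
        raw_input = sys.stdin.buffer.read(MAX_INPUT_BYTES + 1)
        record = format_record(parse_event(raw_input), time.time())
    except ValueError as err:
        record = f"rejected callback input: {json.dumps(str(err))}\n"
    append_record(LOG_PATH, record)
```

Installed and made executable like the example script, it would be referenced from notify_script_hostgroup_path in the same way.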