27.06.2019

Attack detection for per hostgroup thresholds

This guide requires a completely working setup for total hostgroups.

When a hostgroup reaches the specified total traffic value, FastNetMon can call different actions.

To enable this feature, you have to enable ban actions this way:

sudo fcli set main enable_ban_hostgroup enable
sudo fcli set hostgroup global_total enable_ban enable
sudo fcli set main enable_ban enable

Before enabling the automatic mode, you can block a hostgroup manually using the following command:

sudo fcli set hostgroup_block global_total

You can list all active blocks this way:

sudo fcli show hostgroup_block

Unblock example:

sudo fcli delete hostgroup_block 9905ee8f-b5fa-4d46-b232-75f508f13fd5

To automate attack detection, please set thresholds:

sudo fcli set hostgroup global_total ban_for_bandwidth enable
sudo fcli set hostgroup global_total threshold_mbps 10
sudo fcli set hostgroup global_total enable_ban enable

After that, apply the configuration using the commit command (sudo fcli commit) and FastNetMon will start automated detection.

When an attack is detected, FastNetMon can run different actions. Right now only a callback script in JSON mode is supported (it uses the “per hostgroup” schema from the formats documentation); it can be enabled this way:

sudo fcli set main notify_script_hostgroup_enabled enable
sudo fcli set main notify_script_hostgroup_path /usr/local/bin/notify_json.py
sudo fcli commit

Example script:

#!/usr/bin/env python3

import sys
import logging
import json
import pprint

# Log to a file. /tmp is used here for simplicity; in production prefer a
# directory that only the user running FastNetMon can write to.
logging.basicConfig(filename='/tmp/fastnetmon_notify_script.log',
    format='%(asctime)s %(message)s', level=logging.DEBUG)

# Read the whole JSON document from stdin (this script receives no arguments)
stdin_data = sys.stdin.read()

logging.info("We got following details: " + stdin_data)

parsed_details = json.loads(stdin_data)

logging.info("Decoded details from JSON: " + pprint.pformat(parsed_details))

# Attack details are available as parsed_details['attack_details'][...],
# for example the attack direction:
logging.info("Attack direction: " + parsed_details['attack_details']['attack_direction'])

This script differs slightly from the standard script for per host thresholds: it receives no command line arguments, all information is passed via stdin.
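A more defensive version of the per-hostgroup callback, as an added example rather than FastNetMon's own script: it validates the JSON document from stdin (empty input when started by hand, malformed JSON, missing attack_details, unexpected values), whitelists the hostgroup name before it reaches a command line, and launches the response as an argv list instead of a shell string. Only attack_details.attack_direction is documented on this page; the hostgroup and action keys, their permitted values, the log path, the sample notification and the /usr/local/bin/hostgroup-blackhole helper are all assumptions made for the example.

```python
#!/usr/bin/env python3
"""Hardened per-hostgroup notify script for FastNetMon.

Added example, not FastNetMon's own code. The document on stdin is assumed
to be a JSON object; the only field documented on this page is
attack_details.attack_direction. The 'hostgroup' and 'action' keys, their
values, the log path and the blackhole tool path are assumptions.
"""
import json
import logging
import re
import subprocess
import sys

LOG_PATH = "/var/log/fastnetmon/notify_hostgroup.log"  # assumption: not a shared /tmp path
BLACKHOLE_TOOL = "/usr/local/bin/hostgroup-blackhole"  # hypothetical argv-driven helper
VALID_DIRECTIONS = {"incoming", "outgoing"}            # assumption
VALID_ACTIONS = {"ban", "unban"}                       # assumption
HOSTGROUP_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")  # names we are willing to pass on

# Constructed sample of what FastNetMon might pipe to stdin (not a real capture).
SAMPLE_NOTIFICATION = (
    '{"hostgroup": "global_total", "action": "ban", '
    '"attack_details": {"attack_direction": "incoming"}}'
)


def parse_notification(raw):
    """Parse and validate the stdin document. Returns a dict with hostgroup,
    direction and action, or raises ValueError with the reason."""
    if not raw or not raw.strip():
        raise ValueError("empty stdin (script was probably started by hand)")
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError("stdin is not valid JSON: %s" % exc)
    if not isinstance(doc, dict):
        raise ValueError("top-level JSON value must be an object")
    details = doc.get("attack_details")
    if not isinstance(details, dict):
        raise ValueError("missing attack_details object")
    direction = details.get("attack_direction")
    if direction not in VALID_DIRECTIONS:
        raise ValueError("unexpected attack_direction: %r" % (direction,))
    action = doc.get("action", "ban")  # assumption: absent key means a ban
    if action not in VALID_ACTIONS:
        raise ValueError("unexpected action: %r" % (action,))
    hostgroup = doc.get("hostgroup")
    # Whitelist the name before it goes anywhere near a command line or a log.
    if not isinstance(hostgroup, str) or not HOSTGROUP_NAME.match(hostgroup):
        raise ValueError("hostgroup name missing or contains unsafe characters")
    return {"hostgroup": hostgroup, "direction": direction, "action": action}


def rejection_reason(raw):
    """None if the document is acceptable, otherwise why it was rejected."""
    try:
        parse_notification(raw)
    except ValueError as exc:
        return str(exc)
    return None


def plan_response(parsed):
    """Map a validated notification to an argv list. A list (never shell=True)
    means the hostgroup name can't be turned into shell syntax."""
    verb = "add" if parsed["action"] == "ban" else "remove"
    return [BLACKHOLE_TOOL, verb, parsed["hostgroup"], parsed["direction"]]


def main():
    logging.basicConfig(filename=LOG_PATH, format="%(asctime)s %(message)s",
                        level=logging.INFO)
    raw = sys.stdin.read()
    try:
        parsed = parse_notification(raw)
    except ValueError as exc:
        logging.error("rejected notification: %s", exc)
        return 1
    argv = plan_response(parsed)
    logging.info("hostgroup=%s direction=%s action=%s -> %s",
                 parsed["hostgroup"], parsed["direction"], parsed["action"], argv)
    try:
        subprocess.run(argv, check=True, timeout=30)
    except (OSError, subprocess.SubprocessError) as exc:
        logging.error("response command failed: %s", exc)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit status on rejected input keeps the failure visible in the log and in FastNetMon's own logging of the script result, while the timeout prevents a hung blackhole helper from blocking further notifications.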