Automated baseline calculation with FastNetMon Advanced

To configure thresholds in FastNetMon correctly, you need to know peak traffic values during peacetime for all the hosts in your network. To simplify this process, FastNetMon includes the capability to show you peak traffic levels for all types of standard fixed thresholds available in FastNetMon.

To use this feature, you need to enable traffic metrics export to Clickhouse using this guide. If you have our visual stack installed, you have all the needed components in place, and you do not need to configure anything.

Please check that you run at least FastNetMon Advanced version 2.0.358 before using this guide.

After enabling metrics export, we recommend keeping FastNetMon running without enabling any blocking actions for at least 1 week to cover all possible weekly peak times. If you need baseline data urgently, you can collect it for 10-15 minutes – it will be good for a start.

We have no plans to support using data from InfluxDB as it does not handle such queries very well and fails to process a large number of metrics.

Our baseline tool works on multiple levels of aggregation:

  • Global, includes all hosts in the network
  • Per host (IPv4 only)
  • Per prefix (IPv4 only, CIDR format)
  • Per hostgroup

For small and medium-sized networks, we recommend starting with setting up only a single global hostgroup for simplicity.

If you have more than a single type of bandwidth profile with significantly different peak traffic (e.g. cache nodes, CDN servers, high bandwidth business connections) in your network, we recommend moving hosts with significantly larger bandwidth usage into a separate hostgroup.

To get peak traffic metrics for all hosts in your network, you can run the following command:

sudo fcli show baseline_per_host global

After this command finishes, you may see output like this:

threshold_pps                  145912
threshold_mbps                 1585
threshold_flows                55892
threshold_tcp_pps              145910
threshold_udp_pps              61630
threshold_icmp_pps             1129
threshold_ip_fragments_pps     0
threshold_tcp_syn_pps          141824
threshold_tcp_mbps             1585
threshold_udp_mbps             559
threshold_icmp_mbps            0
threshold_ip_fragments_mbps    0
threshold_tcp_syn_mbps         1531

By default, we return the baseline for incoming traffic, but you can explicitly specify the direction this way:

sudo fcli show baseline_per_host global outgoing

Example output:

threshold_pps_outgoing                   377
threshold_mbps_outgoing                  4535344
threshold_flows_outgoing                 0
threshold_tcp_pps_outgoing               292
threshold_udp_pps_outgoing               377
threshold_icmp_pps_outgoing              79
threshold_ip_fragments_pps_outgoing      0
threshold_tcp_syn_pps_outgoing           32
threshold_tcp_mbps_outgoing              1629352
threshold_udp_mbps_outgoing              4534784
threshold_icmp_mbps_outgoing             58056
threshold_ip_fragments_mbps_outgoing     0
threshold_tcp_syn_mbps_outgoing          19512

Please note that if the hostgroup or network consists of a large number of hosts (such as the global one), the query may take a long time to finish, as it will process a very significant amount of metrics.

These values are your peak values over a period of 7 days. We recommend checking them for validity, and if you see unreasonably high values, we recommend checking your configuration by following our quick start guide step by step.

We do provide all the possible threshold types in output, but we do not recommend setting up all of them. We recommend using only pps and mbps thresholds for the majority of setups. You may add per-protocol thresholds to adjust to specific attack types, but we do not recommend doing so from the beginning.

If you use sampled protocols such as sFlow, or you have sampling enabled for Netflow or IPFIX, you will see zero values for flow metrics. Unfortunately, sampling theory does not allow us to recover the flow rate after packet-based sampling has been applied, and that is why these metrics are set to zero.

You can get peak traffic for a specific host in your network this way:

sudo fcli show baseline_per_host 10.1.2.3

To get a baseline value for a prefix, you can use it in CIDR format:

sudo fcli show baseline_per_host 10.1.2.3/24

To get a baseline value for a whole hostgroup, you can use the following format. Our tool will load all networks from the specified hostgroup and then calculate peak traffic over all hosts in it:

sudo fcli show baseline_per_host my_hostgroup

If you had a DDoS attack over the last week, the attack traffic will be included and may affect the reliability of calculations.

To use peak traffic values as thresholds for attack detection, we recommend multiplying them by 2-3 and using the result. The basic recommendation for threshold setup is to set thresholds to values that cannot be reached by normal traffic. For example, if you have a 1G limit for customers, it may be reasonable to set the threshold to 1.2G, as this value cannot be reached by normal service usage, while DDoS traffic can easily exceed it. Another approach is to set thresholds to the value at which you know your network starts to degrade. For example, you know that your routers will melt down after X packets per second, or you know that your upstream cannot handle more than 5G.
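The steps above (read the baseline output, keep only the pps and mbps thresholds to start with, skip flow counters that are zero under sampling, multiply by 2-3) as an added example in Python. This is not FastNetMon's own code; it assumes the two-column `fcli show baseline_per_host` output format shown on this page and uses the incoming sample from above as constructed input.

```python
import re

# Constructed sample: the incoming baseline output shown earlier on this page,
# as printed by `sudo fcli show baseline_per_host global`.
SAMPLE_BASELINE = """\
threshold_pps                  145912
threshold_mbps                 1585
threshold_flows                55892
threshold_tcp_pps              145910
threshold_udp_pps              61630
threshold_icmp_pps             1129
threshold_ip_fragments_pps     0
threshold_tcp_syn_pps          141824
threshold_tcp_mbps             1585
threshold_udp_mbps             559
threshold_icmp_mbps            0
threshold_ip_fragments_mbps    0
threshold_tcp_syn_mbps         1531
"""

# One "threshold_<name>   <integer>" pair per line (direction suffix optional).
LINE_RE = re.compile(r"^(threshold_\S+)\s+(\d+)$")

def parse_baseline(text):
    """Parse fcli baseline output into {threshold_name: peak_value}."""
    peaks = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            peaks[m.group(1)] = int(m.group(2))
    return peaks

def recommend_thresholds(peaks, multiplier=2.0, per_protocol=False):
    """Turn 7-day peaks into detection thresholds following the page's advice:
    multiply by 2-3, start with only pps and mbps (per-protocol thresholds are
    opt-in), and drop counters whose peak is zero, e.g. flows under sampling,
    since a zero baseline gives no usable threshold."""
    if not 2.0 <= multiplier <= 3.0:
        raise ValueError("multiplier should be in the recommended 2-3 range")
    chosen = {}
    for name, peak in peaks.items():
        # Strip the direction suffix so outgoing output is classified the same way.
        kind = name[:-len("_outgoing")] if name.endswith("_outgoing") else name
        basic = kind in ("threshold_pps", "threshold_mbps")
        if (basic or per_protocol) and peak > 0:
            chosen[name] = int(peak * multiplier)
    return chosen
```

Pass `per_protocol=True` only once the basic pps and mbps thresholds have proven stable, as the page recommends.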

Baseline configuration is an ongoing process, and if you notice that some attack was missed or you experienced a false alert on legitimate traffic, it may be a good time to review thresholds and adjust them.