To configure thresholds in FastNetMon correctly you need to know the peak traffic values during peace time for all the hosts in your network. To simplify this process FastNetMon includes a capability to show you peak traffic levels for all types of standard fixed thresholds available in FastNetMon.

To use this feature you need to enable traffic metrics export to Clickhouse using the following guide. If you have our visual stack installed then you already have all needed components in place and do not need to configure anything.

Please check that you run at least FastNetMon Advanced version 2.0.358 before using this guide.

After enabling metrics export we recommend keeping FastNetMon running without enabling any block actions for at least 1 week to cover all possible weekly peak times. If you need baseline data urgently you can collect it for 10-15 minutes and it will be good enough for a start.

We have no plans to support using data from InfluxDB as it does not handle such queries very well and fails to process a large number of metrics.

Our baseline tool works on multiple levels of aggregation:

  • Global, includes all hosts in network
  • Per host (IPv4 only)
  • Per prefix (IPv4 only, CIDR format)
  • Per hostgroup

For small and medium sized networks we recommend starting with a single global hostgroup for simplicity.

If you have more than a single type of bandwidth profile with significantly different peak traffic (e.g. cache nodes, CDN servers, high bandwidth business connections) in your network we recommend moving hosts with significantly larger bandwidth usage into a separate hostgroup.

To get peak traffic metrics for all hosts in your network you can run the following command:

sudo fcli show baseline_per_host global

After this command finishes you may see output like this:

threshold_pps                  145912
threshold_mbps                 1585
threshold_flows                55892
threshold_tcp_pps              145910
threshold_udp_pps              61630
threshold_icmp_pps             1129
threshold_ip_fragments_pps     0
threshold_tcp_syn_pps          141824
threshold_tcp_mbps             1585
threshold_udp_mbps             559
threshold_icmp_mbps            0
threshold_ip_fragments_mbps    0
threshold_tcp_syn_mbps         1531

By default we return the baseline for incoming traffic but you can explicitly specify the direction this way:

sudo fcli show baseline_per_host global outgoing

Example output:

threshold_pps_outgoing                   377
threshold_mbps_outgoing                  4535344
threshold_flows_outgoing                 0
threshold_tcp_pps_outgoing               292
threshold_udp_pps_outgoing               377
threshold_icmp_pps_outgoing              79
threshold_ip_fragments_pps_outgoing      0
threshold_tcp_syn_pps_outgoing           32
threshold_tcp_mbps_outgoing              1629352
threshold_udp_mbps_outgoing              4534784
threshold_icmp_mbps_outgoing             58056
threshold_ip_fragments_mbps_outgoing     0
threshold_tcp_syn_mbps_outgoing          19512

Please note that if a hostgroup or network consists of a large number of hosts (as global does) the query may need a very long time to finish as it will process a very significant amount of metrics.

These values are your peak values over a period of 7 days. We recommend checking them for validity; if you see unreasonably high values we recommend checking your configuration by following our quick start step by step.

We do provide all the possible threshold types in the output but we do not recommend setting up all of them. We recommend using only pps and mbps thresholds for the majority of setups. You may add per protocol thresholds to adjust to specific attack types but we do not recommend doing so from the beginning.

If you use sampled protocols such as sFlow or you have sampling enabled for Netflow or IPFIX you will see zero values for flow metrics. Unfortunately, sampling theory does not allow us to recover the flow rate after packet based sampling was applied and that's why these metrics are set to zero.

You can get peak traffic for a specific host in your network this way:

sudo fcli show baseline_per_host 10.1.2.3

To get the baseline value for a prefix you can use it in CIDR format:

sudo fcli show baseline_per_host 10.1.2.3/24

To get the baseline value for a whole hostgroup you can use the following format. Our tool will load all networks from the specified hostgroup and then calculate peak traffic over all hosts in it:

sudo fcli show baseline_per_host my_hostgroup

If you had a DDoS attack over the last week, the attack's traffic will be included and may affect the reliability of the calculations.

To use peak traffic values as thresholds for attack detection we recommend multiplying them by x2-x3 before using them. The basic recommendation for threshold setup is to set them to values which cannot be reached by normal traffic. For example, if you have a 1G limit for customers then it may be reasonable to set the threshold to 1.2G, as this value cannot be reached by normal service usage while a DDoS can easily exceed it. Another approach is to set them to the value at which you know your network starts to degrade. For example, you know that your routers will melt down after X packets per second, or you know that your upstream cannot handle more than 5G.
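The following script is an added example, not part of FastNetMon or fcli: it parses the text format printed by fcli show baseline_per_host (the sample below is copied from the example output on this page), multiplies each weekly peak by a factor in the recommended x2-x3 range, keeps only the pps and mbps thresholds by default, skips metrics whose peak is zero (e.g. flows under sampling), and lets you raise a threshold to a floor such as 1.2G for a 1G customer limit. The floors argument and the 2.5 default multiplier are the example's own assumptions.

```python
import math
import re

# Constructed sample: a subset of the example output shown on this page.
SAMPLE_BASELINE = """\
threshold_pps                  145912
threshold_mbps                 1585
threshold_flows                55892
threshold_tcp_pps              145910
threshold_icmp_mbps            0
"""

LINE_RE = re.compile(r"^(threshold_\S+)\s+(\d+)\s*$")

# Only these are recommended as a starting point (plus their outgoing variants).
BASIC_METRICS = {"threshold_pps", "threshold_mbps",
                 "threshold_pps_outgoing", "threshold_mbps_outgoing"}


def parse_baseline(text):
    """Parse fcli baseline output into {metric_name: weekly_peak}."""
    peaks = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            peaks[m.group(1)] = int(m.group(2))
    return peaks


def recommend_thresholds(peaks, multiplier=2.5, basic_only=True, floors=None):
    """Return {metric_name: threshold} = ceil(peak * multiplier), raised to any floor.

    Zero peaks are skipped: a threshold of 0 would fire on any traffic at all,
    and flow metrics are 0 when packet sampling is in use.
    """
    if not 2 <= multiplier <= 3:
        raise ValueError("multiplier should stay in the recommended x2-x3 range")
    floors = floors or {}
    out = {}
    for name, peak in peaks.items():
        if peak == 0 or (basic_only and name not in BASIC_METRICS):
            continue
        out[name] = max(math.ceil(peak * multiplier), floors.get(name, 0))
    return out


if __name__ == "__main__":
    peaks = parse_baseline(SAMPLE_BASELINE)
    for name, value in sorted(recommend_thresholds(peaks).items()):
        print(f"{name} {value}")
```

Pass basic_only=False to get per protocol thresholds too, and floors={"threshold_mbps": 1200} to enforce the 1.2G example from the text.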

Baseline configuration is an ongoing process: if you notice that some attack was missed or you experience a false alert on legitimate traffic, it is a good time to review the thresholds and adjust them.
