To configure thresholds in FastNetMon correctly you need to know peak traffic values during peace time for all the hosts in your network. To simplify this process FastNetMon includes capability to show you peak traffic levels for all types of standard fixed thresholds available in FastNetMon.
To use this feature you need to enable traffic metrics export to Clickhouse using following guide. If you have our visual stack installed then you have all needed components in place and you do not need to configure anything.
Please check that you run at least FastNetMon Advanced version 2.0.358 before using this guide.
After enabling metrics export we recommend keeping FastNetMon running without enabling and block actions for at least 1 week to cover all possible weekly peak times. If you need baseline data urgently you can keep it for 10-15 minutes and it will be good for start.
We have no plans to support using data from InfluxDB as it does not handle such queries very well and fails to process large number of metrics.
Our baseline tool works on multiple levels of aggregation:
- Global, includes all hosts in network
- Per host (IPv4 only)
- Per prefix (IPv4 only, CIDR format)
- Per hostgroup
For small and medium sized networks we recommend starting from setting up only single global hostgroup for simplicity.
If you have more then single type of bandwidth profiles with significantly different peak traffic (i.e. cache nodes, CDN server, high bandwidth business connections) in your network we recommend moving hosts with significantly larger bandwidth usage into separate hostgroup.
To get peak traffic metrics for all hosts in your network you can run following command:
sudo fcli show baseline_per_host global
After this command finishes you may see output like this:
threshold_pps 145912 threshold_mbps 1585 threshold_flows 55892 threshold_tcp_pps 145910 threshold_udp_pps 61630 threshold_icmp_pps 1129 threshold_ip_fragments_pps 0 threshold_tcp_syn_pps 141824 threshold_tcp_mbps 1585 threshold_udp_mbps 559 threshold_icmp_mbps 0 threshold_ip_fragments_mbps 0 threshold_tcp_syn_mbps 1531
By default we return baseline for incoming traffic but you can explicitly specify direction this way:
sudo fcli show baseline_per_host global outgoing
Example output:
threshold_pps_outgoing 377 threshold_mbps_outgoing 4535344 threshold_flows_outgoing 0 threshold_tcp_pps_outgoing 292 threshold_udp_pps_outgoing 377 threshold_icmp_pps_outgoing 79 threshold_ip_fragments_pps_outgoing 0 threshold_tcp_syn_pps_outgoing 32 threshold_tcp_mbps_outgoing 1629352 threshold_udp_mbps_outgoing 4534784 threshold_icmp_mbps_outgoing 58056 threshold_ip_fragments_mbps_outgoing 0 threshold_tcp_syn_mbps_outgoing 19512
Please note that if hostgroup or network consists large number of hosts (as global) query may need very long time to finish as it will process very significant amount of metrics.
These values are your peaks values over period of 7 days. We recommend checking them for validity and if you see unreasonably high values we recommend checking your configuration by following our quick start step by step.
We do provide all the possible thresholds types in output but we do not recommend setting up all of them. We recommend using only pps and mbps thresholds for majority of setups. You may add per protocol thresholds to adjust to specific attack types but we do not recommend doing so from the beginning.
If you use sampled protocols such as sFlow or you have sampling enabled for Netflow or IPFIX you will see zero numbers for flow metrics. Unfortunately, sampling theory does not allow us to recover flow rate after packet based sampling was applied and that’s why these metrics are set to zeroes.
You may have peak traffic for specific host in your network this way:
sudo fcli show baseline_per_host 10.1.2.3
To get baseline value for prefix you can use it in CIDR format:
sudo fcli show baseline_per_host 10.1.2.3/24
To get baseline value for whole hostgroup you can use following format. Our tool will load all networks from specified hostgroup and then will calculate peak traffic over all hosts in it:
sudo fcli show baseline_per_host my_hostgroup
If you had DDoS over last week attack’s traffic will be included and may affect reliability of calculations.
To use peak traffic values as thresholds for attack detection we recommend to multiply them by x2-x3 and then use. Basic recommendation about thresholds setup is to setup them to values which cannot be reached by normal traffic. For example if you have 1G limit for customers then it may be reasonable to set threshold to 1.2G as this value cannot be reached by normal service usage and in case of DDoS it can easily exceed this value. Another approach to set them up to value when you know your network starts performance degradation. For example you know that your routers will melt down after X packet per second or you known that your upstream cannot handle more then 5G.
Baseline configuration is an ongoing process and if you noticed that some attack was missed or you experienced false alert on legitimate traffic it may be good time to review thresholds and adjust them.