Since version 2.0.116 FastNetMon has an experimental ability to detect remote attackers (tracked as individual /32 hosts) and announce them via BGP unicast announcements.
Known restrictions:
- No automatic unblock option
- No automatic counter cleanup. On busy networks this delays speed calculation; in some cases it can be worked around by restarting FastNetMon frequently
To use this option, please enable this mode in FastNetMon:
sudo fcli set main remote_host_tracking enable
You can also list the top remote talkers this way (since FastNetMon 2.0.151):
sudo fcli show remote_host_counters
You can enable actions separately for incoming and outgoing directions of traffic:
sudo fcli set main enable_ban_remote_outgoing enable
sudo fcli set main enable_ban_remote_incoming enable
Thresholds for remote hosts are specified through host groups with the following reserved names:
- remote_host_incoming
- remote_host_outgoing
You can create example host groups this way:
sudo fcli set hostgroup remote_host_incoming
sudo fcli set hostgroup remote_host_incoming ban_for_bandwidth enable
sudo fcli set hostgroup remote_host_incoming threshold_mbps 10
sudo fcli set hostgroup remote_host_incoming enable_ban enable
sudo fcli set hostgroup remote_host_outgoing
sudo fcli set hostgroup remote_host_outgoing ban_for_bandwidth enable
sudo fcli set hostgroup remote_host_outgoing threshold_mbps 10
sudo fcli set hostgroup remote_host_outgoing enable_ban enable
After these configuration steps FastNetMon will block every remote host that exceeds 10 Mbit/s of traffic in either direction.
You can list blocked hosts this way:
sudo fcli show remote_blackhole
In addition, FastNetMon can generate BGP announcements for blocked hosts so that you can block them on your routers:
sudo fcli set main gobgp_announce_remote_host enable
You can also configure the community and next hop for these announcements:
sudo fcli set main gobgp_next_hop_remote_host 1.0.0.0
sudo fcli set main gobgp_community_remote_host 65001:669
You can block a host manually using the fcli interface:
sudo fcli set remote_blackhole 10.11.12.13
To unblock a host, use the UUID shown by the list command:
sudo fcli delete remote_blackhole 9a67b518-df3f-465c-a281-f62a5abf575f
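Because the delete command takes a UUID rather than an IP address, unblocking by hand means copying the UUID out of the listing. The helper below is an added example, not part of FastNetMon or fcli: it resolves the UUID for a given IP and issues the delete. It assumes only that `fcli show remote_blackhole` prints each entry's IP address and UUID on the same line (an assumption about the output layout, nothing else about the format is relied upon). The FCLI variable, the SAMPLE_LISTING text and the second UUID in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not FastNetMon's own tooling: unblock a remote_blackhole
# entry by IP address instead of copying its UUID by hand.
#
# Assumption: `fcli show remote_blackhole` lists one entry per line with the
# IP address and the UUID on that line. The regex below matches the IP as a
# whole field, so 10.11.12.1 does not match the entry for 10.11.12.13.

UUID_RE='[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'

# Constructed sample listing (not real fcli output), used for the dry run.
SAMPLE_LISTING='10.11.12.13 9a67b518-df3f-465c-a281-f62a5abf575f
203.0.113.7 0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0'

# uuid_for_host LISTING IP
# Prints the UUID of the entry for IP; returns 1 if there is no such entry.
uuid_for_host() {
  listing=$1
  ip=$2
  # Escape the dots so they match literally in the extended regex.
  ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
  printf '%s\n' "$listing" \
    | grep -E "(^|[[:space:]])${ip_re}([[:space:]]|$)" \
    | grep -o -E "$UUID_RE" \
    | head -n 1 \
    | grep .   # fail the pipeline when nothing was found
}

# unblock_remote_host IP
# Looks the UUID up in the live listing and deletes that entry.
# FCLI (illustrative variable, not an fcli feature) defaults to "sudo fcli";
# point it at a shell function or "echo" for a dry run.
unblock_remote_host() {
  ip=$1
  fcli=${FCLI:-sudo fcli}
  listing=$($fcli show remote_blackhole) || return 1
  uuid=$(uuid_for_host "$listing" "$ip") || {
    echo "no remote_blackhole entry for $ip" >&2
    return 1
  }
  $fcli delete remote_blackhole "$uuid"
}

# Usage on a real host:
#   unblock_remote_host 10.11.12.13
```

Keeping the lookup in its own function means the same matching logic can be reused against the output of `fcli show remote_host_counters`, and the FCLI override lets you verify the parsing against a saved listing before running it with sudo.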
Please be careful on heavily loaded networks: FastNetMon does not free tracking entries for remote hosts, so the tracking table only grows and can consume a significant amount of memory.