21.11.2018

Automatic blocks for remote attackers

Since version 2.0.116 FastNetMon got new experimental ability  to detect remote attacker’s (/32 hosts) and announce them using BGP Unicast announces.

Known restrictions:

  • No automatic unblock option
  • Lack of automatic counter cleanup. Leads to speed calculation delays for loaded networks. In some cases can be fixed by frequent FastNetMon restarts

To use this option, please enable this mode in FastNetMon:

sudo fcli set main remote_host_tracking enable

You also can get top remote talkers this way (since FastNetMon 2.0.151):

sudo fcli show remote_host_counters

You can enable actions separately for incoming and outgoing directions of traffic:

sudo fcli set main enable_ban_remote_outgoing enable
sudo fcli set main enable_ban_remote_incoming enable

To specify threshold values for remote hosts we use host groups with special names:

  • remote_host_incoming
  • remote_host_outgoing

You can create example host groups this way:

sudo fcli set hostgroup remote_host_incoming
sudo fcli set hostgroup remote_host_incoming ban_for_bandwidth enable
sudo fcli set hostgroup remote_host_incoming threshold_mbps 10
sudo fcli set hostgroup remote_host_incoming enable_ban enable

sudo fcli set hostgroup remote_host_outgoing
sudo fcli set hostgroup remote_host_outgoing ban_for_bandwidth enable
sudo fcli set hostgroup remote_host_outgoing threshold_mbps 10
sudo fcli set hostgroup remote_host_outgoing enable_ban enable

After these configuration steps FastNetMon will block all remote hosts which exceed 10Mbits of traffic in any direction.

You can list blocked hosts this way:

sudo fcli show remote_blackhole

In addition to this, FastNetMon can generate BGP announces for blocked hosts and you can block them using your routers:

sudo fcli set main gobgp_announce_remote_host enable

You also can configure community and next hop for these announces:

sudo fcli set main gobgp_next_hop_remote_host 1.0.0.0
sudo fcli set main gobgp_community_remote_host 65001:669

You can manually block some host using fcli interface:

sudo fcli set remote_blackhole 10.11.12.13

To unblock some host, please use uuid from list command:

sudo fcli delete remote_blackhole 9a67b518-df3f-465c-a281-f62a5abf575f

Please be careful with really heavily loaded networks because FastNetMon does not free up tracking entries and can consume significant amount of memory.