Escalation script for FastNetMon Advanced

FastNetMon Advanced provides a number of options to apply different actions when it discovers a DDoS attack. Also, it provides a number of options to extend it using different approaches.

In this guide, we will provide a completely working approach for implementing escalations. Using this script, you can configure FastNetMon to create a custom BGP announcement for an already blocked (blackholed) host when it crosses a specified ("emergency") traffic threshold.

To use this script, please configure BGP first. Then, please enable the API. You need to set a secure password for the API and specify this password inside the script on the line containing "auth_data".

Please download this script from GitHub:

wget https://raw.githubusercontent.com/FastNetMon/blackhole-escalation-script-fastnetmon-advanced/main/escalation_to_bgp_blackhole.py
chmod +x escalation_to_bgp_blackhole.py
sudo cp escalation_to_bgp_blackhole.py /opt

Please install dependencies:

sudo pip install requests

Also, in the script, change the following configuration options according to your requirements:

incoming_mbits_threshold = 100
outgoing_mbits_threshold = 100

incoming_packets_threshold = 2000
outgoing_packets_threshold = 2000

bgp_community = '65001:777'
bgp_next_hop = '11.22.33.44'

Finally, please add the following cron entry in the file /etc/cron.d/escalation_to_bgp_blackhole:

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * *  root    /opt/escalation_to_bgp_blackhole.py

Apply the changes for cron:

service cron restart

This script will run every minute and check the list of all already blackholed hosts. For each host that exceeds the thresholds configured in the script, it will announce the covering /24 subnet with the specified next hop and community.
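The threshold check and /24 escalation described above, reproduced as an added Python example (not the project's script): it works on constructed traffic samples instead of calling the API, and the stats field names it uses are assumptions of this example.

```python
# Added example, not the project's script: the per-minute decision logic the
# escalation script applies, reproduced offline on constructed traffic samples.
# Thresholds, community and next hop mirror the configuration options above.
import ipaddress

incoming_mbits_threshold = 100
outgoing_mbits_threshold = 100
incoming_packets_threshold = 2000
outgoing_packets_threshold = 2000
bgp_community = '65001:777'
bgp_next_hop = '11.22.33.44'  # placeholder next hop taken from the guide


def exceeds_thresholds(stats):
    # stats keys (in_mbps, out_mbps, in_pps, out_pps) are this example's own
    # naming, not field names of the FastNetMon Advanced API.
    return (stats['in_mbps'] > incoming_mbits_threshold
            or stats['out_mbps'] > outgoing_mbits_threshold
            or stats['in_pps'] > incoming_packets_threshold
            or stats['out_pps'] > outgoing_packets_threshold)


def escalation_prefix(host_ip):
    # The script escalates the covering /24 rather than the single host.
    return str(ipaddress.ip_network(f'{host_ip}/24', strict=False))


def plan_announcements(blackholed_hosts):
    # blackholed_hosts maps host IP -> stats; the real script obtains the list
    # of already blackholed hosts over the API. Two hosts in one /24 collapse
    # into a single announcement so the same prefix is not pushed twice.
    plan = {}
    for host, stats in blackholed_hosts.items():
        if not exceeds_thresholds(stats):
            continue
        prefix = escalation_prefix(host)
        entry = plan.setdefault(prefix, {'prefix': prefix, 'next_hop': bgp_next_hop,
                                         'community': bgp_community, 'hosts': []})
        entry['hosts'].append(host)
    return sorted(plan.values(), key=lambda a: a['prefix'])


# Constructed sample: two hosts in 192.0.2.0/24 over threshold, one under it.
SAMPLE_HOSTS = {
    '192.0.2.10': {'in_mbps': 250, 'out_mbps': 5, 'in_pps': 1500, 'out_pps': 100},
    '192.0.2.200': {'in_mbps': 40, 'out_mbps': 2, 'in_pps': 9000, 'out_pps': 50},
    '198.51.100.7': {'in_mbps': 30, 'out_mbps': 1, 'in_pps': 800, 'out_pps': 20},
}

if __name__ == '__main__':
    for a in plan_announcements(SAMPLE_HOSTS):
        print(f"announce {a['prefix']} via {a['next_hop']} community {a['community']}")
```

Running it prints a single /24 announcement covering both over-threshold hosts; the host under threshold produces nothing.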