FastNetMon Advanced and Bison router integration

FastNetMon Advanced has complete support for BGP Flow Spec based mitigation: when FastNetMon detects malicious traffic patterns it generates filtering rules to filter them out. Bison router does not support the BGP Flow Spec protocol natively yet, but we have an option to add and remove ACLs on it via SSH automatically.

To start, you need to fully configure FastNetMon in BGP Flow Spec mode. As ACLs in Bison router do not support some of the filtering options available in FastNetMon, we need to explicitly disable them:

sudo fcli set main flow_spec_do_not_process_ip_fragmentation_flags_field true
sudo fcli set main flow_spec_do_not_process_length_field true
sudo fcli set main flow_spec_do_not_process_tcp_flags_field true
sudo fcli commit

As we're going to use SSH to connect from the FastNetMon server / VM to the server with Bison router, you need to create an SSH user for it on the server with Bison router.

Then grant the following sudo permissions, as the rcli tool requires root access, by placing the following lines into /etc/sudoers.d/bison:

fastnetmon ALL=(root) NOPASSWD: /usr/sbin/rcli vif acl rule *
fastnetmon ALL=(root) NOPASSWD: /usr/sbin/rcli vif acl flush aclid *
fastnetmon ALL=(root) NOPASSWD: /usr/sbin/rcli sh vif acl rules aclid *
fastnetmon ALL=(root) NOPASSWD: /usr/sbin/rcli sh vif acl

After that, please create the configuration file /etc/fastnetmon_bison_flow_spec_acl.json with the following content (adjust the options to your particular case):

{
  "log_path": "/var/log/fastnetmon/fastnetmon_bison_flow_spec_acl.log",
  "ssh_host": "10.0.0.1",
  "ssh_port": 22,
  "ssh_user": "fastnetmon",
  "ssh_password": "",
  "ssh_key_path": "/etc/bison_flow_spec_acl_ssh_private.key",
  "acl_id_ipv4": 21,
  "acl_id_ipv6": 22,
  "sudo": true
}

After that, please download this file, place it at /opt/fastnetmon_bison_flow_spec_acl and then set the executable bit for it:

sudo chmod +x /opt/fastnetmon_bison_flow_spec_acl

Then enable JSON based callback scripts on the FastNetMon side:

sudo fcli set main notify_script_enabled enable
sudo fcli set main notify_script_format json
sudo fcli set main notify_script_path /opt/fastnetmon_bison_flow_spec_acl
sudo fcli commit

Please note that Bison ACLs are applied before NAT port translation happens, so they match on private (pre-NAT) IP addresses.

Then you need to enable the ACL for IPv4 on the Bison side this way:

#
# Apply ACL to PPPoE
#
# create ACL template VIF "pppoe_acl_tpl"
acl template vif add pppoe_acl_tpl

# add ACL 21 to VIF "pppoe_acl_tpl"
vif acl add dev pppoe_acl_tpl dir ingress aclid 21 prio 10

# use VIF "pppoe_acl_tpl" for every PPPoE subscriber
sysctl set pppoe_template_acl "pppoe_acl_tpl"

To enable both IPv4 and IPv6 ACLs you will need to apply the following configuration options:

#
# ACL
#
vif acl create aclid 21 type ipv4_tuple deny
vif acl create aclid 22 type ipv6_tuple deny

#
# Apply ACL to PPPoE
#
# create ACL template VIF "pppoe_acl_tpl"
acl template vif add pppoe_acl_tpl

# add ACL 21 (IPv4) and ACL 22 (IPv6) to VIF "pppoe_acl_tpl"
vif acl add dev pppoe_acl_tpl dir ingress aclid 21 prio 10
vif acl add dev pppoe_acl_tpl dir ingress aclid 22 prio 20

# use VIF "pppoe_acl_tpl" for every PPPoE subscriber
sysctl set pppoe_template_acl "pppoe_acl_tpl"

Please note that ACL rules will start applying only after the PPPoE session is re-established. You may wait for all customers to reconnect or restart Bison entirely (be aware of the downtime during this procedure). Please note that IPv4 and IPv6 ACLs use different ACL IDs.

If you use Netflow, please note that you must not send NAT events (net collector) to FastNetMon, as NAT event packets may cause issues with the detection logic in versions older than 2.0.376.

To check that the tool can connect to the remote server, please use the following command:

echo '{"alert_scope":"host","action":"connection_check"}' | sudo /opt/fastnetmon_bison_flow_spec_acl

After all configuration is put in place, FastNetMon will automatically create and remove filtering rules on the Bison router via SSH.

To ensure that everything works, I can recommend creating a rule which filters UDP traffic towards 192.0.2.1/32, which belongs to the IETF documentation range and is not used publicly:

sudo fcli set flowspec '{"protocols":["udp"], "destination_prefix": "192.0.2.1/32","action_type": "discard"}'

And then check that everything went well in /var/log/fastnetmon/fastnetmon_bison_flow_spec_acl.log.

Then check that the ACL rules are present on the Bison side:

sudo /usr/sbin/rcli sh vif acl rules aclid 21
acl id 21, type ipv4_tuple, action deny, num rules 5
--
prio 5, proto 17, src 172.16.12.83, dst 192.0.2.1, sport any, dport any
prio 4, proto 17, src 172.16.7.193, dst xx, sport 45772, dport 36891
prio 3, proto 17, src 172.16.12.83, dst xx, sport 56186, dport 53726
prio 2, proto 17, src 172.16.9.52, dst xx, sport 53418, dport 12612
prio 1, proto 17, src 172.16.13.102, dst xx, sport 48130, dport 60187

If needed, you can remove all rules from ACL 21 using this command:

sudo /usr/sbin/rcli vif acl flush aclid 21

For testing purposes (this will cause an outage when applied to live traffic) you can run the following commands to create rules:

echo '{"alert_scope":"host","action":"partial_block", "flow_spec_rules":[{"action_type": "discard", "protocols":["udp"]}]}' | sudo /opt/fastnetmon_bison_flow_spec_acl

echo '{"alert_scope":"host","action":"partial_block", "flow_spec_rules":[{"action_type": "discard", "protocols":["tcp"]}]}' | sudo /opt/fastnetmon_bison_flow_spec_acl

echo '{"alert_scope":"host","action":"partial_block", "flow_spec_rules":[{"action_type": "discard", "protocols":["udp"], "destination_ports": [123] }]}' | sudo /opt/fastnetmon_bison_flow_spec_acl

echo '{"alert_scope":"host","action":"partial_block", "flow_spec_rules":[{"action_type": "discard", "protocols":["udp"], "source_ports": [123] }]}' | sudo /opt/fastnetmon_bison_flow_spec_acl

echo '{"alert_scope":"host","action":"partial_block", "flow_spec_rules":[{"action_type": "discard", "protocols":["udp"], "destination_ports": [123], "source_prefix": "10.0.0.1/32" }]}' | sudo /opt/fastnetmon_bison_flow_spec_acl

echo '{"alert_scope":"host","action":"partial_block", "flow_spec_rules":[{"action_type": "discard", "protocols":["udp"], "destination_ports": [123], "source_prefix": "10.0.0.1/24" }]}' | sudo /opt/fastnetmon_bison_flow_spec_acl

echo '{"alert_scope":"host","action":"partial_block", "flow_spec_rules":[{"action_type": "discard", "source_prefix": "10.0.0.1/24" }]}' | sudo /opt/fastnetmon_bison_flow_spec_acl

echo '{"alert_scope":"host","action":"partial_block", "flow_spec_rules":[{"action_type": "discard", "destination_prefix": "10.0.0.1/24" }]}' | sudo /opt/fastnetmon_bison_flow_spec_acl

echo '{"alert_scope":"host","action":"partial_block", "flow_spec_rules":[{"action_type": "discard", "protocols":["udp"], "destination_ports": [123], "source_ports":[1234],"destination_prefix": "10.0.3.0/24","source_prefix": "10.0.0.1/24" }]}' | sudo /opt/fastnetmon_bison_flow_spec_acl
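As an added example (not part of FastNetMon's or Bison's own code), the script below ties the two verification steps on this page together: it reads the callback JSON that FastNetMon pipes into the script (the connection_check and partial_block payloads shown above, and the fcli test rule for 192.0.2.1/32), expands each flow spec rule into Bison-style tuple entries, and looks those entries up in the text printed by `rcli sh vif acl rules aclid 21`, reporting any rule that did not land in the ACL. The callback field names and the `prio/proto/src/dst/sport/dport` line format are taken from this page; the TCP protocol number, the JSON key names of the unsupported fields, the rule that a list of N ports expands to N entries, the handling of host masks, and the sample rcli listing are assumptions or constructed data.

```python
"""Verify that a FastNetMon flow spec callback landed in a Bison tuple ACL.

Added example, not FastNetMon's or Bison's code. The callback field names
and the rule line format printed by `rcli sh vif acl rules aclid N` come
from the page; everything marked "assumed" below does not.
"""
import json
import re
from itertools import product

# IANA protocol numbers as Bison prints them in "proto N". Only 17 (UDP) is
# visible on the page; 6 is the standard IANA number for TCP.
PROTO_NUMBERS = {"tcp": "6", "udp": "17"}

# Flow spec components a Bison tuple ACL cannot express (the page disables
# them with fcli). The JSON key names are assumed.
UNSUPPORTED_FIELDS = {"fragmentation_flags", "packet_lengths", "tcp_flags"}

# One rule line of `rcli sh vif acl rules`, in the format shown on the page.
RULE_RE = re.compile(
    r"prio (?P<prio>\d+), proto (?P<proto>\S+), src (?P<src>\S+), "
    r"dst (?P<dst>\S+), sport (?P<sport>\S+), dport (?P<dport>\S+)$"
)
TUPLE_KEYS = ("proto", "src", "dst", "sport", "dport")


def _addr(prefix):
    """Render a flow spec prefix as rcli prints it: host routes lose their mask (assumed)."""
    if prefix is None:
        return "any"
    for host_mask in ("/32", "/128"):
        if prefix.endswith(host_mask):
            return prefix[: -len(host_mask)]
    return prefix


def flowspec_to_tuples(rule):
    """Expand one flow spec rule into Bison-style 5-tuples.

    Assumption: a tuple entry carries one port per direction, so a rule
    listing several protocols or ports becomes their cartesian product.
    """
    if rule.get("action_type") != "discard":
        raise ValueError("only discard rules map onto a deny ACL")
    unsupported = UNSUPPORTED_FIELDS & set(rule)
    if unsupported:
        raise ValueError(f"not expressible in a Bison tuple ACL: {sorted(unsupported)}")
    protos = [PROTO_NUMBERS[p] for p in rule.get("protocols", [])] or ["any"]
    sports = [str(p) for p in rule.get("source_ports", [])] or ["any"]
    dports = [str(p) for p in rule.get("destination_ports", [])] or ["any"]
    src, dst = _addr(rule.get("source_prefix")), _addr(rule.get("destination_prefix"))
    return [
        {"proto": pr, "src": src, "dst": dst, "sport": sp, "dport": dp}
        for pr, sp, dp in product(protos, sports, dports)
    ]


def callback_to_tuples(callback_json):
    """Parse the JSON that FastNetMon pipes into the callback script."""
    callback = json.loads(callback_json)
    action = callback.get("action")
    if action == "connection_check":
        return []  # connectivity probe, carries no rules
    if action != "partial_block":
        raise ValueError(f"unexpected action {action!r}")
    tuples = []
    for rule in callback.get("flow_spec_rules", []):
        tuples.extend(flowspec_to_tuples(rule))
    return tuples


def parse_acl_rules(rcli_output):
    """Parse the rule lines of `rcli sh vif acl rules aclid N`; other lines are skipped."""
    installed = []
    for line in rcli_output.splitlines():
        match = RULE_RE.match(line.strip())
        if match:
            entry = match.groupdict()
            entry["prio"] = int(entry["prio"])
            installed.append(entry)
    return installed


def missing_tuples(callback_json, rcli_output):
    """Return the requested tuples that have no exact match in the ACL listing."""
    present = {tuple(r[k] for k in TUPLE_KEYS) for r in parse_acl_rules(rcli_output)}
    return [t for t in callback_to_tuples(callback_json)
            if tuple(t[k] for k in TUPLE_KEYS) not in present]


# Constructed sample listing in the page's format (not captured from a real router).
SAMPLE_RCLI_OUTPUT = """\
acl id 21, type ipv4_tuple, action deny, num rules 3
--
prio 3, proto 17, src any, dst 192.0.2.1, sport any, dport any
prio 2, proto 17, src 172.16.7.193, dst 192.0.2.1, sport 45772, dport 36891
prio 1, proto 6, src 172.16.12.83, dst 192.0.2.1, sport any, dport 443
"""

if __name__ == "__main__":
    # The fcli test rule from the page, wrapped the way the callback receives it.
    cb = json.dumps({"alert_scope": "host", "action": "partial_block",
                     "flow_spec_rules": [{"protocols": ["udp"],
                                          "destination_prefix": "192.0.2.1/32",
                                          "action_type": "discard"}]})
    print("missing:", missing_tuples(cb, SAMPLE_RCLI_OUTPUT))  # expect []
```

In practice you would feed `missing_tuples` the real output of `sudo /usr/sbin/rcli sh vif acl rules aclid 21` captured after the callback ran, so that the check exercises the same sudoers entry the callback script depends on. The match is deliberately exact: a narrower entry than requested (a specific source where the rule asked for any) is reported as missing, because it would not discard the traffic the rule was meant to cover.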