In BGP Blackhole mode, FastNetMon can announce your own host (or subnet for this host) with a specified BGP community. You can use this approach for traffic diversion to a cloud scrubbing centre or to completely block all (incoming and outgoing) traffic to this host in your network.
In this mode, FastNetMon tracks number of counters for each host in your network (number of bytes, packets and flows per second for different types of traffic). And if some of your hosts cross this baseline value, then FastNetMon will create a BGP announce automatically.
To start with BGP Blackhole automation, you need to set thresholds using this guide.
Then enable ban actions globally:
sudo fcli set main enable_ban enable
If you’re configuring IPv6 blackhole, then you need to set this command:
sudo fcli set main enable_ban_ipv6 enable sudo fcli commit
Then you could check blocks for hosts which exceed this threshold:
sudo fcli show blackhole
For testing purposes, you may manually blackhole some host:
sudo fcli set blackhole 1.2.3.4
To unblock a host, you need to use UUID from the previous command and issue the following command:
sudo fcli delete blackhole d9b1885f-6d9b-4167-9e3e-0a3198bacee9
To get more information about a particular blackhole, you can usethe following command:
sudo fcli show blackhole d9b1885f-6d9b-4167-9e3e-0a3198bacee9
Example output:
IP: 10.0.10.1 UUID: 41799e15-8fa7-4b56-b3d6-840db3fcb956 Hostgroup: global Host Network: 10.0.10.1/22 Detection Source: manual Detection Threshold: unknown Detection Direction: unknown
To run some automatic block / mitigation actions, we offer a huge variety of options:
- BGP Blackhole for IPv4
- BGP Blackhole for IPv6
- Email alerts
- Bash Script call
- JSON script call
- Mikrotik route integration
- Cloud based DDoS scrubbing center traffic diversion via API
- Cloud based DDoS scrubbing center traffic diversion via BGP
- VyOS route management
- Web callback
- InfluxDB / Grafana alert
We recommend enabling email alerts before enabling BGP mode to confirm the correctness of the thresholds configuration.
Automatic unblock
When the attack is finished, FastNetMon can automatically unblock the blocked IP address. This capability can be enabled this way:
sudo fcli set main unban_enabled true sudo fcli commit
By default, FastNetMon unblocks the host after 12 minutes. This time can be changed (ban time in seconds) in the following way:
sudo fcli set main ban_time 600 sudo fcli commit
In addition to unconditional unblocking by timeout, FastNetMon has the capability to check if the attack has finished before unblocking it. This logic is enabled by default on all new installations. You can manually enable it this way:
sudo fcli set main unban_only_if_attack_finished true sudo fcli commit
Attack confirmation logic
For simplicity, the beginning of this guide omits an explanation of attack confirmation logic. In reality, after a host crosses the threshold, FastNetMon does not block it immediately. Instead, it creates a traffic capture request. We do it to capture the context of the attack for email alerts and script callbacks.
After capture request creation, FastNetMon will collect all traffic to/from a specified host. By default, FastNetMon captures 500 (for mirror/SPAN mode) or 20 (for sFlow v5, Netflow, IPFIX) packets.
If you wish, you can adjust the number of packets in the following way:
sudo fcli set main ban_details_records_count 5 sudo fcli commit
If it cannot capture this amount of packets for 60 seconds (can be configured using bucket_traffic_collection_timeout starting from 2.0.359), it removes the “traffic capture request” as orphaned and removes it completely. In this case, FastNetMon declares the attack as a false positive and does not apply any actions.
If you use sampled Netflow/IPFIX/sFlow v5, you can reduce this value to 2-3 packets or even set it to a single packet. In this case, FastNetMon will block the host almost immediately after receiving the initial alert, but you will lose the ability to understand the attack traffic.
If you enable traffic buffer capability attack confirmation step will be skipped, and the attack will be triggered immediately. In this case, FastNetMon will retrieve an attack sample from the in-memory traffic buffer, which stores packets and flows for the last X seconds. This sample will be used for script callbacks and email alerts.
In addition to the option to announce /32 or /128 hosts which are under attack, FastNetMon can announce whole networks where the attacked host is located. It may be useful for DDoS scrubbing centre diversion or internal network policy changes (i.e. to move the prefix under attack to in-house scrubbing or move it to another ISP).
In addition to BGP-based integration, we have native integration with multiple DDoS scrubbing centres via API.