FastNetMon Advanced BGP mitigation modes

FastNetMon can work in two mutually exclusive modes:
– BGP Blackhole
– BGP Flow spec

In BGP Blackhole mode, FastNetMon announces the attacked host (or the subnet containing it) with a specified BGP community. You can use this approach to divert traffic to a cloud scrubbing centre or to completely block all (incoming and outgoing) traffic to this host in your network.

In this mode, FastNetMon tracks a number of counters for each host in your network (bytes, packets and flows per second for different types of traffic). If any host in your network crosses the specified baseline value, FastNetMon creates a BGP announce automatically. FastNetMon has options to exclude hosts in your network from any ban actions (whitelist). It can also completely ignore traffic related to certain remote hosts (whitelist_remote), which is useful for whitelisting backup servers. If you need DDoS detection only for incoming or only for outgoing attacks, you can enable just the relevant traffic direction (process_incoming_traffic and process_outgoing_traffic).

To switch FastNetMon to BGP Flow spec mode, you need to enable Flow spec globally (set main gobgp_flow_spec_announces enable) and activate the Flow Spec NLRI/family for at least one BGP peering connection (set bgp connection_to_my_router ipv4_flowspec enable).

In this mode, FastNetMon also keeps traffic counters for each host in your network, but the action taken when a host crosses its baseline is different. Instead of immediately blocking the host, FastNetMon attempts to collect a traffic sample (from 20 to 500 packets) for the affected host. If it can collect the required amount of traffic, it uses our own attack detection engine to find the attack traffic and create filtering rules. This engine works only at L3 and L4 and cannot inspect packet payloads.

FastNetMon uses a statistical approach and can easily find popular attack types (all kinds of amplification, floods from a few IP addresses). It is important, however, to use rather large baseline values in order to have a significant amount of attack traffic in the sample.

FastNetMon implements a number of optimisations to reduce the number of BGP Flow spec rules and uses aggregation to find the best match.
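As an added illustration of the sample-based L3/L4 approach and rule aggregation described above (example code written for this page, not FastNetMon's own engine): a small greedy engine that pins only the fields a majority of the sampled packets share, so a many-reflector amplification attack yields a protocol/source-port rule while varying fields such as reflector addresses stay out of it. The field names, the 50% share threshold and the sample packets are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int        # 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int
    flags: str = ""   # TCP flags as letters, "" for non-TCP

# Fields a rule may pin, checked from most generic to most specific.
FIELDS = ("proto", "src_port", "dst_port", "flags", "src_ip")


def build_rule(sample, dst_ip, min_share=0.5, min_packets=20, max_packets=500):
    """Return a Flow Spec-like dict for dst_ip, or None if the sample is too small.
    A field is pinned only if its most common value covers >= min_share of the
    host's sampled packets, so attributes that vary (e.g. reflector source IPs
    in an amplification attack) are left out and the rule stays aggregated."""
    pkts = [p for p in sample if p.dst_ip == dst_ip][:max_packets]
    if len(pkts) < min_packets:
        return None
    rule, matched = {"destination": f"{dst_ip}/32"}, pkts
    for field in FIELDS:
        value, count = Counter(getattr(p, field) for p in matched).most_common(1)[0]
        if value == "" or count / len(pkts) < min_share:
            continue  # empty or not shared by enough of the sample: do not pin it
        rule[field] = value
        matched = [p for p in matched if getattr(p, field) == value]
    return rule if len(rule) > 1 else None


VICTIM = "203.0.113.10"  # constructed address (TEST-NET-3)


def amplification_sample():
    """Constructed: 80 DNS-reply-style UDP packets from 80 reflectors mixed with
    20 legitimate HTTPS ACKs from one client."""
    attack = [Packet(f"198.51.100.{i}", VICTIM, 17, 53, 30000 + i) for i in range(80)]
    legit = [Packet("192.0.2.5", VICTIM, 6, 40000 + i, 443, "A") for i in range(20)]
    return attack + legit


def syn_flood_sample():
    """Constructed: 90 SYNs from three sources with varying source ports,
    plus 10 legitimate DNS replies."""
    attack = [Packet(f"192.0.2.{1 + i % 3}", VICTIM, 6, 1024 + i, 80, "S") for i in range(90)]
    legit = [Packet("198.51.100.200", VICTIM, 17, 53, 50000 + i) for i in range(10)]
    return attack + legit


if __name__ == "__main__":
    print(build_rule(amplification_sample(), VICTIM))
    print(build_rule(syn_flood_sample(), VICTIM))
```

For the three-source SYN flood the engine deliberately does not pin individual source addresses, since none covers half the sample, and instead emits one aggregated TCP/port 80/SYN rule for the host.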