FastNetMon Advanced offers a complete, production-ready integration with the cloud DDoS scrubbing service Magic Transit, provided by Cloudflare Inc. Cloudflare and Magic Transit are registered trademarks owned by Cloudflare Inc.
Please check that your version of FastNetMon is 2.0.357 or newer.
To use this capability you will need to create an API token that allows you to control Magic Transit. You can do it from the API Tokens page of the Cloudflare dashboard (click the “user” icon in the top right corner, select “My Profile”, then select “API Tokens” on the left side).
Create an API token that allows access only to Magic Transit and does not grant full control of the account.
Click “Create Token”, then at the bottom of the page select “Create Custom Token” and click “Get started”.
- Token name: “fastnetmon”
- Permissions: “Account”, “Magic transit”, “Edit”.
Then continue to the Summary step and click “Create token”.
The token is shown as a long alphanumeric string; copy it.
In addition to the authentication token you will need your account ID. To get it, open any domain; the Zone ID and Account ID are shown in the right-hand panel. If you do not have any domains at Cloudflare, open the main dashboard and select “Manage account”, then “Members”, in the left menu. Then check the URL in your browser: “https://dash.cloudflare.com/xxxx/members”, where the long xxxx sequence is the Account ID.
How does it work? When FastNetMon detects an attack against an IP address, it determines the /24 prefix containing that IP and announces it to the scrubbing centre. When the attack stops or the ban time expires, FastNetMon withdraws the announcement from the scrubbing centre using their API.
You can set the priority and weight as you wish; the next hop must be set to the value provided by the scrubbing centre.
Use fcli to apply the configuration instead of editing the file manually:
sudo fcli set plugin scrubbing_services_integration provider_name cloudflare
sudo fcli set plugin scrubbing_services_integration cloudflare_api_token yyy
sudo fcli set plugin scrubbing_services_integration cloudflare_account_id xxx
sudo fcli set plugin scrubbing_services_integration cloudflare_next_hop 10.20.30.40
sudo fcli set plugin scrubbing_services_integration cloudflare_priority 100
sudo fcli set plugin scrubbing_services_integration cloudflare_weight 100
sudo fcli set plugin scrubbing_services_integration log_path /var/log/fastnetmon/fastnetmon_scrubbing_services_integration.log
Finally, configure FastNetMon to call the plugin when it blocks or unblocks an IP:
sudo fcli set main notify_script_enabled enable
sudo fcli set main notify_script_format json
sudo fcli set main notify_script_path /opt/fastnetmon/libraries/scrubbing_services_integration_plugin/scrubbing_services_integration
sudo fcli commit
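The following is an added example, not code from FastNetMon or Cloudflare, that models what the integration does when the notify script fires: it takes a ban/unban notification, derives the /24 covering the attacked IP, and builds the announce or withdraw request using the next hop, priority and weight from the configuration above. The JSON field names "ip" and "action", the Magic Transit routes endpoint path, and the route-id handling are assumptions for this example; the sample events are constructed.

```python
"""Model of the scrubbing integration's announce/withdraw logic (added example)."""
import ipaddress
import json
from typing import Optional

# Assumed shape of the Magic Transit static routes endpoint; not stated on the page.
MAGIC_ROUTES_URL = "https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/routes"

# Constructed sample notifications in the JSON the notify script receives;
# the "ip" and "action" field names are an assumption of this example.
SAMPLE_BAN = json.dumps({"ip": "203.0.113.77", "action": "ban"})
SAMPLE_UNBAN = json.dumps({"ip": "203.0.113.77", "action": "unban"})


def covering_prefix(ip: str) -> str:
    """Return the /24 that contains ip, the prefix the page says gets announced."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("the page only describes IPv4 /24 announcements")
    return str(ipaddress.ip_network(f"{addr}/24", strict=False))


class ScrubbingIntegration:
    """Stand-in for the plugin: turns ban/unban events into API request plans."""

    def __init__(self, account_id: str, api_token: str, next_hop: str,
                 priority: int = 100, weight: int = 100) -> None:
        if not account_id or not api_token:
            raise ValueError("cloudflare_account_id and cloudflare_api_token are required")
        # The next hop must be the address the scrubbing centre handed out.
        ipaddress.IPv4Address(next_hop)
        if priority < 0 or weight < 0:
            raise ValueError("priority and weight must be non-negative")
        self.account_id = account_id
        self.api_token = api_token
        self.next_hop = next_hop
        self.priority = priority
        self.weight = weight
        self.announced: dict = {}  # prefix -> route id returned by the API on announce

    def _headers(self) -> dict:
        return {"Authorization": f"Bearer {self.api_token}",
                "Content-Type": "application/json"}

    def handle(self, event_json: str) -> Optional[dict]:
        """Return the HTTP request to send for this event, or None if nothing to do."""
        event = json.loads(event_json)
        prefix = covering_prefix(event["ip"])
        base = MAGIC_ROUTES_URL.format(account_id=self.account_id)
        if event["action"] == "ban":
            if prefix in self.announced:
                return None  # a second attacked IP in the same /24 needs no new announce
            route = {"prefix": prefix, "nexthop": self.next_hop,
                     "priority": self.priority, "weight": self.weight,
                     "description": "fastnetmon"}
            return {"method": "POST", "url": base, "headers": self._headers(),
                    "json": {"routes": [route]}}
        if event["action"] == "unban":
            route_id = self.announced.get(prefix)
            if route_id is None:
                return None  # never announced (or already withdrawn)
            return {"method": "DELETE", "url": f"{base}/{route_id}",
                    "headers": self._headers(), "json": None}
        raise ValueError(f"unknown action {event['action']!r}")

    def record_announce(self, prefix: str, route_id: str) -> None:
        """Remember the route id the API returned so the unban can withdraw it."""
        self.announced[prefix] = route_id

    def record_withdraw(self, prefix: str) -> None:
        self.announced.pop(prefix, None)


def loggable(request: dict) -> str:
    """Render a request for the integration log with the bearer token masked."""
    safe = dict(request)
    safe["headers"] = {**request["headers"], "Authorization": "Bearer ***"}
    return json.dumps(safe, sort_keys=True)


if __name__ == "__main__":
    integ = ScrubbingIntegration("xxx", "yyy", "10.20.30.40", 100, 100)
    plan = integ.handle(SAMPLE_BAN)
    print(loggable(plan))
    integ.record_announce("203.0.113.0/24", "route-id-from-response")
    print(loggable(integ.handle(SAMPLE_UNBAN)))
```

The request plans are returned rather than sent so the logic can be exercised offline; a real caller would send the POST, store the route id from the response via record_announce, and send the DELETE on unban. The loggable helper masks the bearer token before anything reaches the log file, which the plugin's detailed logging makes worth checking.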
After that we recommend manually blocking some IP address from a test prefix and checking that it works as expected.
You can do it this way:
sudo fcli set blackhole 1.2.3.4
Then, to unblock it, list all blocked hosts with their UUIDs:
sudo fcli show blackhole
And unblock it:
sudo fcli delete blackhole <uuid>
The integration logic has very detailed logging; you can find the log file here: /var/log/fastnetmon/fastnetmon_scrubbing_services_integration.log