FastNetMon Advanced integration with Path.net DDoS scrubbing centre

FastNetMon Advanced offers complete, production-ready integration with the cloud DDoS scrubbing service provided by Path.net.

To use this capability, you will need a username and a password for their API. Please check that your version of FastNetMon is 2.0.357 or newer.

How does FastNetMon scrubbing centre diversion automation work?

When FastNetMon detects an attack against an IP address, it determines the /24 prefix that contains the attacked IP and announces that prefix to the scrubbing centre. When the attack stops or the ban time expires, FastNetMon removes the announcement from the scrubbing centre using their API.
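Because the whole /24 is diverted, it helps to know in advance which prefix a given host maps to. The shell helpers below are an added example, not part of FastNetMon or Path.net tooling: they compute the covering /24 for IPv4 addresses and check a test IP against the prefix you intend to divert. The function names and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not FastNetMon code): map attacked hosts to the /24 that
# would be announced to the scrubbing centre.

# Print the /24 covering an IPv4 address; return 1 if the input is invalid.
covering_24() {
    ip=$1
    # Only digits and dots, no empty groups.
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*) return 1 ;; esac   # reject leading zeros
        [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.0/24\n' "$1" "$2" "$3"
}

# Print the distinct /24 prefixes covering a list of hosts, one per line.
# Invalid entries are reported on stderr and skipped.
diverted_prefixes() {
    for host in "$@"; do
        prefix=$(covering_24 "$host") || {
            printf 'skipping invalid IPv4 address: %s\n' "$host" >&2
            continue
        }
        printf '%s\n' "$prefix"
    done | sort -u
}

# Succeed only if the host falls inside the expected test prefix.
in_test_prefix() {
    [ "$(covering_24 "$1")" = "$2" ]
}

# Constructed sample input: two hosts share a /24, so two prefixes result.
diverted_prefixes 192.0.2.10 192.0.2.77 198.51.100.5
if in_test_prefix 1.2.3.4 1.2.3.0/24; then
    echo "1.2.3.4 is inside the test prefix 1.2.3.0/24"
fi
```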

You can use fcli to apply a configuration:

sudo fcli set plugin scrubbing_services_integration provider_name path
sudo fcli set plugin scrubbing_services_integration path_username your_username
sudo fcli set plugin scrubbing_services_integration path_password your_password
sudo fcli set plugin scrubbing_services_integration log_path /var/log/fastnetmon/fastnetmon_scrubbing_services_integration.log

Finally, configure FastNetMon to call the integration plugin whenever it blocks or unblocks an IP:

sudo fcli set main notify_script_enabled enable
sudo fcli set main notify_script_format json
sudo fcli set main notify_script_path /opt/fastnetmon/libraries/scrubbing_services_integration_plugin/scrubbing_services_integration
sudo fcli commit

After this, we recommend manually blocking some IP addresses from the test prefix and checking that it works as expected.

You can do it in the following way:

sudo fcli set blackhole 1.2.3.4

To unblock, list all blocked hosts with their UUIDs:

sudo fcli show blackhole

And unblock:

sudo fcli delete blackhole <uuid>

The integration logic has very detailed logging, and you can find the log file here: /var/log/fastnetmon/fastnetmon_scrubbing_services_integration.log